NsLookup logo
Learning center

DKIM Selectors Explained and Key Rotation

Email authentication can feel confusing at first, especially when terms like DKIM selectors start showing up in your DNS settings. But if you're sending emails from your domain, understanding this small detail is actually very important.
DKIM Selectors Explained and Key Rotation

A DKIM selector helps receiving servers locate your DKIM public key and verify your emails. Without it, your messages may fail authentication or land in spam. On top of that, managing DKIM selectors properly also helps you rotate keys regularly, which keeps your domain secure.

In this guide, we'll explain what a DKIM selector is, how it works, how to find it, and how to rotate DKIM keys safely. If you're new to DKIM altogether, start with what DKIM is and how email verification works.

What is a DKIM Selector

A DKIM selector is a small piece of text that helps email servers find your DKIM key in your DNS. You can think of it like a label that shows where your key is stored.

When you send an email, your email system adds a DKIM signature to it. This signature includes your domain (d=) and the selector (s=). The selector tells the receiving server which DKIM key to use.

Here's how it works in simple steps. First, your email is signed using a private key on your server. Then, the selector is added to the email header as part of the DKIM signature. When the email reaches the receiver, their server reads the selector. It then looks up your public key in DNS using something like: 

selector._domainkey.yourdomain.com

After that, the server checks the email using this key. If everything matches, the email is verified and trusted. If it doesn't match, the email may fail DKIM verification and end up in spam.

What are DKIM Selectors (Plural)?

DKIM selectors (plural) simply means using more than one selector for the same domain. Instead of relying on a single DKIM key, you can create multiple selectors, and each one points to a different key in your DNS.

This is helpful in many situations. For example, if you use different email services like Google Workspace or a marketing tool, each can have its own selector. It also makes DKIM key rotation easier, since you can add a new selector without removing the old one right away. You can even use extra selectors for testing or backup setups without affecting your main email flow.

DKIM Selector Example

Here's a simple DKIM selector example to help you understand how it works.

  • Selector: s1
  • Domain: yourdomain.com

Your DNS record would look like this:

s1._domainkey.yourdomain.com

And in your email header, the DKIM signature might include:

s=s1;
d=yourdomain.com;

This is exactly how a DKIM selector is used. The selector (s1) tells the receiving server where to find your public key. So, the server looks up s1._domainkey.yourdomain.com.

What is DKIM Key Rotation?

DKIM key rotation means changing your DKIM keys from time to time to keep your email security strong. Instead of using the same key forever, you generate a new key and start using it for signing your emails.

Over time, keeping one key for too long can become risky. If that key gets exposed or misused, someone could send fake emails that look like they came from your domain. That's why rotating keys is a good practice.

With DKIM, this process is smooth because you can create a new key with a new selector, add it to your DNS, and switch to it without breaking email deliverability. You can also keep the old key active for a short time during the transition.

Regular DKIM key rotation helps reduce the risk of key compromise, prevents unauthorized email signing, and avoids long-term exposure of your keys.

How DKIM Selectors Help in Key Rotation

DKIM selectors make key rotation easy by allowing you to use old and new keys simultaneously without breaking anything. Here's how the whole process goes:

Step 1: Generate a New Key Pair

Go to your email provider or DKIM tool and create a new key. This gives you a private key (which stays on your mail server) and a public key (which goes into DNS). Assign it a new selector name like s2. Keep it different from your old one (s1) so both can exist together.

Step 2: Add the New Selector to Your DNS

Create a new TXT record in your DNS and paste the new public key value here. Do not delete the old record yet. Now you have two active DKIM selectors in DNS.

Step 3: Update Your Mail Server to Use the New Selector

Go to your email platform settings and change the DKIM configuration to use s2. From this moment, all new outgoing emails will be signed with the new key.

Step 4: Keep the Old Selector Active For Verification

Emails sent earlier (with s1) may still be in transit or inboxes. Receiving servers will still check those using the old selector. That's why you keep it live.

Step 5: Monitor DKIM Results

Check email headers or your authentication dashboard. Look for dkim=pass and confirm the selector shows s2. This tells you the new setup is working.

Step 6: Safely Remove the Old Selector

After a few days or weeks, once you're sure everything is stable, delete the old DNS record (s1).

Best Practices for DKIM Selectors and Key Rotation

Setting up DKIM is not a one-time task. To keep your emails secure and properly authenticated, you need to follow a few best practices for managing DKIM selectors and rotating keys.

Use Clear Naming

Always choose simple and meaningful names for your selectors. You can use names like s1, s2, or something based on the service, like google. This makes it easier to understand which key belongs to which system later. If you use multiple tools, clear naming helps you avoid confusion and mistakes during updates or troubleshooting. When you look at your DNS months later, you should instantly know what each selector is used for.

Rotate Keys Regularly

DKIM keys should not be used forever. Over time, keeping the same key increases security risk. A good practice is to rotate your keys every 6 to 12 months. This means generating a new key and switching to a new selector. Regular rotation reduces the chances of misuse if a key is ever exposed. It also shows that your email setup follows strong security hygiene, which helps maintain trust with email providers.

Don't Delete Old Keys Immediately

When you switch to a new selector, do not rush to delete the old one. Emails signed with the old key may still be in inboxes or in transit. If you remove the old selector too soon, those emails may fail DKIM checks. Keep the old selector active for a few days or weeks during the transition. This ensures a smooth switch without affecting email delivery or authentication.

Monitor Authentication

After making any changes, always check if your emails are passing DKIM. You can review email headers or use the EasyDMARC DKIM Lookup Tool to verify your selectors and DNS records. Monitoring helps you catch issues early, such as incorrect records or failed signatures. This step is important to ensure your emails remain trusted and do not end up in spam.

Never delete the old selector too early

The single most common rotation mistake is removing the old s1 record the moment you switch to s2. Messages already in transit or sitting in inboxes are still verified against the old key, so keep it live for a few days or weeks before cleaning it up.

Conclusion

DKIM selectors may seem like a small technical detail, but they play a big role in keeping your emails secure and trusted. From helping receiving servers find the right key to making key rotation smooth, they are essential for proper email authentication. If you understand how to manage selectors and rotate keys regularly, you reduce the risk of failures, spoofing, and deliverability issues.

Keeping your DKIM setup updated is not just about security. It also protects your sender reputation and ensures your emails consistently reach the inbox. Even small mistakes, like wrong selectors or missing records, can impact your results, so regular checks and updates are important.

If you want to make this process easier, you can start your 14-day free trial to monitor your DKIM, validate selectors, and manage your email authentication without the manual hassle.

Frequently Asked Questions

Can changing a DKIM selector affect email deliverability immediately?

Yes, it can if not done properly. If you switch to a new selector but the DNS record is missing or incorrect, emails may fail DKIM checks. This can lead to emails being sent to spam or being rejected by strict servers.

Is there a limit to the number of DKIM selectors I can create?

There is no strict limit on the number of DKIM selectors you can have. However, too many unused or outdated selectors can clutter your DNS and make management confusing. It's best to keep only active and necessary selectors.

Do DKIM selectors expire automatically?

No, DKIM selectors do not expire on their own. They remain active in your DNS until you manually remove them. This is why it's important to clean up old selectors after key rotation to avoid unnecessary exposure.

Can I reuse an old DKIM selector name after deleting it?

Technically, yes, but it is not recommended. Reusing old selector names can cause confusion and issues if some servers still cache old DNS data. It's better to use a new, unique selector each time.

Do DKIM selectors work the same across all email providers?

The basic concept remains the same, but setup steps can vary slightly between providers. Some platforms generate selectors automatically, while others require manual setup. Always follow your provider's instructions to avoid configuration errors.