What is the DKIM selector and how does it work?

There are 150,465 live websites using DKIM.

But what is DKIM?

DKIM stands for DomainKeys Identified Mail, an email authentication technique that lets the receiver check whether an email was sent and authorized by the owner of the sending domain. It works by giving the email a digital signature. The signature is a header added to the message and is secured with public-key cryptography. DKIM signatures are not visible to end users, and validation is done at the server level.

What is a DKIM selector?

The DKIM selector is a string used by the outgoing server to locate the private key that signs the email message, and by the receiving server to locate the public key that verifies whether the email message is from a trusted source.

Every time a private/public key pair is generated, a tuple { selector, private key, public key } is created, where the selector is used to locate the private key and the public key.

How does the DKIM selector work?

Once the signing server has chosen a selector, it uses the selector to find the private key, which is accessible only to the server, and generates the signature with it. Once the signature is generated, the DKIM selector is inserted into the email headers as an s= tag, and the email is sent.

Consider the following example:

Suppose the selector chosen by the signing server is s1; the tag will then look like s=s1. The selector can be any arbitrarily chosen string, such as itismyselector1122, as long as it points to a valid private/public key pair.

Here is a practical example of a DKIM signature header:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dmarcly.com; h=content-transfer-encoding:content-type:from:mime-version:subject: x-feedback-id:to; s=s1; bh=jCC0oQBCKfJ10bCI3PCG52Zwowyeh1haGJPACkWN9F4=; b=GzLBVZ0M1hMt1Y7hVT+ajaNrswTv+/FFVMrcaixD70hpTJwAmNwZUKJIzLslSC+iWHby 9gm+yfx6Z1qnXIL6qgBPnlZD4zwyK4D3Umd1je82jniuD7RJWYDqJH0zL+EevCDdoVZGmT IlxzZB6v95bws6539z/5qee+Xmu5KYe4Y=

Here the DKIM selector used in the DKIM signature is s=s1.

When the email reaches the receiving server, the server looks at the email headers to locate the s= tag. If the tag is present, the server extracts the selector from it and uses it to look up the public key.

When the public key is found, the server uses it to check the signature and verify the integrity of the message. If the integrity is verified, DKIM authentication succeeds; otherwise it fails.

If no public key is found, DKIM authentication fails.

How do I find my DKIM selector?

A DKIM selector is specified when the private/public key pair is created during DKIM setup for the email sender, and it can be any random or arbitrary string of text.

The selector is inserted into the DKIM-Signature email header as an s= tag when the email is sent. The easiest way to discover the selector for your domain is by sending an email to yourself. 

When you open the email, view the “original message” of the email. Your focus here is to view the header information, which includes all the DKIM authentication results.

Search the headers for “DKIM-Signature” to find out whether a DKIM signature has been applied to the message. If there are multiple DKIM-Signature headers, find the one that contains your domain. This DKIM signature contains an attribute “s=”, which is the selector used.
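The following Python sketch is an added example, not code from the original article. It covers both the receiving-server lookup described under "How does the DKIM selector work?" and the manual header search described above: it picks the DKIM-Signature header for your domain out of a raw message and derives the DNS name where the public key is published, which RFC 6376 defines as selector._domainkey.domain. The sample message, the relay.example signature and the function names are constructed for illustration.

```python
import email

# Constructed sample: the page's signature (d=dmarcly.com, s=s1) plus one from
# a hypothetical relay. The bh=/b= values are placeholders, not real signatures.
RAW_MESSAGE = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=relay.example;
 h=from:subject:to; s=2024a; bh=PLACEHOLDER=; b=PLACEHOLDER=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dmarcly.com;
 h=content-type:from:mime-version:subject: x-feedback-id:to; s=s1;
 bh=PLACEHOLDER=; b=PLACE
 HOLDER=
From: sender@dmarcly.com
Subject: selector test

body
"""

REQUIRED_TAGS = {"v", "a", "b", "bh", "d", "h", "s"}  # RFC 6376, section 3.5

def parse_tag_list(header_value):
    """Split a DKIM tag=value list into a dict; whitespace inside values is
    header folding and is dropped."""
    tags = {}
    for item in header_value.split(";"):
        name, sep, value = item.partition("=")  # base64 may contain more '='
        if sep:
            tags[name.strip()] = "".join(value.split())
    return tags

def key_record_name(tags):
    """DNS TXT name a receiver queries for the public key, or None when a
    required tag (such as s=) is missing and verification cannot proceed."""
    if not REQUIRED_TAGS <= tags.keys():
        return None
    return f"{tags['s']}._domainkey.{tags['d']}"

def find_selectors(raw_message, domain):
    """Return (selector, key record name) for every signature with d=domain."""
    msg = email.message_from_string(raw_message)
    results = []
    for value in msg.get_all("DKIM-Signature", []):
        tags = parse_tag_list(value)
        if tags.get("d", "").lower() == domain.lower():
            results.append((tags.get("s"), key_record_name(tags)))
    return results

if __name__ == "__main__":
    for selector, name in find_selectors(RAW_MESSAGE, "dmarcly.com"):
        print(f"selector={selector}  public key published at TXT {name}")
```

Querying the printed name for a TXT record (for example with dig or nslookup) shows whether a public key is actually published for that selector.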

Relationship between DKIM and DMARC

DMARC stands for “Domain-based Message Authentication, Reporting, and Conformance.” It is an email authentication, policy, and reporting protocol that is built around both SPF and DKIM. 

You might wonder why DMARC is necessary when it relies on both DKIM and SPF. It ensures that when an email is received, the information in both records matches the “friendly from” domain that the user actually sees and the from address that is contained in the message’s header. A DMARC record is created when you have both SPF and DKIM in place. Many domains don’t have SPF or DKIM set up, so the best way to go about it is through DMARC implementation tools. DMARC setup is similar to that of SPF, as it is a simple one-line entry in the domain’s DNS records. It ties the DKIM and SPF protocols together with a consistent set of policies.

Now, why do we need to use SPF, DKIM, and DMARC together?

The combination of these security protocols helps combat spam and spear phishing. Many networks are compromised because of these issues, so IT managers are looking for a better solution. With the rise in ransomware, which is often preceded by spear-phishing emails, enterprises are increasingly motivated to protect their email infrastructure.

Each of the elements (SPF, DKIM, and DMARC) solves a somewhat different piece of the email puzzle to prevent phishing emails and spam. This is accomplished through a combination of standard authentication and encryption tools, such as public and private key signing, and by adding special DNS records to authenticate email coming from your domains.

Also, there has been significant evolution in the internet’s email protocols. Email is now used by everyone for everyday communication. When the email infrastructure implements all these protocols, you can ensure that messages cannot be easily forged and block them from ever darkening your users’ inboxes.


DKIM is an email authentication technology that has been around since 2005. It is a method of adding a tamper-proof seal to emails and ensuring that they are protected and safe. DMARC combines the elements of DKIM and SPF and provides a secure way to deal with spam and spear phishing.

ProDMARC is a user-friendly DMARC email protection solution that acts as your expert guide to help you move as quickly as possible to a reject policy. ProDMARC is a SaaS solution that enables organizations to handle complex DMARC deployments with ease. Across all email networks, the solution offers 360-degree visibility and governance. 

Contact us for the best email authentication solutions.

