A selector is a text string at the beginning of your DKIM TXT or CNAME record host/name used to identify or point to a specific DKIM public key.
selector._domainkey.example.com
DKIM selectors are specific to each mailbox and email service provider and set up by domain owners to enable DKIM authentication.
| Provider | DKIM Selector |
|---|---|
| Gmail (Google Workspace) | google |
| Yahoo Mail | yahoo |
| Outlook (Microsoft 365) | selector1, selector2 |
| AOL Mail | dkim |
| Apple Mail (iCloud) | apple |
| FastMail | fm1 |
| Zoho Mail | zoho |
| Provider | DKIM Selector |
|---|---|
| MailChimp | k1, k2, k3 |
| SendGrid | s1, s2 |
| Constant Contact | ctct1, ctct2 |
| HubSpot | hubspot |
| Campaign Monitor | cm1, cm2 |
| AWeber | aweber |
| ActiveCampaign | activecampaign |
| MailerLite | litesrv |
| Mailgun | smtp |
| Klaviyo | kl, kl2 |
Questions frequently asked by our users regarding DKIM records and authentication.
Yes, it is highly recommended to implement both SPF and DKIM for comprehensive email authentication. While SPF helps verify the sending server's identity and prevents email spoofing, DKIM provides an additional layer of security by ensuring that the email content has not been altered in transit. While SPF is effective in some cases, DKIM is especially important in scenarios involving email forwarding, as it is designed to withstand these situations and maintain email integrity. Therefore, having both SPF and DKIM protocols in place strengthens your email security measures effectively.
Yes, DKIM is a crucial component of DMARC protection. DMARC (Domain-based Message Authentication, Reporting, and Conformance) utilizes DKIM, alongside SPF (Sender Policy Framework), as one of the essential authentication mechanisms. To successfully pass a DMARC check, at least one of these authentication protocols, such as DKIM, must be properly implemented and validated. Therefore, DKIM plays a significant role in enhancing the security and reliability of email communication under the DMARC framework.
To investigate DKIM issues, there are several steps that can be taken:
You can have as many DKIM records as you want. The quantity of DKIM records you can use is not limited, and the only restriction would be the capacity and support provided by your DNS provider. Each DKIM record can be linked with its unique selector. It is crucial to utilize multiple selectors for each email sending service to properly manage and authenticate your email messages.
Some common DKIM issues that can arise include DNS configuration errors, key length problems, mismatched domain names, incorrect signing algorithms, and message body changes.
DNS configuration errors can lead to DKIM failures if there are issues with setting up the required DNS TXT records, such as missing or incorrect records or syntax errors.
Key length is crucial in DKIM, as it must be at least 1024 bits to function properly. Using a key that is too short may result in DKIM failures, as some email providers may require longer keys.
DKIM requires that the domain name used in the DKIM signature matches the domain name in the email's From address. A mismatch in domain names can cause DKIM to fail, impacting DMARC compliance and alignment.
Incorrect signing algorithms can also be a common issue with DKIM. Not all email providers support all signing algorithms, so using an unsupported algorithm can lead to DKIM failures.
Lastly, changes to the email message body after it has been signed can result in an invalid DKIM signature. This can occur if the email passes through a gateway or is modified by a content filter, causing the DKIM signature to fail verification at the recipient's email server.
To analyze the DKIM selector from Email Headers, you can look for the DKIM-Signature email header in the email message. The DKIM selector is typically included within this header as an 's=' tag. This tag represents the selector value associated with the DKIM signature, which helps identify the specific key used to sign the message.
When examining the DKIM-Signature header, pay close attention to the 's=' tag, which indicates the selector for that particular DKIM signature. This selector is crucial for verifying the authenticity of the sender and ensuring that the message has not been tampered with in transit.
By identifying and analyzing the DKIM selector from the email headers, you can gain insights into the cryptographic key used to sign the message and validate its origin, thereby enhancing the security and trustworthiness of the email communication.