DKIM selector

A DKIM selector is the label in front of _domainkey.yourdomain.com that identifies which DKIM key the receiver should use to verify a message. Selectors exist so one domain can have multiple keys simultaneously, each for a different sender or each for key rotation.

A DKIM-Signature header looks like:

DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=mailchimp123; ...

The s= tag is the selector. The receiver looks up the DNS record:

mailchimp123._domainkey.example.com. IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSI..."

That TXT contains the public key. The receiver uses it to verify the signature.

Why selectors exist

Two reasons:

Multiple senders

You probably send mail through several systems: your transactional ESP, your marketing platform, your CRM, your support tool. Each one has its own DKIM keypair. Each gets its own selector:

• mc1._domainkey.example.com for Mailchimp.
• s1._domainkey.example.com for SendGrid.
• pm._domainkey.example.com for Postmark.

Same domain, different selectors, different keys, all valid at once.

Key rotation

DKIM keys should rotate periodically (recommended: every 6-12 months). With selectors, rotation is non-disruptive:

1. Publish new key under a new selector (s2024-q3).
2. Configure the sender to start signing with the new selector.
3. Wait for mail-in-flight to drain. ~1 week.
4. Remove the old selector's DNS record.

No outage window. Receivers verify whatever selector the message used.

Selector naming convention

There's no standard. Common conventions:

• Mailchimp: mte1, mte2, ...
• Google Workspace: google, selector1, selector2.
• Microsoft 365: selector1, selector2.
• Date-based rotation: s2026-01, s2026-07.

Use whatever makes the next person debugging it less confused.

Limit

Practical limit is whatever your DNS provider allows in TXT record count. There's no DKIM-specific cap. Most teams have 3-10 selectors at any one time. If you have more than 20, you probably have legacy senders you can clean up.