How-to

How to discover and manage DKIM selectors for your domain

DKIM keys are published in DNS under selectors. Learn how to find which selectors your senders use and manage them on the Blankitt domain detail page.

3 min read. Last updated 14 June 2026

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to your outgoing mail. The matching public key lives in your DNS under a selector, at selector._domainkey.yourdomain. Getting DKIM right — and aligned — is one of the two ways mail passes DMARC, so knowing which selectors are in play matters.

What a selector is

A selector is just a label that lets you publish multiple DKIM keys for one domain — one per sending service, or several for key rotation. Each maps to its own TXT record:

selector1._domainkey.example.com.  IN  TXT  "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQ..."

When a message is signed, its DKIM-Signature header names the selector (s=) and signing domain (d=). A receiver looks up the TXT record at s._domainkey.d (the selector, then _domainkey, then the signing domain) to fetch the key and verify the signature.

DKIM pass vs DKIM alignment

  • DKIM pass = the signature verifies against the published key.
  • DKIM alignment = the signing d= domain matches your From: domain.

DMARC needs alignment, not just a pass. A vendor that signs with their own d= domain will get a DKIM pass but fail alignment — so you usually need them to sign as your domain.
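
The following is an added example, not Blankitt's code: it reads every DKIM-Signature header in a message, builds the DNS name a receiver would query from s= and d=, and reports whether d= aligns with the From: domain. It goes slightly beyond the text by separating DMARC's strict alignment (exact match) from relaxed alignment (same organizational domain). The function names, the sample message and the caller-supplied org_domain parameter (a stand-in for a Public Suffix List lookup) are assumptions, and the code checks alignment only; it does not verify signatures or query DNS.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message; bh= and b= values are placeholders, not real data.
SAMPLE = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=selector1;\n"
    " h=from:to:subject; bh=CONSTRUCTED; b=CONSTRUCTED\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=vendor-mail.example.net; s=s1;\n"
    " h=from:to:subject; bh=CONSTRUCTED; b=CONSTRUCTED\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=mail.example.com; s=s2;\n"
    " h=from:to:subject; bh=CONSTRUCTED; b=CONSTRUCTED\n"
    "From: Example News <news@example.com>\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

def parse_dkim_tags(value):
    """Split a DKIM-Signature header value into its tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            # Header folding inserts whitespace that is not part of the value.
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def _under(domain, org):
    """True if domain is org itself or a subdomain of it."""
    return domain == org or domain.endswith("." + org)

def dkim_report(raw_message, org_domain=None):
    """List each signature's key lookup name and its alignment with From:."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    report = []
    for value in msg.get_all("DKIM-Signature", []):
        tags = parse_dkim_tags(value)
        d, s = tags.get("d", "").lower(), tags.get("s", "")
        if not d or not s:
            continue  # malformed signature: no key can be looked up
        strict = d == from_domain
        relaxed = strict or (org_domain is not None
                             and _under(d, org_domain)
                             and _under(from_domain, org_domain))
        report.append({"lookup": f"{s}._domainkey.{d}",
                       "strict": strict, "relaxed": relaxed})
    return report
```

In the sample, the vendor signature made with d=vendor-mail.example.net is the case described above: it could pass DKIM on its own key yet can never align with a From: address at example.com.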

Step 1 — Discover your selectors

Every email service that signs for you has its own selector, and it is easy to lose track. To find them:

  • Open the domain on the Domains list and go to the domain detail page. Use DKIM selector management to view and manage the selectors Blankitt is tracking for the domain.
  • Cross-reference the Offenders page: each sending source shows its DKIM result and vendor attribution, which tells you which services are (and aren't) signing as your domain.
  • Check the live DNS records section on the domain detail page, which surfaces DMARC, SPF, DKIM, BIMI, MTA-STS and TLSRPT records for the domain.

Each vendor documents the selector name it uses (often something like s1, selector1, or a service-specific label) — note them as you confirm each one.

Step 2 — Manage selectors on the domain detail page

Use DKIM selector management on the domain detail page to keep your tracked selectors tidy — adding the ones a sender uses so Blankitt can monitor them, and clearing out selectors for services you no longer use.

Step 3 — Add a new sender's DKIM key

When you onboard a new email service:

  1. Enable DKIM in the vendor's dashboard and copy the selector name and public key they provide.
  2. Publish the TXT record at selector._domainkey.yourdomain in your DNS.
  3. Confirm the vendor signs with d=yourdomain so the signature aligns.
  4. Track the selector via DKIM selector management.

Step 4 — Rotating keys

Good practice is to rotate DKIM keys periodically. Because selectors let multiple keys coexist, you can publish a new selector's key, switch the vendor to sign with it, confirm mail still passes via Offenders, then retire the old selector. The DNS Changelog records each change so you have an audit trail.

Tip

If a legitimate sender is failing DMARC and you cannot make SPF align, fixing DKIM alignment is usually the answer — pair this article with the Fix Groups guide on aligning a failing sender.
