DKIM Selector: What It Is & Why It Is A Crucial Part Of DKIM

Understand how the DKIM selector is an integral constituent of a DKIM record.

DKIM is an email authentication protocol followed by almost all email providers today. Emails signed using DKIM assure recipients of their legitimacy, while senders can be assured of their delivery to the recipient’s inbox rather than the spam folder. The DKIM selector plays an essential role in determining whether the email is legitimate or whether a malicious actor has tampered with it. Below, we discuss DKIM, the DKIM selector, and how to find a DKIM selector.

 


What Is DKIM?

DKIM, or ‘DomainKeys Identified Mail’, is an email authentication method that safeguards email senders and recipients from spam, spoofing, and phishing. It detects forged or tampered email messages by verifying the DKIM signature present in the email headers. DKIM is deployed by publishing two CNAME records per domain in the DNS zone. Here is an example to give you an idea:

Host name: key1._domainkey
Points to address or value: key1-._domainkey.
TTL: 3600

Host name: key2._domainkey
Points to address or value: key2-._domainkey.
TTL: 3600

 

What Is A DKIM Selector?

A DKIM selector is an integral part of the DKIM record, and it makes it possible to publish multiple DKIM keys on a domain. The sending mail server uses it to retrieve the private key used to sign the outgoing email message. The DKIM selector also appears in the email headers, where recipient servers use it to locate the domain’s public key and verify the email’s DKIM signature.

One may also need to set up multiple DKIM selectors for the following reasons.

  • Firstly, multiple DKIM selectors are needed to allow DKIM key rotation. DKIM key rotation protects the sender if the private key is stolen by a malicious actor who manages to break into the system. During the process, a new tuple {selector, private key, public key} is created. The public key will be published in the DNS, whereas the outbound server needs to sign all outgoing emails using the new private key.
  • The second reason for using multiple DKIM selectors is to set up multiple email delivery services on the same domain so that each service has its separate selector that does not interfere with the others.

 

 

DKIM Selector Example

Referring to the DKIM record above, key1 and key2 are used as DKIM selectors. A DKIM selector can be any arbitrary string chosen by the domain’s system administrators. Microsoft, for instance, uses selector1 and selector2 as its DKIM selectors.

 

How To Find A DKIM Selector?

If you use third-party email providers, then the chances are that the emails are DKIM signed. To know if the emails are DKIM signed and to find the DKIM selector associated with them, a user can follow the steps below:

  • The user sends an email to their own address.
  • The next step is to open the received email, and from the message details, navigate to “Show Original” from the menu.
  • Perform a search for “DKIM-Signature.” In the second line, there will be a tag “s=,” which is the selector.

In an email received from an ISP such as Gmail, one may find “s=arc-20160816” as part of the email. (In the example, ‘arc’ or Authenticated Received Chain is a new standard created in 2016, which helps preserve the legitimacy of forwarded emails.)
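The manual steps above can be scripted once the raw message from “Show Original” has been saved. The following is an added example, not code from the original article: it parses every DKIM-Signature header, extracts the s= (selector) and d= (signing domain) tags, and builds the DNS name under which the public key is published. The sample message, its domains and its selectors are constructed for illustration.

```python
from email import message_from_string

# Constructed sample of what "Show Original" displays; the domains, selectors
# and shortened bh=/b= values are made up for illustration.
SAMPLE = """\
Received: from mail.example.net by mx.example.org; Mon, 1 Jan 2024 10:00:00 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;
 s=key1; h=from:to:subject:date;
 bh=Zm9vYmFy; b=QUJDREVG
DKIM-Signature: v=1; a=rsa-sha256; d=mailer.example.net ;
\ts = key2 ; h=from:to:subject; bh=Zm9vYmFy; b=R0hJSktM
From: alice@example.com
To: alice@example.com
Subject: selector test

body
"""


def parse_tags(value):
    """Split a DKIM tag list ("tag=value; tag=value") into a dict."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            # Folding whitespace around names and values is not significant.
            tags[name.strip()] = "".join(val.split())
    return tags


def find_selectors(raw_message):
    """Return one (selector, domain, dns_name) tuple per DKIM-Signature header."""
    msg = message_from_string(raw_message)
    found = []
    for header in msg.get_all("DKIM-Signature", []):
        tags = parse_tags(str(header))
        selector, domain = tags.get("s"), tags.get("d")
        if not selector or not domain:
            continue  # malformed signature: both tags are required
        # Receivers look up the public key at <selector>._domainkey.<domain>.
        found.append((selector, domain, f"{selector}._domainkey.{domain}"))
    return found


if __name__ == "__main__":
    for selector, domain, dns_name in find_selectors(SAMPLE):
        print(f"selector={selector} domain={domain} lookup={dns_name}")
```

A message that passes through several sending services can carry more than one DKIM-Signature header, which is why the function returns a list rather than a single selector.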

 

Final Words

A DKIM selector is required: outbound servers use it to locate the private key that signs all outgoing emails, irrespective of whether one sets up a custom DKIM selector or uses a default one from Office 365. On the receiving end, incoming servers use the DKIM selector to find the public key in the DNS and verify the DKIM signature in the email headers, which confirms the legitimacy of the email message and puts an end to tampering of email communication by malicious intruders.
