Skip to main content

New

Test your email deliverability

Send a test email and get a complete diagnosis of your SPF, DKIM and DMARC authentication in seconds.

  • Real send test
  • Instant diagnosis
  • No signup required
Run the test

DKIM Selector Finder

Automatically find all DKIM selectors configured for a domain

Don't know your DKIM selectors? Simply enter your domain. This tool automatically discovers all configured DKIM selectors using smart DNS brute-force. No selector input required.

Automatic discovery

Scans 50 to 120 known DKIM selectors via DNS brute-force. Detects selectors from Google, Microsoft, SendGrid, Mailchimp, and 30+ other providers.

MX heuristics

Smart mode automatically detects your email providers via MX records and prioritizes their DKIM selectors. Faster and more relevant results.

In-depth analysis

Each selector found is analyzed in depth: key type (RSA/Ed25519), length, validity, security alerts, and DMARC compatibility.

Provider identification

Automatically identifies which email provider is associated with each DKIM selector found: Google Workspace, Microsoft 365, SendGrid, etc.

Actionable recommendations

Get precise recommendations: RSA keys to upgrade to 2048 bits, invalid selectors to fix, MX providers without a DKIM signature.

The problem: checking DKIM without knowing the selector

Traditional DKIM tools ask for a domain and a selector. But most users don't know their DKIM selector. Result: they can't verify their configuration.

The DKIM Selector Finder solves this problem. Enter a domain, and the tool automatically discovers all configured DKIM selectors.

How does the discovery work?

1. Email provider detection (Smart mode)

The tool queries your domain's MX records to identify your email providers:

  • *.google.com → Google Workspace → selector google
  • *.outlook.com → Microsoft 365 → selectors selector1, selector2
  • *.mcsv.net → Mailchimp → selectors k1, k2, k3

2. Smart DNS brute-force

The tool tests known selectors in parallel by querying:

<selector>._domainkey.<your-domain>

For each selector, a DNS TXT query is sent. If a DKIM record exists, it is analyzed.

3. In-depth analysis

Each selector found is analyzed using the same engine as our DKIM Checker:

  • Key type: RSA or Ed25519
  • Key length: 1024, 2048, 4096 bits
  • Record validity
  • Security alerts (weak key, invalid format)
  • CNAME detection (delegation to provider)

When should you use this tool?

SituationThis tool is for you
You don't know your DKIM selectorAutomatic discovery
Security audit of a third-party domainComplete view of the DKIM configuration
Email provider migrationCheck which selectors are still active
DMARC deployment in reject modeEnsure all email flows are DKIM-signed
Deliverability debuggingIdentify invalid selectors or weak keys

DKIM selectors for major providers

ProviderDKIM SelectorsMX Pattern
Google Workspacegoogle*.google.com
Microsoft 365selector1, selector2*.outlook.com
SendGrids1, s2, smtpapi*.sendgrid.net
Mailchimpk1, k2, k3*.mcsv.net
Amazon SESamazonses*.amazonses.com
Postmarkpm*.mtasv.net
HubSpoths1, hs2
Brevo (Sendinblue)mail, sendinblue*.sendinblue.com
Zoho Mailzoho, zmail*.zoho.com
OVHovhmo**.ovh.net

This table covers the most common providers. The tool tests 100+ selectors in total.

Limitations of brute-force discovery

DNS does not allow listing a zone's subdomains (no wildcard enumeration on *._domainkey). Discovery relies on a catalog of known selectors.

What will be found:

  • Standard selectors from 35+ providers in the catalog
  • Generic selectors (default, dkim, mail, s1, selector1, etc.)
  • Common numeric selectors (dkim1, dkim2, k1, k2)

What will not be found:

  • Custom or random selectors (e.g., campaign-2024-q3)
  • Dynamically generated selectors (hash, UUID)
  • Selectors on subdomains (e.g., bounce.yourdomain.com)

For those cases, check the headers of your sent emails: DKIM-Signature: s=selector.

FAQ - Frequently Asked Questions

Q: What is a DKIM selector?

A: A DKIM selector is an identifier used to locate the DKIM public key in DNS. It is published at selector._domainkey.yourdomain.com. Each email provider uses its own selector, which allows multiple DKIM signatures to be active simultaneously.

Q: How can I find my DKIM selectors without sending an email?

A: This tool discovers your selectors via DNS brute-force: it tests 50 to 120 known selectors directly against your DNS zone. No email is sent. Smart mode first detects your providers via MX to prioritize the right selectors.

Q: What are the default DKIM selectors for major providers?

A: Google Workspace uses google. Microsoft 365 uses selector1 and selector2. SendGrid uses s1 and s2. Mailchimp uses k1, k2, and k3. Postmark uses pm. See the provider table above for the full list.

Q: Can you check DKIM without knowing the selector?

A: Yes, that's exactly what this tool does. Unlike traditional DKIM checkers, the Selector Finder automatically tests known selectors via DNS brute-force.

Q: What does "DKIM selector not found" mean?

A: No TXT record exists for this selector in DNS. Possible causes: DKIM is not configured, custom selector not in the catalog, record deleted, or incomplete DNS propagation.

Q: What's the difference between Smart mode and Full mode?

A: Smart mode detects your providers via MX and tests ~50 selectors. Full mode tests ~120 selectors without filtering. Use Full if Smart doesn't find all your selectors.

Q: Can the tool find all DKIM selectors?

A: No. Custom or dynamically generated selectors will not be detected. For those cases, check your email headers (DKIM-Signature: s=selector).

ToolPurpose
DKIM CheckerAnalyze a specific DKIM selector in depth
DKIM Syntax CheckerValidate DKIM record syntax before publishing
DKIM GeneratorGenerate DKIM key pairs (RSA/Ed25519)
Deliverability AuditCheck SPF, DKIM, DMARC, and MX for a domain
DMARC InspectorTest your DMARC policy
Email Header AnalyzerExtract DKIM selectors from a received email

Useful resources