DKIM Selector Not Found: Causes and How to Fix It
Fix the DKIM selector not found error. Learn what selectors are, find the correct one for your provider, and verify your DKIM DNS records.
DKIM Selector Not Found: Causes and How to Fix It
The "DKIM selector not found" error means that a DNS lookup for your DKIM public key returned no results. This is one of the most common DKIM issues, and it directly affects your email deliverability and DMARC compliance. The good news: it's almost always a configuration problem that's easy to fix once you identify the root cause.
What Is a DKIM Selector?
DKIM (DomainKeys Identified Mail) uses public-key cryptography to sign outgoing emails. The selector is a label that tells receiving mail servers where to find the public key in your DNS records.
When an email is signed with DKIM, the signature header includes a selector value:
DKIM-Signature: v=1; a=rsa-sha256; d=yourdomain.com; s=google;
h=from:to:subject:date; bh=...; b=...The s=google part is the selector. The receiving server then looks up:
google._domainkey.yourdomain.comIf that DNS record doesn't exist or returns an empty result, you get the "selector not found" error.
Why "Selector Not Found" Happens
There are four common causes:
1. Wrong Selector Name
This is the most frequent cause. You're querying a selector that doesn't match what your email provider actually uses. Each provider has its own default selector(s), and they don't always match what you'd expect.
2. DNS Record Not Published
The DKIM record hasn't been added to your DNS yet, or it was added incorrectly. This often happens when:
- DKIM was enabled in the email provider but the DNS record was never created
- The record was added to the wrong domain or subdomain
- A DNS migration lost the record
3. Propagation Delay
If you just added the DKIM record, it may take up to 48 hours to propagate globally, though most DNS providers update within minutes to a few hours.
4. CNAME vs TXT Record Mismatch
Some providers (like Microsoft 365) use CNAME records that point to their DKIM key servers, while others use direct TXT records containing the public key. Using the wrong record type will result in a "not found" error.
Common DKIM Selectors by Provider
Here are the default DKIM selectors for popular email services. If you're troubleshooting "selector not found," make sure you're looking up the correct one:
| Provider | Selector(s) | Record Type |
|---|---|---|
| Google Workspace | google |
TXT |
| Microsoft 365 | selector1, selector2 |
CNAME |
| Zoho Mail | zoho |
TXT |
| Mailchimp / Mandrill | k1 |
CNAME |
| SendGrid | s1, s2 |
CNAME |
| Amazon SES | Custom (generated per identity) | CNAME |
| Postmark | 20230601 (date-based, varies) |
CNAME |
| Mailgun | smtp, mailo, or custom |
TXT |
| Brevo (Sendinblue) | mail |
TXT |
| HubSpot | hs1, hs2 |
CNAME |
| Yahoo Mail | s1024, s2048 |
TXT |
| FastMail | fm1, fm2, fm3 |
CNAME |
| Proton Mail | protonmail, protonmail2, protonmail3 |
CNAME |
| SparkPost | scph0724 (varies) |
TXT |
| ConvertKit | ck |
CNAME |
For a complete reference with provider-specific configuration steps, see our Email Service Providers Guide.
Step-by-Step Fix
Step 1: Identify the Correct Selector
First, find out what selector your email provider is actually using. You can:
- Check your provider's admin console — Most providers show the DKIM selector and required DNS record in their authentication or email settings.
- Look at an email header — Open a sent email, view the full headers, and find the
DKIM-Signatureheader. Thes=value is your selector. - Use our auto-detection tool — The DKIM Checker attempts to detect selectors automatically by testing common ones.
Step 2: Verify the DNS Record Exists
Once you know the selector, check if the DNS record is published. The record should be at:
{selector}._domainkey.yourdomain.comFor example, if your selector is google and your domain is example.com:
google._domainkey.example.comYou can verify this with our DKIM Checker — enter your domain and selector, and the tool will show you whether the record exists and if it's valid.
Step 3: Add or Fix the DNS Record
If the record is missing, add it in your DNS provider:
For a TXT record (Google Workspace, Zoho, etc.):
| Field | Value |
|---|---|
| Type | TXT |
| Name | google._domainkey (replace google with your selector) |
| Value | The public key value from your email provider |
| TTL | 3600 (1 hour) |
For a CNAME record (Microsoft 365, SendGrid, etc.):
| Field | Value |
|---|---|
| Type | CNAME |
| Name | selector1._domainkey (replace with your selector) |
| Value | The CNAME target from your email provider |
| TTL | 3600 (1 hour) |
Step 4: Wait and Re-verify
After adding the record, wait at least 15 minutes (or up to 48 hours depending on your DNS provider) and then verify again with the DKIM Checker.
Common Mistakes
Adding the Full Domain in the Name Field
Most DNS providers append your domain automatically. If your selector is google, enter just google._domainkey — not google._domainkey.yourdomain.com. Otherwise you'll end up with google._domainkey.yourdomain.com.yourdomain.com.
Using TXT When CNAME Is Required (or Vice Versa)
Check your provider's documentation carefully. Microsoft 365, for example, requires CNAME records that point to selector1-yourdomain-com._domainkey.yourtenant.onmicrosoft.com. A TXT record won't work.
Forgetting to Enable DKIM in the Provider
Some providers require you to explicitly enable DKIM signing in their admin console after adding the DNS record. The DNS record alone isn't enough — the provider must also be configured to sign outgoing emails.
Multiple Domains or Subdomains
If you send email from a subdomain (like mail.yourdomain.com), the DKIM record needs to be added for that subdomain, not the root domain. The lookup would be:
google._domainkey.mail.yourdomain.comAfter Fixing DKIM
Once your DKIM selector is found and the record is valid, verify your complete email authentication setup:
- SPF Checker → — Make sure SPF is also configured
- DMARC Checker → — Verify DMARC is active
- Email Compliance Checker → — Run a full audit of all three protocols
Monitor with DMARC Examiner
DKIM issues don't always trigger visible errors — emails might still be delivered but fail DMARC alignment silently. DMARC Examiner monitors your authentication results continuously and alerts you the moment DKIM failures spike, so you can fix problems before they affect deliverability.
Related Articles:
Ready to improve your email deliverability?
Start monitoring your DMARC reports and get insights into your email authentication setup.
Start Free TrialRelated Articles
troubleshootingDKIM Signature Invalid: Troubleshooting Guide
Fix DKIM signature validation errors. Learn the most common causes of invalid DKIM signatures and step-by-step solutions to restore email authentication.
troubleshootingDMARC Record Not Found: How to Fix This Error
Quick guide to fix DMARC record not found error. Learn the most common causes and step-by-step solutions to get your DMARC record working.
troubleshootingSPF Record: Too Many DNS Lookups (How to Fix)
Fix the SPF too many DNS lookups error. Learn why the 10 lookup limit exists, how to count lookups, and solutions including SPF flattening.