DKIM Selectors

DKIM is the part of email authentication that most often trips up external audits. SPF and DMARC live at predictable DNS names; DKIM does not. Without the selector, there is no reliable way to check the intended DKIM record directly.

Record pattern

[selector]._domainkey.example.com

Best source

Use selector names issued by the sending platform or mailbox provider.

Why it matters

Without selector-aware DKIM coverage, an otherwise strong domain can be held below the top grade bands.

How the API handles missing selectors

  • Useful triage still works: The API can still evaluate MX, SPF, DMARC, MTA-STS, TLS-RPT, and BIMI when selectors are omitted.
  • Results become more provisional: The response uses assessment_confidence and coverage_summary to explain what was directly verified.
  • Heuristics are conservative: When a domain clearly matches one provider, the API may try common selectors as hints. Those checks are still less authoritative than exact provider-issued selector names.

Where selectors usually come from

Look in the mail provider or sending platform that asked you to publish DKIM DNS records. Google Workspace, Microsoft 365, Amazon SES, SendGrid, Mailchimp, Klaviyo, and similar products expose selector names or record targets during domain authentication setup.

Important: A failed selector lookup does not prove DKIM is absent. It usually means the selector name is stale, incomplete, or not the selector currently in use for that sender.
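The record pattern and the caveat above, as an added example (not code from this API or its documentation). It builds the query name for a selector and classifies a lookup answer without treating a missing record as proof that DKIM is absent. The function names and result labels are hypothetical, the DNS answers are constructed, and the tag handling follows RFC 6376.

```python
import re

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
_NAME = re.compile(rf"^{_LABEL}(\.{_LABEL})*$")

def dkim_query_name(selector, domain):
    """Build [selector]._domainkey.[domain], rejecting malformed input."""
    selector = selector.strip().rstrip(".")
    domain = domain.strip().rstrip(".")
    if not _NAME.match(selector) or not _NAME.match(domain):
        raise ValueError("invalid selector or domain")
    return f"{selector}._domainkey.{domain}".lower()

def parse_tags(record):
    """Split a DKIM key record into tag=value pairs (RFC 6376 tag-list)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            # Whitespace inside a value (folded base64) is not significant.
            tags[name.strip()] = "".join(value.split())
    return tags

def classify(txt_strings):
    """txt_strings: character-strings of the TXT answer, or None if no answer."""
    if not txt_strings:
        # Stale or wrong selector is the usual cause; not proof DKIM is absent.
        return "inconclusive"
    # A long key is split across several strings; join with no separator.
    tags = parse_tags("".join(txt_strings))
    if tags.get("v", "DKIM1") != "DKIM1" or "p" not in tags:
        return "not-a-dkim-key"
    if tags["p"] == "":
        return "revoked"  # empty p= means the key was withdrawn
    return "key-published"

if __name__ == "__main__":
    # Constructed answers keyed by selector; the key material is truncated filler.
    answers = {
        "selector1": ["v=DKIM1; k=rsa; p=MIIBIjANBgkq", "hkiG9w0BAQEF"],
        "old2019": ["v=DKIM1; p="],
        "guess": None,
    }
    for sel, txt in answers.items():
        print(dkim_query_name(sel, "example.com"), "->", classify(txt))
```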