Discover selectors
We try 12 common names automatically. Custom selectors you enter once.
Product · DKIM
DKIM selectors that don't suddenly disappear.
Multi-selector discovery, key-length audit, rotation reminders. Before an expired key silently halves your deliverability.
DKIM selectors
5 active, 1 rotation overdue
selector1
google
mailgun
sendgrid1
k1
mailgun._domainkey
Overdue
468 days since last rotation
k1._domainkey
RSA-1024
Weak key · upgrade recommended
How it works
From first scan to rotation
Audit keys
Key length, algorithm, publication date, DNS format. Weak keys are flagged.
Plan rotation
Reminders at 90, 180, 365 days. Integrated dual-selector instructions.
Features
What DKIM monitoring has to deliver
Multi-selector discovery (12 common + custom)
Key-length audit (RSA 1024 vs 2048+)
Algorithm detection (RSA, Ed25519)
Rotation reminders (90/180/365 days)
DNS-TXT split detection (long records)
CNAME selector support (Mailgun, Sendgrid)
Provider detection (Google, M365, Mailchimp)
Continuous monitoring with alerts on selector loss
DNS record
Public key as a TXT entry
What a DKIM selector looks like
v=DKIM1 marks the version. k=rsa (or ed25519) the algorithm. p=… contains the base64-encoded public key.
The host follows the scheme <selector>._domainkey.<domain>. Some DNS providers split long TXT records at 255 characters — Mailantis checks for correct multi-line concatenation.
Host: selector1._domainkey.example.com · Type: TXTv=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC9...IDAQAB
Pricing
DKIM monitoring in every plan
Monitoring
from €30/ month per domain
Selector discovery, key audit, rotation reminders, Slack/webhook alerts. Scales with domain count.
Open appEnterprise & Partner
on request
Multi-tenancy (MSP), white-label, bulk audit, SSO, custom SLA. Consolidated invoice across sub-orgs.
Get in touchFAQ
Common questions about DKIM
What is a DKIM selector?
A selector is a DNS subdomain prefix under which the DKIM public key is published, e.g. selector1._domainkey.example.com. A sender can run multiple selectors in parallel — useful for key rotation without signature outage.
Which key length is safe?
RSA with at least 2048 bits is today's standard. 1024 bits has been considered crackable by state actors for years and is flagged as weak by many recipients. Ed25519 is a modern, shorter key type — but not yet supported everywhere.
How do I rotate DKIM keys without downtime?
With the dual-selector pattern: publish a new selector with a new key, switch your sender software to the new selector, leave the old selector active for 7–14 days (for in-flight mail), then remove it.
My selector isn't detected — why?
Mailantis tries the 12 most common selector names (default, google, selector1/2, k1, mail and others). For custom selectors, enter the name once in your account — after that monitoring runs automatically.
Ed25519 instead of RSA — does it make sense?
It makes sense as an additional selector (e.g. alongside RSA-2048), not as a replacement. Some recipients don't validate Ed25519 yet — the parallel RSA key remains a safety net. Mailantis monitors both types.