
It is possible to set a "subdomain" in the DKIM DNS record name. This "subdomain" is called a selector. It allows having multiple DKIM keys for the same domain.

There is something I do not understand about the DKIM verification.

Let's suppose Bob sends a mail to Alice. How should Alice's mail server know this selector? This selector is not shown in the DMARC record (or anywhere else), so how can the destination mail server know the selector name?

Thanks

Bob5421

3 Answers

It's contained in the DKIM header.

Example:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=default;

This corresponds to the TXT record under the following DNS name:

default._domainkey.example.com

Gerald Schneider

The DKIM-Signature header field in the e-mail message itself contains the selector used (as well as the d= domain) as a mandatory part of the signature / header:

RFC 6376

s= The selector subdividing the namespace for the "d=" (domain) tag
  (plain-text; REQUIRED).

  Internationalized selector names MUST be encoded as A-labels, as
  described in Section 2.3 of [RFC5890].

  ABNF:

  sig-s-tag    = %x73 [FWS] "=" [FWS] selector
  ... 
    INFORMATIVE EXAMPLE of a signature header field spread across
    multiple continuation lines:

   DKIM-Signature: v=1; a=rsa-sha256; d=example.net; s=brisbane;
      c=simple; q=dns/txt; i=@eng.example.net;
      t=1117574938; x=1118006938;
      h=from:to:subject:date;
      z=From:foo@eng.example.net|To:joe@example.com|
       Subject:demo=20run|Date:July=205,=202005=203:44:08=20PM=20-0700;
      bh=MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTI=;
      b=dzdVyOfAKCdLXdJOc9G2q8LoXSlEniSbav+yuU4zGeeruD00lszZVoG4ZHRNiYzR

which corresponds to a brisbane._domainkey.example.net DNS record

HBruijn

The selector is on the DKIM-Signature header that is added to the email by the signer, along with the signing domain identifier (SDID).

The selector is on the s= tag and, together with the domain in the d= tag, you have everything you need to look up the record on the DNS.

This selector is not shown in DMARC record

The selector should be present in the <record><auth_results><dkim><selector>...</selector></dkim></auth_results></record> element. Although I wonder why a reporting server would leave the selector out, its presence is not a strict requirement.

fvsdpl
  • I have no DKIM-Signature header in the mail I am sending. But DKIM verification is still working! Do you think some mail server looks at a default selector by default? Thanks – Bob5421 Sep 13 '22 at 15:36
  • When one is setting up DKIM one must choose a selector to use on one's email software, _and_ configure DNS accordingly. There's no default value for the selector. If your emails are being signed somehow, that's because some server along the way is doing it. Debugging this is simple: check the domain (`d=`) tag on the signature headers, and you'll see the DNS domain name that added the signature. – fvsdpl Sep 15 '22 at 07:36
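As an added example (not code from any of the answers above, and not from any library the thread names), the following Python walks through the steps HBruijn's and fvsdpl's answers describe: unfold the message headers, parse every DKIM-Signature tag list, build `<s>._domainkey.<d>` as the DNS lookup name, and sanity-check the key record that comes back. The second signature is the RFC 6376 example quoted above, whose `bh=`/`b=` values are placeholders that no key can verify, so the example stops at the key lookup and does not check `b=`. The relay signature (`d=relay.example.org`, `s=fwd2023`), the `FAKE_DNS` mapping and its `p=` value are constructed stand-ins for a real resolver and real keys.

```python
"""Find the DKIM key lookup name (s=/d= tags) and sanity-check the key record."""
import base64

# Constructed sample headers (not from the original thread). The second
# DKIM-Signature is the informative example from RFC 6376 Section 3.5, whose
# bh= and b= values are placeholders in the RFC; the first is a made-up
# signature of the kind a forwarding relay adds under its own domain.
SAMPLE_HEADERS = """\
From: foo@eng.example.net
To: joe@example.com
Subject: demo run
DKIM-Signature: v=1; a=rsa-sha256; d=relay.example.org; s=fwd2023;
   c=relaxed/relaxed; h=from:to:subject; bh=MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTI=;
   b=ZmFrZXNpZ25hdHVyZQ==
DKIM-Signature: v=1; a=rsa-sha256; d=example.net; s=brisbane;
   c=simple; q=dns/txt; i=@eng.example.net;
   t=1117574938; x=1118006938;
   h=from:to:subject:date;
   z=From:foo@eng.example.net|To:joe@example.com|
    Subject:demo=20run|Date:July=205,=202005=203:44:08=20PM=20-0700;
   bh=MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTI=;
   b=dzdVyOfAKCdLXdJOc9G2q8LoXSlEniSbav+yuU4zGeeruD00lszZVoG4ZHRNiYzR
"""

# Constructed stand-in for DNS. The p= value is base64 of the right shape, not
# anyone's real key; the empty p= on the relay's record is how RFC 6376
# Section 3.6.1 signals a revoked key.
FAKE_DNS = {
    "brisbane._domainkey.example.net": "v=DKIM1; k=rsa; h=sha256; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDA",
    "fwd2023._domainkey.relay.example.org": "v=DKIM1; k=rsa; p=",
}

REQUIRED_SIG_TAGS = ("v", "a", "b", "bh", "d", "h", "s")


def unfold_headers(raw: str) -> list[tuple[str, str]]:
    """Unfold RFC 5322 header fields: a line starting with whitespace continues
    the previous field (this is how a multi-line DKIM-Signature is carried)."""
    fields: list[tuple[str, str]] = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            fields.append((name.strip(), value.strip()))
    return fields


def parse_tag_list(value: str) -> dict[str, str]:
    """Parse a DKIM tag=value list (RFC 6376 Section 3.2): tags are separated by
    ';' and only the first '=' splits tag from value, so z= and b= stay intact."""
    tags: dict[str, str] = {}
    for item in value.split(";"):
        item = item.strip()
        if not item:
            continue
        tag, sep, val = item.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {item!r}")
        tags[tag.strip()] = "".join(val.split())  # folding whitespace is not part of a value
    return tags


def dkim_signatures(raw_headers: str) -> list[dict[str, str]]:
    """Parsed tag list of every DKIM-Signature header, in message order."""
    return [parse_tag_list(value) for name, value in unfold_headers(raw_headers)
            if name.lower() == "dkim-signature"]


def dkim_dns_name(sig: dict[str, str]) -> str:
    """The name a verifier queries for the TXT record: <s=>._domainkey.<d=>."""
    missing = [t for t in REQUIRED_SIG_TAGS if t not in sig]
    if missing:
        raise ValueError(f"DKIM-Signature is missing required tag(s): {missing}")
    if sig["v"] != "1":
        raise ValueError(f"unsupported DKIM version {sig['v']!r}")
    return f"{sig['s']}._domainkey.{sig['d']}"


def parse_dkim_record(txt: str) -> dict:
    """Parse the key record (RFC 6376 Section 3.6.1) into what the verifier needs."""
    rec = parse_tag_list(txt)
    if rec.get("v", "DKIM1") != "DKIM1":
        raise ValueError(f"not a DKIM key record: v={rec['v']!r}")
    if "p" not in rec:
        raise ValueError("key record has no p= tag")
    if rec["p"] == "":
        raise ValueError("key revoked (empty p=)")
    return {
        "key_type": rec.get("k", "rsa"),
        "hash_algs": rec["h"].split(":") if rec.get("h") else None,  # None = any
        "public_key_der": base64.b64decode(rec["p"], validate=True),  # raises on bad base64
    }


def key_matches_signature(sig: dict[str, str], rec: dict) -> bool:
    """Is the key record usable for the signature's a= algorithm (e.g. rsa-sha256)?"""
    key_type, _, hash_alg = sig["a"].partition("-")
    if rec["key_type"] != key_type:
        return False
    return rec["hash_algs"] is None or hash_alg in rec["hash_algs"]


def check_signatures(raw_headers: str, dns: dict[str, str]) -> list[tuple[str, str, str]]:
    """For every DKIM-Signature: (signing domain d=, DNS lookup name, key status).
    `dns` stands in for a real resolver so this runs offline; a real verifier
    would go on to check b= against the canonicalized headers."""
    results = []
    for sig in dkim_signatures(raw_headers):
        try:
            name = dkim_dns_name(sig)
        except ValueError as exc:
            results.append((sig.get("d", "?"), "-", f"unusable: {exc}"))
            continue
        txt = dns.get(name)
        if txt is None:
            status = "no key record at that name"
        else:
            try:
                rec = parse_dkim_record(txt)
                status = "key usable" if key_matches_signature(sig, rec) else "key/algorithm mismatch"
            except ValueError as exc:  # binascii.Error from b64decode is a ValueError too
                status = f"unusable: {exc}"
        results.append((sig["d"], name, status))
    return results


if __name__ == "__main__":
    for domain, name, status in check_signatures(SAMPLE_HEADERS, FAKE_DNS):
        print(f"signed by d={domain:<20} lookup {name:<40} -> {status}")
```

With two signatures present, the `d=` of each line of output shows which system added it, which is the debugging approach fvsdpl's comment describes; a revoked key (empty `p=`) is reported as such rather than being confused with a name that does not exist in DNS.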