
Background

When using third-party tools which send mail from your domain, you often need to set up DKIM records with selectors defined by the third party. E.g. for MailChimp you're asked to set up:

  • k2._domainkey.example.com
  • k3._domainkey.example.com

The selectors (k2/k3) must match those defined by the third party, in order to function as expected / match the selectors sent in the mail's headers.

According to this answer, DKIM selectors must also be unique; i.e. you cannot have multiple public keys associated with the same DKIM selector (so whilst DNS would allow me to create 2 TXT records called k2._domainkey.example.com, that would lead to unexpected functionality; most likely intermittent mail failures).

However, there's no rule to ensure that the third parties provide unique selectors, or even standards to make collisions less likely (i.e. MailChimp don't suggest using mailchimp1._domainkey.example.com or anything like that). Most examples of DKIM records I've seen have a 3-character selector (typically 2 characters and a number), giving only a few thousand unique selectors, so collisions are reasonably likely.

Note: I mention MailChimp above as that's a well known example mail provider; but this is a generic question, rather than specific to that provider.

Question

What options are available when DKIM selector collisions occur?

Is it possible to satisfy both providers' requirements, or is that only possible where the providers have added functionality to allow you to specify your own selector value?

JohnLBevan

1 Answer


DKIM selectors are arbitrary strings. They're used to locate the corresponding public key in DNS, and can be virtually anything that is valid as a DNS label.

Having said that, selectors provided by email providers usually have the provider name -- or something that resembles it -- so it is unlikely that there will be a clash. For example, Google Workspace uses google as its selector, and it would be very weird if another provider used the same selector. Obviously, if the provider gives you a way to change the DKIM selector, you can set it to anything, but then it is your choice.

Lastly, that answer you linked is wrong, or at least incomplete. From a strictly technical POV, DKIM allows multiple keys from a single selector:

6.1.2. Get the Public Key

(...)

  4. If the query for the public key returns multiple key records, the Verifier can choose one of the key records or may cycle through the key records (...)

RFC 6376, section 6.1.2, item 4

It is just that selectors in the DNS cannot have multiple entries, due to a technical limitation. In theory, if another mechanism of storing DKIM selectors is used in the future, and if this mechanism supports multiple keys per selector, then DKIM will work just fine. The quote in that answer refers to unique selector names.

fvsdpl
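The question's collision scenario and the answer's RFC 6376 quote both come down to what a verifier actually does with the name `<selector>._domainkey.<domain>`. The script below is an added example for this thread, not code from either poster: it builds that query name, parses DKIM key records the way section 3.6 describes (concatenating the TXT character-strings, tag=value syntax, empty p= meaning revoked), and reports when a selector has more than one live key, which is the situation item 4 of section 6.1.2 leaves to the verifier's choice. DNS is replaced by an in-memory table of constructed TXT records so it runs offline, and the p= values are placeholder text, not real keys.

```python
"""Resolve a DKIM selector as a verifier does and flag shared selectors.

Added example for this thread, not code from either poster. DNS is a
constructed in-memory table; key material is placeholder text.
"""

import re
from dataclasses import dataclass

# RFC 6376 section 3.6.2.1: the key lives at <selector>._domainkey.<domain>
DOMAINKEY_LABEL = "_domainkey"

# Selector syntax (RFC 6376 section 3.1): dot-separated DNS labels of letters,
# digits and '-', with no leading or trailing '-'.
_SELECTOR_RE = re.compile(
    r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)*")


def query_name(selector: str, domain: str) -> str:
    """Return the DNS name a verifier queries for this selector/domain."""
    if not _SELECTOR_RE.fullmatch(selector):
        raise ValueError(f"selector {selector!r} is not a valid DNS name")
    return f"{selector}.{DOMAINKEY_LABEL}.{domain}".lower()


def parse_tag_list(text: str) -> dict:
    """Parse an RFC 6376 section 3.2 tag=value list.

    Tag names are case-sensitive, folding whitespace around '=' and inside
    values is dropped (so a base64 p= split over lines joins up), and a
    repeated tag is a syntax error.
    """
    tags = {}
    for spec in text.split(";"):
        if not spec.strip():
            continue  # trailing ';' or empty spec
        if "=" not in spec:
            raise ValueError(f"malformed tag-spec {spec!r}")
        name, value = spec.split("=", 1)
        name = name.strip()
        if name in tags:
            raise ValueError(f"duplicate tag {name!r}")
        tags[name] = "".join(value.split())
    return tags


@dataclass
class DkimKey:
    name: str         # DNS name the record was found at
    key_type: str     # k= tag, default rsa
    public_key: str   # p= tag (base64); empty means revoked (section 6.1.2 item 6)

    @property
    def revoked(self) -> bool:
        return self.public_key == ""


def parse_key_record(name: str, strings: tuple) -> DkimKey:
    """Turn one TXT RR (a tuple of character-strings) into a key record.

    RFC 6376 section 3.6.2.2: concatenate the strings before parsing, which
    is how a key longer than 255 bytes is published.
    """
    tags = parse_tag_list("".join(strings))
    if tags.get("v", "DKIM1") != "DKIM1":
        raise ValueError(f"{name}: unsupported version {tags['v']!r}")
    if "p" not in tags:
        raise ValueError(f"{name}: required p= tag missing")
    return DkimKey(name=name, key_type=tags.get("k", "rsa"), public_key=tags["p"])


def lookup_keys(selector: str, domain: str, zone: dict) -> list:
    """Every key record a verifier could use for this selector, in DNS order.

    `zone` maps DNS names to the TXT RRs at that name (a stand-in for a
    resolver). TXT records that are not DKIM key records are skipped;
    revoked keys are kept so the caller can see them.
    """
    name = query_name(selector, domain)
    keys = []
    for strings in zone.get(name, []):
        try:
            keys.append(parse_key_record(name, strings))
        except ValueError:
            continue
    return keys


def has_selector_collision(selector: str, domain: str, zone: dict) -> bool:
    """True when more than one live key is published under one selector.

    RFC 6376 section 6.1.2 item 4 lets the verifier pick any one of those
    records or try each in turn, so whether provider A's signature verifies
    then depends on the verifier, not on the zone.
    """
    live = [k for k in lookup_keys(selector, domain, zone) if not k.revoked]
    return len(live) > 1


def keys_for_signature(dkim_signature: str, zone: dict) -> list:
    """From a DKIM-Signature header value (its d= and s= tags) to candidate keys."""
    sig = parse_tag_list(dkim_signature)
    return lookup_keys(sig["s"], sig["d"], zone)


# Constructed zone: DNS name -> list of TXT RRs, each a tuple of
# character-strings. The p= values are short placeholders, not real keys.
SAMPLE_ZONE = {
    "k2._domainkey.example.com": [
        ("v=DKIM1; k=rsa; p=UFJPVklERVJBS0VZ",),          # published for provider A
        ("v=DKIM1; k=rsa; p=UFJPVklERVJCS0VZ",),          # later added for provider B
    ],
    "google._domainkey.example.com": [
        ("v=DKIM1; k=rsa; h=sha256; p=R09PR0xF", "S0VZ"),  # one RR split into two strings
    ],
    "k3._domainkey.example.com": [
        ("v=DKIM1; p=",),                                 # revoked key
        ("verification-token=abc123",),                   # unrelated TXT at the same name
    ],
}

# Constructed DKIM-Signature value as a provider-A mail would carry it
# (bh= and b= are placeholders).
SAMPLE_SIGNATURE = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=k2;"
                    " h=from:to:subject:date; bh=Zm9v; b=YmFy")

if __name__ == "__main__":
    for sel in ("k2", "google", "k3"):
        found = [k.public_key or "<revoked>" for k in lookup_keys(sel, "example.com", SAMPLE_ZONE)]
        flag = "COLLISION" if has_selector_collision(sel, "example.com", SAMPLE_ZONE) else ""
        print(sel, found, flag)
    print("candidates for sample signature:", len(keys_for_signature(SAMPLE_SIGNATURE, SAMPLE_ZONE)))
```

Pointed at a real zone, `lookup_keys` would be fed the TXT answer set from a resolver instead of `SAMPLE_ZONE`; the collision check is the one to run before publishing a second provider's record under a selector name you already use.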