A receiver tried to verify a DKIM signature but the selector referenced in the message header has no DNS record. This causes DKIM to fail with "no key for signature" and breaks DMARC alignment via DKIM.
Verify which selector is in your outgoing email headers, then publish the matching TXT record at {selector}._domainkey.yourdomain.com.
Every DKIM-signed email contains a header like "DKIM-Signature: v=1; a=rsa-sha256; d=yourdomain.com; s=selector1" — the s= tag identifies the selector. The receiver looks up selector1._domainkey.yourdomain.com to fetch the public key. If that DNS record doesn't exist, DKIM verification fails immediately.
A missing selector means every signed message from that selector fails DKIM. DMARC alignment via DKIM also fails, which can flip DMARC pass to fail when SPF doesn't align either. Spam filters lose a positive signal, increasing the chance your mail goes to junk.
Send a test email to a Gmail or Outlook account, view headers, and look at the DKIM-Signature line. The s= tag is your selector.
# Example DKIM-Signature header:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=yourdomain.com; s=google20240301; t=1234567890;
bh=...; b=...Run a DNS query for {selector}._domainkey.yourdomain.com. If it returns NXDOMAIN or empty, that's your problem.
dig +short TXT google20240301._domainkey.yourdomain.comLog into your email provider (Google Workspace, Microsoft 365, SendGrid, etc.) and find the DKIM setup section. Copy the exact key value or CNAME target they specify.
Add a TXT (or CNAME) record at {selector}._domainkey.yourdomain.com with the value from your provider.
# TXT record example:
selector1._domainkey IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GN..."
# CNAME record example (Microsoft 365):
selector1._domainkey IN CNAME selector1-yourdomain-com._domainkey.yourtenant.onmicrosoft.com.After 5-10 minutes, query the selector again. The record should return the public key.
dig +short TXT selector1._domainkey.yourdomain.comAfter making changes, use our free scanner to verify the fix is working correctly. DNS changes can take up to 48 hours to propagate, but most propagate within minutes.
Send a test email to any external address you can read headers on (Gmail "Show original" works well). Look for the DKIM-Signature header — the s= value is the selector.
Yes, and it's common — different sending services (your email host, your marketing platform, your CRM) each use their own selector. Each must have its own _domainkey record.
They are essentially the same — the receiver couldn't locate the public key in DNS. "Selector not found" emphasizes the lookup miss; "record not found" emphasizes the DNS record absence. The fix is identical.
More DKIM resources — tools to verify, setup guides, deeper reading, and compliance context.