Multiple DKIM records

Multiple DKIM selectors are normal. Multiple records at the same selector are not. Here is how to find the selector, remove duplicates, and avoid breaking active signatures.

Quick answers

Can a domain have multiple DKIM records?
Yes, a domain can have many DKIM selectors. That is normal. The error means one selector name returned multiple conflicting DNS records, or the checker found both CNAME and TXT data at the same selector.
Should I merge two DKIM public keys into one record?
No. DKIM public keys cannot be merged. Keep one valid key per selector, or configure one provider to use a different selector.
How do I find which DKIM selector is failing?
Look at the DKIM-Signature header in a message. The s= tag is the selector and the d= tag is the signing domain. Query selector._domainkey.domain, built from those two values, with dig or nslookup.
Is a long DKIM key split into quoted strings a duplicate record?
Not necessarily. A single TXT record may contain multiple quoted strings on one DNS answer line. It is a problem when the selector returns multiple separate TXT answers or a TXT answer plus a CNAME.
Can old DKIM selectors stay in DNS after key rotation?
Yes, for a short grace period. Old selectors at different names do not cause multiple-record errors. Remove them after in-flight mail signed with the old selector has aged out.

The exact error

DKIM checkers and mail gateways use several versions of this warning:

Multiple DKIM records found
Selector returned multiple DKIM records
Duplicate DKIM TXT records
DKIM record has both CNAME and TXT data

The fix depends on the selector. DKIM does not look up a single record for the whole domain. It looks up a selector-specific DNS name.

DKIM selectors: what is allowed

A DKIM signature contains two tags that identify the public key:

DKIM-Signature: v=1; d=example.com; s=selector1; ...

The receiver combines them into this DNS lookup:

selector1._domainkey.example.com

A domain can have many selectors:

google._domainkey.example.com
selector1._domainkey.example.com
mailchimp._domainkey.example.com
s2026._domainkey.example.com

That is normal. It lets different providers sign mail independently and lets you rotate keys without downtime. The problem is multiple conflicting records at the same selector name.

Step 1: identify the failing selector

If you have a failed message, open the full headers and find DKIM-Signature. Extract:

  • s= - selector
  • d= - signing domain

Then query the DNS name:

dig TXT selector1._domainkey.example.com +short
dig CNAME selector1._domainkey.example.com +short

On Windows:

nslookup -type=TXT selector1._domainkey.example.com
nslookup -type=CNAME selector1._domainkey.example.com
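A message can carry more than one DKIM-Signature header, and the tags are often folded across lines. The following added example (not part of the original page) extracts every s=/d= pair from raw headers and builds the DNS names to query; the function name and the sample headers are constructed for illustration.

```python
from email import message_from_string

def dkim_lookup_names(raw_headers):
    """Return the selector DNS name for every DKIM-Signature header, in order."""
    names = []
    msg = message_from_string(raw_headers)
    for value in msg.get_all("DKIM-Signature", []):
        tags = {}
        for item in value.split(";"):
            if "=" not in item:
                continue
            # Split on the first "=" only: b= and bh= hold base64 with "=" padding.
            tag, val = item.split("=", 1)
            # Folded headers put whitespace and line breaks inside values; drop it.
            tags[tag.strip()] = "".join(val.split())
        if "s" in tags and "d" in tags:
            name = f"{tags['s']}._domainkey.{tags['d']}".lower()
            if name not in names:
                names.append(name)
    return names

# Constructed sample: two signatures, one from the domain and one from the provider.
SAMPLE_HEADERS = (
    "Received: from mail.provider.example by mx.example.net; Mon, 4 May 2026 10:00:00 +0000\n"
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;\n"
    "\td=example.com; s=selector1; h=from:to:subject;\n"
    "\tbh=Q09OU1RSVUNURUQ=; b=Q09OU1RSVUNURUQ=\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=provider.example;\n"
    " s=s2026; h=from:to:subject; bh=Q09OU1RSVUNURUQ=; b=Q09OU1RSVUNURUQ=\n"
    "From: sender@example.com\n"
    "Subject: test\n"
)

if __name__ == "__main__":
    for name in dkim_lookup_names(SAMPLE_HEADERS):
        print(name)
```

Only the names under your own domain are yours to fix; a signature with a provider's d= value is verified against the provider's DNS.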

Case 1: two TXT records at the same selector

Bad result:

"v=DKIM1; k=rsa; p=MIIBIjANBgkqhki...old"
"v=DKIM1; k=rsa; p=MIIBIjANBgkqhki...new"

Receivers do not know which public key to use, so DKIM verification can fail. This often happens when a provider asks you to "add this DKIM record" and you add a new TXT record instead of replacing the existing value for the same selector.

Fix:

  1. Confirm which provider currently signs with this selector.
  2. Keep the public key that matches the active signing configuration.
  3. Delete the stale TXT record at the same selector.
  4. Send a new test message and confirm dkim=pass.

Do not merge the p= values. DKIM public keys are not SPF includes; they cannot be combined.

Case 2: CNAME and TXT at the same selector

Some providers ask for a CNAME selector:

selector1._domainkey.example.com CNAME selector1-example-com._domainkey.provider.example

Others ask for a TXT selector:

selector1._domainkey.example.com TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhki..."

A DNS name with a CNAME must not have other record data at that same name. If a selector has both CNAME and TXT records, remove one. Follow the provider's current DKIM setup instructions and keep only the record type it expects.

Case 3: a long key split incorrectly

Long 2048-bit DKIM keys are often shown as multiple quoted strings:

"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOC..."
"...restOfTheSamePublicKey"

That can be valid if it is one TXT record containing multiple strings. With dig, a valid split usually appears as one answer line with multiple quoted chunks:

"v=DKIM1; k=rsa; p=MIIBIjAN..." "...continued..."

It is a duplicate problem when your DNS provider created two separate TXT records at the same selector. In that case, delete both and recreate the key as a single TXT record, letting the DNS provider split the value internally if needed.

Case 4: two providers using the same default selector

Many services default to selectors like selector1, selector2, google, or default. If two providers try to use the same selector for the same domain, they conflict.

Fix it by changing one provider to a unique selector, if supported. Good selector names include the provider and year:

sendgrid2026._domainkey.example.com
zendesk2026._domainkey.example.com
mailchimp2026._domainkey.example.com

If the provider does not allow custom selectors, use a delegated sending subdomain such as news.example.com or support.example.com so each service has its own DKIM namespace.

Case 5: key rotation confusion

DKIM key rotation should use a new selector. This is safe:

s2025._domainkey.example.com TXT "v=DKIM1; k=rsa; p=old..."
s2026._domainkey.example.com TXT "v=DKIM1; k=rsa; p=new..."

This is unsafe:

s1._domainkey.example.com TXT "v=DKIM1; k=rsa; p=old..."
s1._domainkey.example.com TXT "v=DKIM1; k=rsa; p=new..."

During rotation, publish the new selector, switch signing to it, keep the old selector for at least several days so in-flight mail can still verify, then remove the old selector. Do not publish two keys at one selector.

Safe fix procedure

  1. Find the selector from a real DKIM-Signature header.
  2. Query both TXT and CNAME for selector._domainkey.domain.
  3. Identify which provider owns that selector.
  4. Back up the current DNS values before deleting anything.
  5. Keep one valid TXT record or one valid CNAME record, not both.
  6. Wait for DNS TTL to expire.
  7. Send a new test message from the affected provider.
  8. Confirm dkim=pass in the received message headers.

Validate the fix

Query the selector directly:

dig TXT selector1._domainkey.example.com @1.1.1.1 +short
dig CNAME selector1._domainkey.example.com @1.1.1.1 +short

You should see one TXT answer that starts with v=DKIM1, or one CNAME answer pointing to the provider's DKIM host. Then send a fresh test message and inspect Authentication-Results for dkim=pass.
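The check above and Cases 1 to 3 can be automated. This added example (not from the original page) classifies the answer section printed by `dig +noall +answer` for the TXT and CNAME queries. It uses that output instead of `+short` because `+short` drops owner names, so a CNAME that is followed to the provider's TXT record looks the same as a CNAME and TXT at one selector. The function name, verdict strings, and sample answers are constructed.

```python
import re

# One quoted character-string inside dig's presentation of TXT rdata.
_QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')

def _norm(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.rstrip(".").lower()

def classify_selector(name, answer_text):
    """Classify combined `dig +noall +answer` TXT and CNAME output for one selector."""
    txt_values, cnames = set(), set()
    for line in answer_text.splitlines():
        parts = line.split(None, 4)  # owner, ttl, class, type, rdata
        if line.startswith(";") or len(parts) < 5:
            continue
        owner, _ttl, _cls, rtype, rdata = parts
        if _norm(owner) != _norm(name):
            continue  # record lives at a CNAME target, not at the selector itself
        if rtype == "TXT":
            # Strings inside ONE record concatenate with no separator (Case 3).
            chunks = _QUOTED.findall(rdata)
            txt_values.add("".join(re.sub(r"\\(.)", r"\1", c) for c in chunks))
        elif rtype == "CNAME":
            cnames.add(_norm(rdata))
    if cnames and txt_values:
        return "cname_and_txt"      # Case 2
    if len(txt_values) > 1:
        return "duplicate_txt"      # Case 1
    if cnames:
        return "ok_cname"
    if txt_values:
        value = next(iter(txt_values))
        return "ok_txt" if value.startswith("v=DKIM1") else "unexpected_txt"
    return "missing"

# Constructed answer sections (key material is placeholder text, not a real key).
SEL = "selector1._domainkey.example.com"
SPLIT_OK = SEL + '. 300 IN TXT "v=DKIM1; k=rsa; p=CONSTRUCTEDPART1" "CONSTRUCTEDPART2"\n'
DUPLICATE = (SEL + '. 300 IN TXT "v=DKIM1; k=rsa; p=CONSTRUCTEDOLD"\n'
             + SEL + '. 300 IN TXT "v=DKIM1; k=rsa; p=CONSTRUCTEDNEW"\n')
TARGET = "selector1-example-com._domainkey.provider.example."
CNAME_OK = (SEL + ". 300 IN CNAME " + TARGET + "\n"
            + TARGET + ' 300 IN TXT "v=DKIM1; k=rsa; p=CONSTRUCTEDKEY"\n')
CNAME_AND_TXT = (SEL + ". 300 IN CNAME " + TARGET + "\n"
                 + SEL + '. 300 IN TXT "v=DKIM1; k=rsa; p=CONSTRUCTEDKEY"\n')

if __name__ == "__main__":
    print(classify_selector(SEL, DUPLICATE))
```

Feed it the concatenated output of both queries for the same selector; anything other than ok_txt or ok_cname maps to one of the cases described earlier.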

Use the DMARCTrust DMARC checker to validate the domain's public authentication DNS and catch related SPF or DMARC issues that can still cause delivery failures after DKIM is fixed.

Prevention

  • Give every provider a unique selector when the provider supports custom selectors.
  • Document which service owns each DKIM selector.
  • Use new selectors for key rotation instead of replacing keys in place.
  • Remove stale selectors only after you confirm no current mail signs with them.
  • Monitor DMARC aggregate reports for sudden DKIM failure spikes by source and selector.


Last updated: May 2026
