How to edit DKIM selector?

I have done this manually so many times in the last fortnight, it has never caused me problems at all.

This probably wouldn’t have come up as an issue if VMin install used the first word of the host name as selector like it used to.

It’s a one minute task that I now do every fresh install.

Edit “selector ” to be “selector ”, Virtualmin, Email Settings, DomainKeys etc, click No, Yes, then Save.

Bingo, new selector in place. This before I add any domains.

So you can cross this off my wishlist.

I just wish it had been answered a couple of years ago.

Yeah, I don’t see why not have it configurable in Virtualmin module config.

Though, can you explain more about your thinking on why you care in the first place about changing the DKIM selector if it works either way?

Due to ISP change I had to change the IP and hostname for the server.

Then when checking DKIM etc. it bothered me to see the old server name, wondering what the ramifications were - hence my first unanswered request in September 25.

Then setting up a new server once VMin 8 had EL10 compatibility, and I saw that it had changed to a number. That was a nuisance as I had to keep checking what it was if I was testing DKIM with e.g. mxtoolbox. So much easier if it is the hostname.

So I started this thread and it just felt like I was at fault for asking.

Turns out it’s just a label, and no good reason why it shouldn’t be the hostname, also no good reason why we shouldn’t be able to change it if we choose.

Seriously, probably 99% won’t ever touch it.

Once I get EL10 working 100% with VMin 8 with no bugs, I probably won’t ever change it after the initial change.

Maybe just add it to the docs and people like me can find it if they feel the need.

Even this thread won’t be as useful as it could have been as it has become so long.

  • Should be per domain
  • settable in server template

DKIM key rotation is a thing for security.

Extreme case, a tech savvy employee steals the keys and then is fired.

How about keeping the selector and regenerating the keys?

  • Why Selectors Exist
    • Multiple keys for one domain: You can have different keys for different services (marketing vs. transactional email)
    • Key rotation: New keys get new selectors, allowing old and new to coexist during transitions
    • Service separation: Each email service provider can have its own selector without conflicts
    • Troubleshooting: If one service has issues, you can identify it by selector
  • Selector Naming Best Practices

Seems on point.

Why not use an input called “Selector for DKIM record name” to enter the selector you want, when DKIM is disabled?

So you let this thread go for 3 weeks, before you shared this simple answer?

On my system it only displays. It’s just like the one shown.

You know what—you’re right! I missed that too, my apologies!

The reason it’s easy to miss is that we should always show the input field but keep it disabled.

You need to click No to: Signing of outgoing mail enabled, then Save and return to the form. You can then edit the selector, click Yes to the above question and Save again.

So simple if only we all knew. 🙂

What about a mouseover telling you to disable it first?

Then again, does Signing of outgoing mail enabled need to be disabled to change it?

I have manually edited /etc/opendkim.conf, then gone to that page and hit Save without disabling/enabling. The Save action appears to do it all for me.

Yes, it’s already there. Check the commit in the link above.

That would add two DKIM DNS records to the DNS zone, meaning it won’t remove the one with the old selector.

I think this is why Jamie decided to use a text label instead of always showing it as an editable input field.

I believe it would be better to always keep it as an input field and handle the complexity on the server side rather than in the UI. @Jamie, we should be the ones handling complexity, not the users.

Yes, I suppose we could add support for changing the selector by internally re-generating all the DNS records and other OpenDKIM configs.

Would this allow key rotation or are you just looking at swapping the current values?

Changing the DKIM selector and rotating the key are two different processes.
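
The point raised in the thread, that changing the selector leaves the old `<selector>._domainkey` record in the zone and that this is not the same as rotating the key, can be checked with a small audit. The following is an added example, not code from the thread or from Virtualmin; it assumes a single `Selector` line in `/etc/opendkim.conf` as described above, and the config excerpt, zone lines and key values are constructed samples.

```python
import re

# Constructed sample inputs (not taken from a real server).
OPENDKIM_CONF = """\
Domain    example.com
Selector  mail
"""
ZONE_TXT = """\
202401._domainkey.example.com. 3600 IN TXT "v=DKIM1; k=rsa; p=AAAAKEYONE"
mail._domainkey.example.com.   3600 IN TXT "v=DKIM1; k=rsa; p=AAAAKEYONE"
old._domainkey.example.com.    3600 IN TXT "v=DKIM1; k=rsa; p=BBBBKEYTWO"
www.example.com.               3600 IN A 192.0.2.10
"""

def active_selector(conf_text):
    """Return the value of the Selector line in opendkim.conf text, or None."""
    for line in conf_text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)  # drop comments, split key/value
        if len(parts) == 2 and parts[0].lower() == "selector":
            return parts[1].strip()
    return None

def dkim_records(zone_text, domain):
    """Map selector -> public key (p= tag) for <selector>._domainkey.<domain> TXT records."""
    pat = re.compile(r'^(\S+)\._domainkey\.' + re.escape(domain) + r'\.?\s.*\bTXT\s+(.*)$', re.I)
    found = {}
    for line in zone_text.splitlines():
        m = pat.match(line.strip())
        if m:
            txt = "".join(re.findall(r'"([^"]*)"', m.group(2)))  # join split TXT strings
            tags = dict(t.strip().split("=", 1) for t in txt.split(";") if "=" in t)
            found[m.group(1)] = tags.get("p", "").replace(" ", "")
    return found

def audit(conf_text, zone_text, domain):
    """Classify each published selector relative to the one OpenDKIM signs with."""
    active = active_selector(conf_text)
    recs = dkim_records(zone_text, domain)
    report = {}
    for sel, key in recs.items():
        if sel == active:
            report[sel] = "active"
        elif key and key == recs.get(active):
            report[sel] = "stale-same-key"   # selector renamed, key NOT rotated
        else:
            report[sel] = "stale-other-key"  # leftover record for a different key
    if active is not None and active not in recs:
        report[active] = "missing"           # signing selector has no DNS record
    return report
```

A `stale-same-key` result means the old selector still publishes the key currently in use, so renaming the selector did nothing for anyone concerned about a copied private key; only regenerating the key and retiring the old record addresses that.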