
I often see DKIM configuration guides using default as the selector. Is this a special selector, or is it just a convention to use this if you only have one mail server?

In other words, if I use the selector default._domainkeys.example.com, will this entry be used to validate the signature for morespecific.selector._domainkey.example.com in the absence of an exact match, or will it only match signatures that specify d=default as the selector?


I often see DKIM configuration guides using default as the selector. Is this a special selector

It is not. There is nothing in RFC 4871 that says "default" as a selector has a specific meaning.

Instead, its section 4.1 introduces selectors as labels in the _domainkey zone this way:

To support multiple concurrent public keys per signing domain, the
key namespace is subdivided using "selectors". For example,
selectors might indicate the names of office locations (e.g.,
"sanfrancisco", "coolumbeach", and "reykjavik"), the signing date
(e.g., "january2005", "february2005", etc.), or even the individual
user.

[..]

Periods are allowed in selectors and are component separators. When
keys are retrieved from the DNS, periods in selectors define DNS
label boundaries in a manner similar to the conventional use in
domain names. Selector components might be used to combine dates
with locations, for example, "march2005.reykjavik". In a DNS
implementation, this can be used to allow delegation of a portion of
the selector namespace.

Note this also:

While some domains may wish to make selector values well known,
others will want to take care not to allocate selector names in a way that allows harvesting of data by outside parties. For example, if
per-user keys are issued, the domain owner will need to make the
decision as to whether to associate this selector directly with the
user name, or make it some unassociated random value, such as a
fingerprint of the public key.

So there is no fallback to some "default" selector, as the resolution process is governed by:

All DKIM keys are stored in a subdomain named "_domainkey". Given a
DKIM-Signature field with a "d=" tag of "example.com" and an "s=" tag of "foo.bar", the DNS query will be for "foo.bar._domainkey.example.com".

(but look at section 3.8 for explanations about how a parent can sign its children's content).
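The lookup rule quoted above, as an added example (not code from the answer or from any DKIM implementation): the verifier takes the s= and d= tags of the signature and queries exactly s._domainkey.d; a multi-component selector keeps its periods as DNS label separators, and a miss is simply a miss. The sample header and the dict standing in for DNS are constructed for this illustration.

```python
import re

# Constructed sample header (not from the page) with a multi-component
# selector of the kind RFC 4871 section 4.1 describes.
SAMPLE_HEADER = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=march2005.reykjavik;\r\n"
    "\th=from:to:subject; bh=ZmFrZQ==; b=ZmFrZQ=="
)

# Constructed stand-in for the _domainkey zone of example.com.
ZONE = {
    "default._domainkey.example.com": "v=DKIM1; k=rsa; p=<default-key>",
    "march2005.reykjavik._domainkey.example.com": "v=DKIM1; k=rsa; p=<reykjavik-key>",
}


def parse_dkim_tags(header):
    """Return the tag=value pairs of a DKIM-Signature header as a dict.
    Folded lines (CRLF followed by whitespace) are unfolded first."""
    body = header.split(":", 1)[1]
    body = re.sub(r"\r?\n[ \t]+", " ", body)
    tags = {}
    for part in body.split(";"):
        if "=" not in part:
            continue
        name, value = part.split("=", 1)  # base64 values may contain '='
        tags[name.strip()] = value.strip()
    return tags


def dkim_key_query_name(tags):
    """Build the one DNS name the verifier queries: <s>._domainkey.<d>.
    A missing s= or d= tag is a malformed signature, not a cue to guess."""
    selector, domain = tags.get("s"), tags.get("d")
    if not selector or not domain:
        raise ValueError("DKIM-Signature must carry both s= and d= tags")
    # Periods inside the selector are DNS label boundaries and stay as-is.
    return f"{selector}._domainkey.{domain}"


def resolve_key_record(tags, zone):
    """Look the query name up in the zone dict. Returns the TXT record or
    None; nothing else (no 'default' selector) is tried on a miss."""
    return zone.get(dkim_key_query_name(tags))


if __name__ == "__main__":
    tags = parse_dkim_tags(SAMPLE_HEADER)
    print(dkim_key_query_name(tags))
    print(resolve_key_record(tags, ZONE))
    print(resolve_key_record({**tags, "s": "unknown"}, ZONE))  # None: no fallback
```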
