zkemail/archive.prove.email

Have the cronjob check old selectors (or just selector1 and selector2)

Opened this issue · 0 comments

In the case of Office 365 Microsoft rotate the keys for us. I am not sure how often this is but it could be as often as weekly. i.e. in Week 1 they sign messages using selector1 (it is the active selector). Selector2 contains the new key intended to be used in week 2. When week 2 starts Microsoft begin to use selector2 as the new signing key, and after a period of a few days it creates a new key for selector1 and publishes that in DNS. After the new key has been published then any email received by mail servers after that time won’t validate with DKIM, so it is important to leave enough time to ensure mail has been delivered.

Source: https://neroblanco.co.uk/2016/04/email-arrive-signed-tenant-onmicrosoft-com/ . This means the cronjob needs to check for updated keys on selector2 as well as selector1, even when that selector is not the currently active one, otherwise the archive misses the key that was published ahead of the switch.
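A sketch of the cronjob logic described above, added here as an example and not code from this repository: on every run it polls both selectors, parses the DKIM TXT record, and archives a key whenever the published p= value differs from the last one seen for that selector. The domain, the placeholder keys and the week-1/week-2 zone snapshots are constructed for the example; the lookup_txt callback stands in for a real DNS resolver.

```python
import re

# Constructed sample zones: what DNS returns on two consecutive weekly runs.
# Key values are placeholders, not real Microsoft records.
ZONE_WEEK1 = {
    "selector1._domainkey.example.onmicrosoft.com": ["v=DKIM1; k=rsa; p=KEY_A_PLACEHOLDER"],
    # TXT records may be split into several strings; the parser joins them.
    "selector2._domainkey.example.onmicrosoft.com": ["v=DKIM1; k=rsa; ", "p=KEY_B_PLACEHOLDER"],
}
ZONE_WEEK2 = {
    # selector2 became active; selector1 was re-keyed a few days later.
    "selector1._domainkey.example.onmicrosoft.com": ["v=DKIM1; k=rsa; p=KEY_C_PLACEHOLDER"],
    "selector2._domainkey.example.onmicrosoft.com": ["v=DKIM1; k=rsa; p=KEY_B_PLACEHOLDER"],
}

def parse_dkim_txt(strings):
    """Join the TXT string fragments and return the tag=value pairs as a dict."""
    record = "".join(strings)
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)  # p= may contain folded whitespace
    return tags

def check_selectors(domain, selectors, lookup_txt, archive, now):
    """Poll every selector, not only the active one, and archive unseen keys.

    archive maps (domain, selector) -> list of (first_seen, p) in the order seen.
    Returns the (selector, p) pairs newly archived on this run."""
    newly_archived = []
    for selector in selectors:
        strings = lookup_txt(f"{selector}._domainkey.{domain}")
        if not strings:
            continue  # selector not published (yet, or any more)
        p = parse_dkim_txt(strings).get("p")
        if not p:
            continue  # empty p= means a revoked key; nothing to archive
        history = archive.setdefault((domain, selector), [])
        if not history or history[-1][1] != p:
            history.append((now, p))
            newly_archived.append((selector, p))
    return newly_archived

if __name__ == "__main__":
    archive = {}
    for week, zone in (("2024-01-01", ZONE_WEEK1), ("2024-01-08", ZONE_WEEK2)):
        print(week, check_selectors("example.onmicrosoft.com", ["selector1", "selector2"],
                                    lambda name: zone.get(name, []), archive, week))
```

Because the week-2 run still fetches selector1, the rotated key is captured even though selector2 is the one currently signing.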