Create a DKIM selector, generate your DNS TXT record, and publish the public key so receivers can verify your signed mail.
The DKIM Generator creates a cryptographic keypair and publish-ready DNS TXT record for selector._domainkey.yourdomain.com.
You get the public key for DNS and the private key to install on your mail server or ESP, enabling cryptographic signing of outbound mail.
Creates matching public and private keys in one step, RSA 1024/2048/4096 or Ed25519.
Formatted TXT value with the public key embedded, copy directly to your DNS panel.
Private key shown once, mask/reveal toggle and copy for installation on your signer.
Industry-standard key length pre-selected for compatibility with all major providers.
Provide your sending domain and a unique selector name (e.g. s1, google, mail).
Select RSA 2048 (recommended), 4096, 1024, or Ed25519 algorithm.
The tool creates the DNS TXT record, private key PEM, and public key PEM.
Add the TXT record to DNS, install the private key on your signer, then verify with the DKIM Checker.
Keep the private key secret, anyone with it can sign mail as your domain. The public key in DNS lets receivers verify signatures.
DKIM TXT record and keypair created successfully, ready to publish and install.
Non-blocking notices, e.g. 1024-bit key deprecation or DNS record length concerns.
Best balance of security and provider compatibility for most senders.
Maximum strength but longer DNS records, verify your DNS provider supports large TXT values.
TXT value starting with v=DKIM1; k=; p= containing the public key.
PEM-format signing key, install on your mail server or ESP. Never share publicly.
PEM public key for reference, the DNS record already embeds this value.
Publish at selector._domainkey.yourdomain.com as a TXT record.
Default and recommended. Avoid 1024-bit for new keys, below modern minimums.
Store in your ESP or mail server config only. Never commit to git or share via email.
Name selectors by purpose or date (s1, s2, 2026mar) to simplify key rotation.
After DNS propagation, confirm the public key is live and valid before sending signed mail.
As a TXT record at selector._domainkey.yourdomain.com, for example s1._domainkey.example.com.
2048-bit RSA is the industry standard. Use 4096-bit only if policy requires it. Avoid 1024-bit for new deployments.
The keypair is generated for your session. Store the private key immediately, treat it like a password.
A modern elliptic-curve algorithm with compact keys and fast signing. Verify your ESP supports it before use.
Each selector should map to one key. Reusing a selector overwrites the previous key, use a new selector for rotation.
RSA public keys are large. Some DNS providers split long TXT into multiple strings, the checker handles this.
DMARC checks whether SPF or DKIM passes and aligns with the From domain. DKIM signing is required for DMARC alignment via DKIM.
SenderSignal monitors these signals continuously: 48 blacklists, SPF, DKIM, DMARC, TLS and more, with alerts in Slack, email and signed webhooks.