DKIM tools

Free DKIM generator

Create a DKIM selector, generate your DNS TXT record, and publish the public key so receivers can verify your signed mail.

Create a publish-ready DKIM TXT record and keypair for your sending domain. Keep the private key secure and publish the record at {selector}._domainkey.{domain}.

About

The DKIM Generator creates a cryptographic keypair and publish-ready DNS TXT record for selector._domainkey.yourdomain.com.

You get the public key for DNS and the private key to install on your mail server or ESP, enabling cryptographic signing of outbound mail.

Keypair generation

Creates matching public and private keys in one step, RSA 1024/2048/4096 or Ed25519.

DNS-ready record

Formatted TXT value with the public key embedded, copy directly to your DNS panel.

Secure private key

Private key shown once, mask/reveal toggle and copy for installation on your signer.

2048-bit default

Industry-standard key length pre-selected for compatibility with all major providers.

How to use this tool

Enter domain & selector

Provide your sending domain and a unique selector name (e.g. s1, google, mail).

Choose key length

Select RSA 2048 (recommended), 4096, 1024, or Ed25519 algorithm.

Generate keypair

The tool creates the DNS TXT record, private key PEM, and public key PEM.

Publish & install

Add the TXT record to DNS, install the private key on your signer, then verify with the DKIM Checker.

Understanding the results

Keep the private key secret, anyone with it can sign mail as your domain. The public key in DNS lets receivers verify signatures.

Record generated

DKIM TXT record and keypair created successfully, ready to publish and install.

Warnings

Non-blocking notices, e.g. 1024-bit key deprecation or DNS record length concerns.

2048-bit RSA (recommended)

Best balance of security and provider compatibility for most senders.

4096-bit RSA

Maximum strength but longer DNS records, verify your DNS provider supports large TXT values.

Important result fields

Generated DKIM record

TXT value starting with v=DKIM1; k=; p= containing the public key.

Private key

PEM-format signing key, install on your mail server or ESP. Never share publicly.

Public key

PEM public key for reference, the DNS record already embeds this value.

Subdomain (Host)

Publish at selector._domainkey.yourdomain.com as a TXT record.

Best practices & recommendations

Use 2048-bit RSA

Default and recommended. Avoid 1024-bit for new keys, below modern minimums.

Secure the private key

Store in your ESP or mail server config only. Never commit to git or share via email.

Use unique selectors for rotation

Name selectors by purpose or date (s1, s2, 2026mar) to simplify key rotation.

Verify with the DKIM Checker

After DNS propagation, confirm the public key is live and valid before sending signed mail.

Frequently asked questions

As a TXT record at selector._domainkey.yourdomain.com, for example s1._domainkey.example.com.

2048-bit RSA is the industry standard. Use 4096-bit only if policy requires it. Avoid 1024-bit for new deployments.

The keypair is generated for your session. Store the private key immediately, treat it like a password.

A modern elliptic-curve algorithm with compact keys and fast signing. Verify your ESP supports it before use.

Each selector should map to one key. Reusing a selector overwrites the previous key, use a new selector for rotation.

RSA public keys are large. Some DNS providers split long TXT into multiple strings, the checker handles this.

DMARC checks whether SPF or DKIM passes and aligns with the From domain. DKIM signing is required for DMARC alignment via DKIM.

Run this check once, or have it watched 24/7.

SenderSignal monitors these signals continuously: 48 blacklists, SPF, DKIM, DMARC, TLS and more, with alerts in Slack, email and signed webhooks.

Start monitoring free All free tools