DKIM Record Generator

Build a valid DKIM DNS TXT record with the right tags, selector and key parameters — ready to paste into your DNS provider.

Configuration

The domain you send email from

Unique label for this key (e.g. "default", "google", "ses")

RSA is most widely supported

2048-bit recommended; 4096 may exceed DNS limits

Generated DKIM Record

DNS Record Name: default._domainkey.example.com
Record Type: TXT
Record Value: v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC3QEKyU1fSo6...paste-your-public-key-here; h=sha256
Full TXT Record:
default._domainkey.example.com IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC3QEKyU1fSo6...paste-your-public-key-here; h=sha256"
Note: The p= value above is a placeholder. You must generate your own 2048-bit RSA key pair and replace it with the Base64-encoded public key. Example using OpenSSL:
# Generate private key
openssl genrsa -out dkim_private.pem 2048
# Extract public key
openssl rsa -in dkim_private.pem -pubout -outform DER | openssl base64 -A

Implementation Steps

  1. Generate a 2048-bit RSA key pair using OpenSSL or your email provider's tools.
  2. Configure your mail server or email service to sign outgoing messages with the private key using selector default.
  3. Log in to your DNS provider and create a TXT record with name default._domainkey.example.com.
  4. Paste the record value above into the TXT record content, replacing the placeholder public key with your real key.
  5. Wait for DNS propagation (usually 5–30 minutes), then send a test email and verify the DKIM signature passes using a DKIM checker.

Frequently Asked Questions

What is DKIM and why do I need it?

DKIM (DomainKeys Identified Mail) is an email authentication method that lets a sending domain digitally sign outgoing messages. Receiving mail servers verify the signature using a public key published in DNS, which helps prove the message was not tampered with in transit and truly originates from the claimed domain.

What is a DKIM selector?

A selector is a label you choose that identifies a specific DKIM key pair. It appears as a prefix in the DNS record name (e.g., default._domainkey.example.com). Using selectors lets you rotate keys or use different keys for different sending services without conflicts.

Which key size should I use?

2048-bit RSA keys are recommended for most use cases. They provide strong security and are widely supported. 1024-bit keys are considered weak by modern standards. 4096-bit keys offer extra security but some DNS providers have trouble with the large TXT record.

What does testing mode (t=y) do?

When testing mode is enabled (t=y), receiving servers are told that the domain is still testing DKIM. Messages that fail DKIM verification should not be treated differently. Remove this flag once you have confirmed that signing works correctly.

Do I still need to generate my own key pair?

Yes. This tool generates the DNS record syntax with the correct tags and formatting, but the actual RSA or Ed25519 key pair must be generated separately using tools like OpenSSL. You then paste the public key into the p= tag of the record.

Complete Guide: How to Use the DKIM Record Generator

Generate DKIM key pairs and DNS records for email authentication. Our tool creates the public/private key pair, formats the DNS TXT record, and provides step-by-step instructions for publishing the key and configuring your mail server.

Step-by-Step Instructions

  1. Enter your domain
     Type the domain you want to create DKIM keys for (e.g., example.com).

  2. Choose a selector
     Enter a selector name (e.g., 'mail', 'dkim', 'default'). This creates the DNS name: selector._domainkey.domain.

  3. Select key length
     Choose 2048-bit (recommended) or 1024-bit. Longer keys are more secure but some older DNS providers have TXT record length limits.

  4. Generate and configure
     Copy the DNS TXT record (public key) to your DNS and configure your mail server with the private key.

Common Use Cases

  • Email setup — generate DKIM keys when configuring a new mail server
  • Key rotation — create new DKIM keys as part of regular security maintenance
  • Custom email — set up DKIM for self-hosted mail servers (Postfix, Exim, etc.)
  • Multiple selectors — create separate DKIM keys for different email services
  • Migration — generate new keys when moving to a new mail infrastructure
  • Testing — create DKIM keys for development and staging environments

Pro Tips

💡 Always use 2048-bit keys. If your DNS provider has a 255-character TXT record limit, you may need to split the key across multiple strings.
💡 Keep the private key secret: if it's compromised, an attacker can sign emails as your domain.
💡 Use different selectors for different email services so you can rotate keys independently.
💡 After publishing the DNS record, use our DKIM Checker tool to verify it's correctly configured.
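
The 255-character split from the first tip, worked through as an added example (not this tool's own code): it builds the record value with the tags shown above, cuts it into TXT strings, and rejoins them the way a verifier does. The function names and SAMPLE_KEY are assumptions; SAMPLE_KEY is constructed filler of the same length as a 2048-bit RSA public key, not a usable key.

```python
import base64

MAX_TXT_STRING = 255  # one DNS TXT character-string carries at most 255 bytes

def dkim_value(pubkey_b64, key_type="rsa", testing=False):
    """Build the tag list in the order the page shows; reject a non-Base64 p= value."""
    # Raises ValueError for the "...paste-your-public-key-here" placeholder.
    base64.b64decode(pubkey_b64, validate=True)
    tags = ["v=DKIM1", f"k={key_type}", f"p={pubkey_b64}", "h=sha256"]
    if testing:
        tags.append("t=y")
    return "; ".join(tags)

def split_txt(value, limit=MAX_TXT_STRING):
    """Cut the value into consecutive pieces no longer than the limit (value is ASCII)."""
    return [value[i:i + limit] for i in range(0, len(value), limit)]

def zone_line(selector, domain, value):
    """Format one TXT record whose data is several quoted strings."""
    strings = " ".join(f'"{piece}"' for piece in split_txt(value))
    return f"{selector}._domainkey.{domain} IN TXT {strings}"

def reassemble(strings):
    """Join the strings with no separator, as a DKIM verifier does, and read the tags."""
    tags = {}
    for part in "".join(strings).split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = val.strip()
    return tags

# Constructed filler, NOT a real key: 294 bytes, the DER size of a 2048-bit RSA public key.
SAMPLE_KEY = base64.b64encode(bytes(i % 256 for i in range(294))).decode()

if __name__ == "__main__":
    value = dkim_value(SAMPLE_KEY)
    print(len(value), [len(s) for s in split_txt(value)])
    print(zone_line("default", "example.com", value))
```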
