DKIM Record Generator

Build a valid DKIM DNS TXT record with the right tags, selector and key parameters — ready to paste into your DNS provider.

Configuration

The domain you send email from

Unique label for this key (e.g. "default", "google", "ses")

RSA is most widely supported

2048-bit recommended; 4096 may exceed DNS limits

Generated DKIM Record

DNS Record Name: default._domainkey.example.com
Record Type: TXT
Record Value: v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC3QEKyU1fSo6...paste-your-public-key-here; h=sha256
Full TXT Record
default._domainkey.example.com IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC3QEKyU1fSo6...paste-your-public-key-here; h=sha256"
Note: The p= value above is a placeholder. You must generate your own 2048-bit RSA key pair and replace it with the Base64-encoded public key. Example using OpenSSL:
# Generate private key
openssl genrsa -out dkim_private.pem 2048
# Extract public key
openssl rsa -in dkim_private.pem -pubout -outform DER | openssl base64 -A

Implementation Steps

  1. Generate a 2048-bit RSA key pair using OpenSSL or your email provider's tools.
  2. Configure your mail server or email service to sign outgoing messages with the private key using selector default.
  3. Log in to your DNS provider and create a TXT record with name default._domainkey.example.com.
  4. Paste the record value above into the TXT record content, replacing the placeholder public key with your real key.
  5. Wait for DNS propagation (usually 5–30 minutes), then send a test email and verify the DKIM signature passes using a DKIM checker.
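
A pre-publish check for the record value from step 4, as an added example that is not part of this tool: it flags a leftover placeholder or malformed p=, an RSA key under 2048 bits and a lingering t=y, and splits the value into the 255-byte strings a DNS TXT record is built from. The function names and the `constructed_p` sample keys (valid key layout, dummy modulus) are assumptions made for illustration.

```python
import base64, binascii

RSA_ALG = bytes.fromhex("300d06092a864886f70d0101010500")  # AlgorithmIdentifier: rsaEncryption

def _tlv(tag, body):  # minimal DER encoder, used only to build the constructed samples
    n = len(body)
    nb = (n.bit_length() + 7) // 8
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | nb]) + n.to_bytes(nb, "big")) + body

def constructed_p(bits):
    """Constructed p= value: real SubjectPublicKeyInfo layout, dummy modulus (not a usable key)."""
    rsa = _tlv(0x30, _tlv(0x02, b"\x00" + b"\xc3" * (bits // 8)) + _tlv(0x02, b"\x01\x00\x01"))
    return base64.b64encode(_tlv(0x30, RSA_ALG + _tlv(0x03, b"\x00" + rsa))).decode()

def _read(buf, pos):  # -> (value_start, value_end) of the DER element at pos
    n, pos = buf[pos + 1], pos + 2
    if n & 0x80:  # long-form length: low 7 bits give the number of length bytes
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return pos, pos + n

def rsa_bits(der):
    seq, _ = _read(der, 0)        # SubjectPublicKeyInfo SEQUENCE
    _, alg_end = _read(der, seq)  # skip AlgorithmIdentifier
    bit, _ = _read(der, alg_end)  # BIT STRING holding the key
    key, _ = _read(der, bit + 1)  # +1 skips the unused-bits byte; RSAPublicKey SEQUENCE
    m0, m1 = _read(der, key)      # INTEGER modulus
    return int.from_bytes(der[m0:m1], "big").bit_length()

def lint(txt):
    tags = {k.strip(): "".join(v.split()) for k, _, v in (t.partition("=") for t in txt.split(";") if t.strip())}
    out = []
    if tags.get("v", "DKIM1") != "DKIM1":
        out.append("v= must be DKIM1")
    p = tags.get("p")
    if not p:
        return out + ["p= missing or empty (an empty p= marks a revoked key)"]
    try:
        der = base64.b64decode(p, validate=True)
        weak = tags.get("k", "rsa") == "rsa" and rsa_bits(der) < 2048
    except (binascii.Error, IndexError):
        return out + ["p= is not a Base64 public key (placeholder left in?)"]
    if weak:
        out.append("RSA key shorter than 2048 bits")
    if "y" in tags.get("t", "").split(":"):
        out.append("t=y testing flag still set")
    return out

def txt_strings(value):  # split into <=255-byte quoted strings for the TXT record
    return " ".join('"%s"' % value[i:i + 255] for i in range(0, len(value), 255))
```

Running `txt_strings` on a 2048-bit record yields two quoted strings, which is the form to enter when a DNS provider does not split long values itself.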

Frequently Asked Questions

What is DKIM and why do I need it?

DKIM (DomainKeys Identified Mail) is an email authentication method that lets a sending domain digitally sign outgoing messages. Receiving mail servers verify the signature using a public key published in DNS, which helps prove the message was not tampered with in transit and truly originates from the claimed domain.

What is a DKIM selector?

A selector is a label you choose that identifies a specific DKIM key pair. It appears as a prefix in the DNS record name (e.g., default._domainkey.example.com). Using selectors lets you rotate keys or use different keys for different sending services without conflicts.

Which key size should I use?

2048-bit RSA keys are recommended for most use cases. They provide strong security and are widely supported. 1024-bit keys are considered weak by modern standards. 4096-bit keys offer extra security but some DNS providers have trouble with the large TXT record.

What does testing mode (t=y) do?

When testing mode is enabled (t=y), receiving servers are told that the domain is still testing DKIM, so they should not treat messages that fail DKIM verification any differently from unsigned messages. Remove this flag once you have confirmed that signing works correctly.

Do I still need to generate my own key pair?

Yes. This tool generates the DNS record syntax with the correct tags and formatting, but the actual RSA or Ed25519 key pair must be generated separately using tools like OpenSSL. You then paste the public key into the p= tag of the record.
