DKIM Record Generator


Generate an RSA key pair for DKIM (DomainKeys Identified Mail) signing right in your browser, plus the DNS TXT record to publish. Or paste an existing public key to build the record. Keys are generated client-side via the Web Crypto API and never leave your device.

DKIM Settings

  Selector: A label that lets you have multiple DKIM keys per domain. Common: default, s1, google, k1.
  Domain: Used in the host preview only — your DNS provider already knows your domain.
  Key size: 2048-bit is the standard. 1024 is being phased out — many receivers now reject it.

What is DKIM?

DKIM (DomainKeys Identified Mail) is an email-authentication standard that adds a cryptographic signature to every outgoing message. The signature is generated with your private key on the mail server, and receivers verify it using the public key you publish in DNS. If the signed message is modified in transit — by a forwarder, a mailing list, or an attacker — the signature breaks and DKIM fails.

Together with SPF and DMARC, DKIM is one of the three records every domain that sends email needs in 2026. Defined by RFC 6376.

DKIM record format

A DKIM record is a TXT record at selector._domainkey.yourdomain.com with the following tags:

Tag | Required? | Purpose
----|-----------|--------
v   | No        | Version. Must be DKIM1 if present. Defaults to DKIM1.
k   | No        | Key type. rsa (default) or ed25519.
p   | Yes       | Base64-encoded public key. The whole point of the record. An empty p= means the key has been revoked.
t   | No        | Flags: y = testing mode, s = strict (no subdomain delegation).
s   | No        | Service type. Almost always omitted; email is the default.
h   | No        | Acceptable hash algorithms. Usually omitted.
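The record format in practice: building the TXT value from its tags, deriving the host name it is published at, and parsing a record back with the checks from the table (version must be DKIM1 if present, p= required, empty p= means revoked, k= defaults to rsa). This is an added example, not the generator's own code; the function names are this example's own and the sample key is a constructed stand-in of the right length, not a real key.

```javascript
// Added example, not the generator's own code: build a DKIM TXT record from its
// tags and parse one back with the checks from the table above (RFC 6376 §3.6.1).
// Function names are this example's own.

// Host name the record is published at: selector._domainkey.domain
function dkimHostName(selector, domain) {
  if (!/^[A-Za-z0-9][A-Za-z0-9.-]*$/.test(selector)) throw new Error(`invalid selector: ${selector}`);
  return `${selector}._domainkey.${domain}`;
}

// Build "v=DKIM1; k=rsa; [t=flags;] p=<base64 SPKI>" in the order the table lists.
function buildDkimRecord({ publicKeyB64, keyType = 'rsa', flags = [] }) {
  const tags = ['v=DKIM1', `k=${keyType}`];
  if (flags.length) tags.push(`t=${flags.join(':')}`);
  tags.push(`p=${publicKeyB64}`);
  return tags.join('; ');
}

const BASE64 = /^[A-Za-z0-9+/]*={0,2}$/;

// Parse a record and apply the table's rules. Returns {ok: true, ...fields} or
// {ok: false, error}.
function parseDkimRecord(txt) {
  const tags = new Map();
  for (const part of txt.split(';')) {
    const t = part.trim();
    if (!t) continue;                                      // tolerate a trailing ';'
    const eq = t.indexOf('=');
    if (eq < 0) return { ok: false, error: `malformed tag: ${t}` };
    const name = t.slice(0, eq).trim();
    if (tags.has(name)) return { ok: false, error: `duplicate tag: ${name}` };
    tags.set(name, t.slice(eq + 1).replace(/\s+/g, ''));  // whitespace inside a value is ignored
  }
  if (tags.has('v') && tags.get('v') !== 'DKIM1') return { ok: false, error: `unsupported version: ${tags.get('v')}` };
  if (!tags.has('p')) return { ok: false, error: 'missing p= tag' };
  const p = tags.get('p');
  if (!BASE64.test(p)) return { ok: false, error: 'p= is not valid base64' };
  const keyType = tags.get('k') ?? 'rsa';                  // k= defaults to rsa
  if (keyType !== 'rsa' && keyType !== 'ed25519') return { ok: false, error: `unknown key type: ${keyType}` };
  const flags = tags.has('t') ? tags.get('t').split(':') : [];
  return {
    ok: true,
    keyType,
    publicKeyB64: p,
    revoked: p === '',              // empty p= means the key has been revoked
    testing: flags.includes('y'),   // t=y: receivers should not treat a failure as definitive
    strict: flags.includes('s'),    // t=s: no subdomain delegation
  };
}

// Constructed stand-in, not a real key: a 2048-bit RSA SPKI key is 392 base64 chars.
const SAMPLE_PUBKEY_B64 = 'A'.repeat(392);

function demoRecord() {
  const record = buildDkimRecord({ publicKeyB64: SAMPLE_PUBKEY_B64 });
  return {
    host: dkimHostName('s1', 'example.com'),
    record,
    parsed: parseDkimRecord(record),
    revoked: parseDkimRecord('v=DKIM1; k=rsa; p=').revoked,
    badVersion: parseDkimRecord('v=DKIM2; p=AAAA').error,
  };
}
```

parseDkimRecord rejects duplicate tags and non-base64 p= values outright, which is stricter than some resolvers; the point is that a record with a typo in v= or a missing p= silently fails every signature, so it is worth checking the published value before pointing a mail platform at it.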

How DKIM signing works (technical)

  1. The sending server selects which headers to sign (always includes From) and the message body.
  2. It canonicalizes them — typically relaxed/relaxed, which trims whitespace consistently so forwarders don't break the signature.
  3. It hashes the canonicalized body with SHA-256, and adds the hash to the DKIM-Signature header alongside the list of signed headers.
  4. It signs the hash of the canonicalized headers (including the partially-built DKIM-Signature) with the private key.
  5. The signature is added as the b= tag in the header, and the message is sent.
  6. The receiver fetches the public key from selector._domainkey.from-domain.com, verifies the signature, and reports the result to DMARC.
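The six steps above, carried out end to end with the same Web Crypto primitives the generator uses (RSASSA-PKCS1-v1_5 with SHA-256, 2048-bit) and relaxed/relaxed canonicalization. This is an added example and not code from the generator or the page: the canonicalization helpers, dkimSign, dkimVerify and demoSignAndVerify are this example's own names, the message is constructed, and the verifier is handed the public key directly instead of fetching it from DNS. It also shows what the steps imply about tampering: a whitespace-only change by a forwarder still verifies, while a one-word change to the body or to a signed header fails.

```javascript
// Added example, not the generator's own code: sign and verify a message the
// way steps 1-6 describe, using the Web Crypto API with relaxed/relaxed
// canonicalization (RFC 6376 §3.4). Runs in a browser or in Node 18+.
const CRLF = '\r\n';

async function getSubtle() {
  if (globalThis.crypto?.subtle) return globalThis.crypto.subtle;
  const { webcrypto } = await import('node:crypto'); // Node before 19 has no global crypto
  return webcrypto.subtle;
}
const enc = (s) => new TextEncoder().encode(s);
const b64 = (buf) => btoa(String.fromCharCode(...new Uint8Array(buf)));
const unb64 = (s) => Uint8Array.from(atob(s), (c) => c.charCodeAt(0));

// Relaxed header canonicalization: lowercase name, unfold, collapse WSP runs,
// strip WSP around the colon and at the end of the value.
function relaxHeader(name, value) {
  const v = value.replace(/\r\n[ \t]/g, ' ').replace(/[ \t]+/g, ' ').trim();
  return `${name.toLowerCase()}:${v}`;
}

// Relaxed body canonicalization: collapse WSP runs, drop trailing WSP on each
// line, drop empty lines at the end, and end a non-empty body with CRLF.
function relaxBody(body) {
  const lines = body.split(CRLF).map((l) => l.replace(/[ \t]+/g, ' ').replace(/ $/, ''));
  while (lines.length && lines[lines.length - 1] === '') lines.pop();
  return lines.length ? lines.join(CRLF) + CRLF : '';
}

// Step 4's input: each signed header (bottom-most instance, RFC 6376 §5.4.2)
// followed by CRLF, then the DKIM-Signature header with an empty b= value and
// no trailing CRLF.
function headerInput(headers, signedNames, dkimValue) {
  let out = '';
  for (const name of signedNames) {
    const h = [...headers].reverse().find(([n]) => n.toLowerCase() === name.toLowerCase());
    if (h) out += relaxHeader(h[0], h[1]) + CRLF;
  }
  return out + relaxHeader('DKIM-Signature', dkimValue);
}

// Steps 1-5. headers is an array of [name, value] pairs in message order.
async function dkimSign(headers, body, { domain, selector, privateKey, signed = ['from', 'to', 'subject'] }) {
  const subtle = await getSubtle();
  const bh = b64(await subtle.digest('SHA-256', enc(relaxBody(body))));      // step 3: body hash
  const tags = `v=1; a=rsa-sha256; c=relaxed/relaxed; d=${domain}; s=${selector}; ` +
    `h=${signed.join(':')}; bh=${bh}; b=`;
  const sig = await subtle.sign({ name: 'RSASSA-PKCS1-v1_5' }, privateKey,
    enc(headerInput(headers, signed, tags)));                                   // step 4
  return ['DKIM-Signature', tags + b64(sig)];                                   // step 5: b= tag
}

// Step 6, with the public key already fetched from DNS.
async function dkimVerify(headers, body, publicKey) {
  const subtle = await getSubtle();
  const sigHdr = headers.find(([n]) => n.toLowerCase() === 'dkim-signature');
  if (!sigHdr) return { pass: false, reason: 'no DKIM-Signature header' };
  const tags = new Map(sigHdr[1].split(';').filter((t) => t.trim()).map((t) => {
    const i = t.indexOf('=');
    return [t.slice(0, i).trim(), t.slice(i + 1).replace(/\s+/g, '')];
  }));
  const bh = b64(await subtle.digest('SHA-256', enc(relaxBody(body))));
  if (bh !== tags.get('bh')) return { pass: false, reason: 'body hash mismatch' };
  const unsigned = sigHdr[1].replace(/(^|;\s*)b=[^;]*/, '$1b=');  // b= value removed, rest intact
  const ok = await subtle.verify({ name: 'RSASSA-PKCS1-v1_5' }, publicKey, unb64(tags.get('b')),
    enc(headerInput(headers, tags.get('h').split(':'), unsigned)));
  return { pass: ok, reason: ok ? 'signature verified' : 'signature mismatch' };
}

async function demoSignAndVerify() {
  const subtle = await getSubtle();
  // Same parameters the generator uses: 2048-bit RSASSA-PKCS1-v1_5 with SHA-256.
  const { privateKey, publicKey } = await subtle.generateKey(
    { name: 'RSASSA-PKCS1-v1_5', modulusLength: 2048, publicExponent: new Uint8Array([1, 0, 1]), hash: 'SHA-256' },
    true, ['sign', 'verify']);
  // Constructed sample message with the stray whitespace a forwarder might normalize.
  const headers = [['From', 'Alice <alice@example.com>'], ['To', 'bob@example.net'], ['Subject', 'Hello']];
  const body = `Hi Bob,  ${CRLF}${CRLF}see   attached.${CRLF}${CRLF}${CRLF}`;
  const sig = await dkimSign(headers, body, { domain: 'example.com', selector: 's1', privateKey });
  const signed = [sig, ...headers];
  const retouched = `Hi Bob,${CRLF}${CRLF}see attached.${CRLF}`;      // whitespace-only change
  const tamperedBody = `Hi Bob,${CRLF}${CRLF}see detached.${CRLF}`;   // content change
  const tamperedHeaders = signed.map(([n, v]) => (n === 'Subject' ? [n, 'Invoice'] : [n, v]));
  return {
    original: (await dkimVerify(signed, body, publicKey)).pass,
    whitespaceOnly: (await dkimVerify(signed, retouched, publicKey)).pass,
    bodyTampered: (await dkimVerify(signed, tamperedBody, publicKey)).reason,
    headerTampered: (await dkimVerify(tamperedHeaders, body, publicKey)).reason,
  };
}
// Usage: demoSignAndVerify().then((r) => console.log(r));
```

Two design points worth noticing. The body hash is checked before the signature, so a body change is reported as "body hash mismatch" without touching the RSA operation, and the header hash covers the DKIM-Signature header itself (minus the b= value), which is why d=, s= and h= cannot be altered after signing. Real verifiers also enforce an expiry (x=) and require From to be in h=; both are omitted here for brevity.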

Frequently Asked Questions

What is a DKIM selector?

A selector is just a label that lets you have multiple DKIM keys per domain. The full DNS name is selector._domainkey.yourdomain.com, so a selector of s1 for example.com means publishing at s1._domainkey.example.com. Use different selectors per sending platform so you can rotate them independently.

Should I use 1024-bit or 2048-bit RSA?

2048-bit. NIST has recommended against 1024-bit RSA for years, and many providers (Microsoft 365, Google) are deprecating it. Some legacy DNS providers had a 255-char TXT limit which forced 1024-bit, but almost all of them now support concatenated TXT records that fit a 2048-bit key.

Can I have multiple DKIM keys?

Yes. Each selector is independent — publish as many as you want. Common pattern: google._domainkey for Google Workspace, k1._domainkey for SendGrid, s1._domainkey for your own outbound server, etc. Each platform signs with its own key and uses its own selector.

How often should I rotate DKIM keys?

Every 6 to 12 months is a reasonable cadence, with new selectors so old signatures stay verifiable until the old DNS records are removed. Rotate immediately if the private key is exposed.

My TXT record is over 255 characters — will it work?

Yes. DNS allows TXT records to be split into multiple 255-character "character strings" that the resolver concatenates. Cloudflare, Route 53, GoDaddy, and Namecheap all do this automatically — paste the full record and they split it. If yours doesn't, split manually into "chunk1" "chunk2" with quotes around each.
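The manual split described above, as an added example that is not part of the tool: it cuts a record into the 255-octet character strings a TXT record is made of, writes them in the quoted zone-file form, and joins them back the way a resolver does. The function names are this example's own and the sample keys are constructed stand-ins of the right length, not real keys.

```javascript
// Added example, not the tool's own code: split a DKIM record into the
// 255-octet <character-string> pieces a TXT RDATA is built from (RFC 1035),
// write them in quoted zone-file form, and join them back as a resolver does.

const MAX_STRING = 255;

// Split into pieces of at most 255 octets. DKIM records are ASCII, so one
// character is one octet; refuse anything else rather than split a multibyte char.
function splitTxtRecord(record, max = MAX_STRING) {
  if (!/^[\x20-\x7e]*$/.test(record)) throw new Error('record must be printable ASCII');
  const chunks = [];
  for (let i = 0; i < record.length; i += max) chunks.push(record.slice(i, i + max));
  return chunks.length ? chunks : [''];
}

// Zone-file form: each piece in double quotes, with \ and " escaped.
function toZoneFileValue(chunks) {
  return chunks.map((c) => `"${c.replace(/\\/g, '\\\\').replace(/"/g, '\\"')}"`).join(' ');
}

// Resolver/receiver side: unquote every string and concatenate with no separator.
function joinCharacterStrings(zoneValue) {
  const pieces = [];
  const re = /"((?:[^"\\]|\\.)*)"/g;
  for (let m; (m = re.exec(zoneValue)) !== null;) pieces.push(m[1].replace(/\\(.)/g, '$1'));
  return pieces.join('');
}

// Constructed stand-ins, not real keys: 2048-bit and 1024-bit RSA SPKI keys are
// 392 and 216 base64 characters respectively.
function demoSplit() {
  const rec2048 = `v=DKIM1; k=rsa; p=${'A'.repeat(392)}`;
  const rec1024 = `v=DKIM1; k=rsa; p=${'A'.repeat(216)}`;
  const zone = toZoneFileValue(splitTxtRecord(rec2048));
  return {
    pieces2048: splitTxtRecord(rec2048).length,    // 2: the record is 410 chars
    pieces1024: splitTxtRecord(rec1024).length,    // 1: 234 chars fit in one string
    roundTrip: joinCharacterStrings(zone) === rec2048,
    zone,
  };
}
```

The cut can fall anywhere, including in the middle of the base64 key, because the strings are concatenated with no separator; splitting at a tag boundary is not required. What does break records is a stray space or newline between the closing quote of one string and the opening quote of the next being copied into the value itself, which is why checking the published record with a resolver after saving is worth the minute.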

Are the keys really generated in my browser?

Yes. This tool calls the Web Crypto API's SubtleCrypto.generateKey() with RSASSA-PKCS1-v1_5 + SHA-256 and exports the result. The private key never leaves your device. View source if you want to confirm.
