DKIM Record Generator
Generate DKIM DNS TXT records for email authentication online. Free DKIM generator with RSA key pairs to prevent email spoofing.
Domain Settings
Common selectors: default, google, selector1, k1, mail
2048-bit is the industry standard. Some DNS providers have a 255-character TXT record limit, which may not fit 4096-bit keys.
How It Works
- Enter your domain name and choose a selector.
- Select the RSA key size (2048-bit recommended).
- Click Generate to create a key pair in your browser.
- Add the DNS TXT record to your domain's DNS settings.
- Configure your mail server with the private key.
- Test by sending an email and checking DKIM headers.
Security Notice
Keys are generated entirely in your browser using the Web Crypto API. No data is sent to any server. However, always treat your private key as a secret. Never share it publicly or commit it to version control.
Common DKIM Selectors by Provider
| Provider | Selector(s) | Notes |
|---|---|---|
| Google Workspace | google | Default for Gmail / Google Workspace |
| Microsoft 365 | selector1 / selector2 | Auto-generated by Exchange Online |
| Mailchimp | k1 | Standard for Mailchimp sending |
| SendGrid | s1 / s2 | SendGrid recommended selectors |
| Amazon SES | custom (e.g. ses) | User-defined during SES setup |
| Postmark | pm | Postmark default DKIM selector |
| Zoho Mail | zmail | Default for Zoho Mail |
| Fastmail | fm1 / fm2 / fm3 | Fastmail auto-generated selectors |
| ProtonMail | protonmail / protonmail2 | ProtonMail custom domain selectors |
| Custom / Self-hosted | default / mail | Common conventions for self-managed servers |
What is DKIM?
DKIM (DomainKeys Identified Mail) is an email authentication method that allows the receiving mail server to verify that an email was authorized by the owner of the sending domain. It works by attaching a digital signature to outgoing emails, which is linked to a cryptographic public key published in the domain's DNS records.
DKIM is one of three key email authentication protocols, alongside SPF (Sender Policy Framework) and DMARC (Domain-based Message Authentication, Reporting, and Conformance). Together, these protocols help prevent email spoofing, phishing attacks, and improve email deliverability.
How DKIM Works
Sending Side
- The domain owner generates an RSA key pair (public and private).
- The public key is published as a DNS TXT record under selector._domainkey.domain.com.
- The mail server uses the private key to create a cryptographic signature of the email headers and body.
- This signature is added as a DKIM-Signature header to the outgoing email.
Receiving Side
- The receiving mail server extracts the DKIM-Signature header.
- It reads the selector and domain from the signature to look up the public key via DNS.
- Using the public key, it verifies the signature against the email content.
- If the signature matches, the email passes DKIM verification, confirming it was not tampered with in transit.
DKIM Record Format
A DKIM DNS record is a TXT record with the following structure:
Tag Descriptions
- v=DKIM1 -- Version identifier. Must be DKIM1.
- k=rsa -- Key type. Currently only rsa is widely supported.
- p=... -- Base64-encoded public key data. An empty p= means the key has been revoked.
- t=s (optional) -- Strict mode: the "i=" domain in signatures must exactly match "d=".
- t=y (optional) -- Testing mode: receiving servers should not treat DKIM failures as definitive.
The Email Authentication Trio: SPF, DKIM, and DMARC
For maximum email security and deliverability, it is recommended to implement all three email authentication protocols together:
- SPF (Sender Policy Framework): Specifies which mail servers are authorized to send email on behalf of your domain. Defined as a DNS TXT record on your root domain.
- DKIM (DomainKeys Identified Mail): Adds a cryptographic signature to outgoing emails, allowing receivers to verify the message was not altered and was authorized by the domain owner.
- DMARC (Domain-based Message Authentication, Reporting, and Conformance): Tells receiving servers what to do when SPF or DKIM checks fail (none, quarantine, or reject), and provides a reporting mechanism.
How to Use DKIM Record Generator
Get public key from email service
Find the DKIM public key in your email provider's dashboard — it's usually under email authentication settings or sender domain verification. SendGrid, Mailgun, AWS SES, Postmark, Office 365, and the others all surface this in slightly different places, but the key itself is just a long string of base64-encoded characters that you'll paste into the tool.
Choose a selector
Pick a name for this DKIM key — the selector becomes part of the DNS path. 'default' is fine for a single-provider setup; for multi-provider deployments use the service name ('sendgrid', 'mailgun') so you can identify each key at a glance. You can use multiple selectors on the same domain, which is how key rotation and multi-service setups work.
Generate DNS record
The tool produces a properly-formatted DNS TXT record — name 'selector._domainkey.yourdomain' with value 'v=DKIM1; k=rsa; p=publickey'. Copy the full record exactly. Watch for whitespace and line breaks getting introduced during copy-paste, since those break the record without producing an obvious error.
Publish and verify
Add the TXT record in your DNS provider's control panel (Cloudflare, Route 53, whatever you use). Wait 24 to 48 hours for DNS propagation to complete. Verify by running the domain through mxtoolbox.com, or by sending yourself a test email and checking the headers for 'dkim=pass' on the receiving side. If verification fails after propagation, double-check the record value matches what the generator produced exactly.
When to Use DKIM Record Generator
Email authentication setup
DKIM (DomainKeys Identified Mail) is one of the three pillars of modern email authentication, alongside SPF and DMARC. Your sending server signs outgoing email with a private key, and recipients verify the signature against a public key you publish in DNS. Without it, your messages are far more likely to land in the spam folder or get rejected outright by Gmail and Outlook, which have steadily tightened their authentication requirements.
New email service setup
Every transactional email provider — SendGrid, Mailgun, AWS SES, Postmark, and the others — requires you to publish a DKIM record before they'll send mail on your behalf. The tool helps you format the record correctly given the public key the provider supplies, which is faster than digging through their per-provider documentation and makes mistakes less likely on the DNS side.
Domain authentication audit
For an existing DKIM setup, the tool can decode your published records, validate that the format is correct, and surface any issues that might be hurting deliverability. This matters during security audits, when troubleshooting bounce-back patterns, and when you suspect a key may have been exposed and need to be rotated quickly.
Multi-provider setup
Larger organizations often use multiple email providers — one for transactional mail, another for marketing campaigns, a third for support replies. Each provider needs its own DKIM record under a different selector, and the tool helps you manage that fleet of records without losing track. Especially helpful for enterprise teams and agencies running DKIM for client domains.
DKIM Record Generator Examples
Standard DKIM TXT record
Selector: default, Domain: example.com, Public key: provided by mail service
default._domainkey.example.com TXT v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDx...
A standard DKIM record. The selector ('default' here) is something you pick — it's used in the DNS path so receivers know which key to fetch. The 'p=' parameter holds the public key, which your mail service supplies. You publish the record at 'default._domainkey.yourdomain.com' as a TXT record in DNS.
Multiple selectors
Selectors: mailgun, sendgrid
mailgun._domainkey.example.com TXT v=DKIM1...
sendgrid._domainkey.example.com TXT v=DKIM1...
When you use multiple email providers, each gets its own selector and its own DKIM record. Both records coexist in DNS without conflict, so Mailgun can sign your marketing mail while SendGrid signs transactional, and recipients verify each with the correct public key. The pattern scales to as many providers as you need.
Decoding existing record
Existing: v=DKIM1; k=rsa; p=ABC123...
Type: DKIM version 1. Algorithm: RSA. Public key parses cleanly. Record format is correct.
Validating an existing record is useful when you've just published it and want to confirm DNS propagation worked, when you're troubleshooting authentication failures showing up in DMARC reports, or when you're auditing the DKIM setup of a domain you've inherited. The tool parses the record and tells you whether the structure is valid.
Tips & Best Practices for DKIM Record Generator
1. DKIM only does its full job when paired with SPF and DMARC. All three together form the modern email authentication trio, and skipping any of them noticeably reduces deliverability with the major providers. Set up SPF first, add DKIM, then layer DMARC on top.
2. Pick selector names that mean something. 'default' works for a single setup, but for multi-provider deployments use the service name ('sendgrid', 'mailgun', 'postmark') so you can tell at a glance which DNS record belongs to which provider. The selector becomes part of the DNS path, so naming it well pays off during troubleshooting.
3. Use 2048-bit RSA keys for new setups. 1024-bit keys are considered legacy and increasingly weak — Google and others have publicly noted they're acceptable but not preferred. There's no real downside to 2048-bit; it's just the modern default.
4. Verify after DNS propagation finishes. Tools like mxtoolbox.com confirm your DKIM record is published correctly and parses without errors. DNS changes typically need 24 to 48 hours to propagate fully, so don't panic if verification fails immediately after you push the record.
5. Rotate keys periodically. A compromised private key means an attacker can forge signatures from your domain, which is bad. Annual rotation is a reasonable default, with an immediate rotation if you have any reason to suspect the key has leaked. Most providers make this straightforward through their dashboard.
6. Account for every service that sends from your domain. A forgotten transactional service that doesn't have DKIM configured will see its mail flagged as unauthenticated, which is exactly the kind of subtle deliverability problem that takes months to track down. Audit your sending services periodically.