DKIM Record Generator
Generate DKIM DNS TXT records for email authentication. Create RSA key pairs and properly formatted DKIM records to prevent email spoofing.
Domain Settings
Common: default, google, selector1, k1, mail
2048-bit is the industry standard. Some DNS providers have a 255-character TXT record limit, which may not fit 4096-bit keys.
How It Works
- Enter your domain name and choose a selector.
- Select the RSA key size (2048-bit recommended).
- Click Generate to create a key pair in your browser.
- Add the DNS TXT record to your domain's DNS settings.
- Configure your mail server with the private key.
- Test by sending an email and checking DKIM headers.
Security Notice
Keys are generated entirely in your browser using the Web Crypto API. No data is sent to any server. However, always treat your private key as a secret. Never share it publicly or commit it to version control.
Common DKIM Selectors by Provider
| Provider | Selector(s) | Notes |
|---|---|---|
| Google Workspace | google | Default for Gmail / Google Workspace |
| Microsoft 365 | selector1 / selector2 | Auto-generated by Exchange Online |
| Mailchimp | k1 | Standard for Mailchimp sending |
| SendGrid | s1 / s2 | SendGrid recommended selectors |
| Amazon SES | custom (e.g. ses) | User-defined during SES setup |
| Postmark | pm | Postmark default DKIM selector |
| Zoho Mail | zmail | Default for Zoho Mail |
| Fastmail | fm1 / fm2 / fm3 | Fastmail auto-generated selectors |
| ProtonMail | protonmail / protonmail2 | ProtonMail custom domain selectors |
| Custom / Self-hosted | default / mail | Common conventions for self-managed servers |
What is DKIM?
DKIM (DomainKeys Identified Mail) is an email authentication method that allows the receiving mail server to verify that an email was authorized by the owner of the sending domain. It works by attaching a digital signature to outgoing emails, which is linked to a cryptographic public key published in the domain's DNS records.
DKIM is one of three key email authentication protocols, alongside SPF (Sender Policy Framework) and DMARC (Domain-based Message Authentication, Reporting, and Conformance). Together, these protocols help prevent email spoofing, phishing attacks, and improve email deliverability.
How DKIM Works
Sending Side
- The domain owner generates an RSA key pair (public and private).
- The public key is published as a DNS TXT record under
selector._domainkey.domain.com. - The mail server uses the private key to create a cryptographic signature of the email headers and body.
- This signature is added as a
DKIM-Signatureheader to the outgoing email.
Receiving Side
- The receiving mail server extracts the
DKIM-Signatureheader. - It reads the selector and domain from the signature to look up the public key via DNS.
- Using the public key, it verifies the signature against the email content.
- If the signature matches, the email passes DKIM verification, confirming it was not tampered with in transit.
DKIM Record Format
A DKIM DNS record is a TXT record with the following structure:
Tag Descriptions
v=DKIM1-- Version identifier. Must be DKIM1.k=rsa-- Key type. Currently only rsa is widely supported.p=...-- Base64-encoded public key data. An emptyp=means the key has been revoked.t=s(optional) -- Strict mode: the "i=" domain in signatures must exactly match "d=".t=y(optional) -- Testing mode: receiving servers should not treat DKIM failures as definitive.
The Email Authentication Trio: SPF, DKIM, and DMARC
For maximum email security and deliverability, it is recommended to implement all three email authentication protocols together:
- SPF (Sender Policy Framework): Specifies which mail servers are authorized to send email on behalf of your domain. Defined as a DNS TXT record on your root domain.
- DKIM (DomainKeys Identified Mail): Adds a cryptographic signature to outgoing emails, allowing receivers to verify the message was not altered and was authorized by the domain owner.
- DMARC (Domain-based Message Authentication, Reporting, and Conformance): Tells receiving servers what to do when SPF or DKIM checks fail (none, quarantine, or reject), and provides a reporting mechanism.