DKIM Record Generator

Build DKIM DNS TXT records for email signing with custom selector, key type, and flags.

  1. Home
  2. Hash & Security
  3. DKIM Record Generator

The domain that sends email (e.g., your company domain).

A unique name for this key (e.g., google, sendgrid, default).

RSA key length. 2048-bit is the standard for most providers.

RSA (k=rsa)

RSA SHA-256 is the most widely supported DKIM key type.


DKIM DNS Record

Add this as a TXT record in your DNS zone with the record name <selector>._domainkey.<domain>.

What Is a DKIM Record Generator?

DomainKeys Identified Mail (DKIM) is an email authentication method that allows the sender to cryptographically sign email messages. The signature is verified by the receiving server using a public key published in the sender's DNS as a TXT record. DKIM helps ensure email integrity and authenticity, preventing tampering and spoofing.

A DKIM DNS record contains the version tag (v=DKIM1), the hash algorithm (h=sha256), the key type (k=rsa), and the public key (p=...). The record is published at a specific DNS name constructed from the selector and domain: <selector>._domainkey.<domain>. Each email service or sending infrastructure can use a different selector, allowing key rotation without disrupting service.

Common use cases include authenticating email sent through Google Workspace, Microsoft 365, SendGrid, Mailgun, Amazon SES, and other email service providers. DKIM is typically used alongside SPF and DMARC for comprehensive email authentication.

How to Use This DKIM Record Generator

  1. Enter your domain — Type the domain you use for sending email (e.g., example.com).
  2. Choose a selector — Enter a unique selector name. Common selectors include google (for Google Workspace), sendgrid, mailgun, or default. Your email provider will tell you which selector to use.
  3. Select key length — Choose 2048-bit for most providers. Some older providers may require 1024-bit.
  4. Generate your key pair — Use OpenSSL or your email provider's admin console to generate an RSA key pair. Replace the example public key in the generated record with your actual Base64-encoded public key.
  5. Publish the record — Add the TXT record to your DNS zone at <selector>._domainkey.<domain>. Then enable DKIM signing in your email server or provider settings.

Frequently Asked Questions

What is a DKIM selector?

A DKIM selector is a unique identifier that allows multiple DKIM keys to be published for the same domain. This enables key rotation — you can publish a new key with a new selector before switching to it, avoiding email authentication failures during the transition. Email service providers often provide a specific selector name (e.g., google for Google Workspace).

How do I generate the actual key pair?

Use OpenSSL: openssl genrsa -out dkim_private.pem 2048 to generate the private key, then openssl rsa -in dkim_private.pem -pubout -outform der 2>/dev/null | openssl base64 -A to get the Base64 public key. Alternatively, most email providers (Google Workspace, Microsoft 365, SendGrid) generate the key pair automatically in their admin console.

Why do I need DKIM along with SPF and DMARC?

SPF checks the sending server IP is authorized. DKIM verifies the message was not tampered with using a cryptographic signature. DMARC tells receiving servers what to do if SPF or DKIM fails. DMARC requires either SPF or DKIM (preferably both) to pass for email to be authenticated. All three are needed for optimal email deliverability and anti-spoofing protection.