Free DKIM Record Generator
Stop your email from being modified during transit with a DKIM record. Our free DKIM Record Generator helps you create DKIM records in seconds!
Stop your email from being modified during transit with a DKIM record. Our free DKIM Record Generator helps you create DKIM records in seconds!
You must enter this key in your DKIM signer. Keep it secret — anyone with access can stamp tokens pretending to be you.
The raw PEM public key. Not used in DNS directly (the record above already embeds it), but handy elsewhere.
Publish the record on this DNS host. Format: [selector]._domainkey.[yourdomain] — never use @ in DNS records.
Generate your DKIM key pair in 5 simple steps:
Type your domain (e.g., yourdomain.com) — no http://, www, or mail. prefix needed. This is the domain that will appear in your DKIM-Signature header.
A selector is a short label (e.g., 'default', 'mail', 'v1') that identifies which key is in use. It becomes part of your DNS hostname. You can use anything you want - it's a label you control. If unsure, use 'default'.
RSA 2048-bit is the recommended standard. Ed25519 is the modern choice if your ESP supports it. Do not use RSA 1024-bit as it is deprecated.
Your DKIM key pair is generated instantly on your device. No keys are stored on our servers or transmitted anywhere. All generation happens in your browser.
Two keys appear: (1) Public key TXT record → copy to your DNS management console. (2) Private key (PEM format) → copy to your ESP's admin panel or your mail server's DKIM configuration. Keep the private key secure.
A DKIM record is a DNS TXT record published at selector._domainkey.yourdomain.com that contains the public key receivers use to verify email signatures from your domain. When you send an email, your mail server digitally signs it with the private key, adding a DKIM-Signature header to the message. Receiving mail servers retrieve the public key from your DNS and verify the signature. If the signature is valid, the email passed DKIM authentication.
DKIM is one of three standards required for DMARC to work (SPF and DMARC are the other two). All three together ensure authenticated, trusted email delivery.
For a complete guide, see our:
When you generate a DKIM key pair, two outputs are created:
This is the TXT record value that starts with v=DKIM1; k=rsa; p=... Publish this in your DNS at selector._domainkey.yourdomain.com. Receiving mail servers retrieve this key to verify that emails signed by your domain are legitimate.
Copy to your DNS management console (GoDaddy, Cloudflare, Route 53, etc.) as a TXT record.
This is the PEM-format key that stays on your mail server or in your email service provider (ESP) account. It signs every email you send.
Copy to your ESP's or mail server's DKIM signing configuration. Never paste it in DNS, email, or any public location.
Our generator tool offers several key sizes and algorithm options. Here’s what each means:
Our generator tool offers several key sizes and algorithm options. Here’s what each means:
This is typically managed by your domain registrar (GoDaddy, Namecheap) or your cloud provider (AWS Route 53, Google Cloud DNS, Cloudflare). Go to your domain's DNS settings.
Click "Add Record" or "Create TXT Record" (the exact button name varies by provider).
Enter: selector._domainkey Replace 'selector' with whatever label you chose when generating your key.
Copy the entire public key value from the generator and paste it into the Value field.
Click Save. The TXT record is now published.
DNS changes can take up to 48 hours to propagate worldwide.
default._domainkey.yourdomain.com TXT v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC... Breaking Down Each Component:
| Component | Value | What it means |
|---|---|---|
| v | DKIM1 | Protocol version |
| k | rsa | indicates this is an RSA key |
| p | MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC... | Public key value |
Auckland Regional Manager, Advantage
“Our business is based on trust, not only between us and clients but partners as well. The great partnership we have with PowerDMARC allows us to deliver exceptional services to our clients.”
Generating a key pair is just the first step. Here’s the complete workflow:
Follow the 'How to Publish Your DKIM Record in DNS' section above. This makes your public key available to receiving mail servers.
Login to your email service provider, and paste the private key. Each provider has different steps so check their documentation for exact instructions.
In your ESP's settings, enable DKIM signing for your domain. Set the selector to match what you chose in the generator (e.g., 'default').
Check your setup using our free DKIM Checker. It’s instant and accurate, perfect for quick troubleshooting.
DKIM alone provides no enforcement. DMARC tells receivers what to do with unauthenticated mail, helping prevent email fraud and spoofing.
For automated DKIM monitoring, key rotation, and management, PowerDMARC's Hosted DKIM service handles this for you.