Free DKIM Record Generator

Stop your email from being modified during transit with a DKIM record. Our free DKIM Record Generator helps you create DKIM records in seconds!

How to Use This DKIM Generator

Generate your DKIM key pair in 5 simple steps:

1. Enter Your Domain Name

Type your domain (e.g., yourdomain.com); no http://, www, or mail. prefix needed. This is the domain that will appear in your DKIM-Signature header.

2. Choose a Selector

A selector is a short label (e.g., 'default', 'mail', 'v1') that identifies which key is in use. It becomes part of your DNS hostname. You can use anything you want - it's a label you control. If unsure, use 'default'.

3. Choose a Key Size

RSA 2048-bit is the recommended standard. Ed25519 is the modern choice if your ESP supports it. Do not use RSA 1024-bit as it is deprecated.

4. Click Generate

Your DKIM key pair is generated instantly on your device. No keys are stored on our servers or transmitted anywhere. All generation happens in your browser.

5. Copy Both Outputs

Two keys appear: (1) Public key TXT record → copy to your DNS management console. (2) Private key (PEM format) → copy to your ESP's admin panel or your mail server's DKIM configuration. Keep the private key secure.

All generation is client-side and local to your device. PowerDMARC never stores or sees your keys.

What is a DKIM Record?

A DKIM record is a DNS TXT record published at selector._domainkey.yourdomain.com that contains the public key receivers use to verify email signatures from your domain. When you send an email, your mail server digitally signs it with the private key, adding a DKIM-Signature header to the message. Receiving mail servers retrieve the public key from your DNS and verify the signature. If the signature is valid, the email passes DKIM authentication.

DKIM is one of three standards required for DMARC to work (SPF and DMARC are the other two). All three together ensure authenticated, trusted email delivery.

Understanding Your Generated Key Pair

When you generate a DKIM key pair, two outputs are created:

Public Key

Public and safe to share.

TXT Record Value

This is the TXT record value that starts with v=DKIM1; k=rsa; p=... Publish this in your DNS at selector._domainkey.yourdomain.com. Receiving mail servers retrieve this key to verify that emails signed by your domain are legitimate.

What to do with it

Copy to your DNS management console (GoDaddy, Cloudflare, Route 53, etc.) as a TXT record.

Private Key

Don’t share it with anyone

PEM-Format Key

This is the PEM-format key that stays on your mail server or in your email service provider (ESP) account. It signs every email you send.

What to do with it

Copy to your ESP's or mail server's DKIM signing configuration. Never paste it in DNS, email, or any public location.

Choosing a Key Size and Algorithm

Our generator tool offers several key sizes and algorithm options. Here’s what each means:

RSA 2048-bit (Recommended Standard)
  • The current industry minimum.
  • Required by Google and Yahoo sender guidelines.
  • Supported universally.
  • Safe for all organizations.

RSA 1024-bit (Do Not Use)
  • Deprecated.
  • Considered cryptographically weak.
  • Most modern mail servers reject keys this small.

RSA 4096-bit (Not Recommended)
  • DNS TXT record becomes larger.
  • Can cause DNS lookup timeouts or failures.

Ed25519 (Modern Best Practice)
  • Smaller key size.
  • Faster signature verification.
  • Equivalent or better security than RSA 2048.
  • Supported by most major providers.

How to Publish Your DKIM Record in DNS

1. Log In to Your DNS Management Console

This is typically managed by your domain registrar (GoDaddy, Namecheap) or your cloud provider (AWS Route 53, Google Cloud DNS, Cloudflare). Go to your domain's DNS settings.

2. Create a New TXT Record

Click "Add Record" or "Create TXT Record" (the exact button name varies by provider).

3. Set the Hostname/Name

Enter: selector._domainkey (replace 'selector' with whatever label you chose when generating your key).

4. Paste the Public Key Value

Copy the entire public key value from the generator and paste it into the Value field.

5. Save the Record

Click Save. The TXT record is now published.

6. Wait for DNS Propagation

DNS changes can take up to 48 hours to propagate worldwide.

Verify Your DKIM Record is Live Using Our Free DKIM Checker

DKIM Record Example

DNS Record Details
Host/Name: default._domainkey.yourdomain.com
Type: TXT
Value: v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC...

Breaking Down Each Component:

Component | Value | What it means
v | DKIM1 | Protocol version
k | rsa | Indicates this is an RSA key
p | MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC... | Public key value
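
The record components and key-size guidance above, as an added example (not PowerDMARC's code): a standard-library Python check that parses a DKIM TXT value, reads the RSA modulus size from the DER in p=, and reports keys that are not the recommended 2048 bits. The function names and sample records are constructed for this illustration; the empty-p= and 32-byte Ed25519 checks follow the DKIM RFCs rather than this page.

```python
import base64

def parse_tags(txt):
    """Split 'v=DKIM1; k=rsa; p=...' into a dict, dropping whitespace in values."""
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    return {name.strip(): "".join(value.split()) for name, value in pairs}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def rsa_modulus_bits(spki):
    """Bit length of the RSA modulus in a DER SubjectPublicKeyInfo."""
    _, pos, _ = read_tlv(spki, 0)        # outer SEQUENCE
    _, _, pos = read_tlv(spki, pos)      # skip AlgorithmIdentifier
    _, pos, _ = read_tlv(spki, pos)      # BIT STRING
    _, pos, _ = read_tlv(spki, pos + 1)  # skip unused-bits byte, enter RSAPublicKey
    _, start, end = read_tlv(spki, pos)  # INTEGER modulus
    return int.from_bytes(spki[start:end], "big").bit_length()

def lint_dkim_record(txt):
    """Return findings for one DKIM TXT value, per the key-size guidance above."""
    tags = parse_tags(txt)
    findings = [] if tags.get("v", "DKIM1") == "DKIM1" else ["v= is not DKIM1"]
    if not tags.get("p"):
        return findings + ["p= is empty or missing: no usable key"]
    key = base64.b64decode(tags["p"], validate=True)
    if tags.get("k", "rsa") == "rsa":
        bits = rsa_modulus_bits(key)
        if bits != 2048:
            why = "is below the 2048-bit minimum" if bits < 2048 else "makes a large TXT record"
            findings.append(f"RSA {bits}-bit key {why}")
    elif tags["k"] == "ed25519" and len(key) != 32:
        findings.append("ed25519 p= must decode to 32 bytes")
    return findings

# Constructed samples: real DER framing around filler modulus bytes (not usable keys).
SPKI_HEAD = {1024: "30819f300d06092a864886f70d010101050003818d0030818902818100",
             2048: "30820122300d06092a864886f70d01010105000382010f003082010a0282010100"}

def constructed_record(bits):
    spki = bytes.fromhex(SPKI_HEAD[bits]) + b"\xa5" * (bits // 8) + bytes.fromhex("0203010001")
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()

if __name__ == "__main__":
    print({bits: lint_dkim_record(constructed_record(bits)) for bits in SPKI_HEAD})
```

The constructed 1024-bit sample begins with the same characters as the truncated p= value in the example record above (MIGfMA0G...); a 2048-bit RSA key instead begins MIIBIjANBgkq.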

Trusted by Thousands Worldwide

Steve Smith

Auckland Regional Manager, Advantage

“Our business is based on trust, not only between us and clients but partners as well. The great partnership we have with PowerDMARC allows us to deliver exceptional services to our clients.”

What to Do After Generating Your DKIM Record

Generating a key pair is just the first step. Here’s the complete workflow:

1. Publish the Public Key in DNS

Follow the 'How to Publish Your DKIM Record in DNS' section above. This makes your public key available to receiving mail servers.

2. Upload the Private Key to Your ESP

Log in to your email service provider and paste the private key. Each provider has different steps, so check their documentation for exact instructions.

3. Enable DKIM Signing

In your ESP's settings, enable DKIM signing for your domain. Set the selector to match what you chose in the generator (e.g., 'default').

4. Verify DKIM is Passing

Check your setup using our free DKIM Checker. It’s instant and accurate, perfect for quick troubleshooting.

5. Set Up DMARC Policy

DKIM alone provides no enforcement. DMARC tells receivers what to do with unauthenticated mail, helping prevent email fraud and spoofing.

6. Enable Automated Management

For automated DKIM monitoring, key rotation, and management, PowerDMARC's Hosted DKIM service handles this for you.

Frequently Asked Questions

What is a DKIM generator?
A DKIM generator is a tool that creates a DKIM key pair for you, so you don't have to generate them manually using openssl or other command-line tools. This tool prevents syntax errors and ensures both keys are cryptographically valid and matched to each other.
What is the difference between the DKIM public and private key?
The public key is published in your DNS, used by receiving mail servers to verify that emails claiming to be from your domain were actually signed by your mail server. It can be shared publicly as that's its purpose.

The private key is stored only on your mail server or in your ESP's systems, used to digitally sign every email your domain sends. This must be kept secret as anyone with the private key can forge emails from your domain.
How do I add a DKIM record to my DNS?
Simply log into your DNS provider (GoDaddy, Cloudflare, Route 53, etc.). Create a new TXT record with the hostname selector._domainkey (replacing 'selector' with your chosen label) and paste the public key value. Save the record. DNS changes take up to 48 hours to propagate. After that, receiving mail servers can retrieve your public key and verify DKIM signatures on your emails.
Can I generate multiple DKIM records?
Yes. Best practice is to have one selector per sending service. For example, if you use Google Workspace for corporate email and Mailchimp for marketing campaigns, generate two DKIM records with different selectors (e.g., 'google' and 'marketing'). Publish both to DNS, and configure each service with its respective private key. This also enables key rotation.
Where does the DKIM selector go?
The selector appears in two places: (1) As part of the DNS hostname: selector._domainkey.yourdomain.com. (2) In the s= tag of the DKIM-Signature header on every email your domain sends. Receiving servers read the DKIM-Signature header to find the selector, then look up the corresponding public key in your DNS using that selector.
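
The selector lookup described in the answer above, as an added example (not PowerDMARC's code): it reads every DKIM-Signature header from a message and derives the DNS name a receiver queries for each, paired with the signing algorithm. The message, selectors and function names are constructed for this illustration.

```python
import email

# Constructed sample: one message signed by two services, each with its own selector.
RAW_MESSAGE = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yourdomain.com;
 s=google; h=from:to:subject; bh=CONSTRUCTED; b=CONSTRUCTED
DKIM-Signature: v=1; a=ed25519-sha256; d=yourdomain.com; s=marketing;
 h=from:to:subject; bh=CONSTRUCTED; b=CONSTRUCTED
From: sender@yourdomain.com
To: rcpt@example.org
Subject: constructed sample

body
"""

def signature_tags(value):
    """Parse one DKIM-Signature value into a tag dict (folding whitespace removed)."""
    pairs = (part.split("=", 1) for part in value.split(";") if "=" in part)
    return {name.strip(): "".join(val.split()) for name, val in pairs}

def key_lookups(raw_message):
    """Return (DNS name, a= algorithm) for each signature: <s=>._domainkey.<d=>."""
    msg = email.message_from_string(raw_message)
    lookups = []
    for value in msg.get_all("DKIM-Signature", []):
        tags = signature_tags(value)
        if "s" in tags and "d" in tags:  # a signature without both cannot be verified
            lookups.append((f"{tags['s']}._domainkey.{tags['d']}", tags.get("a")))
    return lookups

if __name__ == "__main__":
    for name, algorithm in key_lookups(RAW_MESSAGE):
        print(f"TXT {name}  (signature algorithm: {algorithm})")
```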

Get back control of your domain with our Domain Key Generator Tool!