Free DKIM Record Generator

Generate DKIM public/private key pairs and DNS TXT records for your domain. Choose your selector and key length — everything runs in your browser.

RSA Key GenerationKeys Stay In-Browser100% Free

Domain Name

Selector

A selector identifies a specific DKIM key. Common selectors: default, selector1, google, s1.

Key Length

Keys are generated entirely in your browser using the Web Crypto API. Your private key is never sent to our servers.

Already have DKIM set up?

Verify your existing record is valid and properly published.

Check DKIM Record

What is DKIM and Why It Matters

DKIM adds a cryptographic signature to every outgoing email, letting receiving servers verify it really came from your domain and wasn't tampered with in transit.

Required for DMARC Compliance

DKIM is one of the three pillars of email authentication alongside SPF and DMARC. Without it, receiving servers have no way to verify that your message content hasn't been modified after sending. Major providers like Gmail, Yahoo, and Microsoft now require DKIM for reliable inbox delivery.

GmailYahooOutlookApple Mail

Cryptographic Signing

Each email gets a unique digital signature generated from your private key. Receivers use the public key published in your DNS to verify authenticity.

Tamper Protection

If anyone modifies the email headers or body after sending, the DKIM signature check fails — alerting the receiving server immediately.

How to Publish Your DKIM Record

Four steps from generation to verified DKIM authentication.

Generate Your DKIM Keys

Use the tool above to create your key pair. Enter your domain, choose a selector name (like selector1 or default), and select your key length. We recommend 2048-bit for the best balance of security and compatibility.

Tip:Save your private key immediately after generation. It's created in your browser and we have no way to recover it.

Publish the DNS Record

Log into your DNS provider (Cloudflare, GoDaddy, Namecheap, Route53, etc.) and create a new TXT record. Set the hostname to the Name value shown in your results (e.g. selector1._domainkey.yourdomain.com) and paste the full Value string as the record content.

Configure Your Email Platform

Add the private key to your mail server or email service provider. The setup varies by platform — for Google Workspace it's under Admin > Apps > Gmail > Authenticate email. For Postfix, you'll configure OpenDKIM with the private key file.

Note:If you use Gmail, Microsoft 365, or another hosted provider, they may generate their own DKIM keys. Check your provider's documentation first.

Verify With Our DKIM Checker

DNS changes can take up to 48 hours to propagate, though most complete within minutes. Use our DKIM Record Checker to confirm the record is live and correctly formatted.

How DKIM Works Behind the Scenes

Sending

Email is Signed

Your mail server uses the private key to generate a unique signature for each outgoing email.

In Transit

DNS Lookup

The receiving server fetches your public key from the TXT record at selector._domainkey.yourdomain.com.

Receiving

Signature Verified

The public key decrypts the signature. If it matches the email content, authentication passes.

More Free DNS Tools

SPF Record Generator

Create SPF DNS records to authorize email senders

SPF Record Checker

Verify your SPF configuration is valid

DKIM Record Checker

Validate your DKIM signing setup

DMARC Record Generator

Create DMARC policies for email authentication

DMARC Record Checker

Check your DMARC policy and reporting config

Frequently Asked Questions

Common questions about DKIM records, key generation, and email authentication.

DKIM (DomainKeys Identified Mail) is an email authentication method that uses cryptographic signatures to verify that an email was sent by the domain it claims to be from and wasn't altered in transit.

2048-bit is recommended for most use cases. It provides strong security and is widely supported. 4096-bit offers extra security but some DNS providers have TXT record size limits that may cause issues.

A selector is a label that identifies which DKIM key to use. It's part of the DNS lookup path: selector._domainkey.yourdomain.com. You can have multiple selectors for different mail systems.

No. Both keys are generated entirely in your browser using the Web Crypto API. Nothing is sent to our servers. You must save your private key yourself.

Yes. SPF and DKIM serve different purposes. SPF verifies the sending server, while DKIM verifies the message integrity. Both are required for full DMARC compliance.

In Google Admin Console, go to Apps → Google Workspace → Gmail → Authenticate email. Google generates DKIM keys for you, but you still need to publish the DNS record.

Still have questions?

Contact our support team →

Your Next Campaign Deserves
a Clean List

Stop guessing. Stop bouncing. Start reaching the people who actually want to hear from you.

Get Started Free View Pricing

200 free credits · No credit card required · Results in minutes