Free DKIM Record Generator

Generate a DKIM public/private key pair and ready-to-publish DNS TXT record in seconds

DKIM Record Generator
Create a valid DKIM record to add to your DNS configuration and complete the second step of email authentication.
Built by Henry Timmes · Named contributor to RFC 7489 (DMARC)

How to Generate and Deploy a DKIM Record

DKIM signs every outgoing message with a cryptographic key, giving receiving servers proof that the email is genuine and arrived unmodified. The generator above creates everything you need in one click.

Use 2048-bit Keys

1024-bit RSA keys are considered weak and are rejected by Gmail and other major receivers. 2048-bit is the recommended standard. 4096-bit keys offer stronger security but can hit DNS TXT record length limits - use 2048-bit unless you have a specific reason to go higher.

Choose a Clear Selector Name

Your selector identifies which public key to use. Pick something meaningful like the year (2026), service name (sendgrid), or purpose (marketing). This makes key rotation easier - you can run multiple selectors simultaneously, one per sending service.

Sign Before Delivery

DKIM signs a hash of the message headers and body. If anything modifies the message after signing - an ESP appending a footer, a gateway rewriting headers - the signature will fail. Make sure signing happens as the final step before the message leaves your infrastructure.
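To show concretely why a footer added after signing breaks the signature, here is an added example (written for this page, not the generator's own code) implementing the two RFC 6376 body canonicalization schemes and the bh= body-hash computation over a constructed message body. It assumes bare LF line endings in locally built input may be normalised to CRLF before canonicalization, as they would be on the wire.

```python
import base64
import hashlib
import re

WSP_RUN = re.compile(rb"[ \t]+")  # a run of whitespace (SP / HTAB) within a line

def _split(body):  # normalise bare LF to CRLF, then split into lines
    return body.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n").split(b"\r\n")

def _join(lines):  # drop empty lines at the end of the body, re-join with CRLF
    while lines and lines[-1] == b"":
        lines.pop()
    return b"\r\n".join(lines) + b"\r\n" if lines else b""

def simple_body(body):
    """RFC 6376 3.4.3 'simple': only trailing empty lines go; an empty body becomes CRLF."""
    return _join(_split(body)) or b"\r\n"

def relaxed_body(body):
    """RFC 6376 3.4.4 'relaxed': strip trailing WSP, collapse WSP runs, drop trailing empties."""
    return _join([WSP_RUN.sub(b" ", ln).rstrip(b" ") for ln in _split(body)])

def body_hash(body, canon="relaxed"):
    """The bh= value of a DKIM-Signature: base64(SHA-256) of the canonicalised body."""
    canon_body = relaxed_body(body) if canon == "relaxed" else simple_body(body)
    return base64.b64encode(hashlib.sha256(canon_body).digest()).decode()

def body_hash_matches(received, bh_from_signature, canon="relaxed"):
    """What a verifier does: recompute bh= over the body as received and compare."""
    return body_hash(received, canon) == bh_from_signature

if __name__ == "__main__":
    # Constructed sample body, as seen by the signing server.
    signed = b"Hello team,\r\n\r\nThe Q3 report is attached.\r\n"
    bh = body_hash(signed)
    # Whitespace-only differences survive relaxed canonicalisation...
    assert body_hash_matches(b"Hello team,  \r\n\r\nThe Q3 report is attached.\r\n\r\n\r\n", bh)
    # ...but a footer appended by a gateway after signing does not.
    footer = signed + b"\r\n-- \r\nScanned by Example Gateway\r\n"
    print("footer appended, bh matches:", body_hash_matches(footer, bh))
```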

How to Generate and Publish Your DKIM Record

  1. Enter your domain name and choose a selector (e.g., mail, 2026, or your ESP's name)
  2. Select 2048-bit as your key length - it is the recommended standard for most senders
  3. Click Generate DKIM and copy both the DNS TXT record value (public key) and the private key
  4. Add the TXT record to your DNS at selector._domainkey.yourdomain.com and wait for propagation
  5. Configure your mail server or ESP with the private key, then verify with the DKIM Lookup tool and a test send
Tip: Your private key must be kept secret - never publish it, commit it to source control, or share it. Only the public key goes in DNS. If your private key is ever exposed, generate a new key pair immediately, publish the new public key under a new selector, and revoke the old one by removing its DNS record.

DKIM: Protecting Your Emails from Impersonation

DKIM records are a critical layer of security against email spoofing. Spoofing is when malicious actors disguise their sending address to appear as a trusted source. DKIM uses cryptography to verify the legitimacy of the sender, ensuring the message truly originated from the claimed domain.

When a DKIM-enabled mail server sends a message, it adds a digital signature to the email header using a private key held by the sender. The corresponding public key is published as a TXT record in the domain's DNS, making it accessible to any receiving server that needs to verify the signature.

When an email arrives, the receiving server retrieves the sender's public key from DNS and uses it to verify the signature. A successful match confirms the email came from an authorized source and was not modified in transit - significantly reducing the risk of spoofing and phishing attacks.

Once you have it set up, it's time to test it with our very own Email Tester.


DKIM Tag Specification Explained

  • v: The DKIM version in use. Currently the most common value is v=DKIM1.
  • a: The cryptographic algorithm used to generate the digital signature. A common value is rsa-sha256.
  • d: The domain name that, together with the selector, locates the sender's public key in DNS.
  • s: The selector record name used to find the public key. It is a subdomain label created by the sender for DKIM purposes (e.g., the selector mail, which is looked up at mail._domainkey.example.com).
  • c: The canonicalization method applied to the headers and body before signing. Common values are relaxed/relaxed and simple/simple.
  • h: The email header fields included in the signature calculation. Headers not listed here are not protected by DKIM.
  • t: Flags that modify DKIM behavior. Valid values include y for testing mode and s for strict subdomain handling.

Frequently Asked Questions

DKIM (DomainKeys Identified Mail) is an email authentication protocol that lets your mail server sign outgoing messages with a cryptographic signature. Receiving servers verify that signature against a public key in your DNS, confirming the message came from an authorized sender and was not altered in transit. DKIM is required for DMARC alignment and is one of the key factors in inbox placement and sender reputation.

Use the generator above to create a public/private key pair for your domain and selector. Copy the DNS TXT record value and add it to your DNS at selector._domainkey.yourdomain.com. Then configure your mail server or ESP with the private key so it signs outgoing messages. Use the DKIM Lookup tool to confirm the record is live, and send a test message to verify signatures are passing end-to-end.

Use 2048-bit RSA as your standard. 1024-bit keys are considered cryptographically weak and are rejected by some receivers including Gmail. 4096-bit keys provide stronger security but can cause problems with DNS providers that limit TXT record length, and add processing overhead on high-volume sending infrastructure. 2048-bit offers the best balance of security and compatibility for most senders.

A DKIM TXT record published at selector._domainkey.yourdomain.com includes:
  • v=DKIM1: Version - always required and always first.
  • k=rsa: Key type. RSA is the standard; Ed25519 is a newer, shorter alternative.
  • p=: The base64-encoded public key. An empty value here means the key has been revoked.
  • h=: Optional. Limits which hash algorithms are acceptable (e.g., sha256).
  • t=: Optional flags. y = testing mode; s = signature does not apply to subdomains.

DKIM results appear in the Authentication-Results header of received messages:
  • pass: The signature verified successfully - the message is authentic and unaltered.
  • fail: The signature was invalid. Common causes include a key mismatch or message modification after signing.
  • neutral / permerror: A DNS or configuration problem prevented verification - check that your record is correctly published.
  • none: No DKIM signature was present in the message. Check that your mail server is configured to sign outgoing mail.

  • Body hash failures: An ESP, gateway, or mailing list modifies the message after signing, breaking the hash. Signing must be the final step before delivery.
  • Weak key rejection: 1024-bit RSA keys are flagged or rejected by modern receivers. Upgrade to 2048-bit.
  • DNS record length limits: 4096-bit public keys can exceed the 255-character limit per DNS string chunk. They must be split correctly or your provider may truncate them silently.
  • Forgetting to configure the mail server: Publishing the DNS record does not automatically enable DKIM signing - you must also configure your mail server or ESP to use the private key.
  • Key rotation errors: Removing the old DNS selector before updating the mail server causes a signing gap. Always switch the server first, confirm it is working, then remove the old record.
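An added example (not the generator's code) that checks a published record the way a verifier would, covering the record tags above and the length-limit and weak-key problems in this list: it rejoins the 255-character TXT strings, parses the tags, and walks the DER-encoded public key to read the RSA modulus size, flagging an empty (revoked) p= and keys shorter than 2048 bits. sample_spki builds a dummy SubjectPublicKeyInfo around a made-up modulus purely so the example runs offline; it is not a usable key.

```python
import base64
RSA_OID = bytes.fromhex("06092a864886f70d010101")  # rsaEncryption OID 1.2.840.113549.1.1.1

def _der(tag, body):  # minimal DER TLV encoder (short and long length forms)
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    nb = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | nb]) + n.to_bytes(nb, "big") + body

def _tlv(buf, pos):  # (value_start, value_end) of the DER element starting at pos
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next nb bytes hold the length
        nb = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nb], "big"), pos + nb
    return pos, pos + length

def sample_spki(bits):  # constructed SubjectPublicKeyInfo with a dummy modulus; NOT a usable key
    mod = b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    key = _der(0x30, _der(0x02, mod) + _der(0x02, b"\x01\x00\x01"))
    return _der(0x30, _der(0x30, RSA_OID + b"\x05\x00") + _der(0x03, b"\x00" + key))

def rsa_modulus_bits(spki):  # SPKI -> AlgorithmIdentifier -> BIT STRING -> RSAPublicKey -> modulus
    p, _ = _tlv(spki, 0)
    a, a_end = _tlv(spki, p)
    if RSA_OID not in spki[a:a_end]:
        raise ValueError("not an rsaEncryption key")
    b, _ = _tlv(spki, a_end)  # b is the unused-bits byte of the BIT STRING; the key follows it
    r, _ = _tlv(spki, b + 1)
    m, m_end = _tlv(spki, r)
    return int.from_bytes(spki[m:m_end], "big").bit_length()

def make_record(spki):  # the TXT value you would publish for an RSA key
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()

def split_txt(record, size=255):  # each DNS TXT string holds at most 255 octets
    return [record[i:i + size] for i in range(0, len(record), size)]

def audit_record(chunks):  # rejoin the TXT strings, parse the tags, report the problems listed above
    txt = "".join(chunks)
    tags = {k.strip(): "".join(v.split()) for k, v in
            (part.split("=", 1) for part in txt.split(";") if "=" in part)}
    issues = [] if txt.lstrip().startswith("v=DKIM1") else ["v=DKIM1 must be present and first"]
    p = tags.get("p")
    if not p:
        issues.append("p= missing or empty (an empty p= means the key is revoked)")
    elif tags.get("k", "rsa") == "rsa" and rsa_modulus_bits(base64.b64decode(p)) < 2048:
        issues.append("RSA key shorter than 2048 bits is weak")
    return issues
```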

Are You Ready To Experience The Difference?


Become a part of the Campaign Cleaner community today, and join countless satisfied customers who have witnessed significant improvements in their email deliverability and campaign success. Don't let HTML issues hold you back; let Campaign Cleaner optimize your campaigns and boost your inbox rates.

Let's Get Started