DKIM Record Generator

DKIM setup has two parts: the DNS record and enabling signing in your ESP. Most guides only cover one. Generate your record, then verify your mail server is actually signing with it.

Common selectors: google, default, s1, s2, k1, selector1, selector2

DNS Record Name

default._domainkey.yourdomain.com
TXT

Record Value

v=DKIM1; h=sha256; k=rsa; p=YOUR_PUBLIC_KEY_HERE

Replace YOUR_PUBLIC_KEY_HERE with your actual base64-encoded public key. Generate a key pair using:

openssl genrsa -out private.pem 2048 && openssl rsa -in private.pem -pubout -outform der | openssl base64 -A

How to publish this record

  1. Generate a key pair using the OpenSSL command above
  2. Log in to your DNS provider (Cloudflare, GoDaddy, Namecheap, Route53, etc.)
  3. Create a new TXT record
  4. Set the Name/Host to default._domainkey
  5. Paste the record value above into the Value/Content field, replacing YOUR_PUBLIC_KEY_HERE with your public key
  6. Configure your mail server to sign outbound emails with the private key
  7. Save and wait up to 48 hours for propagation (usually under 1 hour)
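
A check worth running on the record value before step 5, added here as an example (it is not part of this generator or of any ESP's tooling): it parses the tag list, catches a placeholder that was never replaced, reads the RSA modulus size out of the DER that the OpenSSL command above produces, and reports a leftover `t=y`. The function names are hypothetical, and the 2048-bit floor is an assumption taken from this page's recommendation.

```python
import base64

def parse_tags(record):
    """Split a DKIM TXT value into {tag: value} (RFC 6376 tag=value list)."""
    tags = {}
    for part in record.split(";"):
        name, _, value = part.partition("=")
        if name.strip():
            tags[name.strip()] = "".join(value.split())  # drop folding whitespace
    return tags

def _tlv(buf, pos):
    """Read the DER element at pos; return (value_start, value_end)."""
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return pos, pos + length

def rsa_bits(der):
    """Modulus size of the DER SubjectPublicKeyInfo that `openssl rsa -pubout` emits."""
    start, _ = _tlv(der, 0)                    # outer SEQUENCE
    _, alg_end = _tlv(der, start)              # AlgorithmIdentifier
    bit_start, _ = _tlv(der, alg_end)          # BIT STRING wrapping the key
    key_start, _ = _tlv(der, bit_start + 1)    # skip unused-bits byte, enter RSAPublicKey
    mod_start, mod_end = _tlv(der, key_start)  # INTEGER modulus
    return int.from_bytes(der[mod_start:mod_end], "big").bit_length()

def lint(record):
    """Return the problems found in a DKIM record value (empty list = clean)."""
    tags, problems = parse_tags(record), []
    if tags.get("v") != "DKIM1":
        problems.append("v= must be DKIM1")
    if "y" in tags.get("t", "").split(":"):
        problems.append("t=y test mode is still enabled")
    p = tags.get("p", "")
    if not p or p == "YOUR_PUBLIC_KEY_HERE":
        return problems + ["p= is empty or still the placeholder"]
    try:
        der = base64.b64decode(p, validate=True)
        if tags.get("k", "rsa") == "rsa" and rsa_bits(der) < 2048:
            problems.append("RSA key is shorter than 2048 bits")
    except (ValueError, IndexError):
        problems.append("p= is not base64-encoded DER")
    return problems

if __name__ == "__main__":
    # The page's template record, before the placeholder is replaced.
    print(lint("v=DKIM1; h=sha256; k=rsa; p=YOUR_PUBLIC_KEY_HERE"))
```

The size check applies to RSA records only; an Ed25519 record carries a raw 32-byte key in `p=` rather than DER, so only its base64 encoding is validated.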

Understanding DKIM

What is a DKIM selector?

A selector is a name that identifies which DKIM key to use. It lets you have multiple active keys for the same domain — useful for rotating keys or using different keys for different services.

RSA vs Ed25519 — which should I use?

RSA 2048-bit is the safe choice — it’s universally supported. Ed25519 is newer, faster, and uses shorter keys, but some older mail servers don’t support it yet. You can publish both.

How do I generate the key pair?

Use OpenSSL: openssl genrsa -out private.pem 2048 for the private key, then openssl rsa -in private.pem -pubout -outform der | openssl base64 -A for the public key to paste into your DNS record.

Should I enable test mode?

Enable t=y during initial setup so DKIM failures don’t cause rejections. Once you’ve verified signatures are working correctly, remove test mode to enforce DKIM.

Generate It. Publish It. Then Monitor It Doesn't Get Revoked.

Once you publish your DKIM record, InboxEagle monitors your DKIM signatures 24/7 — alerting you when keys expire, when signatures fail, and when it's time to rotate your keys.
