Free Tool

DKIM Record Generator

DKIM setup has two parts: the DNS record and enabling signing in your ESP. Most guides only cover one. Generate your record, then verify your mail server is actually signing with it.

Your domain

Selector

Common selectors: google, default, s1, s2, k1, selector1, selector2

Key Type (k=)

Algorithm used for signing your emails.

RSA Most widely supported. Use for maximum compatibility. Ed25519 Smaller keys, faster verification. Not yet universally supported.

Key Length

Bit length for your RSA key pair.

1024-bit Minimum. Some providers flag as weak. 2048-bit Recommended. Good balance of security and compatibility. 4096-bit Maximum security. May exceed DNS UDP packet limits.

Enable test mode (t=y) — Failures won't cause rejection during initial setup

Notes (n=) — optional

Visible in DNS but not used by validators

DNS Record Name

default._domainkey.yourdomain.com

TXT

Record Value

v=DKIM1; h=sha256; k=rsa; p=YOUR_PUBLIC_KEY_HERE

Replace YOUR_PUBLIC_KEY_HERE with your actual base64-encoded public key. Generate a key pair using:

openssl genrsa -out private.pem 2048 && openssl rsa -in private.pem -pubout -outform der | openssl base64 -A

How to publish this record

Generate a key pair using the OpenSSL command above
Log in to your DNS provider (Cloudflare, GoDaddy, Namecheap, Route53, etc.)
Create a new TXT record
Set the Name/Host to default._domainkey
Paste the record value above into the Value/Content field, replacing YOUR_PUBLIC_KEY_HERE with your public key
Configure your mail server to sign outbound emails with the private key
Save and wait up to 48 hours for propagation (usually under 1 hour)

Understanding DKIM

What is a DKIM selector?

A selector is a name that identifies which DKIM key to use. It lets you have multiple active keys for the same domain — useful for rotating keys or using different keys for different services.

RSA vs Ed25519 — which should I use?

RSA 2048-bit is the safe choice — it’s universally supported. Ed25519 is newer, faster, and uses shorter keys, but some older mail servers don’t support it yet. You can publish both.

How do I generate the key pair?

Use OpenSSL: openssl genrsa -out private.pem 2048 for the private key, then openssl rsa -in private.pem -pubout -outform der | openssl base64 -A for the public key to paste into your DNS record.

Should I enable test mode?

Enable t=y during initial setup so DKIM failures don’t cause rejections. Once you’ve verified signatures are working correctly, remove test mode to enforce DKIM.

Related Free Tools

DKIM Record Checker → SPF Record Builder → DMARC Record Generator → Deliverability Check →

Why We Built This Tool

DKIM setup has two parts: the DNS record and enabling signing in your mail server. Most guides cover only one. This generator builds the exact record with the correct selector, key type, and format — plus OpenSSL commands to generate the key pair.

What Goes Wrong Without This

Manual DKIM record construction is error-prone. Selector naming inconsistencies, weak key lengths, missing hash algorithms, and DNS formatting mistakes cause signature verification failures. These fail silently — emails land in spam without bouncing.

Who This Tool Is For

E-commerce & DTC Brands

Teams setting up DKIM from scratch or rotating keys who need to generate correctly formatted DNS records without manual OpenSSL commands.

Email Marketing Agencies

Agencies managing DKIM setup for multiple client domains and needing to generate records with proper selector naming and key configuration.

B2B SaaS & Outbound Teams

Teams deploying dedicated sending infrastructure or configuring self-hosted mail servers with DKIM signing enabled.

Frequently Asked Questions

What is a DKIM selector?

A selector is a label that identifies which DKIM key to use for signing. It lets you have multiple active DKIM keys for the same domain — useful for rotating keys or using different keys for different services.

RSA vs Ed25519 — which should I use?

RSA 2048-bit is the safe choice — universally supported by all email providers. Ed25519 is newer, faster, and uses shorter keys, but older mail servers may not support it yet. You can publish both for compatibility.

How do I generate a DKIM key pair?

Use OpenSSL: 'openssl genrsa -out private.pem 2048' for the private key, then 'openssl rsa -in private.pem -pubout -outform der | openssl base64 -A' to create the public key for your DNS record.

Do I need an InboxEagle account to use this tool?

No. This tool is completely free and requires no account or sign-up. InboxEagle provides it as a standalone resource for email marketers, developers, and agencies.

Generate It. Publish It. Then Monitor It Doesn't Get Revoked.

Once you publish your DKIM record, InboxEagle monitors your DKIM signatures 24/7 — alerting you when keys expire, when signatures fail, and when it's time to rotate your keys.

Start DKIM Monitoring — Free Trial

No credit card required · Cancel anytime

Not ready yet? See how DKIM Monitoring works →