DKIM Record Generator

A DKIM (DomainKeys Identified Mail) record is a DNS TXT record published at selector._domainkey.yourdomain.com that contains the public key used to verify DKIM signatures on outgoing emails. When a mail server signs an email with DKIM, it adds a cryptographic signature to the email header. Receiving servers look up the DKIM record to retrieve the public key and verify the signature, confirming the email hasn't been tampered with in transit.

A DKIM selector is a label that identifies a specific DKIM key pair for a domain. It allows a domain to have multiple DKIM keys simultaneously — for example, different selectors for different mail servers or services. Common selectors include "default", "google", "k1", or "selector1". The selector is included in the DKIM-Signature header of each email so the receiver knows which public key to look up.

RSA (2048-bit) is the most widely supported and recommended choice for DKIM. Ed25519 offers smaller keys and faster verification, but it is not yet universally supported by all mail providers. If you want maximum compatibility, use RSA with 2048-bit keys. For forward-looking security, you can publish both an RSA key and an Ed25519 key using different selectors.

For RSA keys, 2048-bit is the recommended minimum and the standard used by most email providers including Google and Microsoft. 1024-bit keys are considered weak and may be rejected by some receivers. 4096-bit keys provide stronger security but may cause issues with DNS TXT record size limits (255 characters per string). 2048-bit offers the best balance of security and compatibility.

First, generate a key pair using OpenSSL (e.g., openssl genrsa -out private.pem 2048 for RSA) or your email service's built-in DKIM key generator. Extract the public key, base64-encode it, and publish it in a DNS TXT record at selector._domainkey.yourdomain.com. Configure your mail server to sign outgoing emails with the private key. Finally, test your setup by sending an email and checking the DKIM-Signature header, or use our DKIM Checker to verify the DNS record.