
DKIM Key Generator

Generate DKIM RSA key pairs to cryptographically sign your emails

Generate DKIM Keys

Selector: a unique identifier (e.g., "default", "google", "mailchimp"). Letters, numbers, hyphens, underscores only.

What is DKIM?

DKIM adds a digital signature to your emails, proving they came from your domain and weren't modified in transit.

  • Prevents email spoofing
  • Improves email deliverability
  • Required for DMARC compliance

Keep Your Private Key Safe

Configure it on your mail server. Never share it publicly.

Want automated management?

DMARC Busta's Autopilot manages SPF, DKIM, and DMARC automatically with AI-powered decisions.


What is DKIM (DomainKeys Identified Mail)?

Cryptographic email signing that proves your messages are authentic and unaltered

DKIM is an email authentication method that adds a cryptographic digital signature to every outgoing email. This signature is generated using a private key stored on your mail server and can be verified by anyone using a public key published in your DNS records.

When a receiving mail server gets an email claiming to be from your domain, it looks up the DKIM public key in your DNS and uses it to verify the signature. If the signature is valid, the server knows two things: the email genuinely originated from an authorised sender, and the message content has not been tampered with in transit.

DKIM works alongside SPF and DMARC to provide complete email authentication. While SPF verifies which servers are authorised to send email for your domain, DKIM proves that the email content is authentic and unaltered. DMARC ties both together with a policy that tells receiving servers what to do when checks fail.

For business owners, DKIM is essential for protecting your brand reputation and improving email deliverability. Major email providers like Google and Microsoft give preference to emails that pass DKIM verification, meaning your legitimate emails are more likely to reach the inbox rather than the spam folder.

Example DKIM DNS Record
v=DKIM1; k=rsa; p=MIGfMA0GCS...

How DKIM Works

  1. Mail server signs email with private key
  2. Signature is added to the email headers
  3. Receiver looks up public key via DNS
  4. Signature verified — authenticity confirmed

What This Tool Generates

Everything you need to set up DKIM signing for your domain

Public/Private Key Pair

A matched pair of RSA cryptographic keys. The private key signs outgoing emails on your mail server. The public key is published in DNS so receiving servers can verify signatures.

DNS TXT Record

A ready-to-use DNS TXT record containing your public key, formatted correctly for immediate addition to your domain's DNS zone.

Selector Configuration

The selector is a label that identifies your DKIM key in DNS. It allows you to have multiple DKIM keys for different email services, each with their own selector (e.g., google, mailchimp).

Key Size Selection

  • 2048-bit (Recommended)
  • 1024-bit (Legacy)

Choose between 1024-bit keys for legacy compatibility or 2048-bit keys for stronger security. We recommend 2048-bit for all new deployments.
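
The record name and TXT value described above can be built as in the following added example, which is not this tool's code. It goes one step beyond the page: a single DNS TXT string holds at most 255 bytes, so a 2048-bit key has to be published as several quoted strings that verifiers join back together. The function names, the example.com domain and the placeholder key are assumptions made for illustration.

```python
import re

SELECTOR_RE = re.compile(r"[A-Za-z0-9_-]+")  # charset this page states for selectors

def dkim_record_name(selector, domain):
    """Return the DNS name where receivers look up the public key."""
    if not SELECTOR_RE.fullmatch(selector):
        raise ValueError(f"invalid selector: {selector!r}")
    return f"{selector}._domainkey.{domain.rstrip('.')}."

def dkim_txt_strings(public_key_b64, chunk=255):
    """Split the record value into strings of at most 255 bytes each."""
    value = "v=DKIM1; k=rsa; p=" + "".join(public_key_b64.split())
    return [value[i:i + chunk] for i in range(0, len(value), chunk)]

def zone_line(selector, domain, public_key_b64, ttl=3600):
    """Render a BIND-style zone file line for the record."""
    quoted = " ".join(f'"{s}"' for s in dkim_txt_strings(public_key_b64))
    return f"{dkim_record_name(selector, domain)} {ttl} IN TXT ( {quoted} )"

def reassemble(zone_txt):
    """What the verifier sees: the quoted strings joined with no separator."""
    return "".join(re.findall(r'"([^"]*)"', zone_txt))

# Constructed placeholder with the base64 length of a 2048-bit key (392 chars).
PLACEHOLDER_KEY = "A" * 392
LINE = zone_line("mailchimp", "example.com", PLACEHOLDER_KEY)
print(LINE)
```

A 1024-bit key's value fits in one string, which is why the split only shows up after moving to 2048-bit keys.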

Common DKIM Issues

Mistakes that can prevent DKIM from protecting your email

Using 1024-bit Keys

While 1024-bit keys still work and are accepted by most receiving servers, they are considered weaker by modern standards. A 2048-bit key provides significantly stronger cryptographic security and is now the recommended minimum. Fix: Generate a new 2048-bit key pair and update your DNS and mail server configuration.

Key Not Published in DNS

Generating a DKIM key pair is only the first step. The public key must be added as a TXT record in your domain's DNS for receiving servers to verify your signatures. Fix: Add the public key as a TXT record at selector._domainkey.yourdomain.com in your DNS zone.

Selector Mismatch

The selector configured in your mail server must exactly match the selector used in your DNS record name. If your mail server signs with selector s1 but your DNS record is published under default._domainkey, the signature verification will fail. Fix: Always double-check that both sides match.

Key Rotation

Like passwords, DKIM keys should be rotated periodically for security. If a private key is compromised, an attacker could sign emails as your domain. Regular rotation limits the window of exposure. Fix: Schedule key rotation every 6-12 months and use a new selector for each rotation.
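
Two of the issues above, selector mismatch and keys shorter than 2048 bits, can be checked offline from a published record and a DKIM-Signature header, as in this added example (not this tool's code). The header and record are constructed samples, sample_p builds a placeholder key structure of a chosen size rather than a real key, and the record is assumed to carry a p= value.

```python
import base64

def parse_tags(text):
    """Parse a DKIM tag=value list (DNS TXT value or DKIM-Signature header)."""
    pairs = (part.split("=", 1) for part in text.split(";") if "=" in part)
    return {k.strip(): "".join(v.split()) for k, v in pairs}

def read_tlv(buf, pos):
    """Read the DER element at pos; return (value_start, value_end)."""
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return pos, pos + length

def rsa_modulus_bits(p_b64):
    """Bit length of the RSA modulus in a base64 SubjectPublicKeyInfo (p=)."""
    der = base64.b64decode(p_b64)
    spki, _ = read_tlv(der, 0)            # outer SEQUENCE
    _, alg_end = read_tlv(der, spki)      # AlgorithmIdentifier
    bitstr, _ = read_tlv(der, alg_end)    # BIT STRING
    rsa, _ = read_tlv(der, bitstr + 1)    # skip the unused-bits octet
    start, end = read_tlv(der, rsa)       # INTEGER modulus
    return int.from_bytes(der[start:end], "big").bit_length()

def audit(record_name, record_value, signature_header):
    """Check one published record against one DKIM-Signature header."""
    rec, sig, findings = parse_tags(record_value), parse_tags(signature_header), []
    expected = f"{sig.get('s')}._domainkey.{sig.get('d')}"
    if record_name.rstrip(".").lower() != expected.lower():
        findings.append(f"selector mismatch: signer expects {expected}")
    if rsa_modulus_bits(rec["p"]) < 2048:
        findings.append("RSA key is shorter than 2048 bits")
    return findings

def tlv(tag, body):  # DER encoder, used only to build the constructed sample
    n, k = len(body), (len(body).bit_length() + 7) // 8
    size = bytes([n]) if n < 128 else bytes([0x80 | k]) + n.to_bytes(k, "big")
    return bytes([tag]) + size + body

def sample_p(bits):  # constructed placeholder p= value; not a usable key
    n = b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    rsa = tlv(0x30, tlv(0x02, n) + tlv(0x02, b"\x01\x00\x01"))
    alg = tlv(0x30, bytes.fromhex("06092a864886f70d0101010500"))
    return base64.b64encode(tlv(0x30, alg + tlv(0x03, b"\x00" + rsa))).decode()

# Constructed sample: the header signs with selector s1, DNS has "default".
SIGNATURE = "v=1; a=rsa-sha256; d=example.com; s=s1; h=from:to:subject"
RECORD = f"v=DKIM1; k=rsa; p={sample_p(1024)}"
print(audit("default._domainkey.example.com", RECORD, SIGNATURE))
```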

Automate this: DMARC Busta monitors your DKIM selectors, detects issues, and alerts you to problems before they affect your email delivery.

Frequently Asked Questions

What key length should I use?
2048-bit is recommended for all new DKIM deployments. It provides significantly stronger cryptographic security than 1024-bit keys. While 1024-bit keys still work and may be needed for compatibility with older systems, 2048-bit is the current industry standard and should be your default choice.

How do I add a DKIM record to DNS?
Add a TXT record to your domain's DNS zone. The record name follows the format selector._domainkey.yourdomain.com, where "selector" is the label you chose when generating the key (e.g., "default" or "google"). The record value is the public key string generated by this tool. Consult your DNS provider's documentation for specific instructions on adding TXT records.

Can I have multiple DKIM selectors?
Yes, having multiple DKIM selectors is common and recommended when you use multiple email services. For example, you might have one selector for your primary mail server (e.g., "default"), another for your marketing platform (e.g., "mailchimp"), and another for your transactional email service. Each service signs with its own private key and selector, and each has its own DNS record.

Does DKIM prevent spoofing on its own?
No. DKIM verifies that an email was signed by an authorised sender and that the content was not modified in transit, but it does not tell receiving servers what to do with unsigned or failed emails. To prevent spoofing, you need to combine DKIM with SPF (which authorises sending servers) and DMARC (which defines a policy for handling failures). All three protocols working together provide comprehensive email authentication.

Simplify DKIM Management

DMARC Busta monitors your DKIM selectors, detects issues, and helps you maintain healthy email authentication across all your domains.
