Free DKIM Record Generator
Generate Public and Private Key Pairs for Email Signing
What Does This Generator Create?
Our DKIM Record Generator produces two outputs: a private key in PEM format that you install on your mail server or configure in your email service provider, and a public key formatted as a ready-to-publish DNS TXT record. The public key record includes all required DKIM tags — version (v=DKIM1), key type (k=rsa), and the base64-encoded public key (p=). Simply copy the TXT record value and publish it at selector._domainkey.yourdomain.com in your DNS zone, then configure your mail server to sign outgoing messages with the corresponding private key.
Choosing Key Length and Selector
Select 2048-bit RSA for the best balance of security and compatibility — it is the recommended standard and supported by all major DNS providers and email services. 1024-bit is available for legacy compatibility but is considered weak. 4096-bit provides additional security margin but may exceed TXT record size limits at some DNS hosts. For the selector name, use something descriptive and versioned — for example, google2025, mailchimp-prod, or ses-v2. Descriptive selectors make it easy to identify which service uses which key and simplify key rotation when the time comes.
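The two sections above describe what the generator emits (a public key wrapped in a v=DKIM1; k=rsa; p=... TXT record) and why 4096-bit keys can run into TXT size limits. The following stand-alone Python (standard library only) is an added example, not the generator's own code: it builds the SubjectPublicKeyInfo DER that the p= tag carries, formats the record, splits it into the 255-byte strings a TXT resource record is made of, and parses a published record back to report the key size. The RSA key generation is a small textbook Miller-Rabin routine included only so the example runs offline; in practice take the key pair from openssl or a vetted library and use just the DER/record helpers.

```python
"""Build, split and parse a DKIM DNS TXT record (RFC 6376) for an RSA key.

Added example, not the generator's own code. Key generation is a toy
Miller-Rabin routine kept here so the example runs offline; production keys
should come from openssl or a vetted library.
"""
import base64
import secrets

RSA_OID = bytes.fromhex("06092a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption

# --- minimal DER encode/decode: only what a SubjectPublicKeyInfo needs --------
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body

def _der_int(v: int) -> bytes:
    body = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:  # leading zero keeps the INTEGER positive
        body = b"\x00" + body
    return _der(0x02, body)

def _der_read(buf: bytes, off: int = 0):
    """Return (tag, body, offset_after) for the TLV starting at buf[off]."""
    tag, ln, off = buf[off], buf[off + 1], off + 2
    if ln & 0x80:  # long form: low bits give the number of length bytes
        nbytes = ln & 0x7F
        ln, off = int.from_bytes(buf[off:off + nbytes], "big"), off + nbytes
    return tag, buf[off:off + ln], off + ln

def rsa_public_key_der(n: int, e: int) -> bytes:
    """SubjectPublicKeyInfo DER: the bytes inside an 'openssl rsa -pubout' PEM."""
    rsa_key = _der(0x30, _der_int(n) + _der_int(e))          # RSAPublicKey {n, e}
    alg = _der(0x30, RSA_OID + b"\x05\x00")                   # rsaEncryption + NULL
    return _der(0x30, alg + _der(0x03, b"\x00" + rsa_key))    # BIT STRING, 0 unused bits

# --- toy RSA key generation (example only) -----------------------------------
def _is_probable_prime(n: int, rng, rounds: int = 32) -> bool:
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):  # Miller-Rabin with random witnesses
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int, rng) -> int:
    while True:
        cand = rng.getrandbits(bits) | (3 << (bits - 2)) | 1  # top two bits set, odd
        if _is_probable_prime(cand, rng):
            return cand

def generate_rsa_keypair(bits: int, rng=None):
    """Return (n, e, d); both top bits of p and q set makes n exactly `bits` long."""
    rng = rng or secrets.SystemRandom()
    e = 65537
    while True:
        p, q = _random_prime(bits // 2, rng), _random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return p * q, e, pow(e, -1, phi)

# --- the DKIM record itself ---------------------------------------------------
def dkim_txt_record(pub_der: bytes) -> str:
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(pub_der).decode()

def split_txt_strings(record: str, limit: int = 255) -> list:
    """A TXT RR is a series of <=255-byte strings; 4096-bit keys always need several."""
    return [record[i:i + limit] for i in range(0, len(record), limit)]

def parse_dkim_record(txt_strings) -> dict:
    """Join the TXT strings and parse tag=value pairs; whitespace inside values is dropped."""
    tags = {}
    for part in "".join(txt_strings).split(";"):
        key, _, value = part.partition("=")
        if key.strip():
            tags[key.strip()] = "".join(value.split())
    return tags

def rsa_modulus_bits(p_tag: str) -> int:
    """Key size in a published p= tag: SPKI -> BIT STRING -> RSAPublicKey -> INTEGER n."""
    _, spki, _ = _der_read(base64.b64decode(p_tag))
    _, alg, off = _der_read(spki)
    tag, bit_string, _ = _der_read(spki, off)
    if tag != 0x03 or not alg.startswith(RSA_OID):
        raise ValueError("p= is not an rsaEncryption SubjectPublicKeyInfo")
    _, rsa_key, _ = _der_read(bit_string[1:])  # skip the unused-bits byte
    _, n_bytes, _ = _der_read(rsa_key)
    return int.from_bytes(n_bytes, "big").bit_length()

if __name__ == "__main__":
    n, e, _d = generate_rsa_keypair(2048)
    record = dkim_txt_record(rsa_public_key_der(n, e))
    for s in split_txt_strings(record):
        print(f'"{s}"')  # publish these strings at <selector>._domainkey.<domain>
    print("published key size:", rsa_modulus_bits(parse_dkim_record(split_txt_strings(record))["p"]))
```

Running the script prints the quoted strings to paste into the zone; a 2048-bit record is about 410 characters and therefore arrives as two strings, which every compliant resolver concatenates. The parser is the same check a DKIM checker performs on the published side: it reassembles the strings, tolerates folding whitespace inside p=, and reads the modulus size out of the DER so a weak 1024-bit key is spotted without any signing traffic.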
Installing Your DKIM Keys
The installation process depends on your email sending infrastructure. For cloud services like Google Workspace or Microsoft 365, you typically paste the public key into the admin console, and the service handles DNS publication or provides the exact TXT record to add. For self-hosted mail servers (Postfix, Exim, Exchange), install the private key on the server and configure the DKIM signing filter (e.g., OpenDKIM, Rspamd) with the correct selector and domain. After installation, send a test email and use our DKIM Checker to verify the signature validates correctly.
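For the self-hosted case, the following is an added configuration example for OpenDKIM behind Postfix; it is not the generator's own output or any project's shipped config. It assumes the placeholder domain example.com, the selector ses-v2 from the naming advice above, and that the private key produced by the generator has been saved under /etc/opendkim/keys/; adjust paths and names to your server.

```conf
# /etc/opendkim/opendkim.conf (relevant directives only)
Syslog                  yes
UMask                   007
# s = sign outgoing mail, v = verify inbound signatures
Mode                    sv
Canonicalization        relaxed/simple
# Oversigning From stops a second From: header being appended after signing
OversignHeaders         From
KeyTable                refile:/etc/opendkim/KeyTable
SigningTable            refile:/etc/opendkim/SigningTable
Socket                  inet:8891@localhost
UserID                  opendkim

# /etc/opendkim/KeyTable  --  <name>  <domain>:<selector>:<private key path>
# The private key must be readable only by the opendkim user (chmod 600).
ses-v2._domainkey.example.com example.com:ses-v2:/etc/opendkim/keys/example.com/ses-v2.private

# /etc/opendkim/SigningTable  --  <sender pattern>  <KeyTable name>
*@example.com ses-v2._domainkey.example.com

# /etc/postfix/main.cf  --  hand outgoing mail to the milter for signing
smtpd_milters           = inet:localhost:8891
non_smtpd_milters       = $smtpd_milters
milter_default_action   = accept
milter_protocol         = 6

# Before sending the test message, confirm the published record matches the key:
#   opendkim-testkey -d example.com -s ses-v2 -vvv
```

The KeyTable name is what the SigningTable refers to, so the selector in the KeyTable entry must be the same one whose TXT record you published; a mismatch signs mail with a key that no resolver can find, which shows up as a DKIM "permerror" or "fail" on the receiving side rather than as a local error.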
Key Rotation Strategy
Plan to rotate DKIM keys at least once per year. The process is straightforward: generate a new key pair with a new selector (e.g., increment from google2024 to google2025), publish the new selector's TXT record in DNS, wait for DNS propagation, update your sending infrastructure to sign with the new key, confirm the new selector passes our DKIM Checker, and finally remove the old selector from DNS after a grace period (48 to 72 hours to allow in-transit messages signed with the old key to be delivered and verified). This limits the exposure window if a private key is ever compromised.
