DKIM Key Generator
Generate RSA keypairs for DKIM email signing in your browser. Your private key never leaves your device.
What is DKIM and why does it matter?
DKIM (DomainKeys Identified Mail), defined in RFC 6376, is an email authentication protocol that lets domain owners cryptographically sign outgoing messages. When your mail server sends an email, it attaches a digital signature in the DKIM-Signature header. Receiving servers query your DNS to retrieve the matching public key and verify the signature — proving that the signed headers and body were not altered in transit and that the message was genuinely authorised by your domain.
Without DKIM, anyone can spoof your domain in the From header, sending phishing emails that appear to come from you. Major ISPs including Gmail, Outlook, and Yahoo factor DKIM pass/fail into spam scoring. A missing or invalid DKIM record routinely pushes legitimate cold outreach and transactional email into junk folders.
DKIM, SPF, and DMARC — the authentication trilogy
DKIM operates alongside two complementary standards. SPF (Sender Policy Framework) restricts which IP addresses are authorised to send mail for your domain. DMARC (Domain-based Message Authentication, Reporting, and Conformance) ties DKIM and SPF together, instructing receivers to quarantine or reject mail that fails both checks (or whose passing check does not align with the From domain) and providing aggregate reporting so you can monitor deliverability. All three are now required by Gmail and Yahoo for bulk senders.
Selectors and key rotation
A selector is a DNS label that lets you publish multiple DKIM keys simultaneously: the signature carries it in its s= tag, and receivers look up the key at selector._domainkey.yourdomain.com. Common selectors include default, google, sendgrid, or date-stamped labels like 2024jan. This lets you rotate keys on a schedule (every 6–12 months is best practice) or assign a separate keypair to each ESP without disrupting other senders.
How this tool generates your keys
All cryptography runs entirely inside your browser using the Web Crypto API (window.crypto.subtle.generateKey). No data is transmitted to any server. The private key is shown once for you to copy — it is never stored or logged.
Frequently asked questions
Is 1024-bit DKIM still acceptable?
Some legacy systems only support 1024-bit keys, but 2048-bit is the modern standard. Google has required at least 1024-bit since 2012. Always choose 2048-bit for new deployments.
My DNS provider truncates long TXT values — what do I do?
Split the key value into multiple quoted strings separated by a space within the same TXT record. Most providers handle this automatically when you paste values longer than 255 characters.
How do I verify my DKIM record is live?
Run: dig TXT selector._domainkey.yourdomain.com. You can also use MXToolbox or Google Admin Toolbox. Allow up to 48 hours for DNS propagation.
Can I reuse the same keypair for multiple ESPs?
No. Each ESP should have its own selector and keypair. This limits the blast radius if one key is compromised and makes key rotation per-provider straightforward.
