// free tool, no signup

Free DKIM Record Generator

Generate a 2048-bit RSA key pair entirely in your browser, then copy the DKIM TXT record to publish in DNS and the matching private key to install in your sending platform. Nothing is uploaded or stored, and the private key never leaves your device.

Generated a record? Confirm it resolves with the DKIM checker, then see where your mail lands with a free inbox placement test.

// what it is

What a DKIM record generator does

DKIM (DomainKeys Identified Mail) signs your outgoing messages with a private key so receivers can verify, using a public key you publish in DNS, that the mail really came from your domain and was not altered in transit. This generator creates a fresh 2048-bit RSA key pair with your browser's built-in Web Crypto, formats the public half as a DKIM TXT record (v=DKIM1; k=rsa; p=...) for DNS, and gives you the private half as a PEM file for your mail server or ESP. Because the keys are generated locally, the private key is never transmitted anywhere. You publish the record at selector._domainkey.yourdomain.com, where the selector is a short label you choose.

// reading the result

How to read your result

  • Selector

    A short label you pick (for example unspam or 2026a) that names this key. You publish the record at selector._domainkey.yourdomain.com and configure your platform to sign with the same selector. Use a new selector when you rotate keys.

  • p= public key

    The base64 public key inside the TXT record. Receivers fetch it from DNS to verify your signature. It is safe to publish and cannot be used to sign mail.

  • The private key

    The PEM block you install in your mail server or ESP. It signs your outgoing mail and must stay secret. Anyone who has it can sign mail as your domain, so store it securely and never put it in DNS.

  • k=rsa and key length

    The generator uses RSA at 2048 bits, the current recommendation. 1024-bit keys are widely treated as too weak, and a growing number of providers reject them.

  • t=y testing flag

    Optional. While t=y is present, receivers treat the domain as testing and may ignore DKIM failures. Use it briefly during setup, then remove it once signing works.

// common issues

Common problems and fixes

Publishing the private key by mistake

Only the public record (the v=DKIM1 value with p=) goes in DNS. The PEM private key belongs in your sending platform, never in a DNS record. Keep a secure backup of it.

The TXT value is rejected as too long

A single DNS TXT string is capped at 255 characters and a 2048-bit key is longer. Split the value into multiple quoted strings inside one TXT record; most DNS hosts do this automatically when you paste it.

Selector mismatch

The selector in DNS must match the selector your platform signs with. If they differ, receivers look up the wrong record and DKIM fails. Set both to the same label.

Publishing the record but not enabling signing

The DNS record alone does nothing. You also have to install the private key and turn on DKIM signing for this selector in your mail server or ESP.

Using a 1024-bit key

Older setups still use 1024-bit keys, which are below today's recommendation. Generate a 2048-bit key with a fresh selector and retire the old one.
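
The steps described under "What a DKIM record generator does" and the split from "The TXT value is rejected as too long", written with the Web Crypto API. This is an added example, not the tool's own source; the function names, the selector s2026 and the domain example.com are assumptions.

```javascript
// Added example, not the generator's own code. All names here are hypothetical.
// Web Crypto is global in browsers and recent Node; the require() is an older-Node fallback.
const subtle = (globalThis.crypto ?? require("node:crypto").webcrypto).subtle;

// Base64-encode an ArrayBuffer (DER bytes).
const b64 = (buf) => btoa(String.fromCharCode(...new Uint8Array(buf)));

// Wrap base64 DER in PEM armor, 64 characters per line.
const toPem = (label, buf) =>
  `-----BEGIN ${label}-----\n${b64(buf).match(/.{1,64}/g).join("\n")}\n-----END ${label}-----\n`;

// One DNS TXT string holds at most 255 characters, so a long value is published
// as several quoted strings inside one record; resolvers concatenate them.
function splitTxt(value, max = 255) {
  return value.match(new RegExp(`.{1,${max}}`, "g")).map((s) => `"${s}"`).join(" ");
}

async function generateDkim(selector, domain, { testing = false } = {}) {
  // Selector rule as stated on this page: a short label of letters and numbers.
  if (!/^[a-z0-9]+$/i.test(selector)) throw new Error("selector must be letters and numbers");
  const { publicKey, privateKey } = await subtle.generateKey(
    { name: "RSASSA-PKCS1-v1_5", modulusLength: 2048,
      publicExponent: new Uint8Array([1, 0, 1]), hash: "SHA-256" },
    true, ["sign", "verify"]);
  const spki = await subtle.exportKey("spki", publicKey);    // public half, goes in DNS
  const pkcs8 = await subtle.exportKey("pkcs8", privateKey); // private half, stays local
  const value = `v=DKIM1; k=rsa; ${testing ? "t=y; " : ""}p=${b64(spki)}`;
  return {
    name: `${selector}._domainkey.${domain}`,   // where the TXT record is published
    value,                                      // full record value, unsplit
    txt: splitTxt(value),                       // same value as quoted <=255-char strings
    privateKeyPem: toPem("PRIVATE KEY", pkcs8), // install in the mail server or ESP only
    modulusLength: publicKey.algorithm.modulusLength,
  };
}
```

Only `name` and `txt` are meant for DNS; `privateKeyPem` is the value to install in the sending platform and keep secret.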

// FAQ

Questions, answered.

Is it safe to generate a DKIM key in the browser?

Yes. The key pair is created with the Web Crypto API on your own device and is never sent to us or anyone else. Treat the private key like a password: install it in your sending platform and keep a safe backup. Only the public record goes in DNS.

What selector should I use?

Any short label made of letters and numbers, for example unspam or s2026. Pick something you will recognize, and use a new selector each time you rotate keys so the old key keeps working until you remove it.

Where do I publish the DKIM record?

As a TXT record at selector._domainkey.yourdomain.com, using the same selector you configured for signing. After it propagates, verify it with the DKIM checker.

Why a 2048-bit key?

2048-bit RSA is the current standard: strong enough for modern requirements and supported everywhere. 1024-bit keys are increasingly rejected, and very long keys can be awkward to publish in a single TXT record.

How do I confirm DKIM is working?

Publish the record, install the private key, and enable signing, then send yourself a message and check it with the DKIM checker or a full deliverability test. A passing, aligned DKIM signature also satisfies DMARC.