DKIM Key Generator

Generate an RSA key pair and the matching DKIM DNS TXT record.

Overview

The DKIM key generator creates a fresh RSA key pair and formats the public half as the DNS TXT record you publish to authorise outgoing mail. Pick a selector and a key size (1024 or 2048 bits), and the tool returns both the private key — which you import into your mail server — and the exact v=DKIM1; k=rsa; p=... string to paste into your zone file.

Email administrators bringing up a new domain, marketing teams setting up a transactional mail provider, and developers configuring Postfix or a Lambda mailer all need to generate a DKIM key pair without command-line OpenSSL gymnastics.

How it works

DomainKeys Identified Mail (DKIM) is defined in RFC 6376. The sending mail server signs outgoing messages with a private key; receivers fetch the matching public key from DNS using the selector and domain in the signature header (selector._domainkey.example.com). The signature covers selected headers and the body hash, so any in-flight modification breaks verification.

Key size matters. 1024-bit RSA is the legacy minimum; 2048-bit is now the recommended default for new deployments and what every major provider checks for. Some legacy receivers still cap support at 2048 bits. The public key is published as a TXT record. If the record exceeds 255 characters, it is split into quoted strings of at most 255 characters each, and the DNS resolver concatenates them back together when the record is read.

Examples

  • Selector mail2026, 2048-bit key → DNS record mail2026._domainkey.example.com IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAA...".
  • Rotate keys every 6–12 months by publishing a new selector alongside the old one and switching the signer.
  • Use distinct selectors per sending service: mailchimp._domainkey, postmark._domainkey, ses._domainkey.
  • Test with dig +short TXT mail2026._domainkey.example.com before sending live mail.
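
An added example, not part of the original page or the tool's own code: a checker for a published DKIM record that joins the quoted strings from dig output, parses the tag list, and reads the RSA modulus size out of the p= value to flag keys below 2048 bits. All function names and the SAMPLE_* values are assumptions made for illustration; the sample uses a constructed filler modulus, not a real key.

```python
import base64, re

def split_txt(value, limit=255):
    """Split a TXT value into character-strings of at most `limit` characters."""
    return [value[i:i + limit] for i in range(0, len(value), limit)]

def strings_from_dig(line):
    """Extract the quoted strings from one line of `dig +short TXT` output."""
    return re.findall(r'"([^"]*)"', line)

def parse_record(strings):
    """Concatenate the strings as a verifier does, then parse the tag=value list."""
    pairs = (part.partition("=") for part in "".join(strings).split(";"))
    return {name.strip(): "".join(value.split()) for name, sep, value in pairs if sep}

def _tlv(buf, pos):
    """Read one DER element at pos and return (tag, content_start, content_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits count the length octets
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, pos, pos + length

def rsa_modulus_bits(p_b64):
    """Modulus size of the RSA SubjectPublicKeyInfo carried in the p= tag."""
    der = base64.b64decode(p_b64, validate=True)
    _, spki, _ = _tlv(der, 0)          # outer SEQUENCE
    _, _, alg_end = _tlv(der, spki)    # AlgorithmIdentifier, skipped
    _, bitstr, _ = _tlv(der, alg_end)  # BIT STRING wrapping RSAPublicKey
    _, rsa, _ = _tlv(der, bitstr + 1)  # +1 skips the unused-bits octet
    tag, start, end = _tlv(der, rsa)   # first INTEGER is the modulus
    if tag != 0x02:
        raise ValueError("p= does not hold an RSA SubjectPublicKeyInfo")
    return int.from_bytes(der[start:end], "big").bit_length()

def check_record(strings):
    """Return findings for a published record; an empty list means it passed."""
    findings = [f"string of {len(s)} characters exceeds 255" for s in strings if len(s) > 255]
    tags = parse_record(strings)
    if tags.get("v", "DKIM1") != "DKIM1" or not tags.get("p"):
        findings.append("v= is not DKIM1 or p= is empty")
    elif (size := rsa_modulus_bits(tags["p"])) < 2048:
        findings.append(f"{size}-bit RSA key, below the recommended 2048")
    return findings

# Constructed sample, not a usable key: 2048-bit SPKI header, filler modulus, e=65537.
SAMPLE_HEADER = bytes.fromhex("30820122300d06092a864886f70d01010105000382010f003082010a0282010100")
SAMPLE_P = base64.b64encode(SAMPLE_HEADER + b"\xc3" * 256 + bytes.fromhex("0203010001")).decode()
SAMPLE_DIG = " ".join(f'"{s}"' for s in split_txt("v=DKIM1; k=rsa; p=" + SAMPLE_P))
```

check_record(strings_from_dig(SAMPLE_DIG)) returns an empty list for the constructed sample; feed it a line of dig +short TXT output for your own selector to check a published record.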

FAQ

Should I pick 1024 or 2048 bits?

2048. Some receivers warn or downgrade results when they encounter 1024-bit keys, and the additional computational cost is negligible for any modern mail server.

Where does the private key go?

Into your mail server's DKIM module — OpenDKIM, Rspamd, Postfix's milter, or your transactional provider's UI. Treat it like any other secret: file permissions 600, never committed to source control.

How often should I rotate the key?

Every 6–12 months is standard practice. Publish the new selector first, switch signing, then retire the old TXT record after a few days of overlap.

Can I use ed25519 instead of RSA?

DKIM2 (RFC 8463) defines ed25519. Support among receivers is still uneven — publish RSA as the primary and ed25519 as a secondary selector if you want to experiment.
