DNS Studio tool

DKIM record generator

Create an RSA key pair and the exact TXT record to publish. Keys are generated in your browser and never leave this page.


What this tool does

A DKIM setup needs two halves of one key: a private key your mail server signs with, and a public key published in DNS so receivers can verify those signatures. This tool generates both using your browser’s built-in WebCrypto API, then gives you the public half formatted as a ready-to-paste TXT record (v=DKIM1; k=rsa; p=…) and the private half as a standard PKCS#8 PEM file.

Because the keys are generated locally, nothing is sent to us or anyone else — there is no server component at all. That also means we cannot recover a key for you: download the private key and store it somewhere safe before you leave the page.

Which key length should I choose?

2048-bit is the right answer for almost everyone. It is the length RFC 8301 recommends, every mainstream receiver accepts it, and the record fits in DNS without fuss. 4096-bit gives a larger security margin but produces a record long enough that some DNS hosts mangle it, and RFC 8301 only obliges verifiers to support keys up to 4096-bit. 1024-bit remains verifiable but is weaker than recommended — pick it only if a legacy DNS host cannot store a longer value, and treat it as temporary. The trade-offs are covered in detail in our key length guide.

How to publish the record

  1. Choose a selector (the default here is date-based, e.g. s202607).
  2. Generate the key and copy the record value.
  3. At your DNS host, create a TXT record named selector._domainkey.yourdomain.com with that value.
  4. Install the private key on your mail server or sending service and set the same selector.
  5. Wait for DNS to propagate, then confirm the record with the DKIM checker and send yourself a test message.
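The generation and formatting steps described above can be sketched with WebCrypto as follows. This is an added example, not the tool's own code: the function names and the example.com domain in the usage are assumptions. It also covers one case the steps do not mention, splitting a TXT value longer than 255 bytes into several quoted strings.

```javascript
// Added example (not the tool's source). All function names are illustrative.
const b64 = (buf) => btoa(String.fromCharCode(...new Uint8Array(buf)));

// Logical TXT value: base64 of the DER SubjectPublicKeyInfo goes in p=.
function dkimTxtValue(spkiDer) {
  return `v=DKIM1; k=rsa; p=${b64(spkiDer)}`;
}

// One DNS TXT character-string holds at most 255 bytes, so a longer value is
// published as several quoted strings that verifiers concatenate before parsing.
function txtStrings(value, max = 255) {
  const parts = [];
  for (let i = 0; i < value.length; i += max) parts.push(value.slice(i, i + max));
  return parts;
}

// Private half as PKCS#8 PEM: base64 body wrapped at 64 columns.
function pkcs8Pem(pkcs8Der) {
  const body = b64(pkcs8Der).match(/.{1,64}/g).join("\n");
  return `-----BEGIN PRIVATE KEY-----\n${body}\n-----END PRIVATE KEY-----\n`;
}

async function generateDkimKey(selector, domain, bits = 2048) {
  if (![1024, 2048, 4096].includes(bits)) throw new RangeError("unsupported key length");
  const pair = await crypto.subtle.generateKey(
    { name: "RSASSA-PKCS1-v1_5", modulusLength: bits,
      publicExponent: new Uint8Array([1, 0, 1]), hash: "SHA-256" },
    true, // extractable, so both halves can be exported below
    ["sign", "verify"]);
  const name = `${selector}._domainkey.${domain}`;
  const value = dkimTxtValue(await crypto.subtle.exportKey("spki", pair.publicKey));
  const quoted = txtStrings(value).map((s) => `"${s}"`).join(" ");
  return {
    name,
    value,                                      // what most DNS web forms want
    zoneLine: `${name}. IN TXT ( ${quoted} )`,  // zone-file form, pre-split
    privateKeyPem: pkcs8Pem(await crypto.subtle.exportKey("pkcs8", pair.privateKey)),
  };
}
```

A 2048-bit key yields a 410-character value, so it always needs two strings, while a 1024-bit key fits in one. When the DNS host's form accepts a single long value, paste `value`; use `zoneLine` only when editing a zone file directly.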

If you sign with a hosted provider (Google Workspace, Microsoft 365, most sending platforms), you normally do not need this tool — the provider holds the private key and tells you exactly which record or CNAME to publish. This generator is for self-hosted mail servers such as Postfix with OpenDKIM or rspamd, Exim, or appliances that let you import a key.
