DKIM DNS Record Generator
Generate the DNS TXT record needed to publish a DKIM (DomainKeys Identified Mail) public key. Paste a PEM or raw base64 public key, set your selector and key type, and get the ready-to-publish DNS host (selector._domainkey) and TXT value (v=DKIM1; k=rsa; p=…). Optionally generate a fresh 2048-bit RSA keypair with WebCrypto — the private key never leaves your browser.
How to use the DKIM DNS Record Generator
You need your DKIM public key in PEM or base64 format. How to get it depends on your setup:
- Most mail services (Google Workspace, Microsoft 365, SendGrid) show you the DNS record directly in their admin UI — you may not need this tool at all for those. Use it if you generate your own keypair.
- Self-managed MTA (Postfix, Exim, OpenDKIM): run opendkim-genkey -s selector -d yourdomain.com — it writes selector.private and selector.txt. Paste the public key from the p= field in selector.txt here.
Or click Generate RSA Keypair to create a fresh 2048-bit RSA key in your browser (WebCrypto). The public key fills the textarea automatically; the private key is shown below with a reminder to store it securely — it is needed by your mail server to sign outgoing messages.
Set your selector — any alphanumeric string (commonly the year, google, s1, mail). The selector is part of the DNS host: selector._domainkey.yourdomain.com. Set testing mode (t=y) while validating — it tells receivers not to enforce DKIM failures yet.
Click Generate Record. The output shows the DNS host, the TXT value, and a BIND-compatible version with the base64 split into 255-character quoted strings (required by most DNS servers).
About DKIM Records
DKIM (DomainKeys Identified Mail, RFC 6376) is an email authentication method that adds a cryptographic signature to outgoing messages. Your mail server holds a private key and uses it to sign a hash of selected headers and the message body. The signature is included in a DKIM-Signature: header. When the receiving server gets the message, it retrieves the corresponding public key from DNS (at selector._domainkey.yourdomain.com) and verifies the signature. If the verification passes, the signed headers and the message body were not altered in transit.
DKIM alone does not prevent spoofing of the visible From: header — a phisher can DKIM-sign a message with their own domain while showing your domain in From:. That is why DMARC (Domain-based Message Authentication, Reporting, and Conformance) is needed alongside DKIM: DMARC checks that the DKIM d= domain aligns with the From: header domain. Together, SPF + DKIM + DMARC provide strong anti-spoofing coverage.
The DNS record format is v=DKIM1; k=rsa; p=<base64-public-key>. The p= value is the base64 DER encoding of the SubjectPublicKeyInfo structure (the same bytes as the body of a PEM public key file). Many DNS providers limit TXT records to 255 characters per string — long RSA keys (2048-bit) produce a ~392-character base64 value, which must be split into multiple quoted strings in a BIND zone file: "chunk1" "chunk2". DNS resolvers automatically concatenate the strings. This tool outputs the split format for BIND and the single-string format for control panels that handle splitting internally.
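As an added example (not the tool's own code), the record-building steps described above in Python: it normalises a PEM or raw base64 key, checks that the p= value decodes to a DER SEQUENCE, assembles the TXT value with an optional t=y tag, and splits it into 255-character quoted strings for BIND. The sample key is a constructed byte string sized like a 2048-bit RSA SubjectPublicKeyInfo, not a real key.

```python
import base64
import binascii
import re
import textwrap

MAX_STRING = 255  # RFC 1035 limit for one <character-string> inside a TXT record

def pem_to_base64(key_text: str) -> str:
    """Accept a PEM public key (BEGIN/END armor) or raw base64; return one whitespace-free base64 line."""
    lines = (ln.strip() for ln in key_text.strip().splitlines())
    body = "".join(ln for ln in lines if ln and not ln.startswith("-----"))
    return re.sub(r"\s+", "", body)

def check_spki(b64: str) -> bytes:
    """Reject malformed base64 and anything that is not a DER SEQUENCE (SubjectPublicKeyInfo starts with 0x30)."""
    try:
        der = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"p= value is not well-formed base64: {exc}") from exc
    if not der or der[0] != 0x30:
        raise ValueError("decoded key does not start with a DER SEQUENCE; expected SubjectPublicKeyInfo")
    return der

def build_dkim_record(selector: str, domain: str, key_text: str,
                      key_type: str = "rsa", testing: bool = False) -> dict:
    """Return the DNS host, the single-string TXT value, the 255-char chunks and a BIND zone line."""
    if not re.fullmatch(r"[A-Za-z0-9-]+", selector):
        raise ValueError("selector must be a single DNS label (letters, digits, hyphen)")
    b64 = pem_to_base64(key_text)
    check_spki(b64)
    tags = ["v=DKIM1", f"k={key_type}"]
    if testing:
        tags.append("t=y")  # tells receivers not to enforce DKIM failures yet
    tags.append(f"p={b64}")
    txt = "; ".join(tags)
    host = f"{selector}._domainkey.{domain}"
    # BIND needs every quoted string <= 255 chars; resolvers concatenate them in order
    chunks = [txt[i:i + MAX_STRING] for i in range(0, len(txt), MAX_STRING)]
    bind = f"{host}. IN TXT ( " + " ".join(f'"{c}"' for c in chunks) + " )"
    return {"host": host, "txt": txt, "chunks": chunks, "bind": bind}

# Constructed sample, not a real key: a DER SEQUENCE header padded to the 294-byte
# size of a 2048-bit RSA SubjectPublicKeyInfo, so the base64 comes out at 392 chars.
SAMPLE_DER = b"\x30\x82\x01\x26" + b"\x00" * 290
SAMPLE_PEM = ("-----BEGIN PUBLIC KEY-----\n"
              + "\n".join(textwrap.wrap(base64.b64encode(SAMPLE_DER).decode(), 64))
              + "\n-----END PUBLIC KEY-----\n")

if __name__ == "__main__":
    rec = build_dkim_record("s1", "example.com", SAMPLE_PEM, testing=True)
    print(rec["host"])
    print(rec["bind"])
```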
Common use cases
- Self-managed mail server setup — generate a keypair, configure the private key in OpenDKIM or Postfix, and publish the DNS record from the public key output.
- Key rotation — DKIM best practice recommends rotating keys every 6-12 months. Generate a new keypair under a new selector, publish it, update your MTA config, then remove the old selector after a TTL.
- Testing and staging — use testing mode (t=y) on a new selector while verifying the signature is working before switching to enforce mode.
- Multi-domain DKIM — generate separate records per domain if you sign mail for multiple domains from the same infrastructure.
- Verifying an existing key — paste a public key from your MTA config to double-check that the base64 is well-formed before publishing the DNS record.
Frequently asked questions
What is a DKIM selector?
The selector is the label that forms the first part of the DKIM DNS host name: selector._domainkey.yourdomain.com. It allows you to have multiple DKIM keys at once — useful during key rotation (old and new selectors both exist in DNS simultaneously) or for different outbound mail services (e.g. google._domainkey for Google Workspace, sg._domainkey for SendGrid).
What is the difference between RSA and Ed25519 DKIM keys?
Why does my DKIM TXT record need to be split into 255-char strings?
I generated a keypair — where does the private key go?
Store it on your mail server and point the signer at it with KeyFile in opendkim.conf. For Postfix with the OpenDKIM milter, the same applies. The file should be readable only by the mail daemon user. Never share or expose the private key — anyone with it can forge DKIM-signed email from your domain.
What does testing mode (t=y) do?
Adding t=y to the DKIM DNS record signals to receivers that the key is in testing mode. Receivers that support this flag should not enforce DKIM failures (i.e. they should not let a failing DKIM result negatively influence spam scoring). It is useful when you are deploying DKIM for the first time and want to verify that signatures are correct before enabling enforcement.