SenderKit
FREE DKIM generator · keys never leave your browser

DKIM Record Generator

Generate an RSA keypair right here — it’s created locally with Web Crypto and never sent anywhere. Publish the public half as a DNS TXT record and install the private key on whatever signs your mail.

Generated locally in your browser with Web Crypto — keys never leave this page.

How to use it

  1. Pick a selector (any short label like s1) and generate the keypair.
  2. Publish the public record as a TXT record at <selector>._domainkey on your domain.
  3. Install the private key on the server or service that sends your mail, configured to sign with the same selector.
  4. Send a test message and confirm DKIM passes (most providers show dkim=pass in the message headers).

RSA 2048 vs 1024

Use 2048-bit unless something you’re integrating with genuinely can’t handle it. 1024-bit keys still work but are increasingly treated as weak, and some receivers discount them. The only real cost of 2048 is that the public key no longer fits in a single 255-character DNS string — which your DNS host splits for you automatically.

Keep the private key private

The private key is what proves a message is really from you — anyone who has it can sign mail as your domain. It’s generated entirely in your browser and never transmitted, but once you copy it, store it like any other secret: in your mail server’s key store or a secrets manager, never in a repo. To rotate, generate a new key under a new selector, publish it, switch signing over, then remove the old record.

DKIM is one of three

DKIM proves a message wasn’t tampered with; SPF says which servers may send for you; and DMARC ties them together and tells receivers what to do on failure. You want all three.

Frequently asked questions

What is a DKIM record?

DKIM (DomainKeys Identified Mail) signs your outgoing mail with a private key. The matching public key is published as a DNS TXT record at <selector>._domainkey.yourdomain.com, so receivers can verify the message wasn't altered and really came from your domain.

Is it safe to generate the key in my browser?

Yes. The keypair is generated locally using the browser's built-in Web Crypto API and never sent anywhere. Still, treat the private key like a password: store it securely on the server that signs your mail and never commit it to source control.

What is a DKIM selector?

A selector is a label (like s1 or mail) that lets you publish more than one DKIM key on a domain — useful for rotating keys or using different providers. It becomes part of the DNS host: <selector>._domainkey.

Why is my DKIM record longer than 255 characters?

A 2048-bit RSA public key encodes to more than 255 characters, and a single DNS TXT string maxes out at 255. The fix is to split the value into multiple quoted strings within one TXT record — most DNS providers do this for you automatically when you paste the value.
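
The flow this page describes, as an added example (not SenderKit's own code): generate the keypair with Web Crypto, format the v=DKIM1 TXT value, split it into 255-character strings, then reassemble and re-import the record to confirm the key size before publishing. All function names are hypothetical.

```javascript
// Added example, not SenderKit's code; all function names are hypothetical.
// Uses the browser's Web Crypto; the require() fallback is only for older Node.
const subtle = globalThis.crypto?.subtle ?? require("node:crypto").webcrypto.subtle;

const toBase64 = (buf) => btoa(String.fromCharCode(...new Uint8Array(buf)));
const fromBase64 = (b64) => Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));

// Generate the keypair locally; returns the PKCS#8 PEM private key and the TXT value.
async function generateDkim(bits = 2048) {
  const pair = await subtle.generateKey(
    { name: "RSASSA-PKCS1-v1_5", modulusLength: bits,
      publicExponent: new Uint8Array([1, 0, 1]), hash: "SHA-256" },
    true, ["sign", "verify"]);
  const spki = toBase64(await subtle.exportKey("spki", pair.publicKey));
  const pkcs8 = toBase64(await subtle.exportKey("pkcs8", pair.privateKey));
  const privatePem = "-----BEGIN PRIVATE KEY-----\n" +
    pkcs8.match(/.{1,64}/g).join("\n") + "\n-----END PRIVATE KEY-----\n";
  return { privatePem, txtValue: `v=DKIM1; k=rsa; p=${spki}` };
}

// One TXT character-string holds at most 255 bytes, so emit quoted chunks.
function splitTxt(value, max = 255) {
  return value.match(new RegExp(`.{1,${max}}`, "g")).map((s) => `"${s}"`).join(" ");
}

// Verifiers concatenate the strings of one TXT record with no separator.
function joinTxt(zoneText) {
  return [...zoneText.matchAll(/"([^"]*)"/g)].map((m) => m[1]).join("");
}

// Pre-publish check: reassemble, parse the tags, import p= and report key size.
async function checkDkimRecord(zoneText) {
  const tags = {};
  for (const part of joinTxt(zoneText).split(";")) {
    const i = part.indexOf("=");            // base64 padding also contains "="
    if (i > 0) tags[part.slice(0, i).trim()] = part.slice(i + 1).replace(/\s+/g, "");
  }
  const key = await subtle.importKey("spki", fromBase64(tags.p),
    { name: "RSASSA-PKCS1-v1_5", hash: "SHA-256" }, false, ["verify"]);
  return { version: tags.v, keyType: tags.k, bits: key.algorithm.modulusLength };
}
```

The string returned by splitTxt is the value to paste into the TXT record at <selector>._domainkey; privatePem goes only to the signing server's key store.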
