Relaymetry

DKIM Record Generator

Generate a DKIM keypair in your browser. Copy the public DNS record; the private key never leaves this page.

A DKIM record is a DNS TXT record, published at <selector>._domainkey.yourdomain.com, that holds the public half of a signing keypair. Your mail server signs each message with the matching private key, and receivers fetch this record to verify the signature. This DKIM generator creates the keypair for you: it produces an RSA or Ed25519 key directly in your browser, formats the public half as the v=DKIM1; ...; p=<key> record, and shows you the private key to install on your mail server. The record format is defined by RFC 6376, and Ed25519 keys by RFC 8463.

The key generation runs entirely in your browser through the WebCrypto API. The private key is created locally and is never transmitted, stored, or logged anywhere — we do not see it, and it never reaches our servers. That matters because anyone who holds your private key can forge signed mail as your domain. Generate the pair, copy the public record into DNS, install the private key on the sending server, and keep a backup of the private key somewhere safe. If you lose it, you cannot recover it; you simply generate a new pair under a new selector and republish.

Enter your domain and a selector. The selector is a short label that lets you run more than one key at a time (for rotation, or for separate sending services) — a date like s2026 or a service name works well. Pick a key type: RSA-2048 is the universal default that every receiver verifies, while Ed25519 is shorter and stronger but only newer receivers check it, so most senders publish RSA first and add Ed25519 alongside it. Click Generate; the keypair is built in your browser in a moment.

Publish the public key as a TXT record at the host shown (<selector>._domainkey.yourdomain.com). RSA records are long, so if your DNS provider rejects a value over 255 characters, split it into the quoted segments the tool shows and paste them as one record — most providers join them automatically. Then install the private key on your mail server or sending platform; where it goes depends on the provider, so follow their DKIM-key instructions. After both halves are in place, sign a test message and confirm it with the DKIM checker. Store the private key in your secrets manager or password vault before you close this page — it is shown once and cannot be recovered.

Common questions

What does a DKIM record look like?

A DKIM record is a TXT record at <selector>._domainkey.yourdomain.com whose value names the key type and carries the public key. An example record reads v=DKIM1; k=rsa; p=MIGfMA0GCSq... for RSA, or v=DKIM1; k=ed25519; p=11qYAYK... for Ed25519. The p= tag holds the base64 public key — SPKI form for RSA, the raw 32-byte key for Ed25519 per RFC 8463.
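As an added example (not this tool's own code), the JavaScript below builds the record value described above, splits it into 255-character quoted strings as in the publishing step, and re-checks the joined value before it goes into DNS. The function names and the zero-filled key bytes are constructed for illustration and are not real keys.

```javascript
// Illustrative helper names; key bytes below are constructed placeholders.
const b64 = (bytes) => btoa(String.fromCharCode(...bytes));

const buildRecord = (keyType, publicKeyB64) =>
  `v=DKIM1; k=${keyType}; p=${publicKeyB64}`;

// One TXT character-string holds at most 255 bytes, so a long value is
// published as several quoted strings inside a single record.
function splitTxt(value, max = 255) {
  const parts = [];
  for (let i = 0; i < value.length; i += max) parts.push(value.slice(i, i + max));
  return parts.map((p) => `"${p}"`).join(' ');
}

// Resolvers concatenate the quoted strings with nothing in between.
const joinTxt = (quoted) =>
  [...quoted.matchAll(/"([^"]*)"/g)].map((m) => m[1]).join('');

function checkRecord(value) {
  const tags = {};
  for (const part of value.split(';')) {
    const eq = part.indexOf('=');
    if (eq > 0) tags[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  const problems = [];
  if (tags.v !== 'DKIM1') problems.push('v= must be DKIM1');
  const k = tags.k || 'rsa'; // RFC 6376: k= defaults to rsa when absent
  if (k !== 'rsa' && k !== 'ed25519') problems.push(`unknown key type: ${k}`);
  let keyBytes = 0;
  try {
    const raw = atob((tags.p || '').replace(/\s+/g, ''));
    keyBytes = raw.length;
    if (keyBytes === 0) problems.push('p= is empty');
    else if (k === 'ed25519' && keyBytes !== 32)
      problems.push('Ed25519 p= must decode to exactly 32 bytes');
    else if (k === 'rsa' && raw.charCodeAt(0) !== 0x30)
      problems.push('RSA p= does not start with a DER SEQUENCE (not SPKI)');
  } catch {
    problems.push('p= is not valid base64');
  }
  return { ok: problems.length === 0, keyType: k, keyBytes, problems };
}

// Constructed sample: 294 bytes is the usual size of an RSA-2048 SPKI structure.
const sampleRsa = new Uint8Array(294);
sampleRsa[0] = 0x30;
const published = splitTxt(buildRecord('rsa', b64(sampleRsa)));
console.log(published);
console.log(checkRecord(joinTxt(published)));
```

The check catches the two mistakes that most often break a freshly published record: a key pasted under the wrong k= type, and a p= value damaged while splitting or copying.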

Where do I put the private key?

The private key goes on the system that sends your mail, never in DNS. Only the public key (the p= value) is published as the DKIM TXT record. Where the private key is installed depends on your setup — a mail server like Postfix reads it from a key file referenced by OpenDKIM, while a sending platform usually has a DKIM settings page to paste it into. Store a backup in a secrets manager or password vault; if you lose it you must generate a new key under a new selector.

RSA or Ed25519 — which should I use?

Use RSA-2048 if you need one key that every receiver verifies; it is the universal default. Ed25519 keys are far shorter and cryptographically stronger, but only receivers that implement RFC 8463 check them, and older systems ignore the signature. The common practice is to publish RSA under one selector and Ed25519 under another, so modern receivers use the stronger key while everyone else still verifies the RSA one.

Is it safe to generate the key here?

Yes. The keypair is generated entirely in your browser through the WebCrypto API. The private key is created on your device and is never sent to us, stored, or logged — it exists only on this page until you copy or download it. We never see it. For the same reason, it cannot be recovered if you lose it, so save it somewhere secure before you leave.
