DKIM Record Generator
DKIM requires a public/private key pair from your mail provider. This tool generates the exact DNS record name and format to publish in your DNS.
Generate Your DKIM DNS Record Format
Common selector values: mail, google, s1, default. Use the selector your mail provider specifies.
What Is DKIM and How Does It Work?
DKIM (DomainKeys Identified Mail) is an email authentication method that allows the sender to cryptographically sign each outgoing message. The receiving mail server verifies this signature using a public key published in the sender's DNS. A valid DKIM signature proves two things: the message actually came from the stated domain, and the message was not altered in transit.
Unlike SPF, which checks the sending IP against an allowed list, DKIM works by attaching a digital signature to the message itself. This means DKIM verification survives mail forwarding, where SPF often fails because the forwarding server's IP is not in the original SPF record.
Understanding the DKIM DNS Record Format
A DKIM record is a DNS TXT record published at a specific subdomain: selector._domainkey.yourdomain.com. The selector is a label you choose — common values are mail, google, s1, or default. The record value starts with v=DKIM1; k=rsa; p= followed by your base64-encoded public key.
The private key is kept secret on your mail server or managed by your email service provider. The public key is what you publish in DNS. Receiving servers use the public key to verify signatures created by the private key — the classic public-key cryptography pattern.
Where to Find Your DKIM Public Key
Your DKIM public key is generated by your mail provider when you enable DKIM signing. Here is where to find it for the most common providers:
- Google Workspace: Admin console → Apps → Google Workspace → Gmail → Authenticate email. Generate a new key and copy the TXT record value.
- Microsoft 365: Exchange admin center → Protection → DKIM. Enable DKIM for your domain and copy the CNAME records (Microsoft uses CNAMEs, not direct TXT records).
- Mailchimp: Account → Domains → Verify a domain. Mailchimp provides the DKIM TXT record value to add to your DNS.
- SendGrid: Settings → Sender Authentication → Domain Authentication. SendGrid generates the full DKIM TXT record for you.
- Self-hosted (Postfix, Exim): Use opendkim-genkey to generate a key pair. The public key file contains the TXT record value.
DKIM Best Practices
Use a 2048-bit key length when possible — 1024-bit keys are considered weak and may be flagged by some mail systems. Rotate your DKIM keys periodically (at least annually) to limit exposure if a key is ever compromised. Keep the old key in DNS for a few days after rotating to allow in-flight messages to be verified.
DKIM alone does not protect the visible From header. To complete your email authentication setup, add a DMARC policy that aligns DKIM results with the From domain. A clean email list also matters — even authenticated mail lands in spam if it bounces repeatedly. Use email verification to remove invalid addresses, or verify large lists with bulk email verification.
Frequently Asked Questions
1. Do I need to generate a DKIM key pair myself?
No. Major mail providers including Google Workspace, Microsoft 365, SendGrid, Amazon SES, and Mailchimp generate the private and public key pair for you internally. You never handle the private key. Your only task is to copy the public key they provide and publish it in DNS using the record name this tool generates.
2. What is a DKIM selector?
A selector is a short label that prefixes the DNS record name, allowing multiple DKIM keys on the same domain. Google Workspace uses 'google', some providers use 'selector1' and 'selector2', others let you name it yourself. The selector is shown in the DKIM-Signature header of outgoing mail as s=selector.
3. Why does DKIM survive email forwarding when SPF does not?
SPF checks the IP of the server that last delivered the message. Forwarding changes that IP to the forwarder's server, which is not in your SPF record — causing SPF to fail. DKIM's cryptographic signature lives inside the message headers and survives transit unchanged, so DKIM passes even after forwarding.
4. Can I have multiple DKIM keys for one domain?
Yes. Each DKIM key uses a different selector, so you can publish as many keys as you need — one per mail provider or service. Each provider signs mail with its own key. DMARC only requires at least one aligned DKIM pass, so using multiple selectors is both normal and encouraged.
5. How long should a DKIM key be?
RSA-2048 is today's standard. Keys of 1024 bits are considered weak and should be rotated to 2048-bit. Ed25519 keys are also supported in modern implementations and provide equivalent security in fewer bytes.
6. How often should DKIM keys be rotated?
Best practice is to rotate keys every 6 to 12 months. The process involves generating a new key at your provider, publishing the new public key under a new selector, waiting for DNS to propagate, then deleting the old key record. Keeping both keys active during the transition prevents any messages in flight from failing.