Free DKIM Generator

DKIM Record Generator

Generate a DKIM key pair and DNS record in your browser. The private key never leaves your device.

Key Settings

Published at default._domainkey

2048-bit is the modern standard.

Generate a DKIM key the safe way

DKIM signs every message you send with a private key, and receivers check that signature against a public key in your DNS. Together with SPF and a DMARC policy, it is what lets Gmail, Yahoo and Microsoft trust that mail from your domain is genuinely yours.

This generator runs the RSA key generation locally in your browser through the Web Crypto API. The private key is shown only to you and is never uploaded — unlike many online generators that create the key server-side. Choose a selector, pick 2048-bit, generate, then publish the public half in DNS and install the private half on your sending platform.

Already configured DKIM and want to confirm it works? Run a full scan on the IntoDNS.ai homepage to check DKIM alongside SPF, DMARC, DNSSEC, MTA-STS and blacklist status, or read the DKIM setup guide.

Frequently Asked Questions

What is DKIM?
DKIM (DomainKeys Identified Mail) is an email authentication method that adds a cryptographic signature to outgoing messages. Receiving servers verify the signature against a public key published in your DNS, proving the message was authorised by your domain and was not altered in transit.
What is a DKIM selector?
A selector is a short label that lets you publish multiple DKIM keys on one domain. The public key is published at <selector>._domainkey.example.com. Common selectors are "default", "s1", "google", or a dated value like "2026a". Your mail server signs messages with the matching private key and names the selector in the signature, so receivers know which public key to look up.
Which key size should I use, 1024 or 2048?
Use 2048-bit. It is the modern standard and recommended by Google, Yahoo and Microsoft. 1024-bit still works but is considered weak. A 2048-bit public key may exceed the 255-character limit of a single DNS string, so it is split into multiple quoted strings inside one TXT record — most DNS providers handle this automatically.
Is my private key safe?
Yes. The key pair is generated entirely in your browser using the Web Crypto API. The private key is never transmitted to IntoDNS.ai or any server. Copy it, install it on your mail server, and store it securely — it cannot be recovered if lost.
How do I install the DKIM key?
Publish the generated TXT record at <selector>._domainkey in your DNS, then configure your mail server or ESP with the matching private key and selector name. After DNS propagates, send a test message and confirm DKIM passes — you can verify it with the IntoDNS.ai DKIM checker.

SPF Generator

Define which servers can send email for your domain.

DMARC Generator

Set a policy and reporting for failed authentication.

BIMI Generator

Display your brand logo in email clients.