DKIM Record Generator

Format your DKIM public key into a ready-to-publish DNS TXT record

DKIM (DomainKeys Identified Mail) requires a cryptographic key pair: a private key that your mail server uses to sign outgoing messages, and a public key published in DNS so receiving servers can verify those signatures. The InboxTooling DKIM Record Generator creates both components and formats the DNS record for immediate publication.

How the DKIM Generator Works

The generator handles the cryptographic and formatting steps that are easy to get wrong when done manually.

Step 1: Configure Your Parameters

  • Domain: Enter the domain you send email from (e.g., example.com).
  • Selector: Choose a selector name. This is an arbitrary string that identifies the key pair. Common conventions include date-based selectors (202603), service-based selectors (mailchimp), or sequential names (dkim1). The selector determines the DNS lookup path: selector._domainkey.example.com.
  • Key type: Select RSA (2048-bit recommended) or Ed25519. RSA 2048-bit is the most widely supported option. Ed25519 offers smaller keys and faster verification but has limited support among older mail servers.
  • Key length (RSA only): Choose 1024-bit or 2048-bit. Always use 2048-bit for new deployments. RFC 8301 deprecates keys shorter than 1024 bits, and major providers are increasingly strict about key length.

Step 2: Generate the Key Pair

The tool produces:

  • Private key: A PEM-formatted key to install on your mail server or configure with your ESP. Keep this key confidential.
  • Public key DNS record: A formatted TXT record value containing the v=DKIM1, k=, and p= tags, ready to publish at selector._domainkey.yourdomain.com in your DNS settings.

Step 3: Publish and Verify

Add the TXT record to your DNS zone. After propagation, use the DKIM Check tool to confirm the record resolves correctly and the public key is valid.

DNS Record Format

A standard DKIM TXT record looks like this:

v=DKIM1; k=rsa; p=MIIBIjANBgkqhki...

Key tags defined in RFC 6376:

  • v=DKIM1: Version identifier (required).
  • k=rsa or k=ed25519: Key type. Defaults to rsa if omitted.
  • p=: Base64-encoded public key (required). An empty p= tag revokes the key.
  • t=y: Testing mode. Receiving servers should treat DKIM failures as non-fatal. Remove this tag once your setup is confirmed.
  • t=s: Strict mode. The signing domain must exactly match the From: header domain with no subdomain variation.

Best Practices

Rotate Keys Periodically

DKIM keys should be rotated at least annually. Use a new selector for each rotation so you can publish the new key before decommissioning the old one. This ensures uninterrupted signature verification during the transition window.

Use 2048-Bit RSA Minimum

While 1024-bit keys still function, they are within reach of well-resourced attackers. Google Workspace and Microsoft 365 both default to 2048-bit keys for new configurations.

Splitting Long TXT Records

Each character-string inside a DNS TXT record is limited to 255 octets. The base64-encoded 2048-bit RSA public key alone exceeds this, so the record value must be split into multiple quoted strings within a single TXT record; resolvers and verifiers concatenate the strings back into one value. The generator handles this formatting automatically. If you publish the record manually, make sure your DNS provider stores the strings in order and concatenates them correctly rather than truncating the value at 255 characters.
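The record format described under "DNS Record Format" and the string splitting described above, as an added example that is not the InboxTooling generator's own code: it builds the `v=`/`k=`/`p=` record from DER-encoded public-key bytes, splits it into 255-octet quoted strings for a zone file, and parses it back the way a verifier does. `SAMPLE_DER` is a constructed placeholder of the right length, not a real key; the parser enforces `v=DKIM1` as this page's tag list requires.

```python
import base64
import shlex

TXT_STRING_LIMIT = 255  # octet limit for one character-string in TXT RDATA

# Constructed stand-in for a DER-encoded SubjectPublicKeyInfo (a real 2048-bit
# RSA SPKI is 294 bytes). It is NOT a real key; use the key your tool generated.
SAMPLE_DER = b"\x30\x82\x01\x22" + bytes(range(256)) + bytes(34)


def build_dkim_record(public_key_der, key_type="rsa", testing=False):
    """Return the tag=value text of a DKIM key record: v=, k=, optional t=y, p=."""
    tags = ["v=DKIM1", f"k={key_type}"]
    if testing:
        tags.append("t=y")  # drop this once verification is confirmed
    tags.append("p=" + base64.b64encode(public_key_der).decode("ascii"))
    return "; ".join(tags)


def split_txt(value, limit=TXT_STRING_LIMIT):
    """Zone-file form: the value split into quoted strings of at most `limit` octets."""
    chunks = [value[i:i + limit] for i in range(0, len(value), limit)]
    return " ".join(f'"{c}"' for c in chunks)


def txt_strings(zone_value):
    """Inverse of split_txt: recover the list of quoted strings from zone-file text."""
    return shlex.split(zone_value)


def parse_dkim_record(strings):
    """Verifier side: concatenate the TXT strings, parse the tags and sanity-check them."""
    tags = {}
    for field in "".join(strings).split(";"):
        if field.strip():
            name, _, val = field.partition("=")
            tags[name.strip()] = val.strip()
    if tags.get("v") != "DKIM1":
        raise ValueError("missing or unsupported v= tag")
    if "p" not in tags:
        raise ValueError("p= tag missing")
    tags.setdefault("k", "rsa")                      # RFC 6376 default when k= is absent
    tags["flags"] = set(tags.get("t", "").split(":")) - {""}   # t=y:s carries several flags
    tags["revoked"] = tags["p"] == ""                # an empty p= revokes the key
    # folding whitespace is permitted inside p=, so strip it before decoding
    key_b64 = "".join(tags["p"].split())
    tags["key_der"] = b"" if tags["revoked"] else base64.b64decode(key_b64, validate=True)
    return tags
```

`parse_dkim_record` raises on a record that is missing `p=` or whose key data is not valid base64, which is the class of formatting error that shows up as a verification failure after publishing.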

Coordinate with DMARC

DKIM works alongside SPF under the DMARC framework. After generating and publishing your DKIM record, run a Full Report to verify that DKIM alignment passes and your DMARC policy evaluates correctly across both authentication mechanisms.

After Publishing

Verify the record using our DKIM Check tool. Send a test message and inspect the Authentication-Results header to confirm dkim=pass. If you see dkim=temperror or dkim=permerror, the DNS record may not have propagated or may contain formatting errors.

FAQ

How do I generate a DKIM record for my domain?

Use the DKIM Generator to create a key pair and DNS record. Enter your domain name, choose a selector, select your preferred key type and length, and the tool generates both a private key for your mail server and a public key formatted as a DNS TXT record. Publish the TXT record at selector._domainkey.yourdomain.com in your DNS zone.

What is a DKIM selector and how do I choose one?

A DKIM selector is a string that identifies which public key to use when verifying a signature. It forms part of the DNS lookup path: selector._domainkey.yourdomain.com. You can use any naming convention, such as date-based (202603), service-based (google, mailchimp), or sequential (dkim1, dkim2). Using descriptive selectors makes key management and rotation easier, especially when multiple services sign mail for your domain.

Should I use 1024-bit or 2048-bit keys for DKIM?

Always use 2048-bit RSA keys for new deployments. While 1024-bit keys are still technically functional, they are increasingly considered weak and are within reach of well-resourced attackers. RFC 8301 deprecates keys shorter than 1024 bits, and major providers like Google and Microsoft default to 2048-bit keys. The DKIM Generator defaults to 2048-bit and automatically handles the DNS record splitting that longer keys require.

How do I add a DKIM record to my DNS?

After generating your key pair with the DKIM Generator, log into your DNS provider's control panel and create a new TXT record. Set the hostname to selector._domainkey (replacing selector with your chosen selector name) and paste the generated public key value as the record data. Save the record and allow a few minutes for propagation, then verify with the DKIM Check tool.

Can I have multiple DKIM records for the same domain?

Yes. Unlike SPF, you can publish multiple DKIM records for the same domain because each record uses a different selector. This is common when multiple services send mail on your behalf, as each service typically uses its own selector and key pair. For example, Google Workspace might use the selector google while a marketing platform uses mailchimp, each with its own TXT record at its respective selector._domainkey path.
