How this DKIM key generator works
DKIM (DomainKeys Identified Mail) signs your outbound email with a private key held by your mail server, and publishes the matching public key in DNS so receivers can verify the signature. To set it up you need two halves of a key pair: the private key goes into your sending platform, and a TXT record at <selector>._domainkey.<domain> carries the public key. This tool generates both. Once published, verify it with the DKIM checker.
Your private key never leaves your browser. The key pair is generated locally with the Web Crypto API, and nothing is sent to our servers. You can confirm this in your browser's Network tab.
Which key type? RSA 2048 is the safe default, and every receiver supports it. RSA 1024 is only for legacy systems that reject larger keys (it is below the modern 2048-bit recommendation). Ed25519 (RFC 8463) is smaller and newer, but not every receiver can verify it yet, so publish it alongside an RSA key rather than on its own.
Selectors and rotation: the selector is just a label (e.g. s1, mail, 2026a) that lets you publish more than one key and rotate them. RSA-2048 public keys exceed the 255-character limit of a single DNS string, so if your DNS host does not auto-split, use our Route 53 / TXT splitter on the generated value (the split version is provided below for convenience).
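The generation, export and record-building steps described above, as an added example that is not the tool's own source: it uses only the Web Crypto API (`crypto.subtle.generateKey` / `exportKey`), publishes the SubjectPublicKeyInfo DER for RSA (RFC 6376) and the raw 32-byte key for Ed25519 (RFC 8463), and splits the value into 255-character strings for Route 53 / BIND zones. The `node:crypto` fallback exists only so the same file runs under Node; in a browser it is never reached. Function names and the example selector/domain are this example's own choices.

```javascript
// Added example (not the generator's own code): build a DKIM key pair and
// DNS record entirely client-side with the Web Crypto API.
// Assumes a browser, or Node >= 16, with SubtleCrypto and btoa() available.

const SPKI_ED25519_PREFIX_LEN = 12; // DER header that precedes the 32 raw key bytes

async function getSubtle() {
  if (globalThis.crypto && globalThis.crypto.subtle) return globalThis.crypto.subtle;
  const { webcrypto } = await import('node:crypto'); // Node fallback only; browsers never get here
  return webcrypto.subtle;
}

function toBase64(bytes) {
  let bin = '';
  for (const b of new Uint8Array(bytes)) bin += String.fromCharCode(b);
  return btoa(bin);
}

function toPem(label, der) {
  const body = toBase64(der).match(/.{1,64}/g).join('\n');
  return `-----BEGIN ${label}-----\n${body}\n-----END ${label}-----\n`;
}

// DKIM TXT value: v=DKIM1; k=<rsa|ed25519>; p=<base64 public key>
function buildDkimTxt(keyType, publicKeyB64) {
  return `v=DKIM1; k=${keyType}; p=${publicKeyB64}`;
}

// RFC 1035 caps a single character-string at 255 bytes. The value is pure ASCII,
// so splitting by characters is the same as splitting by bytes. Returns the chunks;
// a zone file writes them as "chunk1" "chunk2" and resolvers concatenate them.
function splitTxt(value, max = 255) {
  const chunks = [];
  for (let i = 0; i < value.length; i += max) chunks.push(value.substring(i, i + max));
  return chunks;
}

function toZoneValue(chunks) {
  return chunks.map((c) => `"${c}"`).join(' ');
}

// keyType: 'rsa' (bits 2048 recommended, 1024 legacy only) or 'ed25519'.
// Ed25519 in SubtleCrypto needs a recent browser or Node >= 18.4.
async function generateDkimKeys(keyType, selector, domain, bits = 2048) {
  const subtle = await getSubtle();
  const algorithm = keyType === 'ed25519'
    ? { name: 'Ed25519' }
    : { name: 'RSASSA-PKCS1-v1_5', modulusLength: bits,
        publicExponent: new Uint8Array([1, 0, 1]), hash: 'SHA-256' }; // rsa-sha256 signing
  const { publicKey, privateKey } = await subtle.generateKey(algorithm, true, ['sign', 'verify']);

  const spki = new Uint8Array(await subtle.exportKey('spki', publicKey));
  // RSA publishes the whole SPKI DER; Ed25519 publishes only the 32 raw key bytes.
  const publicBytes = keyType === 'ed25519' ? spki.subarray(SPKI_ED25519_PREFIX_LEN) : spki;
  const pkcs8 = await subtle.exportKey('pkcs8', privateKey); // stays on this device

  const txtValue = buildDkimTxt(keyType, toBase64(publicBytes));
  const txtStrings = splitTxt(txtValue);
  return {
    name: `${selector}._domainkey.${domain}`,
    txtValue,
    txtStrings,
    zoneValue: toZoneValue(txtStrings),
    privateKeyPem: toPem('PRIVATE KEY', pkcs8),
  };
}

// Usage: generateDkimKeys('rsa', 's1', 'example.com').then((r) => console.log(r.zoneValue));
```

For an RSA-2048 key the TXT value is 410 characters (18 for the tags plus 392 of base64), so it always needs two strings; an Ed25519 record is 66 characters and fits in one. The private key is exported as PKCS#8 PEM, which is the format most signing platforms accept.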
DKIM Key Generator & Record Builder
Generate a DKIM key pair in your browser and get a copy-ready DNS TXT record. The private key is created locally and never sent to our servers.
Selector (e.g. s1, mail, 2026a). Lets you rotate keys.
DNS TXT record (public key)
Split into 255-character strings (for AWS Route 53 and BIND-style zones)
Private key
⚠ Keep this secret. Paste it into your sending platform (the DKIM signing config) and never share or publish it. It was generated in your browser and is not stored anywhere.
Next steps
- Add the TXT record above to your DNS zone.
- Install the private key in your mail server / sending platform and enable signing with this selector.
- Send a test message, then confirm the signature with the DKIM checker.
- Make sure your DMARC alignment passes once DKIM is live.
Frequently Asked Questions
Common questions about generating DKIM keys.
Is my private key sent to your server?
No. The key pair is generated entirely in your browser using the Web Crypto API (crypto.subtle.generateKey). The private key never leaves your device and is never transmitted or stored. You can verify this by opening your browser's developer tools and watching the Network tab while you click Generate. There are no requests.
RSA or Ed25519: which should I choose?
Use RSA 2048 unless you have a specific reason not to, since every receiver supports it. RSA 1024 only exists for old systems that reject 2048-bit keys; it is weaker and not recommended for new setups. Ed25519 is smaller and newer (RFC 8463), but some receivers still cannot verify it, so publish it next to an RSA key rather than alone.
What is a selector, and how do I rotate keys?
A selector is a label in the DNS name <selector>._domainkey.<domain>. Because the selector is part of the name, you can publish several keys at once. To rotate, generate a new key with a new selector (e.g. 2026b), publish it, switch your mail server to sign with the new selector, then remove the old record once no in-flight mail relies on it.
My DNS host rejects the record as too long.
A single DNS character-string is capped at 255 characters (RFC 1035), and RSA-2048 public keys exceed that. Many hosts (Cloudflare, Google Cloud DNS, Azure) split automatically. For AWS Route 53 and BIND-style zones, use the "Split into 255-character strings" option above, or paste the value into our Route 53 / TXT splitter.
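Before switching signing to a new selector, it is worth checking what DNS actually serves for it. The following added example (not the DKIM checker's own code) takes the list of character-strings a resolver returns for `<selector>._domainkey.<domain>`, joins them the way verifiers do (concatenated with no separator, so a host that inserted a space between the split strings corrupts the base64), parses the tags, and flags the usual mistakes: an empty or undecodable `p=`, an Ed25519 key that is not 32 raw bytes, and an RSA key below the 2048-bit recommendation. The sample records are constructed; the function names are this example's own.

```javascript
// Added example (not the page's own code): sanity-check a published DKIM TXT record.
// Assumes atob() is available (browsers, Node >= 16). Inputs are the strings a resolver
// returns for <selector>._domainkey.<domain>; samples below are constructed, not real keys.

const RSA_2048_SPKI_BYTES = 294; // DER length of a 2048-bit RSA SubjectPublicKeyInfo
const ED25519_RAW_BYTES = 32;    // RFC 8463: p= holds the raw key, not an SPKI

// Resolvers concatenate a multi-string TXT record with no separator (RFC 6376 §3.6.2.2).
function parseDkimTxt(strings) {
  const value = strings.join('');
  const tags = {};
  for (const part of value.split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    const name = part.slice(0, eq).trim();
    const val = part.slice(eq + 1).replace(/\s+/g, ''); // folding whitespace inside values is ignored
    if (name) tags[name] = val;
  }
  return { value, tags };
}

function base64ByteLength(b64) {
  try {
    return atob(b64).length;
  } catch {
    return -1; // not decodable base64
  }
}

// Returns { tags, problems }; an empty problems list means the record looks usable.
function checkDkimRecord(strings) {
  const problems = [];
  const { value, tags } = parseDkimTxt(strings);

  if (tags.v !== undefined) {
    if (tags.v !== 'DKIM1') problems.push(`unexpected version v=${tags.v}`);
    if (!value.trimStart().startsWith('v=')) problems.push('v= tag present but not first');
  }

  const keyType = tags.k || 'rsa'; // k= defaults to rsa when absent
  if (keyType !== 'rsa' && keyType !== 'ed25519') problems.push(`unknown key type k=${keyType}`);

  if (!tags.p) {
    problems.push('p= tag missing or empty (an empty p= means the key is revoked)');
    return { tags, problems };
  }
  const bytes = base64ByteLength(tags.p);
  if (bytes < 0) {
    problems.push('p= is not valid base64 (check that split strings were joined without spaces)');
  } else if (keyType === 'ed25519' && bytes !== ED25519_RAW_BYTES) {
    problems.push(`ed25519 p= must be ${ED25519_RAW_BYTES} raw bytes, got ${bytes}`);
  } else if (keyType === 'rsa' && bytes < RSA_2048_SPKI_BYTES) {
    problems.push(`rsa key DER is ${bytes} bytes, shorter than RSA-2048 (${RSA_2048_SPKI_BYTES}); below the 2048-bit recommendation`);
  }
  return { tags, problems };
}

// Constructed samples (fake key material, deliberately not real keys)
const SAMPLE_RSA_VALUE = 'v=DKIM1; k=rsa; p=' + 'A'.repeat(392);
const SAMPLE_RSA_STRINGS = [SAMPLE_RSA_VALUE.slice(0, 255), SAMPLE_RSA_VALUE.slice(255)];
const SAMPLE_ED25519_STRINGS = ['v=DKIM1; k=ed25519; p=' + 'B'.repeat(43) + '='];
const SAMPLE_REVOKED_STRINGS = ['v=DKIM1; k=rsa; p='];
```

Running `checkDkimRecord(SAMPLE_RSA_STRINGS)` returns no problems, while the same strings joined with a space (as some DNS hosts do when they "auto-split" incorrectly) are reported as invalid base64, which is exactly the symptom that shows up as DKIM failures after a rotation.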
Need help with your email authentication setup?
This tool is provided by OSH.co.za, specialists in email deliverability. For a full scan of your domain (SPF, DKIM, DMARC, MX, blacklists, and more), visit the domain checker.