MedhaCloud

DKIM Key Generator

Common selectors: default, mail, dkim, google, k1. You can use any value.

📖 What is DKIM?

DKIM (DomainKeys Identified Mail) adds a digital signature to your emails, proving they haven't been tampered with in transit.

  • The private key signs outgoing emails (installed on your mail server)
  • The public key verifies signatures (published in DNS)
  • Receiving servers check the signature against your DNS record

About DKIM Generator

Generate an RSA-2048 DKIM key pair in your browser. You get the public key formatted as a DNS TXT record (ready to publish at selector._domainkey.yourdomain.com) plus the private key for your mail server. The key generation runs entirely client-side — your private key never leaves your browser. Includes a selector picker so you can rotate keys safely later without disrupting existing signing.

How the DKIM generator works

Generate, publish, sign

01. Generate a key pair

The key pair is generated in your browser as RSA-2048 via the Web Crypto API. The private key is never transmitted to a server, and the public key is formatted as the p= tag.

02. Publish public key in DNS

Add a TXT record at selector._domainkey.yourdomain.com with the value v=DKIM1; k=rsa; p=... Most DNS providers handle long records automatically.

03. Install private key on mail server

Add the private key to your mail server configuration (Postfix, Exim, Mailgun, SendGrid, etc.). The mail server then signs outgoing messages with the key.

Common gotchas this generator avoids

DKIM mistakes that break signing

Using RSA-1024 instead of RSA-2048

Many receivers no longer accept signatures from 1024-bit keys. The generator defaults to 2048-bit, which is the current standard.

TXT record split incorrectly

Long DKIM TXT records often exceed 255 chars and must be split into multiple strings. Some DNS providers concatenate the strings incorrectly. Verify with our DKIM Checker after publishing.

Publishing public key with extra whitespace

The p= tag contains base64 with no whitespace. Adding line breaks or spaces breaks the public key. The generator outputs a clean, single-line format.

Wrong selector path

Publish at "selector._domainkey.yourdomain.com", NOT "selector.yourdomain.com" or "_domainkey.yourdomain.com". The generator labels the DNS path correctly.

Reusing a selector across rotations

When rotating keys, use a NEW selector. Don't overwrite the old one immediately — in-flight messages signed with the old key still need to verify.

Storing the private key insecurely

Private keys must be readable only by your mail server user (chmod 600). A world-readable private key means anyone can sign as your domain.
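
A pre-publication check for several of the mistakes listed above (selector path, 255-character strings, whitespace in p=, key size). This is an added example, not code from the generator or the DKIM Checker; the function names, the selector s2025, example.com and the filler key are assumptions constructed for illustration.

```javascript
// DER TLV reader: returns the tag and the byte range of the value at `off`.
function tlv(buf, off) {
  let len = buf[off + 1], start = off + 2;
  if (len & 0x80) {                        // long form: low 7 bits = count of length bytes
    const n = len & 0x7f; len = 0;
    for (let i = 0; i < n; i++) len = len * 256 + buf[start++];
  }
  return { tag: buf[off], start, end: start + len };
}
// Modulus size in bits of a base64 SubjectPublicKeyInfo (the p= value).
function rsaModulusBits(b64) {
  const der = Uint8Array.from(atob(b64), c => c.charCodeAt(0));
  const spki = tlv(der, 0), alg = tlv(der, spki.start);
  const bitStr = tlv(der, alg.end);        // BIT STRING wrapping RSAPublicKey
  const rsa = tlv(der, bitStr.start + 1);  // +1 skips the unused-bits byte
  const n = tlv(der, rsa.start);           // INTEGER modulus
  if (spki.tag !== 0x30 || bitStr.tag !== 0x03 || n.tag !== 0x02) throw new Error("not an RSA SPKI");
  let s = n.start; while (der[s] === 0) s++;   // drop the sign-padding zero byte
  return (n.end - s) * 8 - (Math.clz32(der[s]) - 24);
}
// Split a TXT value into DNS character-strings of at most 255 chars.
const splitTxt = v => v.match(/.{1,255}/g);
// name: DNS owner name; strings: the record's character-strings as published.
function lintDkim(name, strings) {
  const problems = [], tags = {};
  if (!/^.+\._domainkey\..+$/i.test(name)) problems.push("name is not selector._domainkey.domain");
  if (strings.some(s => s.length > 255)) problems.push("TXT string longer than 255 chars");
  for (const t of strings.join("").split(";")) {   // resolvers join strings with no separator
    const i = t.indexOf("=");
    if (i > 0) tags[t.slice(0, i).trim()] = t.slice(i + 1).trim();
  }
  if (tags.v !== "DKIM1") problems.push("missing v=DKIM1");
  const p = tags.p || "";
  if (/\s/.test(p)) problems.push("whitespace inside p=");
  try {
    const bits = rsaModulusBits(p.replace(/\s/g, ""));
    if (bits < 2048) problems.push(`RSA-${bits} key, expected 2048`);
  } catch (e) { problems.push("p= is not a parsable RSA public key"); }
  return problems;
}
// Constructed sample: a DER-shaped SPKI with a filler modulus (not a usable key).
const enc = (tag, b) => [tag, ...(b.length < 128 ? [b.length] : b.length < 256
  ? [0x81, b.length] : [0x82, b.length >> 8, b.length & 255]), ...b];
function sampleSpkiB64(bits) {
  const rsa = enc(0x30, [...enc(0x02, [0, ...Array(bits / 8).fill(0xab)]), ...enc(0x02, [1, 0, 1])]);
  const alg = enc(0x30, [...enc(0x06, [0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 1, 1, 1]), ...enc(0x05, [])]);
  return btoa(String.fromCharCode(...enc(0x30, [...alg, ...enc(0x03, [0, ...rsa])])));
}
const sampleRecord = splitTxt("v=DKIM1; k=rsa; p=" + sampleSpkiB64(2048));
console.log(lintDkim("s2025._domainkey.example.com", sampleRecord)); // → []
```

Pass `lintDkim` the owner name and the character-strings exactly as your DNS provider shows them; an empty array means none of the checked mistakes were found.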

FAQ

DKIM generator — common questions

What is a DKIM key pair?
DKIM uses asymmetric cryptography — a private key that lives on your mail server and signs every outgoing message, plus a public key published as a DNS TXT record. Receivers fetch the public key from DNS and verify the signature on each message. If signature verification fails, the message has been altered or wasn't sent by your domain.
Should I use RSA-1024 or RSA-2048?
RSA-2048 is the current recommendation and what this generator produces. RSA-1024 is still considered secure but is being deprecated by major receivers. Some mail providers won't accept signatures from 1024-bit keys anymore. Always start with 2048.
What is a DKIM selector?
A DKIM selector is a label that distinguishes between multiple keys on the same domain. Each vendor uses its own: Google uses "google", Microsoft 365 uses "selector1" / "selector2", Mailchimp uses "k1". You publish at selector._domainkey.yourdomain.com. Pick a selector that's unique to this key pair so you can rotate without disrupting other signing services.
How do I install the private key on my mail server?
Microsoft 365: Go to security.microsoft.com → Email & collaboration → Policies → DKIM, find your domain, click "Enable" — M365 generates and manages keys for you (don't use this tool for M365). Postfix: drop the key in /etc/opendkim/keys/ and reference it in opendkim.conf. Mailgun/SendGrid/Mailchimp: each vendor accepts the private key in their admin UI.
How often should I rotate DKIM keys?
Annually is a reasonable cadence for security-conscious domains. To rotate without downtime: (1) generate a new key pair with a new selector, (2) publish the new public key in DNS, (3) configure your mail server to sign with the new key, (4) wait 7-14 days for in-flight messages signed with the old key to be verified, (5) remove the old DNS record. Some vendors (M365, Google) automate this.
