
DKIM Record Generator


Create a valid DKIM record to add to your DNS configuration and complete the second step of email authentication.

What is DKIM and How Does it Work?

DomainKeys Identified Mail or DKIM is an email authentication method that uses a pair of public-private DKIM keys to cryptographically ‘sign’ all outgoing emails. It protects email senders from phishing, spam, and spoofing by allowing recipient servers to verify the authenticity of the senders’ emails. Read more about DKIM specifications here.

DKIM uses a pair of cryptographic keys, one private and one public, to verify messages. A private DKIM key adds an encrypted signature header to all outgoing messages sent from your email domain. A matching public DKIM key is added to your email domain's Domain Name System (DNS) via a DKIM record. You must add a DKIM record to your DNS to set this up.

Email recipient servers then retrieve the public key from your DKIM record to decrypt the message signature, validate the message’s origin, and verify that it wasn’t changed in transit. Generally, DKIM detects forged header fields and content in emails. Learn more about how a DKIM record works here.


What is a DKIM Record and Why is it Important?

A DKIM record is a crucial element of email authentication, helping to verify the legitimacy of messages sent from a domain. It is stored as a TXT record in the domain’s DNS and contains a public key used to validate DKIM signatures. Each DKIM record is associated with a unique selector, which directs receiving mail servers to the correct key for verification. To create a DKIM record, senders often use a DKIM key generator, which produces a unique pair of cryptographic keys.

The importance of a DKIM record goes beyond authentication – it enhances email security, domain reputation, and deliverability. By implementing DKIM, organizations can prevent cybercriminals from forging their email headers or modifying messages in transit. Without DKIM authentication, emails may be rejected or marked as spam. Using a DKIM key generator ensures a secure and properly formatted DKIM key, strengthening a domain’s protection against phishing and spoofing while improving email deliverability.


Ensure You’re Using a Valid DKIM Record

  • The validity of your DKIM record is important for making sure your email goes through authentication. DMARC is built on both SPF and DKIM, and if one of them is missing, the other will fail. If your DMARC fails, or is not compliant, all protection through DMARC, DKIM, and SPF will also fail. That’s why it’s so important to make sure you use a quality DKIM creator and add DKIM records to your DNS.
  • DKIM is fundamental in protecting your email recipients and senders from malicious communication, forged messages, phishing, and spoofing attempts. It adds a digital signature to each email that can only be decrypted with a specific private key. Don’t ignore this vital domain protection.

How Do I Use EasyDMARC’s DKIM Record Generator?

  • It’s easy! Our DKIM generator platform allows you to create a DKIM record and DKIM keys in just a few clicks. In the fields provided, specify your domain name, DKIM “selector” name, and the key length:
    • Name the selector something you can easily identify in the future.
    • Enter your domain name; this should match the visible “From” address domain.
    • Specify the key length. We support 1024, 2048, and 4096-bit length keys.
    • Once the DKIM record is generated, store the private key in your mail server configuration (as a .pem file) and publish the public key in your DNS zone.

What is a DKIM Record Check

| Tag | Tag description |
|---|---|
| v | The version tag indicates the version of DKIM, and should always be set to 1. |
| p (required) | The public key tag is a string of characters generated during DKIM setup. Leaving the value empty deems it invalid. |
| t | This tag lists the flags in a colon-separated sequence. There are two defined flags: y and s. Undefined flags must be ignored. |
| s | This tag lists record-applicable service types. If the appropriate service type is missing, the receiving servers must ignore the tag. The same goes for unrecognized service types. |
| h | This tag defines the acceptable hash algorithms. In its default state, it allows all. Unrecognized algorithms must be ignored. The sender is responsible for determining each entry in the list. |
| k | This is the key type tag with a default value of "rsa". It's crucial that both sending and receiving servers support this value. |
| n | This tag acts as an optional note field for administrators. We recommend that you use this field only if necessary. |

How to create a DKIM Record?

You can generate a DKIM record for your email sending domain(s) quickly and easily with EasyDMARC’s DKIM Record Generator tool.

To create a DKIM record, follow these steps:

  • Enter your domain name, and EasyDMARC’s DKIM Record Generator tool will generate a private/public key pair.
  • The private key is used to sign outgoing emails, while the public key is what you’ll add to your DNS as a TXT record.
  • The tool will also provide the selector name.

Be sure to create DKIM records for all the sending domains authorized to send mail on your organization’s behalf. If you’re using a third-party email service provider (ESP) like MailChimp, Google, Microsoft365, etc., you must go to your ESP portal to obtain your DKIM key. ESPs store their private DKIM key on their servers and provide a public DKIM key to be stored in users’ DNS zones.

You can manually add your DKIM record by doing the following:

  • Use EasyDMARC’s DKIM key generator to create a private/public key pair.
  • Publish the DKIM Public key in the DNS by adding the TXT record with these details:
    • Name/Host: <selector>._domainkey.<yourdomain.com>
    • Replace <selector> with the value provided by your email provider (e.g., default) and <yourdomain.com> with your domain name.
    • Value: v=DKIM1; k=rsa; p=<PublicKey>
    • Replace <PublicKey> with the content of your public key.
    • TTL: Set to the default value.
  • Configure the email server by adding the private key to your mail server's configuration. Specify the selector and enable DKIM signing for outgoing messages.
  • Test your DKIM configuration with EasyDMARC’s DKIM Lookup tool.
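
The tag table and the manual record format above (v=DKIM1; k=rsa; p=<PublicKey>) can be checked mechanically before a record is published. The Python below is an added example, not EasyDMARC's code: it parses a record's tags, applies the rules from the table, and measures the RSA key length encoded in the p value. The function names and the sample key (a well-formed structure with a filler modulus, not a usable key) are constructed for illustration.

```python
import base64

KNOWN_TAGS = {"v", "p", "t", "s", "h", "k", "n"}  # the tags in the table above

def _tlv(buf, pos):
    """Read one DER element at pos; return (content, offset of the next one)."""
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return buf[pos:pos + length], pos + length

def rsa_bits(der):
    """Modulus size in bits of the RSA SubjectPublicKeyInfo carried in p=."""
    spki, _ = _tlv(der, 0)
    _, after_alg = _tlv(spki, 0)   # skip the AlgorithmIdentifier
    bitstr, _ = _tlv(spki, after_alg)
    rsa_key, _ = _tlv(bitstr, 1)   # byte 0 of a BIT STRING counts unused bits
    modulus, _ = _tlv(rsa_key, 0)
    return int.from_bytes(modulus, "big").bit_length()

def lint_dkim_record(txt):
    """Return (tags, findings) for the TXT value at <selector>._domainkey.<domain>."""
    tags, findings = {}, []
    for part in filter(None, (p.strip() for p in txt.split(";"))):
        name, _, value = part.partition("=")
        tags[name.strip()] = "".join(value.split())  # drop whitespace inside values
    findings += [f"unknown tag {t!r}" for t in sorted(set(tags) - KNOWN_TAGS)]
    if tags.get("v", "DKIM1") != "DKIM1":
        findings.append("v must be DKIM1")
    key_type = tags.get("k", "rsa")
    if key_type != "rsa":
        findings.append(f"key type {key_type!r} is not the default rsa")
    flags = filter(None, tags.get("t", "").split(":"))
    findings += [f"undefined flag {f!r} will be ignored" for f in flags if f not in ("y", "s")]
    if not tags.get("p"):
        findings.append("p is missing or empty")
    elif key_type == "rsa":
        try:
            bits = rsa_bits(base64.b64decode(tags["p"], validate=True))
            if bits not in (1024, 2048, 4096):
                findings.append(f"unexpected RSA key length {bits}")
        except (ValueError, IndexError):
            findings.append("p is not base64-encoded RSA key data")
    return tags, findings

# Constructed sample: well-formed 1024-bit key structure, filler modulus (not a usable key).
SAMPLE_DER = (bytes.fromhex("30819f300d06092a864886f70d010101050003818d0030818902818100")
              + b"\xc3" * 128 + bytes.fromhex("0203010001"))
SAMPLE_RECORD = "v=DKIM1; k=rsa; p=" + base64.b64encode(SAMPLE_DER).decode()
```

Pass lint_dkim_record the TXT value returned for <selector>._domainkey.<yourdomain.com>; an empty findings list means the record matches the rules above.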

The exact process of adding a DKIM record can vary depending on your email provider and domain host. Read our blogs on adding a DKIM record to Namecheap and Cloudflare.

You can use EasyDMARC’s DKIM Record Generator to generate DKIM keys for your own dedicated email servers. As DKIM works with private and public keys, there are multiple use cases for DKIM implementation:

  • If you’re using a third-party ESP (Google, Microsoft365, Mailchimp, etc.), public DKIM keys are obtained from their portals. ESPs won't share their private keys for privacy and security reasons.
  • For dedicated servers, EasyDMARC's DKIM Generator tool is specifically designed to make the process quick and easy. Once generated, you’ll need to securely store the private key in your own server while implementing the public key in your DNS.

No. This is a common misconception. You only need to generate a DKIM record for your own dedicated mail servers. Third-party ESPs, such as Google Workspace, Microsoft, and Mailchimp, already store a private DKIM key in their own mail server configurations and provide only public signatures for their users. You need to get the public signature or key from your given ESP portal, implement it in your DNS, and later turn on the “Activation” for DKIM within your ESP portal.
