DKIM Record Generator
Use this tool to generate your DKIM record
The tags and their definitions
|v||The version tag indicates the version of DKIM, and should always be set on 1.|
|p (required)||The public key tag is a string of characters generated during DKIM setup. Leaving the value empty deems it invalid.|
|t||This tag lists the flags in a colon-separated sequence. There are two defined flags: y and s. Undefined flags must be ignored.|
|s||This tag lists record-applicable service types. If the appropriate service type misses, the receiving servers must ignore the tag. Same goes with the unrecognized service types.|
|h||This tag defines the acceptable hash algorithms. In its default state, it allows all. Unrecognized algorithms must be ignored. The sender is responsible for determining each entry in the list.|
|k||This is the key type tag with a default value of "rsa". It's crucial that both sending and receiving servers support this value.|
|n||This tag acts like an optional note field for administrators. We recommend that you use this field only if necessary.|
How to generate a DKIM record?
DKIM adds an encrypted signature to the header of all outgoing messages. Email servers that get signed messages use DKIM public key to decrypt the message header and verify the message was not changed after it was sent. Generally, DKIM detects forged header fields and content in emails. As DKIM works with Private and Public keys, there are multiple use-cases for DKIM implementation:
- If you are using Third-Party ESPs (Google, Microsoft365, Mailchimp, etc.) DKIM Public keys are obtained from their portals. ESPs won't share their Private Keys for privacy and security concerns.
- For dedicated servers, EasyDMARC's DKIM Generator tool is particularly made to make the process easy and fast. You will securely store the Private key in your own server while implementing the Public key in your DNS.
How does DKIM work?
DKIM uses a pair of keys, one private and one public, to verify messages. A private domain key adds an encrypted signature header to all outgoing messages sent from your email domain. A matching public key is added to the Domain Name System (DNS) record for your email domain. Email servers that get messages from your domain use the public key to decrypt the message signature and verify the signed message sources.
How to use a DKIM Record Generator?
In order to create private and public keys pair using DKIM Record Generator, you need to specify your domain name, DKIM “selector” name, and the key length.
- A selector can be any given name. Use a name to clearly identify the DKIM Signature in future.
- Enter your domain name, this should match the visible “From” address domain.
- Specify the Key length. We support 1024, 2048, and 4096-bit size keys.
- Once DKIM Record is generated, store the Private Key in your mail server configurations (with .pem file), and implement the Public Key in your DNS Zone.
Do I need to generate a DKIM Record if I’m using a third-party ESP?
No. This is a common misconception. You only need to generate a DKIM Record only for your dedicated mail servers. For Third-Party ESPs such as Google Workspace, Microsoft, Mailchimp, etc. they already store the Private Key in their own mail server configurations and provide only Public Signatures for their users. The only action you need to take is to get the Public Signature from the given ESP portal and implement it in your DNS, and later turn on the “Activation” for DKIM within the ESP portal.