
DKIM Record Generator

Build a valid DKIM TXT record, generate an RSA or Ed25519 keypair locally in your browser, and validate any DKIM record. No signup required.

Quick presets

Tap a preset to load a common DKIM starting point. Domain and any generated keypair are preserved.

Selector and domain

DKIM records live at <selector>._domainkey.<domain>. The selector is just a label you choose so you can rotate or run several keys in parallel.

Host: default._domainkey.example.com

Key type

Hash algorithms

Public key

Paste a base64 SubjectPublicKeyInfo (or a 32-byte raw key for Ed25519), or generate a fresh keypair below. The private key never leaves your browser.

Flags and metadata

Note (n=). Free text that receivers ignore. A semicolon inside the value would be read as the end of the tag, so semicolons are converted to commas to keep the record valid.

Generated DKIM TXT record

Publish at default._domainkey.example.com. Record size: 18 bytes

v=DKIM1; k=rsa; p=

Receivers fetching the TXT record at default._domainkey.example.com will treat it as a DKIM v1 selector for RSA signatures. Only SHA256 signatures are accepted.

  • Error: Public key is empty. Paste a base64 public key, generate a keypair below, or check Revoke selector to publish an empty p= on purpose.

DNS provider snippets

Drop into your DNS host or zone file. Replace placeholder zone IDs and resource groups.

BIND zone file

default._domainkey.example.com.	IN	TXT	"v=DKIM1; k=rsa; p="

Cloudflare DNS (UI)

Type: TXT
Name: default._domainkey.example.com
Content: v=DKIM1; k=rsa; p=
TTL: Auto (or 3600)
(Cloudflare accepts the full record as a single string; it splits internally.)

Route 53 (AWS CLI)

aws route53 change-resource-record-sets \
  --hosted-zone-id ZXXXXXXXXXXXXX \
  --change-batch '{"Changes":[{"Action":"UPSERT","ResourceRecordSet":{"Name":"default._domainkey.example.com.","Type":"TXT","TTL":3600,"ResourceRecords":[{"Value":"\"v=DKIM1; k=rsa; p=\""}]}}]}'

Google Cloud DNS / Workspace

Record type: TXT
DNS name: default._domainkey.example.com
TTL: 3600 seconds
Value: v=DKIM1; k=rsa; p=
(Google Cloud DNS accepts the full record; the UI auto-splits over 255 bytes.)

Azure DNS (CLI)

az network dns record-set txt add-record \
  --resource-group MY-RG \
  --zone-name example.com \
  --record-set-name default._domainkey \
  --value "v=DKIM1; k=rsa; p="

Quick reference

v=DKIM1

Required first tag. Receivers ignore TXT records that do not start with v=DKIM1, so a record without it is invisible.

k=rsa | k=ed25519

Key type. RSA is the legacy default and the most widely supported. Ed25519 (RFC 8463) has a 32-byte public key but only newer receivers verify it.

p=<base64>

Required. Base64-encoded SubjectPublicKeyInfo for RSA, or 32 raw bytes for Ed25519. Empty p= means the selector has been revoked.

h=sha256

Restricts the hash algorithms accepted by this selector. The default is sha256. sha1 is deprecated and treated as a failure by major receivers.

t=y, t=s, t=y:s

Flags. y is test mode (failures are ignored by receivers). s requires the i= identity to be inside d= rather than a subdomain. They combine with a colon.

s=email

Restricts the key to email signatures. The default (when omitted) is *, which accepts any service.

<selector>._domainkey.<domain>

The DNS host. Choose a unique selector per key so you can rotate without breaking previous signatures. default and google are common.

255-byte TXT limit

DNS character-strings cap at 255 bytes. RSA 2048 records sit just under; RSA 4096 must be split into multiple consecutive quoted strings in the same RR.

How to use

  1. Pick a preset (RSA 2048 standard, RSA 2048 strict subdomain, RSA 2048 test mode, Ed25519, RSA 4096, or revoke selector) to load a known-good starting record, or skip presets and build from scratch.
  2. Enter the selector you want (default, google, mailgun, smtp, k1, and so on) and your domain. The host field shows the resulting DNS name, for example default._domainkey.example.com.
  3. Pick a key type. RSA 2048 is the modern default. Ed25519 needs a recent browser for in-page key generation; the parser handles existing Ed25519 keys regardless. Pick the hash algorithms you want (sha256 only is the recommendation).
  4. Either paste an existing public key (base64 SubjectPublicKeyInfo for RSA, or a 32-byte raw key for Ed25519), or click Generate keypair to make one in your browser via window.crypto.subtle. Save the PEM private key shown in the warning panel; the page does not keep a copy.
  5. Optionally toggle t=y test mode, t=s strict subdomain alignment, s=email service type, or Revoke selector (publishes the record with empty p=). Add an n= note if you want.
  6. Copy the generated TXT value and publish it at the host shown above using the BIND, Cloudflare, Route 53, Google, or Azure snippet underneath. RSA 4096 records over 255 bytes also show a pre-split multi-string version for DNS hosts that need it.
  7. Switch to Parse and explain to paste any existing DKIM record (yours or someone else's) and see tag-by-tag validation, decoded key length, and effective behavior.

About this tool

DKIM Record Generator is a two-mode tool for the DomainKeys Identified Mail (DKIM) DNS TXT record defined in RFC 6376.

The Build mode lets you assemble a record from scratch: pick a selector and domain, choose a key type (RSA 1024, RSA 2048, RSA 4096, or Ed25519 per RFC 8463), set the accepted hash algorithms (sha256 is the recommended default; sha1 is allowed but deprecated), restrict the service type with s=email if you need to, set the t= flags (y for test mode during rollout, s for strict subdomain alignment), add a free-text n= note, and either paste an existing public key or generate a fresh keypair on the fly with window.crypto.subtle. The generated public key is base64-encoded and dropped into p= automatically; the matching private key is shown as a PKCS#8 PEM you can hide, copy, and save to your mail server. The browser does not keep a copy after you leave the page, and nothing is uploaded.

The Parse mode accepts any DKIM TXT record value (with or without the v=DKIM1 prefix, with or without the surrounding double quotes some DNS providers display, and with or without the multi-string concatenation DNS uses for records over 255 bytes), tokenizes the tags on semicolons, validates each one against RFC 6376, decodes the public key length (parsing the RSA SubjectPublicKeyInfo with a tiny DER walker, or counting Ed25519 key bytes per RFC 8463), and explains the policy in plain English.

Quick presets cover the most common scenarios: RSA 2048 standard, RSA 2048 strict subdomain, RSA 2048 test mode for rollout, Ed25519 modern, RSA 4096 stronger, and an empty p= revocation marker. Output appears as a normalized v=DKIM1; ... TXT record value plus copy-paste DNS provider snippets for BIND zone files, Cloudflare, Route 53 (AWS CLI), Google Cloud DNS, and Azure DNS (CLI). The 255-byte TXT character-string limit is computed automatically and the record is also shown pre-split into multiple consecutive quoted segments for DNS hosts that do not split internally.

The issue list flags every problem the spec calls out: missing v=DKIM1, missing p=, RSA modulus under 2048 bits (which most mailbox providers downgrade), 1024-bit keys, sha1-only h= lists, unknown tags, duplicate tags, malformed base64, Ed25519 keys that are not exactly 32 bytes, and selector or domain labels that violate DNS rules.

Useful for new domains turning on DKIM for the first time, devops rotating an exposed selector after an incident, security teams adding Ed25519 alongside RSA for forward compatibility, marketers onboarding a new ESP without breaking existing signatures, and anyone debugging a 'dkim=fail' or 'dkim=neutral' Authentication-Results header. Everything runs locally in your browser. The selector, domain, and any keypair generated here never leave your device, and no DNS queries are issued.

Free to use. Works in your browser. No signup, no login.
