Generate an RSA-2048/4096 or Ed25519 key pair locally; public key as DKIM DNS TXT, private key as PEM download.
What is this, and when do I need it?
What is this?
DKIM (DomainKeys Identified Mail, RFC 6376) cryptographically signs outgoing mail. The
receiving mail server verifies the signature with the public key stored in DNS at <selector>._domainkey.<your-domain>.
Unlike SPF, DKIM survives forwarding because the signature is bound to the mail content -
not the sending IP. That makes DKIM the more robust half of the DMARC verdict.
This tool produces the DNS TXT record format for a given public key. The key pair itself
should be generated by your mail provider (Google Workspace, Microsoft 365, SendGrid, Brevo
etc. all have it in their dashboards) - that is safer than a locally generated key.
When do I need it?
As soon as you send any mail at all. Practically every mail provider supports DKIM with a
one-click toggle in the dashboard, and the DNS record format is always the same.
Key length: RSA 2048 bit is today's standard. Ed25519 already works at Gmail
and many others but is not yet universal - when in doubt, keep a second selector with RSA as fallback.
The key pair is generated in your browser via the Web Crypto API (SubtleCrypto.generateKey). The private and public keys exist only in this tab; we do not store, transmit, or log anything.
When you close the page the keys are gone, so download the private key before closing.
The public key is written into the DKIM DNS record as p=<base64-SPKI>. The private
key (PKCS#8 PEM) goes to the MTA that signs outbound mail (Postfix-OpenDKIM, exim4, Microsoft
365 custom domain, Mailgun custom key, ...).
Selector rotation
DKIM best practice: a fresh selector with a new key every 6-12 months. Rollout:
1. Create a new selector (e.g. k2026q3).
2. Publish the new DNS record, leave the old one in place.
3. Switch the MTA so it signs with the new selector.
4. Wait ~30 days (enough time for receiver DNS caches and later mail analytics).
5. Revoke the old selector: replace the public key with p= (empty p = revoked) or remove the DNS entry.
What we deliberately do not do
No key storage. Keys generated here are not retrievable from us. Close the tab and they are
gone.
No MTA configuration. How you install the private key on OpenDKIM/Postfix/Office 365 depends
on the stack - we only deliver key material in standard PEM.
No DNS publishing. You bring the TXT record to your DNS provider yourself.
Inspect an existing DKIM selector
Reads <selector>._domainkey.<domain> and validates v/k/p tags against RFC 6376 + RFC 8463.
Server path: this inspection does NOT run browser-local. We fetch the DNS record or HTTPS response via our server. We do not log the queried domain or the result. 12 requests per minute per IPv4 address or IPv6 /64 subnet.
How to add this record at your DNS provider
The record generated above has three parts: the record type (typically TXT,
occasionally CAA), the host (a subdomain like _dmarc, _smtp._tls or empty for the root domain) and the value (the actual
payload in quotes). Every DNS provider asks for these same three fields - only the menu wording
differs.
Button Add record → pick a type, enter the name (use @ for the
root domain), paste the value.
Save. Propagation typically under 5 minutes.
IONOS (1&1)
Sign in to the IONOS customer center.
Menu Domains & SSL → click the domain → DNS.
Button Add record → pick a type, enter the host, paste the value into the content field.
Save. Propagation typically 15-60 minutes.
Cloudflare
Sign in to Cloudflare, pick the domain.
Tab DNS → Records.
Button Add record → pick a type, enter the name (use @ for
the root domain), paste the value, leave proxy status on DNS only for TXT/CAA records.
Save. Propagation typically under 2 minutes.
Note: If your DNS provider is not listed, you usually find the right place under headings like
"DNS management", "Zone editor", or "Records". When in doubt, your provider's support helps;
the paths shown here are vendor-specific and can shift slightly with redesigns.