DKIM public-key generator

Per RFC 6376 + RFC 8463

Generate an RSA-2048/4096 or Ed25519 key pair locally; public key as DKIM DNS TXT, private key as PEM download.

What is this, and when do I need it?

What is this?

DKIM (DomainKeys Identified Mail, RFC 6376) cryptographically signs outgoing mail. The receiving mail server verifies the signature with the public key stored in DNS at <selector>._domainkey.<your-domain>.

Unlike SPF, DKIM survives forwarding because the signature is bound to the mail content - not the sending IP. That makes DKIM the more robust half of the DMARC verdict.

This tool produces the DNS TXT record format for a given public key. The key pair itself should be generated by your mail provider (Google Workspace, Microsoft 365, SendGrid, Brevo etc. all have it in their dashboards) - that is safer than a locally generated key.

When do I need it?

As soon as you send any mail at all. Practically every mail provider supports DKIM with a one-click toggle in the dashboard, and the DNS record format is always the same.

Key length: RSA 2048 bit is today's standard. Ed25519 already works at Gmail and many others but is not yet universal - when in doubt, keep a second selector with RSA as fallback.

Should already be in place

What happens cryptographically

The key pair is generated in your browser via the Web Crypto API (SubtleCrypto.generateKey). Private and public key only exist in this tab. We do not store, transmit, or log anything. When you close the page the keys are gone - so download the private key before closing.

The public key is written into the DKIM DNS record as p=<base64-SPKI>. The private key (PKCS#8 PEM) goes to the MTA that signs outbound mail (Postfix-OpenDKIM, exim4, Microsoft 365 custom domain, Mailgun custom key, ...).

Selector rotation

DKIM best practice: a fresh selector with a new key every 6-12 months. Rollout:

  1. Create a new selector (e.g. k2026q3).
  2. Publish the new DNS record, leave the old one in place.
  3. Switch the MTA so it signs with the new selector.
  4. Wait ~30 days (enough time for receiver DNS caches and later mail analytics).
  5. Revoke the old selector: replace the public key with p= (empty p = revoked) or remove the DNS entry.

What we deliberately do not do

  • No key storage. Keys generated here are not retrievable from us. Close the tab and they are gone.
  • No MTA configuration. How you install the private key on OpenDKIM/Postfix/Office 365 depends on the stack - we only deliver key material in standard PEM.
  • No DNS publishing. You bring the TXT record to your DNS provider yourself.

Inspect an existing DKIM selector

Reads <selector>._domainkey.<domain> and validates v/k/p tags against RFC 6376 + RFC 8463.

Server path: this inspection does NOT run locally in the browser. We fetch the DNS record or HTTPS response via our server. We do not log the queried domain or the result. 12 requests per minute per IPv4 address or IPv6 /64 subnet.
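The v/k/p validation this inspection performs, and the revoked state (empty p=) from step 5 of the selector rotation above, as an added example that is not the tool's own code. It assumes the TXT strings have already been fetched from DNS and are passed in as-is (one string or several, since TXT data may be split into multiple quoted strings):

```javascript
// Added example, not the tool's own code; needs Node 16+ or a browser (atob).
const fromBase64 = (s) => Uint8Array.from(atob(s), (c) => c.charCodeAt(0));
// Minimal DER TLV reader: element at `off` -> { body, next }; long-form lengths handled.
function derElement(bytes, off) {
  let len = bytes[off + 1], pos = off + 2;
  if (len & 0x80) { const n = len & 0x7f; len = 0; for (let i = 0; i < n; i++) len = (len << 8) | bytes[pos++]; }
  return { body: bytes.subarray(pos, pos + len), next: pos + len };
}
// RSA SubjectPublicKeyInfo -> modulus size in bits (leading sign byte dropped).
function rsaModulusBits(spki) {
  const outer = derElement(spki, 0).body;                           // SEQUENCE { AlgorithmIdentifier, BIT STRING }
  const bitStr = derElement(outer, derElement(outer, 0).next).body; // BIT STRING; byte 0 = unused-bit count
  const n = derElement(derElement(bitStr, 1).body, 0).body;         // RSAPublicKey SEQUENCE -> INTEGER n
  return (n.length - (n[0] === 0 ? 1 : 0)) * 8;
}
// A TXT record may be published as several quoted strings: join them, then split the
// tag=value list (RFC 6376 section 3.6.1). Duplicate tags make the record invalid.
function parseDkimRecord(strings) {
  const tags = {};
  for (const part of [].concat(strings).join('').split(';')) {
    if (!part.trim()) continue;
    const eq = part.indexOf('=');
    if (eq < 0) throw new Error(`malformed tag: ${part.trim()}`);
    const name = part.slice(0, eq).trim();
    if (name in tags) throw new Error(`duplicate tag: ${name}`);
    tags[name] = part.slice(eq + 1).replace(/\s+/g, ''); // FWS inside values is ignored
  }
  return tags;
}
// Validate v/k/p as a selector inspection would.
function inspectDkimRecord(strings) {
  const tags = parseDkimRecord(strings);
  const problems = [];
  if ('v' in tags && tags.v !== 'DKIM1') problems.push(`v must be DKIM1, got ${tags.v}`);
  if (!('p' in tags)) problems.push('p tag is required');
  const k = tags.k ?? 'rsa';                    // k defaults to rsa
  const revoked = tags.p === '';                // empty p = key revoked
  let keyBits = null;
  if ('p' in tags && !revoked) {
    const key = fromBase64(tags.p);
    if (k === 'rsa') keyBits = rsaModulusBits(key);
    else if (k === 'ed25519') keyBits = key.length * 8;   // RFC 8463: raw 32-byte key, not SPKI
    else problems.push(`unsupported key type ${k}`);
    if (k === 'rsa' && keyBits < 1024) problems.push(`RSA modulus of ${keyBits} bits is too small`);
    if (k === 'ed25519' && keyBits !== 256) problems.push('ed25519 p must be the raw 32-byte public key');
  }
  return { keyType: k, keyBits, revoked, problems, valid: problems.length === 0 };
}
```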

How to add this record at your DNS provider

The record generated above has three parts: the record type (typically TXT, occasionally CAA), the host (a subdomain like _dmarc, _smtp._tls or empty for the root domain) and the value (the actual payload in quotes). Every DNS provider asks for these same three fields - only the menu wording differs.

INWX (Dernium default for new customers)
  1. Sign in at www.inwx.de.
  2. Tab Nameserver → pick the domain → Nameserver-Sets verwalten → DNS-Einträge.
  3. Button Neuen Eintrag anlegen.
  4. Pick a type (e.g. TXT), enter the host (empty for the root domain, otherwise e.g. _dmarc), paste the value, leave TTL at 3600.
  5. Save. Propagation typically within 5-15 minutes.
Strato
  1. Sign in to the Strato customer area.
  2. Menu Domains → pick the domain → Verwalten.
  3. Section DNS-Verwaltung → Nameserver/DNS-Einstellungen anpassen.
  4. Under Eigene DNS-Verwaltung pick the right record type (TXT records have their own block), enter host and value.
  5. Save. Strato typically propagates within 30-60 minutes.
Hetzner DNS Console
  1. Sign in at dns.hetzner.com.
  2. Click on the zone of your domain.
  3. Button Add record → pick a type, enter the name (use @ for the root domain), paste the value.
  4. Save. Propagation typically under 5 minutes.
IONOS (1&1)
  1. Sign in to the IONOS customer center.
  2. Menu Domains & SSL → click the domain → DNS.
  3. Button Eintrag hinzufügen → pick a type, enter the host, paste the value into the content field.
  4. Save. Propagation typically 15-60 minutes.
Cloudflare
  1. Sign in to Cloudflare, pick the domain.
  2. Tab DNS → Records.
  3. Button Add record → pick a type, enter the name (use @ for the root domain), paste the value, leave proxy status on DNS only for TXT/CAA records.
  4. Save. Propagation typically under 2 minutes.

Note: If your DNS provider is not listed, you usually find the right place under headings like "DNS management", "Zone editor", or "Records". When in doubt, your provider's support helps; the paths shown here are vendor-specific and can shift slightly with redesigns.