Free Tools
DKIM Record Generator
Build a valid DKIM TXT record for your domain. Enter your selector, paste the public key from your email provider, and get a ready-to-publish DNS record — no account required.
Enter your domain
The domain you want to add DKIM signing to.
New to DKIM? DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every outgoing email. Receiving servers verify the signature against a public key stored in your DNS — confirming the message was genuinely sent by you and wasn't altered in transit.
Authentication is just the start
SPF, DKIM, and DMARC get you to the inbox. Warming keeps you there.
Authentication tells providers your domain is legitimate — but inbox placement depends on sender reputation too. MailStrike warms your domain using a network of AI-driven personas that open, reply to, and positively engage with your emails, building the engagement signals that keep you out of spam long term.
What is DKIM?
DKIM (DomainKeys Identified Mail) is an email authentication standard that lets you attach a cryptographic signature to every outgoing message. The signature is generated by your mail server using a private key you keep secret, and verified by receiving servers using a corresponding public key published in your DNS.
When a receiving server sees a DKIM-signed email, it fetches your public key from DNS, verifies the signature, and confirms that the message was sent by an authorised server and wasn't modified after signing. A valid DKIM signature is one of the strongest trust signals you can send to Gmail, Outlook, and other inbox providers.
How DKIM works
Your mail server signs the message
When you send an email, your mail server generates a hash of specific headers and the message body, then encrypts it with your DKIM private key to produce the signature.
The signature travels with the email
The DKIM signature is added as a header (DKIM-Signature:) on the outgoing message. It includes the selector name, the signing algorithm, and the encrypted hash.
The receiving server looks up your public key
When the message arrives, the receiving server reads the selector from the signature header and queries your DNS for the corresponding public key at selector._domainkey.yourdomain.com.
The signature is verified
The receiving server decrypts the signature using your public key, recomputes the hash of the message, and checks that they match. A match means the message is authentic and unmodified.
What is a DKIM selector?
A selector is a short label — like google or s1 — that identifies which public key to use for verification. It forms the first part of the DNS record name: selector._domainkey.yourdomain.com.
Selectors exist so you can have multiple DKIM keys active at the same time — one per email provider or service. Google Workspace uses the selector google, Microsoft 365 uses selector1 and selector2, and SendGrid uses s1 by default. Each service tells you which selector to use when you enable DKIM signing.
Selectors are also used for key rotation — you can publish a new key under a new selector, update your mail server to use the new key, and then remove the old record once traffic has migrated over.
RSA vs Ed25519 — which key type to use?
DKIM supports two key algorithms. For most deployments, RSA is the right choice.
RSA-2048 is the industry standard and is accepted by every major mail server. If you're not sure which to use, choose RSA. It's what Google Workspace, Microsoft 365, SendGrid, and virtually every ESP generate by default.
Ed25519 is a modern elliptic-curve algorithm with much shorter keys (68 characters vs ~350 for RSA-2048) and faster signature verification. It's defined in RFC 8463 and is supported by Postfix, Exim, and most modern mail infrastructure. A small number of older systems may not recognise it.
Frequently asked questions
Where do I get my DKIM public key?
Your email provider or mail server generates the DKIM key pair and gives you the public key to publish in DNS. In Google Workspace, go to Admin > Apps > Gmail > Authenticate email and click Generate new record. In Microsoft 365, it's under Security > Email authentication > DKIM. For self-hosted servers like Postfix or Exim, use a tool like opendkim-genkey to generate the key pair.
Do I need to set up DKIM if I'm already using SPF?
Yes. SPF and DKIM serve different purposes. SPF verifies that the sending server is authorised, but it breaks when email is forwarded. DKIM signs the message content and survives forwarding. DMARC requires either SPF or DKIM alignment to pass — having both gives you a more reliable authentication chain and stronger inbox placement signals.
Why does my DKIM TXT record need to go on a subdomain?
The DKIM record is placed at selector._domainkey.yourdomain.com, not on the root domain. This structure lets you have multiple DKIM keys for different services or selectors simultaneously. The _domainkey subdomain is defined by the RFC and all mail servers know to look there.
Can I have multiple DKIM records for the same domain?
Yes — each record uses a different selector, so there's no conflict. If you use Google Workspace and SendGrid at the same time, you'd publish two DKIM records: google._domainkey.yourdomain.com and s1._domainkey.yourdomain.com. Both can coexist.
What is DKIM key rotation and when should I do it?
Key rotation means replacing your DKIM key pair periodically to limit the damage if a private key is compromised. To rotate: generate a new key pair, publish the new public key under a new selector, update your mail server to sign with the new key, wait for DNS to propagate, then remove the old record. Many organisations rotate annually or after any suspected infrastructure compromise.
How do I verify my DKIM record is working?
Use the command dig TXT selector._domainkey.yourdomain.com (replacing selector with your actual selector) to check the published record. To test end-to-end signing, send a test email to mail-tester.com or check-auth2@verifier.port25.com and look at the DKIM result in the report.
Related free tools
SPF Record Generator
Generate a valid SPF TXT record for your domain. Select your email providers and copy the DNS record.
DMARC Record Generator
Set your DMARC policy, configure aggregate reporting, and get a copy-paste DNS record in seconds.
Blacklist Checker
Check if your domain or IP is listed on any of the 21 most common email blacklists.