DKIM Record Generator

Generate DKIM key pairs (RSA or Ed25519) and DNS TXT records entirely in your browser. Your private key never leaves your device.

What is DKIM?

DomainKeys Identified Mail (DKIM) is an email authentication protocol defined in RFC 6376. It allows a sending mail server to cryptographically sign outgoing messages using a private key. The corresponding public key is published in a DNS TXT record at <selector>._domainkey.<domain>. Receiving servers retrieve the public key, verify the signature, and confirm the message was not altered in transit.

DKIM is one of the three pillars of email authentication alongside SPF and DMARC. While SPF validates the sending server, DKIM validates the message content itself. This makes DKIM resilient to email forwarding, where SPF typically breaks.

Key Types

RSA keys are universally supported and remain the standard choice. RFC 8301 requires a minimum of 1024 bits (2048 recommended). Larger keys provide more security but may exceed DNS TXT record size limits at 4096 bits.

Ed25519 keys (RFC 8463) offer equivalent security to RSA-3072 with much smaller 32-byte keys. DNS record size is never an issue. However, not all receivers verify Ed25519 signatures yet, so a dual-key setup (RSA + Ed25519 under different selectors) is recommended during the transition period.

Selectors

A selector is a label that identifies which DKIM key to use. It appears in the s= tag of the DKIM-Signature email header and in the DNS lookup path. Common patterns include default, google, selector1, or date-based names like 20260301 for key rotation.

Each email provider uses its own selector. You can find the selector for a message by examining its DKIM-Signature header. Multiple selectors can coexist for the same domain, enabling key rotation without downtime.

DNS Record Format

Tag  Required     Description
v    Recommended  Version. Must be DKIM1 if present.
k    No           Key type: rsa (default) or ed25519.
p    Yes          Base64-encoded public key. An empty value means the key has been revoked.
h    No           Acceptable hash algorithms (e.g., sha256).
s    No           Service type: * (all, default) or email.
t    No           Flags: y = testing mode, s = strict alignment.
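
The tag rules above, as an added example (not code from this page or from the generator tool): a Python checker that parses a DKIM key record and flags a wrong version, testing mode, a missing, revoked or malformed key, and RSA keys below 2048 bits. It assumes the TXT strings have already been concatenated into one value; the function names and sample records are constructed for illustration, and the sample keys use placeholder bytes.

```python
import base64

def parse_tags(txt):
    """Split a DKIM key record ('v=DKIM1; k=rsa; p=...') into a tag dict."""
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    return {name.strip(): "".join(value.split()) for name, value in pairs}

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, content_start, content_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def rsa_bits(der):
    """Modulus size of an RSA key in SubjectPublicKeyInfo or RSAPublicKey DER."""
    tag, start, end = _tlv(der, _tlv(der, 0)[1])  # first item in outer SEQUENCE
    if tag == 0x30:                         # AlgorithmIdentifier: SPKI wrapping
        bitstr = _tlv(der, end)[1]          # BIT STRING content
        inner = _tlv(der, bitstr + 1)[1]    # skip unused-bits byte; inner SEQUENCE
        _, start, end = _tlv(der, inner)    # INTEGER modulus
    return int.from_bytes(der[start:end], "big").bit_length()

def check_record(txt):
    """Return findings for one DKIM key record; an empty list means no issues."""
    tags, findings = parse_tags(txt), []
    if tags.get("v", "DKIM1") != "DKIM1":
        findings.append("v must be DKIM1 if present")
    if "y" in tags.get("t", "").split(":"):
        findings.append("t=y: testing mode")
    if not tags.get("p"):
        return findings + ["p missing" if "p" not in tags else "key revoked (empty p)"]
    try:
        key = base64.b64decode(tags["p"], validate=True)
        ktype = tags.get("k", "rsa")
        if ktype == "ed25519" and len(key) != 32:
            findings.append("ed25519 key must be 32 bytes")
        elif ktype == "rsa" and (bits := rsa_bits(key)) < 2048:
            findings.append(f"RSA key is {bits} bits; 2048 recommended")
    except (ValueError, IndexError):
        findings.append("p is not a valid base64-encoded key")
    return findings

# Constructed samples: structurally valid encodings with placeholder key bytes.
RSA_1024 = bytes.fromhex("30819f300d06092a864886f70d010101050003818d0030818902818100") \
    + b"\xc3" * 128 + bytes.fromhex("0203010001")
SAMPLE_RSA = "v=DKIM1; k=rsa; p=" + base64.b64encode(RSA_1024).decode()
SAMPLE_ED = "v=DKIM1; k=ed25519; p=" + base64.b64encode(bytes(range(32))).decode()
```

check_record(SAMPLE_RSA) reports the 1024-bit key, while SAMPLE_ED passes with no findings.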
