✦ Free DKIM Generator — No Signup Required

DKIM Generator

Generate real DKIM RSA key pairs instantly. Get your DNS TXT record, public key, and private key — free, secure, no account needed. Powered by PHP OpenSSL on your own server.

Example: default, google, s1, mailgun — alphanumeric, hyphens allowed.
Tip: selecting your ESP shows provider-specific DKIM setup instructions after generation.
✦ Free Email Warmup Tool

Get Your Cold Emails Into the Inbox with Warmbase

DKIM is the authentication foundation — but a valid signature alone won't guarantee inbox placement. Warm up your inboxes, build real sender reputation automatically, and hit the primary inbox on every cold email campaign.

  • ✓ Automatic inbox warming — no manual work
  • ✓ Real human-like email interactions
  • ✓ Works with any ESP or custom SMTP
  • ✓ Spam folder rescue & reputation repair
Start Free Email Warmup →
98% Inbox Rate
10k+ Active Users
Free To Get Started

What is DKIM?

DKIM — short for DomainKeys Identified Mail — is an email authentication standard that lets domain owners cryptographically sign outgoing messages. The signature is attached to every email as a special header (DKIM-Signature) and verified by the receiving mail server using a public key published in the domain's DNS.

When a mail server receives a signed message, it reads the selector and signing domain from the DKIM-Signature header, fetches the matching public key from DNS, recomputes the hashes of the signed headers and body, and checks the signature against them with that public key. If the check succeeds, DKIM passes: the message was signed by whoever holds the private key for that domain, and the signed parts were not altered in transit. DKIM says nothing about the connecting server's IP address; that is SPF's job.

DKIM is one of the three core email authentication standards alongside SPF and DMARC. Together they form the backbone of modern email deliverability. Without DKIM, major providers like Gmail, Outlook, and Yahoo are more likely to route your messages to spam — especially for cold email and high-volume sending.

How DKIM Works

DKIM uses asymmetric (public/private key) cryptography. Here is the full flow from sending to verification:

  1. Key pair generation — you generate an RSA key pair. The private key stays on your mail server; the public key is published in DNS as a TXT record.
  2. Message signing — when your mail server sends an email, it computes a SHA-256 hash over the canonicalised message body and a second hash over selected headers (From is mandatory; To, Subject, Date and Message-ID are usually included), then signs the header hash with the private key. The body hash (bh=) and the signature (b=) are embedded in the DKIM-Signature header.
  3. Transmission — the email travels to the recipient's mail server with the DKIM-Signature header intact.
  4. DNS lookup — the receiving server extracts the domain and selector from the DKIM-Signature header and queries DNS for the public key at [selector]._domainkey.[domain].
  5. Verification — the receiver recomputes the body hash and compares it with bh=, then recomputes the header hash and verifies the b= signature against it with the public key (an RSA signature verification, not a decryption). If both checks succeed: DKIM passes. If any signed content was changed or the key does not match: DKIM fails.
  6. DMARC alignment — DMARC checks whether the DKIM signing domain (d=) aligns with the domain in the visible From: header, closing the From-header spoofing gap that SPF alone cannot address (SPF checks the envelope sender, which the recipient never sees).

Unlike SPF, DKIM signatures normally survive email forwarding: the signature is computed over the message content, not the connecting IP address, so a plain forward that leaves the signed headers and body untouched still verifies. It breaks only when the forwarder changes signed content, as mailing lists do when they add subject tags or footers.

How to Use Our Free DKIM Generator

Generating a DKIM key pair takes under two minutes. No technical background required — the generator handles all the cryptography using PHP OpenSSL on your WordPress server.

  1. Enter your domain — type your root domain (e.g. example.com) without any prefix like "www" or "mail".
  2. Enter a selector — choose a short alphanumeric label to identify this key pair in DNS (e.g. default, google, s1). The selector is part of the DNS host name.
  3. Choose key size — select 2048-bit (recommended) or 1024-bit. Larger keys are more secure but produce longer DNS records.
  4. Select your ESP — pick your email service provider. The generator will show provider-specific DKIM setup instructions alongside your key pair.
  5. Click Generate DKIM Keys — the generator calls your WordPress server to create the key pair using PHP OpenSSL. Keys are generated fresh and never stored.
  6. Add the DNS TXT record — copy the DNS host and DKIM value to your DNS provider as a TXT record.
  7. Configure your mail server — upload or paste the private key into your ESP's DKIM configuration panel or mail server settings.
  8. Verify — send a test message to a mailbox you control and check the Authentication-Results header for dkim=pass together with the d= domain and s= selector you expect.

DKIM Selector Explained

A DKIM selector is a short label that identifies which DKIM public key to look up in DNS. It is included in the DKIM-Signature header of every signed email as the s= tag (e.g. s=default).

The selector forms part of the DNS lookup path: [selector]._domainkey.[domain]. For example, if your domain is example.com and your selector is default, the public key is published at default._domainkey.example.com.

Selector   DNS Host              Common Use Case
default    default._domainkey    General / custom SMTP
google     google._domainkey     Google Workspace (its default selector prefix)
s1         s1._domainkey         SendGrid / rotation key
mx         mx._domainkey         Self-hosted Exchange or custom SMTP (hosted Microsoft 365 publishes selector1 and selector2 as CNAME records instead)

Because selectors are independent, a single domain can publish multiple DKIM keys simultaneously — one per sending service. This avoids key conflicts and lets you rotate keys for individual services without affecting others.

Selector naming tips: Keep selectors short and descriptive. Use only letters, numbers, hyphens, and dots. Avoid spaces or underscores. Common conventions include default, s1, s2, google, mailgun, or a date like 202501 for rotation tracking.

DKIM Public Key vs Private Key

DKIM uses asymmetric RSA cryptography (Ed25519 is also standardised in RFC 8463 but less widely supported). The two keys are generated together: a signature made with the private key can be checked by anyone holding the public key, but the public key cannot be used to produce a signature.

Key           Where it goes                   Who sees it          What happens if exposed
Private key   Your mail server / ESP config   You only             Anyone can forge your signatures: rotate immediately
Public key    DNS TXT record (p= value)       The whole internet   Nothing, it is designed to be public

Private key security: Never commit your private key to git, paste it into a public Slack channel, or store it unencrypted. Use your hosting provider's secrets manager, environment variables, or a dedicated vault tool. If you suspect exposure, generate a new key pair immediately and update your DNS and mail server configuration.

Key rotation: Rotate your DKIM private key at least once per year, or immediately after any suspected compromise. Use a new selector for each rotation (e.g. s1, then s2) so you can publish the new key before switching signing to it, and keep the old record published until mail signed with the old key has stopped arriving. To retire a selector without deleting it, publish it with an empty p= value, which tells verifiers the key is revoked.

DKIM DNS Setup Guide

Once you have generated your key pair, you need to publish the public key in your domain's DNS as a TXT record. Here is a step-by-step guide.

Step 1: Log in to your DNS provider

Common DNS providers include Cloudflare, GoDaddy, Namecheap, AWS Route 53, Google Domains, and your domain registrar. Log in and navigate to the DNS management section for your domain.

Step 2: Add a TXT record

  1. Click Add Record and select type TXT.
  2. Set Host / Name to: [selector]._domainkey — for example default._domainkey. Some providers require the full hostname including your domain (default._domainkey.example.com); others handle the domain suffix automatically.
  3. Set Value / Content to the full DKIM TXT value generated above. It will look like: v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ...
  4. Set TTL to 3600 (1 hour) or your provider's default.
  5. Click Save.

Step 3: Wait for DNS propagation

DNS changes typically propagate within 5 minutes to 48 hours. Cloudflare and AWS Route 53 usually propagate in under 5 minutes. Legacy registrars may take up to 48 hours. You can check propagation status using MXToolbox DKIM Lookup.

Step 4: Configure your mail server

Upload the private key to your mail sending software or ESP. The exact process varies by provider — see the ESP-specific recommendations shown after generation.

Step 5: Send a test and verify

Send a test email to a Gmail address, open it, and click the three-dot menu → Show original. Look for DKIM: PASS in the authentication results. Alternatively use Google Admin Toolbox to verify your DNS record directly.

Common DNS Mistakes

  • Wrong host format — some providers auto-append your domain. If yours does, use default._domainkey not default._domainkey.example.com.
  • Truncated value — 2048-bit public keys are long. Some DNS UIs silently truncate long TXT values. Always verify the full value was saved by querying your DNS record after saving.
  • Record type mismatch — when you publish the key yourself it must be a TXT record, not A or MX. A CNAME is correct only when your ESP hosts the key and instructs you to point the selector name at its record (SendGrid and Microsoft 365 work this way); resolvers follow the CNAME to the ESP's TXT record.
  • Spaces in the key — copy the DKIM value exactly as shown. Do not add or remove spaces or line breaks.

DKIM Record Examples

Below are examples of valid DKIM DNS records and the corresponding DKIM-Signature headers you would see in a signed email.

DNS TXT Record (what goes in your DNS)

Field   Value
Type    TXT
Host    default._domainkey
Value   v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...

DKIM-Signature Header (what appears in signed emails)

When your mail server signs an outgoing message, it adds a header like this:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
  d=example.com; s=default;
  h=from:to:subject:date:message-id;
  bh=abc123...;
  b=XYZ456...

The key tags are: v= (version, always 1), a= (signing algorithm: rsa-sha256 in practice, with ed25519-sha256 defined by RFC 8463 and rsa-sha1 obsolete), c= (header/body canonicalisation), d= (signing domain), s= (selector), h= (the signed headers, in the order they were hashed), bh= (base64 SHA-256 of the canonicalised body) and b= (the base64 signature over the canonicalised headers, including this DKIM-Signature header itself with b= empty).

Setting Up DKIM for Google Workspace

Google Workspace generates and manages its own DKIM keys; it does not take an imported private key. Here is how Google's key and a key pair from this generator fit together:

Option 1: Use Google's built-in DKIM (required for mail sent through Gmail)

  1. Go to Google Admin Console → Apps → Google Workspace → Gmail → Authenticate email.
  2. Select your domain and click Generate new record.
  3. Keep the 2048-bit key length (the default) unless your DNS provider cannot store the longer record, and keep or change the selector prefix (google by default).
  4. Copy the DNS host and TXT value shown and add them to your DNS provider.
  5. Wait for DNS propagation, then return to Google Admin and click Start authentication.

Option 2: Use a custom key pair from this generator for your other senders

  1. Generate a key pair above with its own selector (e.g. s1) and 2048-bit key size; do not reuse Google's selector.
  2. Add the DNS TXT record at s1._domainkey.yourdomain.com alongside Google's google._domainkey record.
  3. Upload the private key to the mail server or ESP that sends on your domain's behalf outside Gmail (your own SMTP server, or a provider that accepts an uploaded key). Gmail itself keeps signing with the key from Option 1.

Note: under the Google and Yahoo sender requirements in force since February 2024, every sender must authenticate with SPF or DKIM, and bulk senders (5,000 or more messages a day to Gmail) must pass both SPF and DKIM and publish a DMARC record. Google's generator defaults to 2048-bit keys; 1024-bit is offered only for DNS providers that cannot store the longer record.

DKIM for Cold Email Outreach

Cold email deliverability is a constant battle. DKIM is non-negotiable — but it's only one piece of the puzzle. Here is everything you need to know about DKIM in the context of cold outreach:

Why DKIM matters for cold email

  • Google and Yahoo require it — since February 2024, senders of more than 5,000 messages per day to Gmail must pass both SPF and DKIM and publish a DMARC record, and Yahoo applies equivalent rules; every other sender must pass at least one of SPF or DKIM. Mail that fails is rate-limited, sent to spam or rejected.
  • DKIM survives forwarding — unlike SPF, DKIM signatures are computed over the message content and remain valid when email is forwarded. This matters for outreach because many prospects use email forwarding.
  • DKIM improves spam scoring — mail servers use DKIM pass/fail as one of many signals. A passing DKIM reduces the probability of spam classification.
  • DMARC requires DKIM or SPF — to implement DMARC (which dramatically boosts deliverability and protects your brand), you need at least one of DKIM or SPF passing in alignment with your From domain.

DKIM best practices for cold email

  • Use a separate sending domain or subdomain (e.g. mail.yourdomain.com) for cold outreach to protect your primary domain's reputation.
  • Warm up new domains and inboxes before sending cold campaigns — use Warmbase to automate this.
  • Deploy SPF + DKIM + DMARC on every sending domain, even subdomains used for outreach.
  • Rotate DKIM keys periodically — annually at minimum, or after any suspected compromise.
  • Monitor your sending reputation with Google Postmaster Tools and Microsoft SNDS.

1024-bit vs 2048-bit DKIM Keys

The key size determines the cryptographic strength of your DKIM signature. Here is a direct comparison:

Property                   1024-bit                                            2048-bit
Security strength          Below modern standard                               Current industry standard
Google Workspace support   Offered only for DNS providers that cannot store    Default and recommended
                           a long record
DNS record length          ~235 chars (fits one TXT string)                    ~410 chars (needs two TXT strings)
Signing performance        Faster                                              Marginally slower (negligible)
Recommended?               No, use only if forced                              Yes, for all new setups

When to use 1024-bit: Only if your DNS provider cannot store a record longer than 255 characters. A TXT record is one or more strings of at most 255 octets each (RFC 1035), and DKIM verifiers concatenate the strings before parsing (RFC 6376 §3.6.2.2). A 1024-bit record fits in one string; a 2048-bit record needs two, and not every provider's interface lets you enter or preserves the second.

DNS length workaround for 2048-bit keys: RFC 6376 §3.6.2.2 requires verifiers to concatenate the quoted strings of a TXT record, so a 2048-bit value is published as two strings in a single TXT record. Most modern DNS providers split and rejoin the value transparently when you paste it whole. If yours doesn't, contact your provider or switch to a provider that supports long TXT records (Cloudflare handles this with no issues).

DKIM Mistakes to Avoid

  • Publishing the private key in DNS — only the public key goes in DNS. The private key must stay secret on your mail server. Publishing it completely breaks DKIM security.
  • Not enabling signing in your mail server — publishing a DKIM DNS record is only half the job. Your mail server must also be configured to sign outgoing messages with the private key. Without signing, DKIM will never appear in your headers.
  • Reusing the same key across multiple domains — each domain should have its own DKIM key pair. Sharing keys across domains means a compromise affects all domains simultaneously.
  • Using an outdated 1024-bit key — generate a fresh 2048-bit key pair. Google now flags 1024-bit keys as weak.
  • Never rotating keys — DKIM keys should be rotated at least annually. Use a new selector for each rotation so you can publish the replacement before retiring the old key.
  • Signing with a mismatched selector — your mail server must sign with the private key that corresponds to the public key published under the selector specified in the DKIM-Signature header. A selector mismatch causes DKIM to fail at verification.
  • Modifying signed headers in transit — some security gateways and mailing lists rewrite headers such as Subject (adding a tag) or From. If those headers are listed in h=, any change to their content breaks the signature. c=relaxed/relaxed canonicalisation tolerates whitespace changes (re-folding, extra spaces) but not content changes, so it is the right default; a content rewrite has to be fixed on the rewriting system.
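The following Python is an added illustration, not code from the generator or from any mail library. It implements the relaxed canonicalisation and hashing steps from the How DKIM Works flow and the DKIM-Signature header shown under DKIM Record Examples: it computes bh= over a constructed sample body, assembles the exact header bytes that b= is computed over, and shows that a whitespace-only change to Subject leaves that input unchanged while a real rewrite does not (the canonicalisation point in the list above). The RSA operation on the final digest is left out because it needs a crypto library; the sample headers, body, domain and selector are made up for the example.

```python
import base64
import hashlib
import re

# Constructed sample message for the example (not a real email).
SAMPLE_HEADERS = [
    ("From", "Alice <alice@example.com>"),
    ("To", "bob@example.net"),
    ("Subject", "Quarterly   numbers"),
    ("Date", "Mon, 01 Jan 2024 09:00:00 +0000"),
    ("Message-ID", "<1@example.com>"),
]
SAMPLE_BODY = "Hi Bob,\r\n\r\nNumbers attached.  \r\n\r\n\r\n"


def parse_dkim_tags(value):
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376 section 3.2).
    Whitespace inside a value (folding of b= or bh=) is not significant and is removed."""
    tags = {}
    for item in value.split(";"):
        if item.strip():
            name, _, val = item.partition("=")
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def relaxed_body(body):
    """Relaxed body canonicalisation (RFC 6376 section 3.4.4): collapse runs of
    whitespace to one space, drop trailing whitespace on every line, drop empty
    lines at the end, and terminate a non-empty body with exactly one CRLF."""
    lines = [re.sub(r"[ \t]+", " ", line).rstrip(" ") for line in body.split("\r\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "\r\n".join(lines) + "\r\n" if lines else ""


def relaxed_header(name, value):
    """Relaxed header canonicalisation (RFC 6376 section 3.4.2): lowercase the name,
    unfold, collapse whitespace runs, strip whitespace at both ends of the value."""
    value = re.sub(r"[ \t]+", " ", value.replace("\r\n", "")).strip(" ")
    return name.lower() + ":" + value + "\r\n"


def body_hash(body):
    """The bh= tag: base64 of SHA-256 over the canonicalised body."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body).encode()).digest()).decode()


def signed_header_input(headers, sig_value):
    """The bytes hashed for b= (RFC 6376 section 3.7): each header named in h=, in that
    order, duplicates taken from the bottom of the header block upward, followed by the
    DKIM-Signature header itself with b= emptied and without its trailing CRLF."""
    tags = parse_dkim_tags(sig_value)
    remaining = list(headers)
    out = ""
    for wanted in tags["h"].split(":"):
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == wanted.lower():
                out += relaxed_header(*remaining.pop(i))
                break
    # Blank only the b= tag; a "b=" inside a base64 value such as bh=...Ab= must survive.
    stripped = re.sub(r"(^|;)(\s*)b=[^;]*", r"\g<1>\g<2>b=", sig_value)
    return out + relaxed_header("DKIM-Signature", stripped)[:-2]


def header_hash(headers, sig_value):
    """SHA-256 of the signed header input; the RSA signature over this digest is b=."""
    return hashlib.sha256(signed_header_input(headers, sig_value).encode()).hexdigest()


def build_signature_value(body, domain="example.com", selector="default",
                          signed=("from", "to", "subject", "date", "message-id")):
    """Folded DKIM-Signature value as a signer emits it before filling in b=."""
    return ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=%s; s=%s;\r\n\th=%s;\r\n\tbh=%s;\r\n\tb="
            % (domain, selector, ":".join(signed), body_hash(body)))


def with_subject(headers, subject):
    """Copy of the header list with Subject replaced, modelling an in-transit rewrite."""
    return [(n, subject if n.lower() == "subject" else v) for n, v in headers]


if __name__ == "__main__":
    sig = build_signature_value(SAMPLE_BODY)
    original = header_hash(SAMPLE_HEADERS, sig)
    print("bh=", body_hash(SAMPLE_BODY))
    print(signed_header_input(SAMPLE_HEADERS, sig))
    print("whitespace-only Subject change keeps the header hash:",
          header_hash(with_subject(SAMPLE_HEADERS, "Quarterly numbers"), sig) == original)
    print("Subject rewrite changes it, so the signature would fail:",
          header_hash(with_subject(SAMPLE_HEADERS, "URGENT: wire transfer"), sig) != original)
```

Run it and compare the printed signed-header input with the folded header a real signer emits: the verifier reconstructs exactly these bytes from the received message, which is why any edit to a header listed in h= (and not just to the body) invalidates b=.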

SPF vs DKIM vs DMARC

SPF, DKIM, and DMARC are three separate but complementary email authentication standards. Here is how they differ and how they work together:

Property              SPF                       DKIM                           DMARC
What it validates     Sending IP address        Message content & headers      Alignment of SPF/DKIM with From domain
Survives forwarding   No, breaks on forward     Yes                            Depends on DKIM passing
DNS record type       TXT at root domain        TXT at selector._domainkey     TXT at _dmarc
Cryptography          None                      RSA public/private key         None (relies on SPF/DKIM)
Protects From header  No                        Partially (via alignment)      Yes

The right deployment order: Start with SPF → add DKIM → then add DMARC in monitoring mode (p=none) → review aggregate reports → tighten to p=quarantine → then enforce p=reject. p=none is safe at any point and only produces reports; moving to p=quarantine or p=reject before SPF and DKIM pass and align for every legitimate sender will get that sender's mail quarantined or rejected.

Troubleshooting DKIM Issues

DKIM=fail in email headers

This means the signature verification failed. Common causes: the public key in DNS does not match the private key used to sign; the DNS TXT record was truncated during copy-paste; or a mail relay modified a signed header in transit.

DKIM=none in email headers

No DKIM signature was found in the message. Your mail server is not signing outgoing mail. Check that your ESP's DKIM signing is enabled and that the correct private key has been uploaded.

DNS record not found

Either DNS has not propagated yet (wait up to 48 hours) or the host name was entered incorrectly. Verify the host is exactly [selector]._domainkey without any extra characters or the wrong domain suffix.

Long TXT record truncated by DNS provider

2048-bit public keys are long. If your DNS provider truncates TXT values at 255 characters, or silently drops the second string, the record is unusable: the base64 p= value no longer decodes to a whole key. Check the served record with dig TXT [selector]._domainkey.yourdomain.com or MXToolbox and compare it with the value you pasted. Switch to Cloudflare or AWS Route 53, which correctly handle long TXT records. Alternatively, use 1024-bit as a temporary workaround.
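As an added example (not the generator's own PHP, and using a made-up modulus rather than a real key), the Python below builds the DKIM TXT value from an RSA SubjectPublicKeyInfo, the DER structure that p= carries, splits it into the two 255-character strings described under 1024-bit vs 2048-bit DKIM Keys, and then does what a verifier does with a DNS answer: rejoins the strings, parses the tags, base64-decodes p= and checks that the length the key's DER header declares matches what arrived. That last check is what catches the truncation described above. DEMO_MODULUS is constructed for the demo and is not a usable key; the selector, domain and TTL are assumptions.

```python
import base64
import binascii
import re


def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content


def der_uint(raw):
    """DER INTEGER for an unsigned big-endian value (a leading 0x00 keeps it positive)."""
    return der_tlv(0x02, (b"\x00" if raw[0] & 0x80 else b"") + raw)


RSA_ENCRYPTION_ALG = bytes.fromhex("300d06092a864886f70d0101010500")  # rsaEncryption OID, NULL params


def rsa_spki(modulus, exponent=65537):
    """SubjectPublicKeyInfo for an RSA key: what 'openssl rsa -pubout' prints between
    the PEM markers, and what DKIM's p= tag carries, base64-encoded."""
    rsa_public_key = der_tlv(0x30, der_uint(modulus) + der_uint(exponent.to_bytes(3, "big")))
    return der_tlv(0x30, RSA_ENCRYPTION_ALG + der_tlv(0x03, b"\x00" + rsa_public_key))


def read_tlv(buf, pos):
    """Read one DER element at pos; returns (tag, content, position after it)."""
    if buf[pos + 1] & 0x80:
        n = buf[pos + 1] & 0x7F
        length, start = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    else:
        length, start = buf[pos + 1], pos + 2
    return buf[pos], buf[start:start + length], start + length


def rsa_key_bits(spki_content):
    """Modulus size of the RSA key inside a SubjectPublicKeyInfo body."""
    _, _, after_alg = read_tlv(spki_content, 0)        # AlgorithmIdentifier
    _, bit_string, _ = read_tlv(spki_content, after_alg)
    _, rsa_public_key, _ = read_tlv(bit_string, 1)     # skip the unused-bits octet
    _, modulus, _ = read_tlv(rsa_public_key, 0)
    return int.from_bytes(modulus, "big").bit_length()


def dkim_txt_value(spki_der):
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki_der).decode()


def chunk_txt(value, size=255):
    """A TXT record is one or more strings of at most 255 octets (RFC 1035 section 3.3.14);
    DKIM verifiers concatenate them before parsing (RFC 6376 section 3.6.2.2)."""
    return [value[i:i + size] for i in range(0, len(value), size)]


def zone_line(selector, domain, value, ttl=3600):
    """Zone-file form of the record, each chunk as its own quoted string."""
    return "%s._domainkey.%s. %d IN TXT %s" % (
        selector, domain, ttl, " ".join('"%s"' % s for s in chunk_txt(value)))


def parse_dkim_record(strings):
    """Rejoin a TXT answer, parse its tags and check that p= is a whole RSA key.
    Raises ValueError with the reason when the record is unusable."""
    tags = {}
    for item in "".join(strings).split(";"):
        if item.strip():
            name, _, val = item.partition("=")
            tags[name.strip()] = re.sub(r"\s+", "", val)
    if tags.get("v", "DKIM1") != "DKIM1":
        raise ValueError("v= must be DKIM1 when present")
    if "p" not in tags:
        raise ValueError("no p= tag")
    if tags["p"] == "":
        raise ValueError("empty p=: the selector has been revoked")
    try:
        der = base64.b64decode(tags["p"], validate=True)
    except binascii.Error as err:
        raise ValueError("p= is not valid base64, probably truncated: %s" % err)
    if len(der) < 4 or der[0] != 0x30:
        raise ValueError("p= does not start with a DER SEQUENCE")
    _, spki, end = read_tlv(der, 0)
    if end != len(der):
        raise ValueError("p= declares %d bytes but %d arrived: record truncated" % (end, len(der)))
    tags["bits"] = rsa_key_bits(spki)
    return tags


def check_record(strings):
    """Convenience wrapper: (True, tags) or (False, reason)."""
    try:
        return True, parse_dkim_record(strings)
    except ValueError as err:
        return False, str(err)


# Constructed 256-byte modulus for the demo: it is NOT a real RSA key, only the right shape.
DEMO_MODULUS = bytes([0xC3]) + bytes((i * 7 + 3) % 256 for i in range(255))
DEMO_SPKI = rsa_spki(DEMO_MODULUS)
DEMO_VALUE = dkim_txt_value(DEMO_SPKI)

if __name__ == "__main__":
    print(zone_line("default", "example.com", DEMO_VALUE))
    print(check_record(chunk_txt(DEMO_VALUE)))   # whole record: accepted, 2048 bits
    print(check_record([DEMO_VALUE[:255]]))      # only the first string was saved: rejected
```

To check a live record, feed the strings returned by dig TXT for the selector name into check_record: a provider that kept only the first 255 characters fails the base64 or DER-length test, while a correct two-string answer reports the key size, which is also the quickest way to spot a 1024-bit key still in service.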

DKIM passes but DMARC still fails

DMARC requires alignment: in relaxed mode (the default) the DKIM signing domain (d= tag) and the visible From: domain must share the same organisational domain, so mail.example.com can sign for From: example.com and example.com can sign for From: news.example.com; in strict mode (adkim=s) the two must be identical. If your ESP signs with its own domain rather than yours, the DKIM signature is valid but not aligned, and DMARC fails. Enable custom domain signing in your ESP settings.
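An added example of the alignment check described here and in step 6 of How DKIM Works (illustration only, not a DMARC library): it derives the organisational domain, extracts the domain from a From: header, and evaluates relaxed and strict DKIM alignment for the cases above, including an ESP signing with its own domain. The public-suffix set is a two-entry stand-in for the real Public Suffix List, and esp-mailer.net is a made-up ESP domain.

```python
# Constructed two-label public suffixes for the demo; a real verifier loads the full
# Public Suffix List (publicsuffix.org) so that names like example.co.uk are handled.
DEMO_PUBLIC_SUFFIXES = {"co.uk", "com.au"}


def organizational_domain(host):
    """Registrable domain (RFC 7489 section 3.2): the public suffix plus one label."""
    labels = host.lower().rstrip(".").split(".")
    suffix_labels = 2 if ".".join(labels[-2:]) in DEMO_PUBLIC_SUFFIXES else 1
    return ".".join(labels[-(suffix_labels + 1):])


def from_domain(from_header):
    """Domain of the RFC5322.From address; display name and angle brackets are ignored."""
    addr = from_header.rsplit("<", 1)[-1].rstrip(">").strip()
    return addr.rsplit("@", 1)[-1].lower()


def dkim_aligned(signing_domain, from_header, adkim="r"):
    """DMARC DKIM identifier alignment (RFC 7489 section 3.1.1). Relaxed ('r', the
    default): d= and the From domain share an organisational domain, in either
    direction. Strict ('s'): d= must equal the From domain exactly."""
    d = signing_domain.lower().rstrip(".")
    f = from_domain(from_header)
    if adkim == "s":
        return d == f
    return organizational_domain(d) == organizational_domain(f)


if __name__ == "__main__":
    cases = [
        ("example.com", "Alice <alice@example.com>"),    # identical: aligned in both modes
        ("mail.example.com", "alice@example.com"),      # subdomain signs: relaxed only
        ("example.com", "news@mail.example.com"),       # parent signs for a subdomain: relaxed only
        ("esp-mailer.net", "alice@example.com"),        # ESP signs with its own domain: never aligned
        ("example.co.uk", "alice@shop.example.co.uk"),  # two-label public suffix handled
    ]
    for d, frm in cases:
        print("%-18s %-30s relaxed=%-5s strict=%s"
              % (d, frm, dkim_aligned(d, frm), dkim_aligned(d, frm, "s")))
```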


Frequently Asked Questions

DKIM (DomainKeys Identified Mail) is an email authentication method that allows the sending domain to attach a cryptographic signature to outgoing messages. The receiving server verifies the signature using a public key published in DNS, confirming the message was not tampered with and originated from an authorised server.

A DKIM selector is a short alphanumeric label (e.g. default, google, s1) used to identify which public key to look up in DNS. It forms part of the DNS lookup path: [selector]._domainkey.[domain]. Multiple selectors allow different sending services to each have their own DKIM key pair under the same domain.

Yes. 2048-bit keys are the current industry standard and provide a comfortable security margin where 1024-bit RSA no longer does; Google's own DKIM generator defaults to 2048-bit. Use 1024-bit only if your DNS provider cannot accommodate the longer record value, and plan to move off it.

A new record is usually visible within a few minutes, though it can take up to 48 hours. Modern DNS providers like Cloudflare and AWS Route 53 usually serve it in under 5 minutes; older registrars may take longer. If a resolver cached a "no such record" answer before you published, it keeps returning that until the negative-cache TTL expires, so test from a resolver that has not queried the name yet. Verify your record is live using MXToolbox DKIM Lookup.

Yes — unlike SPF, there is no limit to the number of DKIM selectors a domain can have. Each selector is a separate DNS record at a unique host name ([selector]._domainkey.[domain]). This lets you have separate keys for Google Workspace, Mailgun, SendGrid, and your own SMTP server simultaneously.

DKIM is a baseline deliverability requirement for cold outreach. Gmail and Yahoo require DKIM for bulk senders. Without it, messages are more likely to hit spam or be rejected. DKIM also survives forwarding — meaning your authentication signal remains intact even when prospects forward your email internally.

No. This generator uses PHP OpenSSL to generate a fresh key pair on-demand for each request. The private key is returned directly to your browser over HTTPS and is never written to the WordPress database, to disk, or to any log file. You are solely responsible for storing and securing the private key.

No. SPF and DKIM are complementary. SPF validates the sending IP. DKIM validates the message integrity and signing domain. DMARC ties both together. Best practice is to deploy all three: SPF + DKIM + DMARC.

Send a test email to a Gmail address, open it, click the three-dot menu → Show original, and look for DKIM: PASS in the Authentication-Results header. You can also use MXToolbox DKIM Lookup to verify the DNS record directly.

At minimum once per year, or immediately after any suspected key exposure. When rotating, use a new selector so you can publish the new key before retiring the old one. Keep the old DNS record live for at least 48 hours after switching your mail server to the new key to allow in-flight messages to verify correctly.

Increase email deliverability with Warmbase and never land in your prospect's spam box again. 
Warmbase - Built with love for email marketers 💛