DKIM Key Generator
Generate an RSA-2048 DKIM key pair in your browser. Copy the public key for DNS and the private key for your mail server — data never leaves your device.
A short label used in the DNS record name. Letters and hyphens only.
Optional — used to generate your exact DNS record name.
Add a TXT record with this exact name in your DNS zone.
This is the full DKIM TXT record string — copy and paste it as the value of your TXT DNS record.
Configure your mail server (Postfix, Exim, OpenDKIM, etc.) with this PEM-encoded private key. Store it securely — never expose it publicly.
What to do next
- Add the DNS TXT record — paste the record name and value into your DNS zone (Cloudflare, Route 53, GoDaddy, etc.). Propagation takes up to 48 hours.
- Upload the private key to your mail server — for Postfix + OpenDKIM, save the PEM file (e.g. /etc/opendkim/keys/mail.private) and reference it in keytable/signingtable. For Exim, use dkim_private_key in your router.
- Verify with a DNS lookup — use our DNS / DKIM Inspector to confirm the public key is resolving correctly.
Keys are generated fresh each time. Click Generate DKIM Key Pair again to create a new pair.
How DKIM Key Generator works
DKIM (DomainKeys Identified Mail) lets your mail server attach a cryptographic signature to every outgoing email. Receiving servers verify the signature against your public key in DNS — proving the email genuinely came from your domain and wasn't tampered with in transit.
1. Generate an RSA key pair in the browser
Click Generate to create a 2048-bit RSA key pair using window.crypto.subtle — the Web Crypto API built into every modern browser. The keys are generated locally and never transmitted anywhere.
2. Add the public key to DNS
Copy the DNS TXT record value and create a TXT record in your DNS zone at {selector}._domainkey.{yourdomain}. Most DNS providers (Cloudflare, Route 53, GoDaddy) let you add TXT records in their dashboard. Propagation typically takes a few minutes to a few hours.
3. Configure your mail server with the private key
Paste the PEM private key into your mail server configuration (OpenDKIM, Postfix milter, Mailman, etc.). The server uses this key to sign outgoing emails. Keep it private — anyone with this key can forge email signatures for your domain.
4. Verify with a DKIM checker
Send a test email and verify the DKIM signature using a tool like mail-tester.com or our DNS / DKIM Inspector tool. Look for a "dkim=pass" result in the Authentication-Results header.
Both keys are generated entirely in your browser using window.crypto.subtle (Web Crypto API). No keys, no domain names, and no personal data are ever sent to MonitorGiant or any third party. Generate as many key pairs as you need — each click produces a fresh, unique pair.
Looking for a free DKIM key generator online? DKIM (DomainKeys Identified Mail) requires a 2048-bit RSA key pair: the private key goes on your mail server to sign outgoing messages, and the public key goes in a DNS TXT record at a selector subdomain (e.g. mail._domainkey.example.com) so recipients can verify those signatures. This tool generates both keys locally in your browser using the Web Crypto API — no server, no account, no key exposure. The formatted TXT record value is ready to paste directly into your DNS zone.
Frequently asked questions — DKIM Key Generator
What is DKIM and why does my domain need it?
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every outbound email. The signature is created using a private key stored on your mail server, and verified by receiving servers using a public key published in your DNS. This proves the email genuinely came from your domain and was not modified in transit. Without DKIM, emails from your domain are more likely to land in spam, and DMARC cannot be enforced.
What is a DKIM selector?
A DKIM selector is a short label that lets a domain publish multiple DKIM keys simultaneously — for example, one for your primary mail server and one for a third-party service like SendGrid. The selector becomes part of the DNS record name: selector._domainkey.yourdomain.com. Common selector names include "mail", "google", "smtp", "s1", and "default". Your mail server configuration specifies which selector to use when signing.
Should I use 1024-bit or 2048-bit DKIM keys?
Use 2048-bit whenever possible. 1024-bit keys are considered weak by modern standards — RSA-1024 can be factored with sufficient compute, and some providers (including Gmail) may warn about or reject 1024-bit DKIM signatures. The main reason to use 1024-bit is if your DNS provider has a strict TXT record length limit, since the base64-encoded 2048-bit public key is longer. Cloudflare, Route 53, and most modern providers handle 2048-bit keys without issues.
Where do I put the DKIM public key in my DNS?
Add a TXT record with the name selector._domainkey.yourdomain.com (e.g. mail._domainkey.example.com if your selector is "mail"). The value should be the full DKIM record string generated by this tool: v=DKIM1; k=rsa; p=BASE64PUBLICKEY. Some DNS providers require you to split the value into 255-character chunks — consult your provider's documentation if you see errors.
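The generation step and the 255-character chunking described above, shown as an added example that is not MonitorGiant's own code. The function names (generateDkim, splitTxt, publishedKeyBits) are illustrative; the code runs in a browser console or in Node, and the last function re-imports the published value the way a receiving server would to confirm the key size.

```javascript
// Added example; names are illustrative, not the tool's own code.
async function getSubtle() {
  if (globalThis.crypto && globalThis.crypto.subtle) return globalThis.crypto.subtle;
  return (await import('node:crypto')).webcrypto.subtle; // fallback for older Node
}

function toBase64(buf) {
  let bin = '';
  for (const b of new Uint8Array(buf)) bin += String.fromCharCode(b);
  return btoa(bin);
}

// A TXT record holds one or more strings of at most 255 bytes each.
function splitTxt(value, size = 255) {
  const chunks = [];
  for (let i = 0; i < value.length; i += size) chunks.push(value.slice(i, i + size));
  return chunks;
}

async function generateDkim(selector, domain) {
  // Selector rule as stated by the tool: letters and hyphens only.
  if (!/^[A-Za-z-]+$/.test(selector)) throw new Error('invalid selector');
  const subtle = await getSubtle();
  const alg = { name: 'RSASSA-PKCS1-v1_5', modulusLength: 2048,
    publicExponent: new Uint8Array([1, 0, 1]), hash: 'SHA-256' };
  const pair = await subtle.generateKey(alg, true, ['sign', 'verify']);
  const p = toBase64(await subtle.exportKey('spki', pair.publicKey));
  const pkcs8 = toBase64(await subtle.exportKey('pkcs8', pair.privateKey));
  const txtValue = `v=DKIM1; k=rsa; p=${p}`;
  const pemBody = pkcs8.match(/.{1,64}/g).join('\n');
  return {
    recordName: `${selector}._domainkey.${domain}`,
    txtValue,
    txtChunks: splitTxt(txtValue),
    privateKeyPem: `-----BEGIN PRIVATE KEY-----\n${pemBody}\n-----END PRIVATE KEY-----\n`,
  };
}

// Receiver's view: rejoin the TXT strings, decode p=, load the key, read its size.
async function publishedKeyBits(txtChunks) {
  const m = /(?:^|;)\s*p=([A-Za-z0-9+\/=]+)/.exec(txtChunks.join(''));
  if (!m) throw new Error('no p= tag in record');
  const der = Uint8Array.from(atob(m[1]), (c) => c.charCodeAt(0));
  const key = await (await getSubtle()).importKey('spki', der,
    { name: 'RSASSA-PKCS1-v1_5', hash: 'SHA-256' }, true, ['verify']);
  return key.algorithm.modulusLength;
}
```

Enter txtChunks when a DNS provider asks for separate strings; verifiers concatenate them with no separator, so the split points do not matter.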
How do I configure my mail server to use the DKIM private key?
The exact steps depend on your mail server software. For OpenDKIM: save the PEM private key to a file (e.g. /etc/opendkim/keys/mail.private), reference it in /etc/opendkim/KeyTable, and reload the service. For Postfix with an amavis/dkimproxy setup, add the key to the DKIM signing configuration. For Google Workspace, Microsoft 365, or services like SendGrid, upload the private key through their admin dashboard rather than generating your own.
How do I verify my DKIM signature is working?
Send a test email to a Gmail address and open the original message source (More → Show original in Gmail). Look for "dkim=pass" in the Authentication-Results header. Alternatively, use our DNS / DKIM Inspector tool to check that the public key record exists in DNS, or send a test to mail-tester.com for a full SPF/DKIM/DMARC report.