Why generate a keypair here instead of letting my mail provider do it?

Most managed providers (Google Workspace, Microsoft 365, Mailgun, SendGrid) give you a DKIM key out of the box. But if you run **your own SMTP** (Postfix + opendkim, exim, Haraka, a custom Node mailer), if you are **switching providers** and want to keep signing during the transition, or if you simply want to **rotate** a stale key your hosting panel never exposed, you generate the keypair yourself. This tool does it in one click without you needing to install OpenSSL.

Which key length should I pick: 1024, 2048, or 4096?

**2048-bit is the right answer for almost everyone**. It is the recommendation in **RFC 8301** and the de-facto modern default. **1024-bit** still works at most receivers but is considered weak (NIST deprecated it for RSA signatures years ago) and providers like Google now warn about it. **4096-bit** is technically stronger but produces signatures roughly **5 to 7 times slower** to compute and a public key that some legacy DNS panels struggle to host. The signature is recomputed for every single outgoing message, so 4096-bit can become a measurable CPU cost on high-volume mail servers without any real-world security gain over 2048-bit.

What is a "selector" and how do I pick one?

A **selector** is a short label (typically alphanumeric, e.g. `mail2024`, `s1`, `google`, `mxvault`) that becomes part of the DNS name where you publish the public key: ` ._domainkey. `. The signing message includes the selector in its DKIM-Signature header (`s=mail2024`), so receivers know which key to fetch. The point of selectors is that you can publish **multiple keys simultaneously** under different selectors, which is exactly what enables clean **key rotation** without downtime. Pick something descriptive like `mail-2026-05` if you rotate on a schedule.

Where does the private key go after I download it?

Onto your **mail server**, in a location the SMTP daemon (or its signing module like opendkim) can read. Typical paths: `/etc/opendkim/keys/ / .private` on Linux, or whatever your provider documents. **Permissions matter**: the file should be readable only by the mail-server user (`chmod 600`, owned by `opendkim` or your mailer user). The private key never leaves the server, never gets emailed around, and never gets committed to a git repo. If it does, treat it as compromised and rotate immediately.

How often should I rotate DKIM keys?

Industry guidance from **M3AAWG** and Google is **every 6 months** for production senders. In practice many small senders rotate yearly and it is still fine, while large platforms (transactional providers, big enterprises) often rotate quarterly. Rotation is cheap if you do it right: generate a new selector, publish the new key in DNS, switch the mail-server config to sign with the new key, then **wait at least a week** before retiring the old selector (so mail signed before the switch still verifies, since DKIM signatures are checked at delivery time, which can be hours or days after sending for delayed mail).

How does DKIM relate to SPF and DMARC?

**SPF** says "these IP addresses are allowed to send mail for my domain". **DKIM** says "this specific message was signed with my domain's private key, so the content is authentic". **DMARC** ties them together: it tells receivers "if a message fails both SPF and DKIM, do X" (X is usually `none` for monitoring, `quarantine` for spam folder, or `reject` to drop it). You want **all three**. DKIM is the strongest of the three because the signature covers the message body, so even if an intermediate hop modifies headers, the signature can still verify. SPF breaks the moment a message is forwarded; DKIM survives most forwarding.

What happens if my private key leaks?

Anyone with the key can sign mail as your domain, defeating DKIM's entire purpose. **Treat a leak as serious**: immediately generate a new keypair under a **new selector**, publish the new public key in DNS, switch your mail server to sign with the new key, and **revoke the leaked key** by setting its DNS record's `p=` value to empty (`v=DKIM1; k=rsa; p=`). Receivers that try to verify a signature from the leaked key will see the empty `p=` and reject the signature as revoked. Do not delete the old TXT record outright, leave the revocation in place for a few weeks so receivers see "explicitly revoked" rather than "selector missing".

Why is the TXT record split into multiple quoted strings?

A single character-string in a DNS TXT record is **capped at 255 octets** by **RFC 1035**. A 2048-bit RSA public key in base64 is roughly **400 characters**, and a 4096-bit key is roughly **730 characters**, both well over the cap. DNS solves this by allowing a single TXT record to contain **multiple quoted strings** that the resolver concatenates: `"v=DKIM1; k=rsa; p=MIIBIj..." "...AQAB"`. Some modern DNS UIs (Cloudflare, Route 53) accept the long single string and split it for you automatically; older panels (some cPanel installs, OVH classic, generic registrars) require you to enter the split form yourself. We give you both, paste whichever your provider accepts.

What is the right key rollover strategy with multiple selectors?

The clean pattern: (1) **generate** a new keypair under a new selector, e.g. `s2-2026`; (2) **publish** the new public key in DNS while the old selector `s1-2025` is still there; (3) **wait for DNS propagation** (a few hours to a day); (4) **switch** the mail server to sign with the new selector's key; (5) **wait at least 1 to 2 weeks** so any in-flight or delayed mail signed with the old key still verifies; (6) **revoke** the old selector by emptying its `p=` value; (7) **delete** the old TXT record entirely after another month. This zero-downtime sequence is exactly why DKIM has selectors in the first place, you never have to break signing to rotate.

DKIM Keypair Generator - free

DKIM Keypair Generator

Pick a selector and key length. We return the RSA keypair: install the private key on your mail server and publish the public key as a TXT record in DNS.

Selector

Short DNS label. Pick something descriptive (e.g. mail-2026-05) so rotation is easy.

Key length

Domain (optional)

If you provide a domain we'll show the full DNS record name: '<selector>'._domainkey.'<domain>'

Save the private key NOW

We never keep a copy. Closing this tab loses the key forever. Download it, store it in a password manager, or install it on your server before you leave this page.

Paranoid?

We generate the key on our server and ship it to you over TLS. If the key must never leave your machine, run locally: openssl genrsa -out private.pem 2048 and openssl rsa -in private.pem -pubout -out public.pem.

What a DKIM keypair is

DKIM (DomainKeys Identified Mail) is a way for your mail server to cryptographically sign every outgoing message, so receivers like Gmail and Outlook can verify the message really came from your domain and was not tampered with in transit. To do that, your mail server needs a keypair: a private key that lives on the server and signs each message, and a public key that you publish as a DNS TXT record at `<selector>._domainkey.<your-domain>` so receivers can fetch it.

This tool generates that keypair for you in your browser request, returns the PEM-encoded private key (which you install on your mail server) and the paste-ready TXT record (which you publish in DNS). RSA, 1024 / 2048 / 4096-bit, generated with Node's built-in crypto (OpenSSL bindings under the hood). We never store the key.

How to use it

Pick a selector: a short label like `mail2024`, `s1`, or `google`. It identifies which key signed the message, so a new selector lets you rotate without breaking old mail.
Choose a key length: 2048-bit is the modern default. 1024-bit is legacy (still accepted but discouraged). 4096-bit is overkill for almost everyone and slows down the signing path.
Optional: enter your domain so we can show the full DNS name (`<selector>._domainkey.<your-domain>`). Without it you still get the TXT record body.
Click Generate. We return the private key in PEM format and the TXT record value ready to paste into your DNS panel.
Save the private key now. We never store it. Closing this tab loses it forever. Install it in your mail server (Postfix + opendkim, exim, MTA-STS, Mailgun, SendGrid, Postmark, your own SMTP) according to your provider's docs.
Publish the TXT record at `<selector>._domainkey.<your-domain>` in your DNS. If your provider limits a single TXT string to 255 chars (most do, that is the RFC limit), use the split form we provide: `"part1" "part2"` on one line.
Wait for DNS propagation (a few minutes to a few hours), then send a test mail and check the headers for `dkim=pass`. Gmail shows it under "Show original".

When this is useful

Six typical scenarios where you need a fresh DKIM keypair:

Setting up DKIM for the first time on a new domain or new mail server. You need the keypair before you can configure either side.
Key rotation every 6 to 12 months as a security hygiene practice. Generate a new selector, publish it, switch the signing key on the server, then retire the old selector after a grace period.
Suspected key compromise: if you think the private key leaked (server breach, accidental commit to a public repo, ex-admin still has access), generate a new one immediately and revoke the old by emptying its `p=` value.
Adding a second sending source (a transactional provider like SendGrid alongside your own Postfix). Each source typically wants its own selector and key.
Moving from a 1024-bit legacy key to a 2048-bit modern key. Most providers warn loudly about this in 2026.
Testing DKIM on a staging domain before flipping it on for production mail.

Related tools: Email DNS checker (verify your published record), DNS lookup, Mail header analyzer.

Questions and answers

DKIM (DomainKeys Identified Mail) is an email authentication standard. Your mail server signs each outgoing message with a private key, and receivers fetch your public key from DNS to verify the signature. If the math checks out, the receiver knows the message really came from your domain and the body was not modified in transit. Without DKIM, Gmail and Outlook will mark your mail as suspicious or send it straight to spam. DKIM is one of the three pillars of modern email deliverability, alongside SPF (who is allowed to send for you) and DMARC (what receivers should do when SPF or DKIM fails).

What a DKIM keypair is

How to use it

Pick a selector: a short label like `mail2024`, `s1`, or `google`. It identifies which key signed the message, so a new selector lets you rotate without breaking old mail.

Choose a key length: 2048-bit is the modern default. 1024-bit is legacy (still accepted but discouraged). 4096-bit is overkill for almost everyone and slows down the signing path.

Optional: enter your domain so we can show the full DNS name (`<selector>._domainkey.<your-domain>`). Without it you still get the TXT record body.

Click Generate. We return the private key in PEM format and the TXT record value ready to paste into your DNS panel.

Save the private key now. We never store it. Closing this tab loses it forever. Install it in your mail server (Postfix + opendkim, exim, MTA-STS, Mailgun, SendGrid, Postmark, your own SMTP) according to your provider's docs.

Publish the TXT record at `<selector>._domainkey.<your-domain>` in your DNS. If your provider limits a single TXT string to 255 chars (most do, that is the RFC limit), use the split form we provide: `"part1" "part2"` on one line.

Wait for DNS propagation (a few minutes to a few hours), then send a test mail and check the headers for `dkim=pass`. Gmail shows it under "Show original".

When this is useful

Six typical scenarios where you need a fresh DKIM keypair:

Setting up DKIM for the first time on a new domain or new mail server. You need the keypair before you can configure either side.
Key rotation every 6 to 12 months as a security hygiene practice. Generate a new selector, publish it, switch the signing key on the server, then retire the old selector after a grace period.
Suspected key compromise: if you think the private key leaked (server breach, accidental commit to a public repo, ex-admin still has access), generate a new one immediately and revoke the old by emptying its `p=` value.
Adding a second sending source (a transactional provider like SendGrid alongside your own Postfix). Each source typically wants its own selector and key.
Moving from a 1024-bit legacy key to a 2048-bit modern key. Most providers warn loudly about this in 2026.
Testing DKIM on a staging domain before flipping it on for production mail.

Related tools: Email DNS checker (verify your published record), DNS lookup, Mail header analyzer.

Questions and answers

DKIM Keypair Generator

What a DKIM keypair is

How to use it

When this is useful

Questions and answers

Related tools

Email DNS Checker (SPF/DKIM/DMARC)

DNS Lookup

DNSSEC Chain Validator

Mail Header Analyzer

WHOIS Lookup

DKIM Keypair Generator

What a DKIM keypair is

How to use it

When this is useful

Questions and answers

Related tools

Email DNS Checker (SPF/DKIM/DMARC)

DNS Lookup

DNSSEC Chain Validator

Mail Header Analyzer

WHOIS Lookup