Speak to an Email Deliverability Consultant FOR FREE

Free DKIM Generator

Q: What is a DKIM record?

A DKIM record is a DNS TXT record containing your domain's public key. Mail servers use this key to verify the cryptographic signature attached to your outgoing emails. DKIM stands for DomainKeys Identified Mail — an email authentication protocol that proves message integrity.

Q: Can I have multiple DKIM records for one domain?

Yes. Multiple DKIM records are standard practice — you create different selectors for each record (like s1._domainkey, s2._domainkey, google._domainkey). Use multiple DKIM records for key rotation, different ESPs, or separate business units sending from the same domain.

Q: What is a DKIM selector?

A DKIM selector is the unique identifier you choose when generating keys — it appears in your DNS hostname as selector._domainkey.yourdomain.com and in email headers as s=selector. Selectors let mail servers know which public key to use when verifying signatures from domains with multiple DKIM records.

Q: Do I need to generate DKIM records if I use Google Workspace or Microsoft 365?

No — third-party ESPs manage DKIM signing on their infrastructure. Google and Microsoft provide pre-generated DKIM keys through their admin consoles. You'll copy their public key into your DNS, not generate your own. (Use our generator only if you run your own mail server or use a service that requires you to provide the keys.)

Q: How do I check if my DKIM record is working?

Send a test email to a Gmail or Outlook address you control. View the message source/headers and search for dkim=pass in the authentication results. Or use EmailWarmup.com's free DKIM checker — enter your domain and selector, and the tool validates your record instantly.

Q: What's the difference between DKIM and SPF?

SPF authorizes which IP addresses can send email for your domain. DKIM proves the message content hasn't been tampered with during transit. Both work together — SPF checks the sending server's identity, and DKIM verifies email integrity. You need both for complete email authentication.

Q: How strict should my DKIM policy be?

Start with testing mode (t=y) while you confirm everything works correctly — receiving servers will check signatures but won't reject failed messages. Switch to strict mode (t=s) once you've verified your configuration. Most domains don't set a testing flag at all, which defaults to strict enforcement.

Generate Your DKIM Record in Under 60 Seconds

Our free DKIM generator creates valid, cryptographically secure key pairs that authenticate your emails in DNS in under 60 seconds.

Generate your DKIM Record
Enter details to generate DKIM for your domain

Trusted by 1000+ companies

How to Publish Your Generated DKIM in DNS

Publishing a DKIM record means creating a TXT record with a selector-specific hostname in your domain's DNS zone. Most domain registrars and DNS hosting providers (GoDaddy, Cloudflare, Route 53, Namecheap) have a DNS management console where you add records manually.

Step 1: Log in to your DNS provider

Access your domain registrar or DNS hosting control panel. Look for "DNS Management," "Zone Editor," or "Advanced DNS."

Step 2: Navigate to your domain's DNS zone

Find the domain you're configuring DKIM for. Select it to open the record editor.

Step 3: Create a new TXT record

Choose "Add Record" or "Create Record." Set the record type to TXT.

Step 4: Set the hostname with your selector

Enter your DKIM hostname in this format: selector._domainkey.yourdomain.com — replace "selector" with your chosen selector name (like s1, default, or mail) and "yourdomain.com" with your actual domain.

Step 5: Paste your generated public key

Copy the public key value from EmailWarmup.com's DKIM generator and paste it into the "Value" or "TXT Content" field. Enclose the entire value in double quotes.

Step 6: Set TTL (Time to Live)

Use the default TTL (usually 3600 seconds / 1 hour) or set a custom value. Lower TTL values propagate changes faster, but increase DNS query load.

Step 7: Configure your mail server with the private key

Store the private key securely on your mail server or ESP. Configure your email system to sign outgoing messages using this key and your selector. (Third-party ESPs like Google Workspace or Microsoft 365 often provide their own DKIM keys — check their documentation.)

Step 8: Verify your DKIM record

Wait 10-30 minutes for DNS propagation. Use EmailWarmup.com's free DKIM checker to confirm the record is published correctly, and the signature validates properly.

DKIM Record Tags That Authenticate Your Emails

A DKIM record contains cryptographic and policy tags published as a DNS TXT record. The receiving mail server retrieves these tags to verify your email's digital signature.

Tag	What It Does	Example Value	Required
v	Protocol version (always DKIM1)	v=DKIM1	Yes
p	Public key string (RSA or Ed25519)	p=MIGfMA0GCSqGSI...	Yes
k	Key type algorithm	k=rsa or k=ed25519	No (defaults to rsa)
a	Signing algorithm used	a=rsa-sha256	No
t	Testing mode flag	t=y (testing) or t=s (strict)	No
s	Service types allowed	s=email or s=*	No
h	Acceptable hash algorithms	h=sha256	No
n	Notes for administrators	n=Production key 2025	No
g	Granularity (local-part matching)	g=support or g=*	No

DKIM Key Length and Security Considerations

DKIM key length determines encryption strength. Longer keys provide stronger security but may hit DNS record size limits on some providers.

Key Length	Security Level	DNS Compatibility	Recommendation
1024-bit	Basic protection	Universal support	Deprecated — vulnerable to modern attacks
2048-bit	Strong protection	Supported by 99% of providers	Recommended — best balance of security and compatibility
4096-bit	Maximum protection	May exceed DNS limits on some hosts	Use only if your DNS provider supports large TXT records

DKIM Alone Won't Authenticate Your Domain

Your DKIM signature proves you sent the email — but it doesn't prevent attackers from sending emails that look like they're from you using a different domain (like yourcompany-secure.com instead of yourcompany.com).

You need a complete email authentication setup to protect your brand and maximize inbox placement. At EmailWarmup.com, you can talk to an email deliverability consultant for free and let our team:

Configure SPF, DKIM, and DMARC for bulletproof authentication

Remove you from email blacklists and repair sender reputation damage

Audit your email infrastructure and close security gaps that attackers exploit

Fix the technical issues killing your inbox rate (before you lose more deals)

Book your time today and make sure your email security is 100% locked down — so spoofed emails get rejected instead of reaching your customers' inboxes.

Frequently asked questions
about our FREE DKIM Generator

Here’s everything you need to know about our SPF Generator:

What is a DKIM record?

Can I have multiple DKIM records for one domain?

What is a DKIM selector?

Do I need to generate DKIM records if I use Google Workspace or Microsoft 365?

How do I check if my DKIM record is working?

What's the difference between DKIM and SPF?

How strict should my DKIM policy be?