Free DKIM Generator

Create a DKIM key pair (RSA or Ed25519) in a few clicks

Free DKIM generator supporting RSA (2048/4096 bits) and Ed25519. Instantly get your private key and the DNS TXT record to publish. The private key is generated once and never stored on our servers.

The domain for which to generate the DKIM key

Unique identifier for this key (e.g., default, google, s1)

RSA and Ed25519

Support for RSA (1024/2048/4096 bits) and Ed25519 algorithms. RSA 2048 bits is recommended for maximum compatibility with all mail servers.

Secure private key

The private key is generated server-side and transmitted only once. It's never stored or logged. Download it immediately in PEM format.

DNS validation

Automatic record length validation. Alert if the record exceeds 255 characters (DNS TXT limit) with RSA 4096 bits.

One-click copy

Copy the DNS TXT record directly or download the private key in PEM format. Ready for your mail server configuration.

Provider guides

Deployment instructions for Google Workspace, Microsoft 365, and custom mail servers (Postfix with OpenDKIM).

What is DKIM?

DKIM (DomainKeys Identified Mail) is an email authentication mechanism defined in RFC 6376. It allows you to cryptographically sign outgoing emails to prove their origin and integrity.

Why configure DKIM:

  • Authenticate your emails — Prove that the email actually comes from your domain
  • Protect against tampering — The signature detects any modification to the content
  • Improve deliverability — DKIM-signed emails are better accepted by Gmail, Outlook, Yahoo
  • Prerequisite for DMARC — DKIM is one of the two pillars of DMARC authentication (along with SPF)

How does DKIM work?

DKIM uses asymmetric cryptography (public/private key):

  1. Signing on send: Your mail server calculates a hash of the message and signs it with the private key
  2. DNS publication: The public key is published in a TXT record at selector._domainkey.domain.com
  3. Verification on receive: The receiving server retrieves the public key via DNS and verifies the signature

Send:    Message → Hash → Signature (private key) → DKIM-Signature Header
Receive: Header → Public key (DNS) → Signature verification → Pass/Fail
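
How the hash in step 1 detects a modified body, as an added example that is not part of the original page. It goes one step beyond the text by implementing the two body canonicalizations of RFC 6376 (simple and relaxed) and the SHA-256 body hash carried in the signature's bh= tag; the message bodies are constructed samples.

```python
import base64
import hashlib
import re

def canon_simple(body: bytes) -> bytes:
    """'simple': drop empty lines at the end, then end with exactly one CRLF."""
    return re.sub(rb"(\r\n)+\Z", b"", body) + b"\r\n"

def canon_relaxed(body: bytes) -> bytes:
    """'relaxed': also collapse runs of space/tab and drop whitespace at line ends."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
    while lines and not lines[-1]:
        lines.pop()  # empty lines at the end of the body are ignored
    return b"".join(ln + b"\r\n" for ln in lines)

def body_hash(body: bytes, canon: str = "relaxed") -> str:
    """Base64 SHA-256 of the canonical body, the value a signer puts in bh=."""
    canonical = canon_relaxed(body) if canon == "relaxed" else canon_simple(body)
    return base64.b64encode(hashlib.sha256(canonical).digest()).decode()

# Constructed sample body, a copy with only whitespace changes, and an altered copy.
ORIGINAL = b"Invoice 1042 is due on Friday.\r\nAmount: 100 EUR\r\n"
REWRAPPED = b"Invoice 1042 is due on Friday. \r\nAmount:  100 EUR\r\n\r\n"
TAMPERED = b"Invoice 1042 is due on Friday.\r\nAmount: 900 EUR\r\n"

if __name__ == "__main__":
    for label, body in (("original", ORIGINAL), ("rewrapped", REWRAPPED),
                        ("tampered", TAMPERED)):
        print(label, body_hash(body, "simple"), body_hash(body, "relaxed"))
```

The relaxed hash survives the whitespace-only changes a relay may make, while the changed amount produces a different hash under both canonicalizations, so the receiver's recomputed value no longer matches the signed one.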

DKIM record syntax

A DKIM record is a DNS TXT record published at <selector>._domainkey.<domain>:

v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...

DKIM tags

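| Tag | Description | Required | Values |
| --- | --- | --- | --- |
| v | Version | Recommended | DKIM1 |
| k | Key type | No (default: rsa) | rsa, ed25519 |
| p | Public key | Yes | Base64 DER |
| h | Hash algorithms | No | sha256, sha1 |
| t | Flags | No | y (test), s (strict) |
| s | Service types | No | email, * |
| n | Notes | No | Free text |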

Record examples

RSA 2048 bits (recommended):

default._domainkey.captaindns.com TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkq..."

Ed25519:

default._domainkey.captaindns.com TXT "v=DKIM1; k=ed25519; p=MCowBQYDK2Vw..."
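
A linter for the record format and tag table above, as an added example that is not the generator's own code. The key values are constructed zero-byte stand-ins sized like real keys, and the RSA size check is a heuristic based on the DER length of the decoded p value (294 bytes for RSA 2048), not a full key parse.

```python
import base64
import binascii

KNOWN_TAGS = {"v", "k", "p", "h", "t", "s", "n"}
RSA_2048_SPKI_LEN = 294  # DER bytes of a 2048-bit RSA public key with e=65537

def parse_tags(record: str) -> dict:
    """Split a 'tag=value; tag=value' list; insertion order is kept."""
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip()] = value.strip()
    return tags

def lint_dkim_record(record: str) -> list:
    """Return a list of findings; an empty list means nothing was flagged."""
    tags, issues = parse_tags(record), []
    if "v" in tags and (tags["v"] != "DKIM1" or next(iter(tags)) != "v"):
        issues.append("v must be DKIM1 and must be the first tag")
    key_type = tags.get("k", "rsa")
    if key_type not in ("rsa", "ed25519"):
        issues.append(f"unsupported key type k={key_type}")
    p = "".join(tags.get("p", "").split())  # base64 may be folded with whitespace
    if "p" not in tags:
        issues.append("required tag p is missing")
    elif not p:
        issues.append("p is empty: this key is revoked")
    else:
        try:
            key = base64.b64decode(p, validate=True)
            if key_type == "rsa" and len(key) < RSA_2048_SPKI_LEN:
                issues.append("RSA key is shorter than 2048 bits")
        except binascii.Error:
            issues.append("p is not valid base64")
    if "h" in tags and "sha256" not in tags["h"].split(":"):
        issues.append("h does not permit sha256")
    if "y" in tags.get("t", "").split(":"):
        issues.append("t=y is set: record is still in test mode")
    for name in sorted(set(tags) - KNOWN_TAGS):
        issues.append(f"unknown tag {name}")
    return issues

# Constructed stand-ins sized like real keys (zero bytes, not usable keys).
P_2048 = base64.b64encode(bytes(294)).decode()
P_1024 = base64.b64encode(bytes(162)).decode()

if __name__ == "__main__":
    print(lint_dkim_record(f"v=DKIM1; k=rsa; p={P_2048}"))
    print(lint_dkim_record(f"k=rsa; v=DKIM1; t=y; h=sha1; p={P_1024}"))
```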

RSA vs Ed25519: which algorithm to choose?

| Criteria | RSA 2048 | RSA 4096 | Ed25519 |
| --- | --- | --- | --- |
| Security | Good | Excellent | Excellent |
| Support | Universal | Universal | Partial (~80%) |
| Record length | ~400 chars | ~800 chars | ~90 chars |
| Performance | Good | Slow | Very fast |
| Recommendation | Production | Sensitive | Advanced |

Recommendations

  • RSA 2048 bits: Current standard, maximum compatibility. Choose this option by default.
  • RSA 4096 bits: For highly sensitive environments. Be aware of DNS limitations.
  • Ed25519: For advanced configurations. Consider a dual selector (RSA + Ed25519).
  • RSA 1024 bits: Deprecated since 2020. Avoid.

Key lengths and DNS limits

The 255-character limit

DNS TXT records are limited to 255 characters per string. Here's the impact by algorithm:

| Algorithm | Record length | DNS compatible |
| --- | --- | --- |
| Ed25519 | ~90 chars | ✅ Always |
| RSA 1024 | ~230 chars | ✅ Always |
| RSA 2048 | ~400 chars | ⚠️ Auto-split |
| RSA 4096 | ~800 chars | ⚠️ Check provider |

How providers handle long records

Most DNS providers (Cloudflare, AWS Route 53, Google Cloud DNS) automatically split long records into multiple strings. The DNS protocol concatenates them when reading.

If your provider doesn't support long records, prefer RSA 2048 bits or Ed25519.
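
The splitting described above, done by hand and then checked, as an added example that is not part of the original page. The record name under example.com and the 392 filler characters standing in for an RSA 2048 key are constructed, and the zone line assumes BIND-style syntax with no quote characters inside the record.

```python
TXT_STRING_LIMIT = 255  # maximum bytes in one TXT character-string

def split_txt(record: str, limit: int = TXT_STRING_LIMIT) -> list:
    """Cut a record into strings of at most `limit` bytes each."""
    data = record.encode("ascii")
    return [data[i:i + limit].decode("ascii") for i in range(0, len(data), limit)]

def zone_line(name: str, record: str) -> str:
    """Render a BIND-style line with one quoted string per chunk."""
    quoted = " ".join(f'"{chunk}"' for chunk in split_txt(record))
    return f"{name}. IN TXT ( {quoted} )"

def check_published(strings: list, expected: str) -> list:
    """Compare the strings a DNS lookup returned with the generated record."""
    problems = [f"string {n} is {len(s)} bytes, over the {TXT_STRING_LIMIT} limit"
                for n, s in enumerate(strings, 1) if len(s) > TXT_STRING_LIMIT]
    # Verifiers join the strings with nothing in between before parsing.
    if "".join(strings) != expected:
        problems.append("joined strings differ from the generated record")
    return problems

# Constructed record: 392 filler characters stand in for an RSA 2048 public key.
RECORD = "v=DKIM1; k=rsa; p=" + "A" * 392

if __name__ == "__main__":
    chunks = split_txt(RECORD)
    print([len(c) for c in chunks])
    print(zone_line("default._domainkey.example.com", RECORD))
    print(check_published(chunks, RECORD))
    # A provider that keeps only the first string truncates the key.
    print(check_published(chunks[:1], RECORD))
```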


Practical use cases

New domain: first DKIM configuration

Context: You're setting up a new mail server (Postfix, etc.)

Solution:

  1. Generate an RSA 2048-bit key with the default selector
  2. Download the private key and configure OpenDKIM
  3. Publish the TXT record in your DNS zone
  4. Verify with the DKIM Checker

DKIM key rotation

Context: Your DKIM key is over 12 months old or has been compromised

Solution:

  1. Generate a new key with a new selector (e.g., s2, 202602)
  2. Configure the new key in your mail server
  3. Publish the new DNS record
  4. Wait 24-48 hours for DNS propagation
  5. Remove the old record

Dual selector: RSA + Ed25519

Context: You want to benefit from Ed25519 while maintaining RSA compatibility

Solution:

  1. Generate an RSA 2048 key with the rsa selector
  2. Generate an Ed25519 key with the ed selector
  3. Configure your server to sign with both keys
  4. Modern servers will verify Ed25519, older ones will use RSA

DKIM flags: test and strict modes

Flag t=y (test mode)

Activates DKIM test mode. Verification failures are treated as neutral (neither pass nor fail).

Usage: Test your configuration without risking rejections. Remove the flag once validated.

Flag t=s (strict mode)

Requires strict alignment between the DKIM signing domain and the From domain. By default, relaxed alignment allows subdomains.

Usage: Strengthen security in production. Ensure all your emails are signed from the exact domain.


❓ FAQ - Frequently asked questions

Q: How do I generate a DKIM key for my domain?

A: Use our generator: enter your domain and a selector, choose RSA 2048 bits, click Generate. Download the private key and publish the TXT record in your DNS.


Q: What's the difference between RSA and Ed25519?

A: RSA is supported by all servers. Ed25519 is more modern with shorter keys, but support isn't universal (~80%). Recommendation: RSA 2048 bits for production.


Q: What RSA key length should I choose?

A: RSA 2048 bits is the standard. RSA 1024 is deprecated. RSA 4096 offers more security but generates very long records.


Q: What is a DKIM selector?

A: An identifier that lets one domain publish multiple DKIM keys. Examples: default, google, s1. The record is published at selector._domainkey.domain.com.


Q: Is the private key stored?

A: No. Generated once, transmitted, then deleted. Download it immediately.


Q: Why does my record exceed 255 characters?

A: RSA 4096 generates 800+ character records. Most providers split automatically. Otherwise, prefer RSA 2048 or Ed25519.


Q: How do I configure DKIM with Google Workspace?

A: Google generates its own keys. Admin Console > Gmail > Authenticate email > Generate new record. Our tool is for custom servers.


Complementary tools

| Tool | Purpose |
| --- | --- |
| DKIM Record Check | Verify your DKIM is published and valid |
| DKIM Syntax Check | Validate DKIM record syntax |
| SPF Generator | Create your SPF record |
| DMARC Generator | Configure DMARC to complete authentication |
| Mail Tester | Test your email deliverability |

Useful resources