Free Tool

DKIM Record Generator

Create DKIM keys and DNS records for your domain. DKIM (DomainKeys Identified Mail) adds a digital signature to your emails, proving they haven't been modified and truly came from your domain.

Domain

Your sending domain

Email Platform

Google Workspace DKIM Setup

In Google Admin Console, go to Apps → Gmail → Authenticate Email. Click 'Generate new record', choose 2048-bit key length, and copy the TXT record value. Add it to your DNS, then click 'Start authentication' in Google Admin.

DNS Record Name

google._domainkey.yourdomain.com

Add a TXT record with this name to your DNS provider

What is DKIM Record?

DKIM (DomainKeys Identified Mail) is an email authentication method that lets the receiving server verify that an email was authorized by the domain owner and wasn't altered during transit. It works by adding a digital signature to email headers, which receivers validate against a public key published in your DNS.

Why It Matters

DKIM is the tamper-proof seal on your emails. It cryptographically proves that your email content wasn't modified between sending and delivery. Without DKIM, email providers have no way to verify your emails are genuine, which hurts your sender reputation. Gmail, Yahoo, and Microsoft all use DKIM as a key signal when deciding inbox vs. spam.

How to Use This Tool

Generate or Find Your Keys

For managed platforms (Google Workspace, Microsoft 365), follow the platform-specific instructions to get your DKIM keys. For custom setups, use the generator above to create an RSA key pair.

Publish the DNS Record

Add a TXT record in your DNS with the name 'selector._domainkey.yourdomain.com' and paste the public key value. The selector is usually provided by your email platform.

Enable DKIM Signing

Configure your email server or platform to sign outgoing emails with the private key. Most managed platforms handle this automatically once you publish the DNS record.

Common Mistakes to Avoid

Using 1024-bit keys instead of 2048-bit

1024-bit keys are easier to compromise and some providers flag them as weak. Always generate 2048-bit keys for proper security and better deliverability signals.

Not enabling DKIM signing after publishing the DNS record

Adding the public key to DNS is only half the job. You also need to enable DKIM signing in your email platform so outgoing emails actually get signed with the private key.

Using the same selector for multiple services

Each email-sending service needs its own DKIM selector and key pair. Reusing selectors causes conflicts where one service overwrites another's DNS record.

Forgetting to rotate keys periodically

DKIM keys should be rotated every 6-12 months as a security best practice. Publish a new key with a new selector before removing the old one to avoid downtime.

Frequently Asked Questions

A DKIM record is a DNS TXT entry containing your public key. Email servers use it to verify the digital signature attached to emails sent from your domain, confirming the email is authentic and unmodified.

Use 2048-bit keys for the best security. While 1024-bit keys are still accepted, they're considered less secure. Most modern email platforms default to 2048-bit keys.

A selector is a name that identifies a specific DKIM key. It allows you to have multiple DKIM keys for different services. Common selectors include 'google', 's1', 'selector1', or 'default'.

Yes. SPF and DKIM serve different purposes. SPF verifies the sending server is authorized; DKIM verifies the email content hasn't been tampered with. Using both significantly improves deliverability and is required for DMARC.

In Google Admin Console, go to Apps → Gmail → Authenticate Email. Click 'Generate new record', choose your key length, then add the provided TXT record to your DNS. Finally, click 'Start authentication' in Google Admin.

Yes, unlike SPF, you can have multiple DKIM records for the same domain using different selectors. This is useful when multiple services send email on your behalf — each service gets its own selector and key pair.

Related Free Tools

DMARC Record Generator

Generate a DMARC DNS TXT record to protect your domain from email spoofing and phishing.

Try it free

SPF Record Generator

Generate an SPF DNS TXT record to authorize which servers can send email on behalf of your domain.

Try it free

Email Header Analyzer

Paste raw email headers to check SPF, DKIM, and DMARC authentication and trace the email's routing path.

Try it free

DKIM configured? Complete your deliverability setup.

DKIM proves your emails are genuine. Combined with SPF and DMARC, you've built a solid authentication foundation. Now warm up your domain with TrulyInbox.