DKIM Record Generator


Generate a DKIM key pair and the DNS TXT record you need to publish. Works with Google Workspace, Microsoft 365, Postfix, Exim, and any mail server.

Selector: A short name you choose - common values: mail, s1, default, google. You will also enter this in your mail server config.

Domain: Your sending domain, without https:// or www.

Public key: Leave blank to generate a new key pair. Paste an existing public key if you already have one from your mail server.


What is DKIM and why do you need it?

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every email you send. Receiving mail servers check this signature against a public key published in your DNS. If the signature matches, it proves the email came from your domain and was not modified in transit.

Without DKIM, your emails are more likely to be flagged as spam. Google and Yahoo now require DKIM for bulk senders, and DMARC enforcement depends on either DKIM or SPF alignment passing.

How DKIM works

  1. Your mail server signs outgoing emails with a private key (stored on your server, never shared).
  2. You publish the matching public key in DNS as a TXT record at selector._domainkey.yourdomain.com.
  3. When a receiving server gets your email, it fetches your public key from DNS and verifies the signature.
  4. If the signature is valid, DKIM passes. If the domain in the d= tag matches your From domain, DMARC alignment also passes.

How to set up DKIM on your mail server

  • Google Workspace: DKIM is managed in the Admin Console under Apps > Google Workspace > Gmail > Authenticate email. Google generates the key for you.
  • Microsoft 365: Set up in the Defender portal under Email & Collaboration > Policies > DKIM. Enable DKIM for your domain and publish the CNAME records Microsoft provides.
  • Postfix + OpenDKIM: Use this generator to create a key pair. Save the private key to /etc/opendkim/keys/yourdomain/selector.private and publish the DNS record.
  • cPanel / Exim: Go to cPanel > Email > Authentication. Enable DKIM and copy the generated TXT record to your DNS.
  • SendGrid, Mailgun, Amazon SES: These providers generate DKIM keys internally and give you CNAME or TXT records to add. Use this generator only for self-hosted mail servers.

Common DKIM mistakes

  • Wrong selector in the DNS record name
    The DNS record must be at yourselector._domainkey.yourdomain.com exactly. A typo here means the lookup will fail silently.
  • Key not matching the selector configured on the server
    If your mail server signs with selector mail but the DNS record is at default, verification fails.
  • DNS provider wrapping or truncating the key
    Some DNS panels have a character limit per TXT record. If the public key is truncated, DKIM breaks. Split the key into two quoted strings if needed.
  • Using a 1024-bit key
    1024-bit RSA keys are considered weak. Use 2048-bit as a minimum. This generator creates 2048-bit keys.
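
The last two mistakes can be checked offline from the TXT value itself. The following is an added example, not code from this generator: check_record and sample_record are hypothetical names, the sample records are constructed (DER-shaped, but not real keys), and p= is assumed to carry an RSA key in SubjectPublicKeyInfo form.

```python
import base64
import re

def _tlv(tag, body):  # DER-encode one element (only builds the constructed samples)
    n, k = len(body), (len(body).bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | k]) + n.to_bytes(k, "big")
    return bytes([tag]) + head + body

def sample_record(bits):
    """Constructed TXT rdata, split into strings of at most 255 characters."""
    modulus = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")
    rsakey = _tlv(0x30, _tlv(0x02, modulus) + _tlv(0x02, b"\x01\x00\x01"))
    alg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d010101")) + _tlv(0x05, b""))
    spki = _tlv(0x30, alg + _tlv(0x03, b"\x00" + rsakey))
    s = "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()
    return " ".join(f'"{s[i:i + 255]}"' for i in range(0, len(s), 255))

def _read(der, pos, tag):
    """Return (body, next_pos) of the DER element at pos; raise if it is cut short."""
    if pos + 2 > len(der) or der[pos] != tag:
        raise ValueError("unexpected DER structure")
    n, pos = der[pos + 1], pos + 2
    if n & 0x80:  # long form: low 7 bits give the number of length bytes
        n, pos = int.from_bytes(der[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
    if pos + n > len(der):
        raise ValueError("key data truncated")
    return der[pos:pos + n], pos + n

def rsa_bits(spki):
    """Modulus size in bits of an RSA SubjectPublicKeyInfo."""
    outer, _ = _read(spki, 0, 0x30)
    _, pos = _read(outer, 0, 0x30)            # AlgorithmIdentifier, skipped
    bitstr, _ = _read(outer, pos, 0x03)
    rsakey, _ = _read(bitstr[1:], 0, 0x30)    # drop the unused-bits byte
    modulus, _ = _read(rsakey, 0, 0x02)
    return int.from_bytes(modulus, "big").bit_length()

def check_record(txt):
    """Classify TXT rdata given as one or more quoted strings (zone-file style)."""
    joined = "".join(re.findall(r'"([^"]*)"', txt)) or txt
    tags = dict(t.strip().split("=", 1) for t in joined.split(";") if "=" in t)
    if tags.get("k", "rsa").strip() != "rsa":
        return "not an RSA key"
    p = re.sub(r"\s+", "", tags.get("p", ""))
    try:
        bits = rsa_bits(base64.b64decode(p, validate=True))
    except ValueError:
        return "public key truncated or malformed"
    return f"ok: {bits}-bit RSA" if bits >= 2048 else f"weak: {bits}-bit RSA"
```

Pass check_record the TXT value exactly as your DNS panel or zone file shows it, including the quotes around each string.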

FAQ

Can I use the same DKIM key for multiple domains?

No. Each domain needs its own DKIM key pair. The DNS record is specific to each domain and the private key should be separate per domain for security.

How many DKIM selectors can I have?

As many as you want. Multiple selectors are common when you use several email platforms (e.g., Google Workspace uses selector google, SendGrid uses a custom one). Each selector has its own DNS record and key pair.

What is the difference between DKIM and SPF?

SPF checks whether the sending IP is authorized for your domain. DKIM checks whether the email content was signed by your domain's key. They protect different parts of the email. DMARC combines both - at least one must pass and align for DMARC to pass.

Does DKIM expire?

DKIM keys do not expire automatically. It is good practice to rotate them every 1-2 years, especially if you suspect a key compromise. Rotation means generating a new key pair, publishing it under a new selector, updating your mail server, and removing the old selector's DNS record after a few days.

Why does DKIM pass but DMARC still fails?

DMARC requires alignment. DKIM alignment means the domain in the DKIM d= tag must match the From header domain. If you send from an address at your own domain but your DKIM key signs with d=sendingprovider.com, DKIM passes but DMARC alignment fails. Check alignment with the InboxGreen domain checker.