DKIM Record Generator

Generate a valid DKIM DNS record for your domain. Choose your key type (RSA or Ed25519), set a selector, paste your public key, and get a ready-to-use TXT record with key generation commands.

Generate a valid DKIM DNS record for email authentication

Selector: Identifies which DKIM key to use (e.g., "default", "google", "s1").

Key size: Keys larger than 1024 bits may exceed the 255-character limit on a single TXT string. Your DNS provider may split the value into multiple strings automatically.

Public key: Paste the public key from your key pair. The header/footer and whitespace will be stripped automatically.

Record name: default._domainkey.example.com
Record value: v=DKIM1; k=rsa; p=YOUR_PUBLIC_KEY_HERE

Run these commands to generate an RSA-2048 key pair:

openssl genrsa -out dkim_private.pem 2048
openssl rsa -in dkim_private.pem -pubout -out dkim_public.pem
Key size options:

  1024-bit (Basic): Security: Basic. Compatibility: Universal.
  2048-bit (Recommended): Security: Strong. Compatibility: Most providers.
  4096-bit (Maximum): Security: Maximum. Compatibility: May need splitting.

How to set up DKIM

  1. Generate a public/private key pair using the commands above
  2. Add the TXT record to your DNS with the name shown above
  3. Configure your mail server to sign outgoing emails with the private key
  4. Verify with a DKIM checker
  5. Allow up to 48 hours for DNS propagation

About this tool

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every outgoing email, proving it actually came from your domain and wasn't altered in transit. As of February 2024, Gmail and Yahoo require DKIM for any sender sending more than 5,000 emails per day. Without it, your messages either bounce or land in spam. This generator creates the DNS TXT record you need to publish your DKIM public key: just pick your key type, set a selector name, paste your public key, and copy the record.

RSA vs Ed25519: which key type should you use?

RSA-2048 is the safe default. Every major mail provider supports it, and it has been the industry standard for over a decade. The downside is that RSA keys are long: a 2048-bit public key produces a DNS TXT record of around 400 characters, which can cause issues with DNS providers that limit record length. Ed25519 is the modern alternative: keys are dramatically shorter (just 44 characters for the public key), signing is faster, and the cryptography is actually stronger. The catch is that a small percentage of older receiving servers don't verify Ed25519 signatures yet. The best approach? Set up both. Use Ed25519 as your primary and RSA as a fallback, signing each message with both keys: a receiving server that cannot verify the Ed25519 signature still passes the message on the RSA signature, with no extra configuration on its side.

Key generation and selector naming

For RSA-2048, run openssl genrsa -out private.pem 2048 followed by openssl rsa -in private.pem -pubout -out public.pem. For Ed25519, use openssl genpkey -algorithm ed25519 -out private.pem and openssl pkey -in private.pem -pubout -out public.pem. Your selector name identifies which key to use — the DNS lookup follows the pattern selector._domainkey.yourdomain.com. Use descriptive selectors like google for Google Workspace, sg2024 for SendGrid, or seq for Sequenzy. Avoid generic names like default because they make it harder to rotate keys or track which service uses which key.
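The record construction described above (together with the PEM stripping and 255-character splitting the form notes mention), as an added Python example that is not part of this tool's own code: it strips the PEM wrapper, builds the selector._domainkey.domain name and the v=DKIM1 value, and splits the value into TXT strings. It assumes the Ed25519 p= value is the raw 32-byte key as RFC 8463 specifies, which is why it unwraps the SubjectPublicKeyInfo that openssl pkey -pubout writes; the sample keys are constructed filler, not real keys.

```python
import base64
import re

# DER prefix of a SubjectPublicKeyInfo carrying an Ed25519 key (OID 1.3.101.112),
# which is what "openssl pkey -pubout" writes; the raw 32-byte key follows it.
ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")
TXT_STRING_MAX = 255  # max octets in one TXT <character-string> (RFC 1035)

def pem_body(pem: str) -> bytes:
    """Drop the BEGIN/END lines and all whitespace, return the DER bytes."""
    lines = [ln.strip() for ln in pem.splitlines()]
    body = "".join(ln for ln in lines if ln and not ln.startswith("-----"))
    return base64.b64decode(body, validate=True)

def dkim_p_value(pem: str, key_type: str) -> str:
    """Return the base64 p= value the record must carry for this key type."""
    der = pem_body(pem)
    if key_type == "rsa":
        return base64.b64encode(der).decode()  # RFC 6376: the full SPKI DER
    if key_type == "ed25519":
        # RFC 8463: only the raw 32-byte key, not the SPKI wrapper openssl emits
        if len(der) != len(ED25519_SPKI_PREFIX) + 32 or not der.startswith(ED25519_SPKI_PREFIX):
            raise ValueError("not an Ed25519 SubjectPublicKeyInfo")
        return base64.b64encode(der[len(ED25519_SPKI_PREFIX):]).decode()
    raise ValueError(f"unsupported key type: {key_type}")

def dkim_record(selector: str, domain: str, pem: str, key_type: str) -> tuple[str, str]:
    """Return (DNS name, TXT value) for selector._domainkey.domain."""
    if not re.fullmatch(r"[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?", selector):
        raise ValueError("selector must be a valid DNS sub-domain")
    value = f"v=DKIM1; k={key_type}; p={dkim_p_value(pem, key_type)}"
    return f"{selector}._domainkey.{domain}", value

def txt_strings(value: str) -> list[str]:
    """Split a long value into <=255-octet strings; verifiers concatenate them."""
    return [value[i:i + TXT_STRING_MAX] for i in range(0, len(value), TXT_STRING_MAX)]

def zone_line(name: str, value: str) -> str:
    """Zone-file form with each string quoted, for providers that do not split."""
    return f"{name}. IN TXT " + " ".join(f'"{s}"' for s in txt_strings(value))

def _pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n"

# Constructed sample inputs (not real keys): 32 counting bytes as the Ed25519
# key, and 294 zero bytes standing in for an RSA-2048 SPKI of the same size.
SAMPLE_ED25519_PEM = _pem(ED25519_SPKI_PREFIX + bytes(range(32)))
SAMPLE_RSA_PEM = _pem(bytes(294))
```

With a real RSA-2048 key the value comes out at roughly 410 characters and lands in two TXT strings, which is the splitting the key-size note warns about.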

Why DKIM matters for deliverability

DKIM is one of three pillars of email authentication, alongside SPF and DMARC. Together they form the trust triangle that mailbox providers use to decide whether your email reaches the inbox. DKIM carries the most weight in deliverability scoring — it's worth 25 points in most reputation models compared to 20 for SPF. That's because DKIM survives forwarding, while SPF breaks when an email is relayed through an intermediate server. In practice, emails with valid DKIM signatures see 10-15% better inbox placement rates than unsigned emails from the same domain.

Setting up and verifying your record

After generating your record with this tool, add it as a TXT record in your DNS provider. Keep in mind that DNS propagation can take up to 48 hours, though most providers update within 15-30 minutes. Use our DNS propagation checker to monitor the rollout, then verify the record is correct with our DKIM checker. Once DKIM is live, set up DMARC to tell receiving servers what to do when authentication fails. Finally, run a deliverability score check to see your overall authentication grade.