DKIM Key Generator Calculator

DKIM Key Generator

Domain

Use the domain that sends mail (no https).

Selector

Common selectors: default, s1, mail.

Key size

2048 is widely recommended; 4096 is larger.

Hash tag (h=)

Most providers prefer sha256.

Service type (s=)

Use email unless you need a wildcard.

Test mode (t=)

Use test mode while validating DNS.

Split TXT value

Splitting helps providers with TXT limits.

Chunk length

Each quoted TXT segment stays under limits.

Notes (optional)

Stored in downloads only.

Reset

Server requirement: OpenSSL must be enabled in your runtime. If keys fail to generate, check your hosting OpenSSL policy.

Example Output Table

Domain	Selector	Key size	DNS host/name	TXT starts with
example.com	default	2048	default._domainkey.example.com	v=DKIM1; k=rsa; h=sha256; ...
shop.example.com	s1	4096	s1._domainkey.shop.example.com	v=DKIM1; k=rsa; h=sha256; t=y; ...
news.example.net	mail	2048	mail._domainkey.news.example.net	v=DKIM1; k=rsa; s=email; ...

Your real TXT value includes the full public key in p=.

Formula Used

This generator follows the DKIM DNS record structure and RSA keypair method:

p= is the Base64 public key, extracted from the PEM block.
The DNS TXT record is assembled as: v=DKIM1; k=rsa; h=sha256; s=email; t=y; p=PUBLICKEY;
When splitting is enabled, the TXT value is chunked into quoted segments for DNS compatibility.

Note: DKIM signing occurs on your mail server; this page only generates key material and DNS text.

How to Use This Calculator

Enter your sending domain and choose a selector.
Select key size and keep sha256 for modern setups.
Click Generate, then copy the TXT record into DNS.
Install the private key on your mail server and configure signing.
Verify with a DKIM checker, then disable test mode.

FAQs

1) What is a DKIM selector?

The selector is a DNS label that points to your public key record. It lets you rotate keys by changing the selector without changing the domain. Keep it short and unique per mail stream.

2) Which key size should I use?

Most organizations use 2048-bit RSA for compatibility and security. Use 4096-bit if your DNS provider and mail stack handle larger records. Avoid 1024-bit unless required for legacy systems.

3) Why does the TXT record split into quotes?

Many DNS providers limit TXT segment length. Splitting keeps each quoted part below common limits while preserving one logical TXT value. DNS resolvers join the segments automatically during lookup.

4) What does test mode do?

Test mode adds t=y, signaling the key is for testing. Some receivers may treat it differently, but it mostly helps you remember to validate before production. Turn it off after verification.

5) Is the private key safe to share?

No. The private key must stay on your mail server only. Anyone with the private key can sign messages as your domain. Publish only the public key via DNS and protect the private key with strict permissions.

6) Why is sha256 recommended?

SHA-256 is the modern, widely supported DKIM hash algorithm. SHA-1 is considered weak and is often discouraged. If a legacy system demands SHA-1, plan a migration to SHA-256 soon.

7) Will this tool configure my mail server?

No. This page generates keys and record text only. You still need to install the private key and configure a signing service such as OpenDKIM, Postfix integration, or your provider’s DKIM settings.

8) How often should I rotate DKIM keys?

Key rotation depends on policy, but many teams rotate every 6–12 months or after a suspected leak. Rotation is easier if you use a new selector, publish the new record, then switch signing to it.