DKIM Record & Key Generator
Generate a DKIM key pair for your domain. Pick a selector, create an RSA-2048 key in your browser, and get the public-key DNS TXT record plus the private key for your mail server. Keys are made locally and never sent anywhere.
Read the guide: How to Set Up DKIM
How it works
- 1. Choose a selector
  Pick a short label such as default or a date like 2026a. It becomes part of the record name and lets you rotate keys later.
- 2. Generate the key pair
  Click generate and the tool creates an RSA-2048 key pair in your browser using WebCrypto.
- 3. Publish and install
  Add the public key as a TXT record at <selector>._domainkey, and install the private key on your mail server.
Instant & 100% private — nothing is uploaded
Everything runs locally in your browser. Your code, text and files are processed on your own device and are never sent to a server — so there are no upload waits, no size limits from us, and nothing is ever stored or logged.
Frequently asked questions
- What is a DKIM selector?
- A selector is a label that lets a domain hold several DKIM keys at once. It forms the record name: a selector of default publishes at default._domainkey.example.com. Using a new selector each time makes key rotation painless, since the old key keeps working until you remove it.
- Are the keys really generated in my browser?
- Yes. The key pair is created with the WebCrypto API on your own device, and neither the public nor the private key is uploaded. That is what makes it safe to generate a production key here. The page needs to be on a secure (https) origin for WebCrypto to run.
- What do I do with the private key?
- Install it on the mail server or service that sends your mail, following its DKIM configuration. Keep it secret and never publish it. Only the public key goes into DNS. If the private key is ever exposed, generate a new pair under a fresh selector and replace the record.
- Why RSA-2048 and not a longer key?
- RSA-2048 is the practical sweet spot for DKIM: it is strong and is supported everywhere, while its public key still fits comfortably in a single DNS TXT record. Larger RSA keys can overflow the 255-character TXT string limit and need awkward splitting.
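The three steps above and the TXT length question can be seen together in code. This is an added example, not the tool's own source; the function names are hypothetical and it assumes a runtime with WebCrypto and `btoa` (a browser on https, or a recent Node.js). An RSA-2048 value comes to roughly 410 characters, so the record is emitted as two quoted strings inside one TXT record.

```javascript
// Added example, not the tool's own source; function names are hypothetical.
const MAX_TXT_STRING = 255; // one DNS character-string holds at most 255 bytes

function toBase64(bytes) {
  let bin = '';
  for (const b of bytes) bin += String.fromCharCode(b);
  return btoa(bin);
}

// Pure formatting step: SPKI DER bytes -> record name, value and TXT strings.
function buildDkimRecord(selector, domain, spkiDer) {
  const label = /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/i;
  if (!selector.split('.').every((l) => label.test(l))) {
    throw new Error('selector must consist of valid DNS labels');
  }
  const name = `${selector}._domainkey.${domain}`;
  const value = `v=DKIM1; k=rsa; p=${toBase64(spkiDer)}`;
  const strings = [];
  for (let i = 0; i < value.length; i += MAX_TXT_STRING) {
    strings.push(value.slice(i, i + MAX_TXT_STRING));
  }
  const zoneLine = `${name}. IN TXT ( ${strings.map((s) => `"${s}"`).join(' ')} )`;
  return { name, value, strings, zoneLine };
}

// Key generation with WebCrypto; needs a secure context in the browser.
async function generateDkimKeyPair(selector, domain) {
  const { subtle } = globalThis.crypto;
  const pair = await subtle.generateKey(
    { name: 'RSASSA-PKCS1-v1_5', modulusLength: 2048,
      publicExponent: new Uint8Array([1, 0, 1]), hash: 'SHA-256' },
    true, // extractable, so both halves can be exported
    ['sign', 'verify']
  );
  const spki = new Uint8Array(await subtle.exportKey('spki', pair.publicKey));
  const pkcs8 = new Uint8Array(await subtle.exportKey('pkcs8', pair.privateKey));
  const body = toBase64(pkcs8).match(/.{1,64}/g).join('\n');
  const privateKeyPem =
    `-----BEGIN PRIVATE KEY-----\n${body}\n-----END PRIVATE KEY-----\n`;
  return { record: buildDkimRecord(selector, domain, spki), privateKeyPem };
}
```

Only `record` goes into DNS; `privateKeyPem` is PKCS#8 and stays on the sending mail server.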