How to Set Up DKIM

Set up DKIM for your domain: generate a key pair, publish the public key as a TXT record at the selector, install the private key on your mail server, and rotate keys safely.

By CodingEagles

DKIM adds a cryptographic signature to your outgoing mail that lets receivers confirm the message really came from your domain and was not changed in transit. It works with a key pair: your mail server signs with a private key, and receivers verify against a public key you publish in DNS. The DKIM record generator creates the pair in your browser; this guide explains how to put it to work.

How DKIM works

When your server sends a message, it hashes the headers and body and signs that hash with the private key. It attaches the signature in a DKIM-Signature header that names your domain and the selector it used.

The receiver reads the selector, looks up the matching public key in your DNS, and checks the signature. If it verifies, the receiver knows the message was signed by something holding your private key and that the signed parts were not altered. Because the signature travels with the message, DKIM survives forwarding, which is where SPF often falls down.

Generating and publishing

The two halves of the key go to two different places.

  1. Pick a selector. This is a short label such as default or a date like 2026a. It becomes part of the record name and lets you hold more than one key at a time.
  2. Generate the pair. The generator creates an RSA-2048 key pair locally with WebCrypto, so neither key is ever uploaded. RSA-2048 is the right size for DKIM: strong, supported everywhere, and small enough to fit one DNS TXT record.
  3. Publish the public key. Add it as a TXT record at <selector>._domainkey on your domain. The value starts with v=DKIM1; k=rsa; p= followed by the long base64 key.
  4. Install the private key. Put it on the mail server or service that sends your mail and configure that service to sign with your selector. Keep it secret and never share it.

After both are in place, send a test message and check the headers for a dkim=pass result.
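The record from step 3 can be checked mechanically before the server is switched over. This is an added example, not code from the original guide or its generator: it joins the TXT strings as a verifier does (a 2048-bit key is longer than one 255-byte TXT string, so the value is published as several strings inside the one record), parses the tags, and confirms that p= holds an RSA public key of at least 2048 bits. The function names are hypothetical and the sample key is constructed around a made-up modulus.

```python
import base64

def parse_tags(txt_strings):
    """Join the TXT strings as a verifier does, then split into tag=value pairs."""
    parts = (p.split("=", 1) for p in "".join(txt_strings).split(";") if "=" in p)
    return {name.strip(): "".join(value.split()) for name, value in parts}

def _tlv(buf, pos, expect):
    """Read one DER element of type `expect`; return (content_start, content_end)."""
    if buf[pos] != expect:
        raise ValueError("unexpected DER tag")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return pos, pos + length

def rsa_modulus_bits(spki):
    """Bit length of the RSA modulus in a SubjectPublicKeyInfo (the decoded p=)."""
    start, _ = _tlv(spki, 0, 0x30)          # outer SEQUENCE
    _, alg_end = _tlv(spki, start, 0x30)    # AlgorithmIdentifier, skipped
    bits, _ = _tlv(spki, alg_end, 0x03)     # BIT STRING wrapping the RSA key
    seq, _ = _tlv(spki, bits + 1, 0x30)     # +1 skips the unused-bits byte
    n_start, n_end = _tlv(spki, seq, 0x02)  # INTEGER modulus
    return int.from_bytes(spki[n_start:n_end], "big").bit_length()

def check_dkim_record(txt_strings, min_bits=2048):
    """Return a list of problems with a published DKIM key record (empty = OK)."""
    problems = []
    if any(len(s) > 255 for s in txt_strings):
        problems.append("a TXT string exceeds 255 bytes; split the value")
    tags = parse_tags(txt_strings)
    if tags.get("v", "DKIM1") != "DKIM1" or tags.get("k", "rsa") != "rsa":
        return problems + ["v= is not DKIM1 or k= is not rsa"]
    if not tags.get("p"):
        return problems + ["p= missing or empty (an empty p= marks the key revoked)"]
    try:
        bits = rsa_modulus_bits(base64.b64decode(tags["p"], validate=True))
        if bits < min_bits:
            problems.append(f"RSA modulus is {bits} bits, below {min_bits}")
    except (ValueError, IndexError):
        problems.append("p= is not a base64 RSA public key (private key pasted?)")
    return problems

# Constructed sample: real SPKI framing around a made-up modulus (not a usable key).
SAMPLE_KEY = base64.b64encode(bytes.fromhex(
    "30820122300d06092a864886f70d01010105000382010f003082010a02820101"
) + b"\x00\xc3" + b"\x5a" * 255 + bytes.fromhex("0203010001")).decode()
SAMPLE_TXT = ["v=DKIM1; k=rsa; p=" + SAMPLE_KEY[:200], SAMPLE_KEY[200:]]
```

Pass the strings exactly as your DNS lookup returns them for `<selector>._domainkey`; an empty list from `check_dkim_record` means the record is well formed, not that the server is signing with the matching private key, which the dkim=pass test still has to confirm.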

Keeping the private key safe

The private key is the whole game. Anyone who holds it can sign mail as your domain, so it belongs only on your sending server, never in a repository, a backup people can read, or a chat message. If you suspect it has leaked, treat it as compromised: generate a new pair under a fresh selector, publish it, switch the server over, and remove the old record once mail in flight has cleared. Selectors make this rotation painless, since the old and new keys can coexist during the switch.

DKIM is part of a set

DKIM proves a message is intact and genuinely signed, but on its own it does not say what receivers should do when verification fails, nor does it cover the visible From address. That is the job of the surrounding records: SPF authorizes the servers allowed to send for you (see How to create an SPF record), and DMARC ties SPF and DKIM to your From domain and sets the failure policy (see How to set up DMARC). Publishing all three is what gets mail delivered reliably and shuts down spoofing.

When you are ready, open the DKIM record generator, choose a selector, generate your key pair, and publish the public half.

Frequently asked questions

What is a DKIM selector?
A selector is a label that lets one domain hold several DKIM keys. It forms the record name: a selector of default publishes at default._domainkey.example.com. Using a fresh selector for each new key makes rotation simple, since the old key keeps working until you remove it.

Where do the DKIM keys go?
The public key goes into DNS as a TXT record at <selector>._domainkey on your domain. The private key goes on the mail server or service that sends your mail, where it signs each message. Never publish the private key.

How often should I rotate DKIM keys?
Rotating once or twice a year is good practice; rotate immediately if a private key is ever exposed. Generate a new pair under a new selector, publish it, switch the server to sign with it, then remove the old record after mail in flight has cleared.
