DKIM (DomainKeys Identified Mail) attaches a cryptographic signature to your outgoing email and publishes the matching public key in DNS so receivers can verify nothing was tampered with and the message really came from your domain. This builder formats that public-key TXT record correctly.
How it works
Your mail server signs each message with a private key it keeps secret. The public key half is published as a DNS TXT record at a special hostname:
<selector>._domainkey.<your-domain>
The record value is a list of semicolon-separated tags. The builder assembles them in conventional order:
v=DKIM1— version, always first.k=rsaork=ed25519— the key algorithm.h=sha256— permitted hash algorithms (RSA only; omitted when you allow all).t=...— optional flags:yfor test mode,sto forbid subdomain reuse.s=email— restrict the key to the email service type.p=...— the base64 public key itself, placed last by convention.
The builder strips any PEM -----BEGIN/END----- header lines from your pasted
key, validates that the remainder is clean base64, and warns when an RSA-2048
record crosses the 255-byte single-string TXT limit.
Worked example
For selector s1, domain example.com, an RSA key, and SHA-256, the hostname is:
s1._domainkey.example.com
and the record value looks like:
v=DKIM1; k=rsa; h=sha256; s=email; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB...
Publish that as a TXT record, send a test message, and check the receiving
server’s Authentication-Results header for dkim=pass.
Generating the key pair first
This tool formats the public key into a DNS record — it does not generate the key pair itself. You create the private/public key pair using your mail server’s built-in key-generation command or with OpenSSL:
# Generate a 2048-bit RSA key pair
openssl genrsa -out private.key 2048
openssl rsa -in private.key -pubout -out public.key
Your mail server (Postfix, Exim, SendGrid, Google Workspace, etc.) will typically handle key generation for you and show the public key in its control panel. Copy that public key (the base64 block, without the PEM headers) and paste it into this builder’s p= field.
RSA-2048 and the 255-byte DNS limit
An RSA-2048 public key base64-encodes to roughly 392 characters. With the v=, k=, and other tag overhead, the total DKIM TXT record commonly exceeds 500 bytes — well above the 255-byte single-string DNS TXT limit. DNS resolves this by splitting the record into multiple quoted strings within the same TXT entry:
"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA"
"vJ6sA...rest_of_key..."
Most DNS control panels accept the full value and split it automatically. If yours does not, you may need to split the key string manually into 255-character chunks enclosed in double quotes. The builder warns you when the record length approaches this limit.
Ed25519 as an alternative
Ed25519 public keys are only 44 base64 characters, making the entire DKIM record comfortably within the 255-byte limit. The downside is receiver support: most modern mail servers verify Ed25519, but some older filtering systems do not. Publishing both an RSA key (for compatibility) and an Ed25519 key under different selectors is a robust approach.
Tips for deployment
- Keep the private key secret and on the signing server only — only the public half ever goes in DNS.
- Use a fresh selector when rotating keys so the old key can stay published until in-flight mail is delivered; do not delete the old record immediately.
- Remove
t=yonce verification passes; leaving test mode on tells receivers to ignore failures, undermining DMARC enforcement. - Verify your published record with an online DKIM checker or by sending a test message and inspecting the
Authentication-Resultsheader fordkim=pass. - DKIM is one leg of email authentication. Pair it with SPF and a DMARC policy at
p=quarantineorp=rejectso receivers can take action when alignment fails.