
DKIM Record Generator

Pick your email service provider and we'll generate the exact DKIM records you need to publish in DNS. Most modern providers use CNAMEs that point to ESP-managed key infrastructure (so they can rotate keys without you re-publishing); a few still require you to publish a raw TXT public key.

Why DKIM matters

DKIM (DomainKeys Identified Mail) is one of the three pillars of modern email authentication, alongside SPF and DMARC. Receiving servers verify the DKIM signature against your published public key to confirm the message wasn't altered in transit and was authorised by your domain. Without DKIM, your DMARC policy can only rely on SPF, which breaks every time a message is forwarded.

For brand protection: a properly DKIM-signed email is much harder to spoof. Combined with DMARC at p=reject, mail that spoofs your domain in the From header fails authentication and is rejected, so attackers can't impersonate your domain. Scan your domain to see DKIM, SPF, and DMARC together and get the exact records to publish.

Frequently asked questions

Does DKIM use a CNAME or a TXT record?

It depends on the provider. Microsoft 365 and Amazon SES hand you CNAME records that point at keys they host and rotate. Google Workspace and others give you a TXT record containing the public key directly. This generator shows the right record type and selector for each provider.

What is a DKIM selector?

The selector is the label in the record name, before ._domainkey (for example google._domainkey.yourdomain.com). Each sending platform uses its own selector, which lets you run DKIM for several providers on one domain at once.

Where do I publish the DKIM record?

At selector._domainkey.yourdomain.com in your DNS, using the exact selector and value for your provider. After it propagates, enable DKIM signing in the provider's admin console, then confirm with the DKIM checker.

What key length should DKIM use?

2048-bit RSA or Ed25519. 1024-bit keys are effectively deprecated by Google, Microsoft, and Yahoo. Most providers default to 2048-bit now; if yours offers a choice, pick 2048-bit.
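To check the key length of a record you have published, the following added example (not part of this generator or any provider's tooling) parses a DKIM TXT value and reports the key type and size. The function names and the sample record are constructed for illustration; for CNAME-based providers, run it on the TXT value the CNAME resolves to.

```python
import base64

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:  # long-form length: low 7 bits give the byte count
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def rsa_bits(spki):
    """Modulus size in bits of a DER SubjectPublicKeyInfo RSA key."""
    _, outer, _ = read_tlv(spki)         # SEQUENCE
    _, _, nxt = read_tlv(outer)          # AlgorithmIdentifier
    _, bitstr, _ = read_tlv(outer, nxt)  # BIT STRING
    _, rsakey, _ = read_tlv(bitstr[1:])  # skip unused-bits octet
    _, modulus, _ = read_tlv(rsakey)     # INTEGER n
    return int.from_bytes(modulus, "big").bit_length()

def check_dkim_record(txt):
    """Parse a DKIM TXT value; return (key_type, bits, verdict)."""
    pairs = (t.split("=", 1) for t in txt.split(";") if "=" in t)
    tags = {k.strip(): v.strip() for k, v in pairs}
    ktype = tags.get("k", "rsa")  # k= defaults to rsa when absent
    raw = base64.b64decode("".join(tags.get("p", "").split()))
    if not raw:
        return ktype, 0, "revoked (empty p=)"
    if ktype == "ed25519":  # p= is the raw 32-byte public key
        return ktype, len(raw) * 8, "ok" if len(raw) == 32 else "bad length"
    bits = rsa_bits(raw)
    return ktype, bits, "ok" if bits >= 2048 else "too short"

def _tlv(tag, body):
    """DER-encode one element; used only to build the constructed sample."""
    n = len(body)
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(size)]) + size) + body

def sample_record(bits):
    """Constructed record: modulus is 2**(bits-1) + 1, not a usable key."""
    n = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")  # leading 0x00
    rsakey = _tlv(0x30, _tlv(0x02, n) + _tlv(0x02, b"\x01\x00\x01"))
    algid = _tlv(0x30, bytes.fromhex("06092a864886f70d010101") + b"\x05\x00")
    spki = _tlv(0x30, algid + _tlv(0x03, b"\x00" + rsakey))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()
```

Calling `check_dkim_record(sample_record(1024))` flags the constructed 1024-bit key as too short, while the 2048-bit sample passes.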