How to add to DNS
Selector + _domainkey
1. Create a TXT record for: default._domainkey.example.com.
2. Paste the TXT value shown above. Many DNS providers accept the value as one quoted string; some require splitting it into chunks of at most 255 characters. Use the split form if the record is rejected.
Recommended checks:
- Ensure the selector matches your MTA signing configuration.
- Use 2048 bits unless you need extra security and can handle long DNS entries.
- Verify DNS propagation and test with external DKIM validators.
Sample DNS TXT record
Single-line example (may be long):
—
Split (safe) example for DNS panels that limit string length:
—
Notes
• This generator uses the Web Crypto API to produce an RSA keypair in your browser. The public key is exported in SPKI (SubjectPublicKeyInfo) format and base64-encoded for use in the DNS p= tag.
• The private key is exported in PKCS#8 PEM format for your MTA signing configuration (e.g. OpenDKIM, Postfix with milter, etc.).
• If you need a different format (PKCS#1, different encodings), export and convert using local tools.
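The steps and notes above (Web Crypto keypair, SPKI public key in the p= tag, PKCS#8 PEM private key, 255-character splitting) can be reproduced as follows. This is an added example, not this generator's own source: the function names are hypothetical, and the `v=DKIM1; k=rsa;` prefix comes from RFC 6376, not from this page.

```javascript
// Added example; helper names are hypothetical, not the generator's code.
// Browsers and recent Node expose globalThis.crypto; older Node needs the require fallback.
const subtle = (globalThis.crypto ?? require("node:crypto").webcrypto).subtle;

function toBase64(buf) {
  return btoa(String.fromCharCode(...new Uint8Array(buf)));
}

// Split a TXT value into quoted character-strings of at most 255 characters each.
function splitTxt(value, max = 255) {
  const parts = [];
  for (let i = 0; i < value.length; i += max) parts.push(value.slice(i, i + max));
  return parts.map((p) => `"${p}"`).join(" ");
}

// TXT value: version, key type, then the base64 SPKI public key in p=.
function buildDkimTxt(spkiB64) {
  return `v=DKIM1; k=rsa; p=${spkiB64}`;
}

function toPem(b64, label) {
  const body = b64.match(/.{1,64}/g).join("\n");
  return `-----BEGIN ${label}-----\n${body}\n-----END ${label}-----\n`;
}

async function generateDkim(selector, domain, bits = 2048) {
  const pair = await subtle.generateKey(
    { name: "RSASSA-PKCS1-v1_5", modulusLength: bits,
      publicExponent: new Uint8Array([1, 0, 1]), hash: "SHA-256" },
    true, // extractable, so both halves can be exported
    ["sign", "verify"]);
  const spki = toBase64(await subtle.exportKey("spki", pair.publicKey));
  const pkcs8 = toBase64(await subtle.exportKey("pkcs8", pair.privateKey));
  const txt = buildDkimTxt(spki);
  return {
    name: `${selector}._domainkey.${domain}.`, // record name for the DNS panel
    txt,                                       // single-string form
    txtSplit: splitTxt(txt),                   // split form for strict panels
    privateKeyPem: toPem(pkcs8, "PRIVATE KEY"), // stays local; goes to the MTA only
  };
}
```

A 2048-bit key yields a TXT value longer than 255 characters, so the split form always has two strings; resolvers concatenate them without adding a separator.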
Quick validation
Use any external DKIM checker after DNS propagation. This tool does not perform DNS or signature tests — it only creates the keys and shows the DNS-ready values.