A DKIM generator creates the cryptographic key pair (public + private) needed for DKIM email signing. Most ESPs (Google Workspace, Microsoft 365, SendGrid, Mailgun) auto-generate DKIM for you — just enable it in the admin console. For self-hosted infrastructure or custom setups, free DKIM generators from EasyDMARC, PowerDMARC, ZeroBounce, or MXToolbox produce the keys. Use 2048-bit keys. Publish the public key in DNS as a TXT record; keep the private key on your sending server.
DKIM Generator: How to Create a DKIM Key (and Verify It)
What a DKIM Generator Does
A DKIM generator creates two things:
- Private key — kept on your sending server, used to sign outgoing messages
- Public key — published in DNS as a TXT record, used by receivers to verify signatures
Receivers fetch the public key from your DNS and use it to check the signature in the message's DKIM-Signature header. If the signature verifies, DKIM passes, proving the message came from your domain and wasn't tampered with in transit.
When You Need to Use a DKIM Generator
Most senders don't need a standalone DKIM generator — their ESP handles it:
- Google Workspace: Admin Console → Apps → Google Workspace → Gmail → Authenticate Email → Generate New Record
- Microsoft 365: Defender Portal → Email & collaboration → Policies → Email Authentication → DKIM
- SendGrid: Settings → Sender Authentication → Domain Authentication
- Mailgun: Sending → Domain Settings → DKIM
- Postmark: Settings → DKIM
When you do need a standalone DKIM generator:
- Self-hosted mail server (Postfix, Mailcow, Stalwart)
- Custom application sending mail directly
- Adding DKIM signing in front of an ESP that doesn't support it
- Generating a DKIM selector key for testing
Free DKIM Generators
These free DKIM generators all produce valid key pairs:
| Tool | URL | Notes |
|---|---|---|
| EasyDMARC | easydmarc.com/tools/dkim-record-generator | Clean interface, 1024 and 2048-bit options |
| PowerDMARC | powerdmarc.com/dkim-record-generator | Includes selector wizard |
| ZeroBounce | zerobounce.net/dkim-generator | Free DKIM generator, no signup |
| MXToolbox | mxtoolbox.com/dkim.aspx | Generator + verifier in one tool |
| Smartlead | smartlead.ai/free-dkim-generator | Free DKIM tool from a cold email platform |
| Socket Labs Tools | tools.socketlabs.com | Multi-purpose DNS tools |
For port-25 specific use cases, EasyDMARC's DKIM generator port 25 mode produces keys appropriate for direct SMTP sending.
How to Add a DKIM Record (Step by Step)
1. Generate the key pair
Pick a generator (or use your ESP). Generate a 2048-bit RSA key. You'll receive:
- A private key (looks like -----BEGIN RSA PRIVATE KEY-----...)
- A public key in TXT-record format
2. Choose a selector
Use a meaningful name: google for Google Workspace, s1 for service 1, mg for Mailgun, etc. Each sender gets its own selector.
3. Add DKIM record to DNS
Create a TXT record at selector._domainkey.yourdomain.com. Value is the public key string from your generator — usually starts with v=DKIM1; k=rsa; p=....
4. Configure signing
Tell your sending server (or ESP) to sign outgoing messages using the private key. Most ESPs handle this automatically once you publish the DNS record.
5. Verify
Send a test email to [email protected] or use MXToolbox DKIM Lookup. The result should show "pass" with your selector.
Generating DKIM with OpenSSL (Command Line)
For self-hosted setups:
```bash
# Generate 2048-bit private key
openssl genrsa -out dkim_private.key 2048
# Extract public key
openssl rsa -in dkim_private.key -pubout -out dkim_public.key
# Format public key as DNS TXT value (drop the PEM header/footer and line breaks)
grep -v "PUBLIC KEY" dkim_public.key | tr -d '\n'
```
Take the resulting string, prepend v=DKIM1; k=rsa; p=, and publish as TXT at your chosen selector.
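An added example, not from the original page or any tool it names: shell helpers that turn the OpenSSL public key into a TXT value split into 255-character strings (the limit for a single string inside a TXT record) and confirm that a published p= value belongs to the private key the server signs with. The file names, the selector s1 and example.com are assumptions.

```bash
#!/bin/sh
# Added example, not from the original page. File names are assumptions.

# Strip the PEM armor and line breaks, leaving the base64 for the p= tag.
pem_to_p() {
  grep -v -- '-----' "$1" | tr -d ' \r\n'
}

# Build the TXT value. One TXT character-string holds at most 255 bytes, so a
# 2048-bit record is written as several quoted strings; resolvers join them
# with nothing in between.
dkim_txt_value() {  # usage: dkim_txt_value <public.pem>
  printf 'v=DKIM1; k=rsa; p=%s\n' "$(pem_to_p "$1")" |
    fold -w 255 | sed 's/.*/"&"/' | paste -s -d ' ' -
}

# Succeed only when the p= tag in a TXT value is the public half of the given
# private key, i.e. DNS and the signing server agree.
dkim_key_matches() {  # usage: dkim_key_matches <private.key> <txt-value>
  local published derived
  published=$(printf '%s' "$2" | tr -d ' "\t\r\n' | tr ';' '\n' | sed -n 's/^p=//p')
  derived=$(openssl rsa -in "$1" -pubout -outform DER 2>/dev/null | openssl base64 -A)
  [ -n "$derived" ] && [ "$published" = "$derived" ]
}

# Typical use (s1 and example.com are placeholders):
#   dkim_txt_value dkim_public.key
#   dkim_key_matches dkim_private.key "$(dig +short TXT s1._domainkey.example.com)"
```

Run the match check after every key rotation: a non-zero exit means the server is signing with a key that receivers cannot verify against DNS.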
DKIM Key Length: 1024 vs 2048
Use 2048-bit keys. 1024 is technically still supported but considered weak. Some providers (Gmail, Microsoft) now flag 1024-bit DKIM as suboptimal. See DKIM key length.
The only reason to use 1024-bit: your DNS provider limits TXT record length and you can't split a 2048-bit key. Modern DNS providers all support long records.
Common DKIM Generator Mistakes
- Wrong selector format: Selectors are alphanumeric (plus - and _). No special characters.
- Publishing key with line breaks: Some DNS interfaces require you to strip line breaks from the public key.
- Wrong record location: It's selector._domainkey.yourdomain.com, not _dkim or dkim.
- Missing v=DKIM1; k=rsa; prefix: The full TXT value needs the version and key type tags.
- Old key still active: After rotation, leave the old DKIM key published for 7-14 days so in-flight messages still verify.
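The checklist above as a pre-publish lint, an added example that is not from the original page. The function name `lint_dkim_record` is hypothetical, and the key-length check is a heuristic that assumes an RSA key with the usual 65537 exponent.

```bash
#!/bin/sh
# Added example, not from the original page. Checks one DKIM DNS record against
# the mistakes listed above; prints a finding per problem, returns 1 if any.
lint_dkim_record() {  # usage: lint_dkim_record <record-name> <txt-value>
  local name="$1" value="$2" selector p compact rc=0
  # Record location: <selector>._domainkey.<domain>
  case "$name" in
    *._domainkey.*) selector=${name%%._domainkey.*} ;;
    *) echo "location: expected <selector>._domainkey.<domain>"; return 1 ;;
  esac
  # Selector characters as stated in the list above: letters, digits, - and _
  case "$selector" in
    ''|*[!A-Za-z0-9_-]*) echo "selector: invalid characters in '$selector'"; rc=1 ;;
  esac
  # Version and key-type tags
  case "$value" in "v=DKIM1;"*) ;; *) echo "prefix: must start with v=DKIM1;"; rc=1 ;; esac
  case "$value" in *"k=rsa"*) ;; *) echo "prefix: k=rsa tag missing"; rc=1 ;; esac
  # Public key: everything after p= up to the next ';'
  case "$value" in
    *p=*) p=${value#*p=}; p=${p%%;*} ;;
    *) echo "key: p= tag missing"; return 1 ;;
  esac
  compact=$(printf '%s' "$p" | tr -d ' \t\r\n')
  [ "$p" = "$compact" ] || { echo "key: p= contains spaces or line breaks"; rc=1; }
  # Length heuristic (assumption: RSA key, exponent 65537): the base64 public
  # key is 216 characters for 1024-bit and 392 for 2048-bit.
  [ "${#compact}" -ge 392 ] || { echo "key: ${#compact} base64 chars, below 2048-bit"; rc=1; }
  return $rc
}
```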
Practitioner note: I run into the same DKIM generator confusion repeatedly: senders generate a key with one tool, paste it into DNS, and forget to actually configure their sending server to use the matching private key. The DNS record is half the work. The other half is the server signing with the matching private key.
Practitioner note: For cold email infrastructure with multiple sending domains, generate a unique DKIM key per domain — never reuse keys across domains. Each domain needs its own private key. This is sometimes confused with selectors (which let you have multiple keys per domain), but the principle is one-domain-one-private-key.
Practitioner note: When using a free DKIM generator online, the private key is generated client-side in your browser (for reputable tools). If you're paranoid about a tool seeing your private key, use OpenSSL locally instead. The math is the same; the trust model is different.
If you need help configuring DKIM signing across multiple sending sources, generating keys, or rotating compromised keys, book a consultation. I configure DKIM at scale for senders using multiple ESPs and self-hosted infrastructure.
v1.0 · May 2026
Frequently Asked Questions
How to configure DKIM?
Three steps: 1) Generate a DKIM key pair (private + public) using your ESP's admin console or a DKIM generator tool. 2) Publish the public key in DNS as a TXT record at selector._domainkey.yourdomain.com. 3) Configure your sending server to sign messages with the private key. Most ESPs handle steps 1 and 3 automatically — you just publish the DNS record they give you.
What is a DKIM record generator?
A DKIM record generator (or DKIM wizard) is a free online tool that creates the public/private key pair needed for DKIM signing. Examples: EasyDMARC, PowerDMARC, ZeroBounce, MXToolbox, Smartlead, and Socket Labs all offer free DKIM generators. The output is a TXT record you publish in DNS plus a private key your sending server uses to sign messages.
How do I create a DKIM record?
Use your ESP's built-in DKIM setup if you have one — Google Workspace, Microsoft 365, SendGrid, Mailgun, and others auto-generate keys. For self-hosted setups, use a free DKIM generator (EasyDMARC, PowerDMARC) or generate with OpenSSL: openssl genrsa -out private.key 2048; openssl rsa -in private.key -pubout. Publish the public key as TXT at selector._domainkey.yourdomain.com.
What's a free DKIM generator I can use?
Free DKIM generators: EasyDMARC (easydmarc.com/tools/dkim-record-generator), PowerDMARC (powerdmarc.com/dkim-record-generator), ZeroBounce DKIM generator, MXToolbox DKIM tool, Smartlead's free DKIM generator, and Socket Labs Tools. All produce the public TXT record and private key needed for DKIM signing.
What's a DKIM selector and how do I name it?
The DKIM selector is a name (string) used to identify which DKIM key applies to a message. Common selectors: 'default', 'google', 's1', 'k1', or a date like '202605'. The selector appears in both the DNS record (selector._domainkey.yourdomain.com) and the DKIM-Signature header (s=selector). Use distinct selectors per sending service so you can rotate keys independently.