DKIM Record Generator

DKIM (DomainKeys Identified Mail) is an email authentication protocol that adds a digital signature to the headers of outbound email messages. The domain owner publishes a corresponding cryptographic public key as a DNS TXT record under a specific selector. When a receiving mail server gets an email, it retrieves the public key from the sender's DNS zone and uses it to verify the signature. If the signature matches the message contents, it mathematically guarantees that the email was genuinely authorized by the domain owner and was not altered or forged in transit.

A DKIM selector is a string used to identify and locate a specific DKIM public key in your domain's DNS records. It allows domain owners to publish multiple distinct public keys for different sending systems (such as marketing platforms, internal office suites, and transactional email providers) without them overriding one another. Standard selectors are often default words like `default`, `google`, `mail`, or `k1`. The selector is prepended to the DNS host name in the format `[selector]._domainkey.yourdomain.com`.

A 2048-bit RSA key offers significantly greater cryptographic strength than a 1024-bit key, making it exponentially more resistant to brute-force factorization attacks. Leading security guidelines from Google, Yahoo, and security agencies recommend deploying 2048-bit keys for email signing. While some older DNS hosting platforms have historically struggled to support the long text strings required by 2048-bit keys, modern DNS providers support them seamlessly. You should only use 1024-bit keys if your domain registrar enforces strict character limit constraints.

Standard DNS TXT records have a character limit of 255 characters per string. Because a 2048-bit public key string is approximately 390 characters long, it will fail validation if entered as a single block in legacy systems. To bypass this, the DNS standard supports "string concatenation" where the value is broken into multiple double-quoted strings separated by spaces, e.g., `"v=DKIM1; ... p=Part1..." "Part2..."`. Our advanced compiler formats both the standard single-line and concatenated variants to guarantee seamless registration.

Generating keys on traditional web servers presents high security risks, as the private key (which controls email signing authority) is transmitted over the network and could be cached or logged. To solve this, our DKIM Record Generator operates **100% locally client-side** using the browser's secure native Web Cryptography API (`window.crypto.subtle.generateKey`). Your private key is compiled directly in your device's local RAM sandbox and never exits your browser, guaranteeing absolute confidentiality.

Once you generate your keypair, copy the private key block (including the BEGIN and END wrappers) and paste it into your email server's configuration files or hosting administration dashboard. For example, in cPanel under "Email Deliverability", in Postfix using OpenDKIM config sheets, or directly within transactional providers like Mailgun, SendGrid, or Amazon SES. The private key must remain highly secured, as anyone with access to it can sign emails claiming to originate from your domain.

A standard DKIM record value is a semicolon-separated string containing specific tag-value pairs. The primary tags are: `v=DKIM1` (Version, indicating the DKIM specification version; must be defined first), `k=rsa` (Key Type, declaring the cryptographic algorithm used; defaults to RSA), and `p=[base64_string]` (Public Key, holding the base64url-encoded public key). Other optional tags include `g` (granularity), `s` (service types), and `t` (flags). The public key `p` tag is required, and leaving it empty effectively revokes the key.