
DKIM Record Generator

Build a valid DKIM DNS record for your domain. Enter your selector and public key, choose your key type, and copy the TXT record to publish in your DNS.

The prefix for your DKIM DNS record. Common values: default, google, selector1, s1

Paste the public key from your email provider or key pair. PEM headers are removed automatically.

default._domainkey.yourdomain.com
v=DKIM1; p=YOUR_PUBLIC_KEY_HERE

Common selectors by provider

  • Google Workspace: google
  • Microsoft 365: selector1, selector2
  • Amazon SES: varies (check SES console)
  • Mailchimp: k1
  • SendGrid: s1, s2

Verify your DKIM is working

After publishing this record, use our DMARC Checker to verify DKIM alignment. The ShieldMarc dashboard shows DKIM pass rates across all your sending sources in real time.


What is DKIM?

DKIM (DomainKeys Identified Mail) is an email authentication method that uses cryptographic signatures to verify that an email was sent by an authorised server and has not been tampered with in transit. The sending server signs each email with a private key, and the receiving server verifies the signature using the public key published in DNS.

How DKIM Records Work

A DKIM record is a TXT record published at selector._domainkey.yourdomain.com. The selector allows you to have multiple DKIM keys for different sending services. When a receiving server gets an email with a DKIM signature, it looks up the selector from the signature header and retrieves the public key from DNS to verify the signature.

RSA vs Ed25519

  • RSA (2048-bit): The most widely supported key type. 2048-bit is the minimum recommended size — 1024-bit is deprecated and insecure. RSA public keys are long and may need to be split across multiple quoted strings in the TXT record.
  • Ed25519: A newer, more compact key type with equivalent security at a fraction of the key length. Not yet supported by all receiving servers. If you use Ed25519, consider also publishing an RSA key with a different selector as a fallback.

Where to Get Your Public Key

Your email provider generates the DKIM key pair. The provider keeps the private key on its sending servers, and you publish the public key in DNS using this tool.

  • Google Workspace: Admin Console → Apps → Google Workspace → Gmail → Authenticate email. Google generates the key pair and gives you the TXT record value.
  • Microsoft 365: Microsoft uses CNAME records (not TXT) for DKIM. Go to Security → Email & Collaboration → Policies → Email authentication settings. Microsoft publishes the public key on their servers — you only add CNAME records pointing there.
  • Other providers: Most email platforms (Mailchimp, SendGrid, HubSpot, Mailgun) generate a key pair and provide the TXT record value in their DKIM setup wizard. Copy the public key value and paste it into this tool, or add their provided record directly to your DNS.

Frequently Asked Questions

What selector name should I use?

The selector can be any alphanumeric string. Most providers have a default (Google uses google, Mailchimp uses k1, SendGrid uses s1 and s2). If you are setting up DKIM manually, use something descriptive like mail or default. You can have multiple selectors — use a new one each time you rotate keys.

Can I have multiple DKIM records?

Yes — unlike SPF, you can publish as many DKIM records as you need, each with a different selector. This is how you configure DKIM for multiple sending providers simultaneously. Each provider's emails will be signed with their own private key and verified against their corresponding selector record.

My DKIM record is too long — what do I do?

Each quoted string in a DNS TXT record is limited to 255 characters, but most DNS providers handle multi-string records automatically. If your DNS provider requires you to split the record manually, break the value into multiple quoted strings separated by a space — DNS resolvers will concatenate them. Switching to Ed25519 also produces much shorter keys.
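The record-building steps described on this page (strip the PEM headers, form the selector._domainkey name, split a long value into quoted strings), as an added Python example that is not this tool's own code. The function names, the filler sample key and the zone-file rendering are assumptions made for illustration; the Ed25519 length check follows RFC 8463.

```python
import base64
import re

MAX_TXT_STRING = 255  # length limit of one quoted string inside a TXT record


def clean_public_key(pem_or_b64: str) -> str:
    """Drop PEM header/footer lines and whitespace; return bare base64."""
    body = re.sub(r"-----(BEGIN|END)[A-Z ]+-----", "", pem_or_b64)
    b64 = re.sub(r"\s+", "", body)
    base64.b64decode(b64, validate=True)  # raises if the paste is not base64
    return b64


def build_dkim_record(selector, domain, key, key_type="rsa"):
    """Return (record name, full TXT value, value split into <=255-char strings)."""
    if not re.fullmatch(r"[A-Za-z0-9]+", selector):  # the page's selector rule
        raise ValueError("selector must be an alphanumeric string")
    if key_type not in ("rsa", "ed25519"):
        raise ValueError("key type must be rsa or ed25519")
    b64 = clean_public_key(key)
    # RFC 8463: an Ed25519 DKIM record carries the raw 32-byte public key,
    # not the longer PEM/SubjectPublicKeyInfo encoding.
    if key_type == "ed25519" and len(base64.b64decode(b64)) != 32:
        raise ValueError("Ed25519 p= value must decode to 32 bytes")
    name = f"{selector}._domainkey.{domain}"
    value = f"v=DKIM1; k={key_type}; p={b64}"
    chunks = [value[i:i + MAX_TXT_STRING]
              for i in range(0, len(value), MAX_TXT_STRING)]
    return name, value, chunks


def zone_file_line(name, chunks):
    """Render the record with each chunk as its own quoted string."""
    return f"{name}. IN TXT ( " + " ".join(f'"{c}"' for c in chunks) + " )"


# Constructed sample: 294 filler bytes (the size of a typical RSA-2048 public
# key encoding), PEM-wrapped. It is NOT a real key and will not verify mail.
_b64 = base64.b64encode(bytes(range(256)) + bytes(38)).decode()
SAMPLE_PEM = ("-----BEGIN PUBLIC KEY-----\n"
              + "\n".join(_b64[i:i + 64] for i in range(0, len(_b64), 64))
              + "\n-----END PUBLIC KEY-----\n")

if __name__ == "__main__":
    rec_name, rec_value, rec_chunks = build_dkim_record(
        "default", "yourdomain.com", SAMPLE_PEM)
    print(zone_file_line(rec_name, rec_chunks))
```

With the filler key the value is 410 characters long, so it is emitted as two quoted strings that a resolver joins back into one.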

How do I verify DKIM is working?

After publishing, use our DMARC & SPF Checker to verify DKIM signing is detected on your domain. You can also send a test email to a Gmail address and check the headers — look for dkim=pass in the Authentication-Results header. Our Email Header Analyser will display this clearly.

How often should I rotate DKIM keys?

Best practice is to rotate DKIM keys annually or after any suspected key compromise. To rotate: generate a new key pair, publish the new public key under a new selector, update your sending provider to use the new private key, then remove the old selector record after a few days to allow in-flight messages to be verified.