Free DKIM Record Generator
Configure your selector, paste your public key, and generate a properly formatted DKIM TXT record ready to add to your domain's DNS.
Configure Your DKIM Record
Enter a selector name. Your email provider will tell you which selector to use.
Adds an informational note to the record (n= field). Not used for validation.
Generated DKIM Record
How to Add This Record to Your DNS
- 1Log in to your domain registrar or DNS provider (e.g., Cloudflare, Namecheap, GoDaddy, Route 53).
- 2Navigate to DNS management for your domain.
- 3Add a new TXT record with the name
selector._domainkey.yourdomain.com. - 4Paste the generated TXT record value above into the value field.
- 5Save and wait for DNS propagation (usually 5 minutes to 48 hours).
What is a DKIM Record?
DKIM (DomainKeys Identified Mail) is an email authentication protocol that uses public-key cryptography to verify that an email was sent by an authorized server and has not been modified in transit. It works by adding a digital signature to the email header, which the receiving mail server validates against a public key published in DNS.
The DKIM record itself is a DNS TXT record that contains the public key. When a receiving server gets an email with a DKIM signature, it queries DNS for the public key using the selector and domain from the signature header, then uses that key to verify the signature. A valid signature confirms both authenticity and integrity.
Since February 2024, Google and Yahoo require DKIM authentication for all bulk senders. Without a valid DKIM record, your emails are more likely to be flagged as spam or rejected outright. DKIM also contributes to DMARC alignment, which is required for full email authentication compliance.
DKIM Record Fields Explained
v=DKIM1Version
Identifies the record as a DKIM key record. This tag is required and must be the first tag in the record. The only valid value is DKIM1.
k=rsaKey Type
Specifies the cryptographic algorithm used. rsa is the standard and universally supported. ed25519 is newer and produces shorter keys but has limited receiver support.
p=...Public Key
The base64-encoded public key data. This is the key that receiving servers use to verify DKIM signatures. An empty p= value means the key has been revoked.
t=y / t=sFlags
t=y indicates testing mode — failures should not cause rejection. t=s enforces strict alignment, requiring the signing domain to exactly match the From header domain (no subdomains).
How to Get Your DKIM Public Key
Your DKIM public key is generated by your email service provider. You do not create this key yourself — you copy it from your provider's admin panel and publish it in your DNS. Here is where to find it in common providers:
Provider-Specific Setup
Google Workspace
- Go to Admin Console → Apps → Google Workspace → Gmail
- Click "Authenticate email"
- Select your domain and click "Generate new record"
- Copy the TXT record value (selector is usually
google)
Microsoft 365
- Go to Microsoft Defender portal → Email authentication
- Select DKIM and choose your domain
- Click "Create DKIM keys"
- Publish both CNAME records (selectors
selector1andselector2)
Smartlead
- Go to Settings → Email Accounts
- Select your email account and click "DNS Settings"
- Copy the DKIM TXT record provided
- Add it to your domain DNS with the specified selector
SendGrid
- Go to Settings → Sender Authentication
- Click "Authenticate Your Domain"
- Follow the wizard to generate DNS records
- SendGrid uses CNAME records (selectors
s1ands2)
Frequently Asked Questions
What is a DKIM record?▼
What is a DKIM selector?▼
Where do I find my DKIM public key?▼
Should I enable DKIM testing mode?▼
What is the difference between RSA and Ed25519 DKIM keys?▼
Related Tools
Related Reading
Monitor DKIM Across All Your Domains
This free tool generates DKIM records on demand. Superkabe monitors DKIM, SPF, and DMARC across all your sending domains automatically — every 24 hours — and alerts you before misconfigurations cause deliverability failures.
Start free trial