DKIM Record Generator
Format your DKIM public key as a correctly structured DNS TXT record. Enter your selector, domain, and the public key provided by your email platform.
Where does the public key come from? Your email provider generates the DKIM key pair and gives you the public key to publish in DNS. In Google Workspace, go to Admin Console → Apps → Google Workspace → Gmail → Authenticate email. In Microsoft 365, go to Security → Email & collaboration → Policies → DKIM.
Paste the public key value here to generate the correctly formatted DNS record.
The selector is a prefix for the DNS record name. It is chosen by you or provided by your email platform.
Your root domain (e.g. yourdomain.com).
Paste the public key value from your email provider. PEM headers (-----BEGIN PUBLIC KEY-----) are stripped automatically.
[selector]._domainkey.[yourdomain.com]v=DKIM1; k=rsa; p=[your-public-key]DNS Instructions
- • Record type: TXT
- • Host / Name:
[selector]._domainkey - • TTL: 3600 (1 hour)
- • The DNS value must be a single continuous string — no line breaks in the key.
Frequently Asked Questions
What is a DKIM record and what does it do?
A DKIM (DomainKeys Identified Mail) record is a DNS TXT record that stores the public key used to verify email signatures. When your email server sends a message, it adds a cryptographic signature using the private key. Receiving servers look up your DKIM record to get the matching public key and verify the signature — confirming the email was not altered in transit and genuinely came from your domain.
Where do I get my DKIM public key?
Your email provider generates the DKIM key pair and gives you the public key to publish. In Google Workspace, go to Admin Console → Apps → Google Workspace → Gmail → Authenticate email, then generate a new key. In Microsoft 365, go to Security → Email & collaboration → Policies & rules → Threat policies → DKIM. For other providers, check their DKIM setup documentation — they will provide the exact DNS record to add.
What is a DKIM selector?
A DKIM selector is a prefix added to the DKIM record name in DNS. It allows a domain to have multiple DKIM keys (for different sending services or key rotation). The selector is included in the email signature header so receiving servers know which DNS record to look up. Common selectors include google, mail, selector1, selector2, and dkim. The full DNS record name is [selector]._domainkey.[yourdomain.com].
Should I use RSA or Ed25519 for DKIM?
RSA is the most widely supported DKIM key type and should be used in most cases. Use RSA-2048 for the best balance of security and compatibility. Ed25519 is smaller and more efficient but not yet supported by all email platforms. Unless your provider specifically generates Ed25519 keys, use RSA.
How do I know if my DKIM record is working?
After publishing the DKIM record in DNS, allow up to 48 hours for propagation, then use a DKIM validator to check it. Send a test email to a Gmail or Outlook account and view the email headers — look for Authentication-Results showing dkim=pass. You can also run a Full Audit to check all authentication records at once.