DKIM Key Generator

Generate RSA 2048/4096 or Ed25519 DKIM key pairs directly in your browser using the Web Crypto API. Keys are generated locally — nothing is sent to our servers.

Which algorithm?

Algorithm   Size       Compatibility   Use
RSA 2048    2048 bit   Universal       Best choice
RSA 4096    4096 bit   Universal       High-security
Ed25519     256 bit    Modern MTAs     Future-proof

DKIM Key Generator: Create Signing Keys in Your Browser

Generating DKIM keys traditionally required command-line tools like OpenSSL or ssh-keygen — tools that many email administrators aren't comfortable with. This browser-based generator uses the Web Crypto API to create RSA and Ed25519 key pairs entirely client-side, with no key material ever transmitted to any server.

How DKIM Key Generation Works

DKIM uses asymmetric cryptography. The tool generates a key pair: a private key that stays on your mail server and signs each outgoing message, and a public key that's published in DNS and used by receiving servers to verify signatures. The private key must remain secret — anyone with access to it can forge DKIM signatures for your domain. The public key is intentionally public; anyone can read it to verify signatures.

RSA Key Size: 2048 vs 4096 Bits

RSA 2048-bit is the current NIST recommendation and is considered secure for 10+ years. RSA 4096-bit doubles the key size, creating a longer public key that may approach DNS TXT record size limits. Some DNS providers truncate TXT records over 255 characters per string, which can break DKIM verification for 4096-bit keys. For new deployments, RSA 2048 is the practical choice. Use RSA 4096 only if your DNS provider explicitly supports long TXT records and your mail server software is tested with it.
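The key-pair generation and the 255-character TXT string limit described above can be sketched with the Web Crypto API as follows. This is an added example, not this tool's own code; the function names are illustrative, and Ed25519 assumes a runtime whose Web Crypto implementation supports it.

```javascript
// Added example: all function names here are illustrative, not the tool's API.
const toB64 = (buf) => btoa(String.fromCharCode(...new Uint8Array(buf)));

// "v=DKIM1; k=<type>; p=<base64 public key>" is the value published in DNS.
function buildTxtValue(keyType, publicKeyB64) {
  return `v=DKIM1; k=${keyType}; p=${publicKeyB64}`;
}

// One TXT character-string holds at most 255 bytes, so a long value is
// published as several strings that the verifier concatenates again.
function splitTxt(value, max = 255) {
  const parts = [];
  for (let i = 0; i < value.length; i += max) parts.push(value.slice(i, i + max));
  return parts;
}

// Zone-file form: ( "chunk1" "chunk2" ... ). Base64 never needs escaping.
function toZoneRdata(value) {
  return '( ' + splitTxt(value).map((s) => `"${s}"`).join(' ') + ' )';
}

// Join the strings a resolver returned and confirm nothing was truncated.
function publishedMatches(expectedValue, dnsStrings) {
  return dnsStrings.join('') === expectedValue;
}

async function generateDkimKey(alg = 'rsa', bits = 2048) {
  // Browsers expose crypto.subtle; the import is a fallback for older Node.
  const subtle = globalThis.crypto?.subtle
    ?? (await import('node:crypto')).webcrypto.subtle;
  const params = alg === 'ed25519'
    ? { name: 'Ed25519' }
    : { name: 'RSASSA-PKCS1-v1_5', modulusLength: bits,
        publicExponent: new Uint8Array([1, 0, 1]), hash: 'SHA-256' };
  const pair = await subtle.generateKey(params, true, ['sign', 'verify']);
  // RSA is published as SPKI DER; Ed25519 as the raw 32-byte key (RFC 8463).
  const fmt = alg === 'ed25519' ? 'raw' : 'spki';
  const pub = await subtle.exportKey(fmt, pair.publicKey);
  const pkcs8 = toB64(await subtle.exportKey('pkcs8', pair.privateKey));
  // The private key stays local: PKCS#8 PEM for the mail server's signer.
  const privatePem = ['-----BEGIN PRIVATE KEY-----',
    ...pkcs8.match(/.{1,64}/g), '-----END PRIVATE KEY-----'].join('\n');
  return { privatePem, txtValue: buildTxtValue(alg, toB64(pub)) };
}
```

An RSA 2048 record comes out at 410 characters, so it already needs two strings; comparing the strings returned by DNS with `publishedMatches` catches a provider that kept only the first 255.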

After Generating: The Complete Setup Checklist

  1. Copy the DNS TXT record value and add it to your DNS at yourselector._domainkey.yourdomain.com
  2. Configure your mail server to sign outgoing messages with the private key using your chosen selector
  3. Send a test email and wait 5–10 minutes for DNS to propagate
  4. Verify the record with the DKIM Checker
  5. Send a test email to Gmail and check the Authentication-Results: header for dkim=pass