How do I use the DKIM Record Generator tool?

Last updated May 19, 2026

The DKIM Record Generator at Valid Email Checker creates a fresh RSA key pair entirely in your browser using the Web Crypto API and outputs both the public DNS TXT record and the PEM-formatted private key, ready to paste into your ESP. Use it when your ESP does not generate DKIM keys for you (some self-hosted setups, some smaller providers), or when you want to rotate a key manually.

Step by step

  1. Open /dkim-record-generator.
  2. Enter your apex domain (e.g. example.com).
  3. Choose a selector. Any string of letters, digits, hyphens, or underscores works. Picking something memorable like mail2026 helps when you rotate keys later.
  4. Pick a key length — 2048-bit (recommended, broadly compatible) or 4096-bit (more secure but can hit DNS TXT record size limits).
  5. Click Generate Keys. The Web Crypto API runs in your browser; nothing touches our servers.
  6. Copy the DNS Name (e.g. mail2026._domainkey.example.com) and the DNS Value (v=DKIM1; k=rsa; p=...). Paste into your DNS provider as a TXT record.
  7. Copy the Private Key PEM and paste it into your ESP's custom DKIM key field. Save it somewhere safe — we cannot retrieve it later.

Browser-side key generation

Both keys are generated by window.crypto.subtle.generateKey inside your browser. The private key never leaves your machine — Valid Email Checker does not see it, store it, or log it. If you refresh the page after generating, the key pair is gone. Save the private key somewhere durable (a password manager or your ESP config) before navigating away.
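
The generation step described above, written out as an added example (this is not the tool's own source code). The function names `generateDkim` and `splitTxt` are hypothetical, and the private key is exported as PKCS#8 PEM, which is an assumption about the format; the example also shows how the TXT value must be split into strings of at most 255 bytes, which is where longer keys run into the size limits mentioned in step 4.

```javascript
// Added example, not the tool's source. Runs in a browser console or in Node.
// Older Node versions expose Web Crypto only through the crypto module.
const subtle = (globalThis.crypto ?? require("node:crypto").webcrypto).subtle;

// ArrayBuffer -> base64 using only APIs present in browsers and Node.
function toBase64(buf) {
  return btoa(String.fromCharCode(...new Uint8Array(buf)));
}

// A TXT record is a sequence of character-strings of at most 255 bytes each
// (RFC 1035), so a long p= value is published as several quoted strings.
function splitTxt(value, max = 255) {
  return value.match(new RegExp(`.{1,${max}}`, "g"));
}

async function generateDkim(domain, selector, bits = 2048) {
  // Selector rule as stated in step 3: letters, digits, hyphens, underscores.
  if (!/^[A-Za-z0-9_-]+$/.test(selector)) throw new Error("invalid selector");
  const pair = await subtle.generateKey(
    { name: "RSASSA-PKCS1-v1_5", modulusLength: bits,
      publicExponent: new Uint8Array([1, 0, 1]), hash: "SHA-256" },
    true, // extractable, so both halves can be exported below
    ["sign", "verify"]);
  // p= is the base64 DER SubjectPublicKeyInfo, the form DKIM records carry.
  const p = toBase64(await subtle.exportKey("spki", pair.publicKey));
  const pkcs8 = toBase64(await subtle.exportKey("pkcs8", pair.privateKey));
  const value = `v=DKIM1; k=rsa; p=${p}`;
  return {
    dnsName: `${selector}._domainkey.${domain}`,
    dnsValue: value,
    dnsStrings: splitTxt(value), // what actually goes into the zone
    privateKeyPem: "-----BEGIN PRIVATE KEY-----\n" +
      pkcs8.match(/.{1,64}/g).join("\n") + "\n-----END PRIVATE KEY-----\n",
  };
}

// Print only the public half; the private key stays in the returned object.
generateDkim("example.com", "mail2026").then((r) => {
  console.log(r.dnsName);
  console.log(r.dnsStrings.map((s) => `"${s}"`).join(" "));
});
```

Many DNS providers split long TXT values for you when you paste the single `dnsValue` string; the quoted `dnsStrings` form is what a hand-edited zone file needs.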

After publishing

DNS propagation takes 15 minutes to a few hours. Once the record is live, plug your domain and selector into the DKIM Record Checker to confirm the record resolves and the parsed tags match what you generated. Also send a test email through your ESP and check the DKIM-Signature header on the delivered message: the s= value should match your selector, and the email should pass DKIM verification in the receiving server's Authentication-Results header.

Most ESPs generate DKIM for you

If you are using Google Workspace, Microsoft 365, Mailchimp, SendGrid, or any other major ESP, do not use this generator. Those providers generate their own DKIM key pair and only show you the public TXT record to publish; the private key stays on their side. Generating your own DKIM key only makes sense if your ESP explicitly asks for one (a few self-hosted Postfix/Exim setups do this).

For the matching SPF and DMARC records, the SPF Record Generator and DMARC Record Generator take you through the same flow for the rest of the authentication trio.