Available at https://www.suped.com/tools/dkim-record-generator.
Use the DKIM record generator when you need a new DKIM key pair for a sender, selector rotation, or secret key replacement. The tool creates a public DNS TXT value and matching secret key immediately on page load.
If you use a managed email provider, open the provider guides dialog from the full set-up instructions instead of generating your own key pair.

Generated values
DNS TXT value
Publish the generated public value as a TXT record at your selector host, such as default._domainkey.example.com. This is the value receivers use to verify DKIM signatures.
Secret key
The secret key is secret. Do not publish it in DNS. Install it only in the mail service or server that signs outgoing mail for that selector.
Advanced options
- Algorithm defaults to
rsafor broad provider and receiver compatibility. Useed25519only when your mail provider explicitly supports it. - RSA key size defaults to 2048 bits. Use 4096 bits only if your DNS provider and sending service support long DKIM TXT records. Avoid 1024 bit keys except for legacy compatibility.
Publish and verify
Choose a selector name, publish the DNS TXT value at selector._domainkey.yourdomain.com, and install the secret key in the sender that will sign outbound mail.
After DNS updates propagate, verify the live selector with the DKIM checker to confirm the record resolves and has valid syntax.
To rotate keys, publish a new selector first, update your sender to sign with the new secret key, then remove the old selector after old signed messages have aged out.