Suped

DKIM record generator

Generate a DKIM DNS record and matching secret key with safe defaults.

Available at https://www.suped.com/tools/dkim-record-generator.

Use the DKIM record generator when you need a new DKIM key pair for a sender, selector rotation, or secret key replacement. The tool creates a public DNS TXT value and matching secret key immediately on page load.

If you use a managed email provider, open the provider guides dialog from the full set-up instructions instead of generating your own key pair.

DKIM record generator showing generated DNS TXT value, secret key, advanced options, and regenerate button

Generated values

DNS TXT value

Publish the generated public value as a TXT record at your selector host, such as default._domainkey.example.com. This is the value receivers use to verify DKIM signatures.

Secret key

The secret key is secret. Do not publish it in DNS. Install it only in the mail service or server that signs outgoing mail for that selector.

Advanced options

  • Algorithm defaults to rsa for broad provider and receiver compatibility. Use ed25519 only when your mail provider explicitly supports it.
  • RSA key size defaults to 2048 bits. Use 4096 bits only if your DNS provider and sending service support long DKIM TXT records. Avoid 1024 bit keys except for legacy compatibility.

Publish and verify

Choose a selector name, publish the DNS TXT value at selector._domainkey.yourdomain.com, and install the secret key in the sender that will sign outbound mail.

After DNS updates propagate, verify the live selector with the DKIM checker to confirm the record resolves and has valid syntax.

To rotate keys, publish a new selector first, update your sender to sign with the new secret key, then remove the old selector after old signed messages have aged out.