Suped

Summary

Generating an a=rsa-sha256 key for DKIM involves using OpenSSL. The process typically starts with the command `openssl genrsa -out <your_domain>.private <key_length>`, where `<key_length>` is either 1024 or, more commonly, 2048 for better security. This generates a private key that must be securely stored. To extract the corresponding public key, the command `openssl rsa -in <your_domain>.private -pubout -out <your_domain>.public` is used. This public key is then added to your DNS records. Key length impacts security, with longer keys providing greater security. Be cautious when using online DKIM generators; it is safer to use OpenSSL locally. Many ESPs recommend dkimcore.org for additional information. RFC 6376 specifies the use of RSA for DKIM.

Key findings

  • OpenSSL: OpenSSL is the most recommended tool for generating DKIM keys.
  • Key Length: A 2048-bit key length is generally preferred for enhanced security.
  • Private Key Security: Securely store the generated private key to maintain DKIM integrity.
  • Public Key in DNS: The extracted public key must be correctly placed in the DNS records.

Key considerations

  • Online Generators: Exercise caution when using online DKIM generators due to security risks.
  • Command Syntax: Ensure accurate syntax when using OpenSSL commands to avoid errors.
  • Resource: Refer to dkimcore.org and RFC 6376 for detailed DKIM specifications and guidance.
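
The generate, extract and publish steps summarized above, as an added shell example (not code from the sources quoted on this page). It assumes OpenSSL is installed; the selector `s2048` and the function names are hypothetical, and the `v=DKIM1; k=rsa; p=...` value published under `<selector>._domainkey.<domain>` follows RFC 6376.

```shell
#!/bin/sh
# Added example: create a DKIM RSA key pair and build the DNS TXT value.
# The domain argument and the selector "s2048" are placeholders (assumptions).
set -eu

# Generate the private key (owner-readable only) and extract the public key.
dkim_generate() {   # usage: dkim_generate <domain> [bits] [outdir]
  priv="${3:-.}/$1.private"
  pub="${3:-.}/$1.public"
  ( umask 077; openssl genrsa -out "$priv" "${2:-2048}" 2>/dev/null )
  chmod 600 "$priv"   # tighten even if the file already existed
  openssl rsa -in "$priv" -pubout -out "$pub" 2>/dev/null
}

# Build the TXT value: drop the PEM BEGIN/END lines and join the base64 body.
dkim_txt_value() {  # usage: dkim_txt_value <public.pem>
  printf 'v=DKIM1; k=rsa; p=%s' "$(grep -v '^-----' "$1" | tr -d '\r\n')"
}

# One TXT character-string holds at most 255 bytes, so emit quoted chunks.
dkim_txt_chunks() { # usage: dkim_txt_chunks <value>
  printf '%s\n' "$1" | fold -w 255 | sed 's/.*/"&"/'
}

# Confirm the public key file really belongs to the private key the signer uses.
dkim_keys_match() { # usage: dkim_keys_match <private.pem> <public.pem>
  [ "$(openssl rsa -in "$1" -pubout 2>/dev/null)" = "$(cat "$2")" ]
}

# Demo: runs only when a domain is passed as the first argument.
if [ "$#" -ge 1 ]; then
  dkim_generate "$1" 2048 .
  dkim_keys_match "$1.private" "$1.public" || { echo "key mismatch" >&2; exit 1; }
  echo "s2048._domainkey.$1. IN TXT ("
  dkim_txt_chunks "$(dkim_txt_value "$1.public")" | sed 's/^/  /'
  echo ")"
fi
```

Pass the signing domain as the first argument. A 2048-bit key produces a value longer than 255 bytes, which is why the record is printed as two quoted strings.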

What email marketers say

8 marketer opinions

Generating an a=rsa-sha256 key for DKIM primarily involves using OpenSSL. The common command is `openssl genrsa -out <your_domain>.private <key_length>`, where `<key_length>` is either 1024 or 2048 (2048 is recommended for better security). This generates a private key, which must be securely stored. A corresponding public key is then extracted for placement in your DNS records. Caution is advised when using online DKIM generators; creating keys locally using OpenSSL is generally recommended.

Key opinions

  • OpenSSL: OpenSSL is the recommended tool for generating DKIM keys.
  • Key Length: A key length of 2048 bits is generally recommended for better security.
  • Private Key Security: The private key must be stored securely.
  • Public Key Placement: The public key must be added to your DNS records.

Key considerations

  • Tool Choice: Avoid untrusted online generators; use OpenSSL locally.
  • Command Syntax: Pay careful attention to the OpenSSL command syntax.
  • Key Management: Implement proper key management practices.

Marketer view

Marketer from Email Geeks shares that for key length, the maximum length equals maximum security.

18 Jan 2024 - Email Geeks

Marketer view

Marketer from Email Geeks suggests being cautious when using websites to generate DKIM keys, and advises using OpenSSL to create a script for generating your own keys.

8 Jun 2022 - Email Geeks

What the experts say

2 expert opinions

Generating an a=rsa-sha256 key for DKIM primarily involves using OpenSSL to create the key. Many Email Service Providers (ESPs) direct customers to dkimcore.org for further information. The process includes using a command such as `openssl genrsa -out example.com.private 2048` to generate the private key, which should be kept secret. After generating the private key, you extract the public key, which is then used in your DNS record.

Key opinions

  • OpenSSL: OpenSSL is the tool to generate a private key for DKIM.
  • Key Length: A key length of 2048 bits or more is typically recommended when generating the key.
  • Key Pair: You need a private and public key pair. The private key is kept secret, the public key is in your DNS.

Key considerations

  • Resource: DKIMCore.org is a recommended resource for further DKIM information.
  • Private Key Security: The private key needs to be securely stored and not exposed.

Expert view

Expert from Spam Resource (John Levine) explains that generating an RSA key for DKIM typically involves using OpenSSL with a command like `openssl genrsa -out example.com.private 2048`. This creates a private key, and you then extract the public key for your DNS record.

6 May 2022 - Spam Resource

Expert view

Expert from Email Geeks mentions that many ESPs direct customers to dkimcore.org for DKIM information and shares a link to the specification page.

17 Jun 2024 - Email Geeks

What the documentation says

4 technical articles

Generating an a=rsa-sha256 key for DKIM involves using OpenSSL. The primary command is `openssl genrsa -out <your_domain>.private <key_length>`, where `<key_length>` is typically 1024 or 2048. This creates a private key. The corresponding public key is extracted using `openssl rsa -in <your_domain>.private -pubout -out <your_domain>.public`. The public key is then added to your DNS records. RFC 6376 specifies the use of RSA for DKIM but leaves the specific implementation details to standard practices and tools like OpenSSL.

Key findings

  • OpenSSL: OpenSSL is the standard tool for generating DKIM keys.
  • Private Key Generation: The command `openssl genrsa` generates the private key.
  • Public Key Extraction: The command `openssl rsa` extracts the public key from the private key.
  • RFC 6376: RFC 6376 defines the use of RSA for DKIM but defers to standard practices for key generation.

Key considerations

  • Key Length: Adjust the key length (1024 or 2048) as needed for security requirements.
  • DNS Record: Ensure the extracted public key is correctly added to your DNS records.
  • Security: Keep the private key secure.

Technical article

Documentation from dkimcore.org explains that DKIM keys can be generated using OpenSSL with commands like `openssl genrsa -out example.com.private 1024` to generate a private key and `openssl rsa -in example.com.private -pubout -out example.com.public` to extract the public key.

24 Mar 2023 - dkimcore.org

Technical article

Documentation from OpenSSL Wiki details that to generate an RSA key for DKIM using OpenSSL, you use `openssl genrsa -out dkim.private 2048` (adjust 2048 for key length).

14 Nov 2024 - OpenSSL Wiki
