What is the recommended DKIM key length?

Most industry experts recommend using a 2048-bit DKIM key length for optimal security. While 1024-bit keys are still functional, 2048-bit keys provide a stronger cryptographic defense against potential attacks and are widely accepted by major mailbox providers. Always check if your ESP supports 2048-bit keys.

How do I add the public key to my DNS?

The public key needs to be added as a TXT record in your domain's DNS settings. You'll typically log into your domain registrar or DNS hosting provider's control panel, navigate to the DNS management section, and create a new TXT record. The record will contain the public key data and a specific DKIM selector name (e.g., s1._domainkey ) as the hostname or name of the record. Check your ESP's documentation for specific instructions as they often provide the exact TXT record string.

What happens if my DKIM private key is compromised?

If your DKIM private key is compromised, an attacker could forge emails appearing to originate from your domain, potentially leading to phishing attacks or spam campaigns that damage your sender reputation. It's critical to revoke the compromised key immediately by generating a new key pair and updating your DNS records with the new public key. Regular key rotation helps mitigate the impact of such compromises.

How often should I rotate my DKIM keys?

DKIM key rotation is recommended periodically, typically every 6 to 12 months, or immediately if you suspect a compromise. Rotating keys enhances security by limiting the lifespan of a single key, making it harder for attackers to exploit it. Many ESPs automate this process. If managing manually, plan your rotation schedule carefully to ensure a smooth transition without interrupting email flow.

What tools and methods are available to generate DKIM public and private keys? - Tools - Email deliverability - Knowledge base

Establishing a strong email sending reputation is crucial for deliverability, and DomainKeys Identified Mail (DKIM) is a cornerstone of this effort. DKIM works by signing your outgoing emails with a digital signature, allowing receiving mail servers to verify that the email truly originated from your domain and hasn't been tampered with in transit. This authentication relies on a cryptographic key pair, consisting of a private key and a public key.

The private key is used by your sending server to sign the emails, while the public key is published in your domain's DNS records, allowing recipients to look it up and verify the signature. Generating these keys is the first step in implementing DKIM, and thankfully, there are several reliable tools and methods available to help you create them efficiently.

Suped DMARC monitoring

Free forever, no credit card required

Learn more

Trusted by teams securing millions of inboxes

The role of DKIM public and private keys

Understanding the core components of DKIM keys is fundamental before you start generating them. The security of your email authentication hinges on the strength and proper management of this pair.

The private key

This is the secret half of the key pair. It resides on your mail server or with your Email Service Provider (ESP) and is used to generate the unique cryptographic signature for every outgoing email from your domain. It is crucial to keep this key secure and confidential, as its compromise could allow unauthorized parties to send emails spoofing your domain. The security of your private key directly impacts your domain's sending reputation.

The public key

The public key is the counterpart to the private key and is published in your domain's DNS as a TXT record. When a receiving mail server gets an email purporting to be from your domain, it queries your DNS for this public key. It then uses this public key to decrypt the email's DKIM signature. If the decryption is successful, it confirms that the email has not been altered and was indeed sent by an authorized server using your private key. This verification process plays a significant role in preventing email spoofing and phishing attacks.

The length of your DKIM key is also an important factor. While 1024-bit keys are still supported, the industry standard and recommended length for enhanced security is 2048-bit DKIM keys. Some providers are even starting to consider 4096-bit keys for the future, but they are not widely adopted yet. It's also vital to understand why you should defend your DKIM key size and how Email Service Providers (ESPs) handle them. Remember, a stronger key offers better protection against cryptographic attacks.

Online DKIM key generator tools

For many, online DKIM key generator tools are the simplest and quickest way to create the necessary public and private key pair. These web-based utilities automate the cryptographic process, allowing you to generate keys with just a few clicks.

How they work

Typically, you'll input your domain name and a desired DKIM selector (a unique identifier for your key), select a key length (e.g., 2048-bit), and the tool will instantly provide both the private key and the public key formatted for DNS. Some popular examples include the AutoSPF DKIM Record Generator and other similar utilities that can be found with a quick search. While convenient, it's important to use tools from reputable sources to ensure the cryptographic integrity of the keys generated. Some tools, like SocketLabs' DKIM wizard, even leverage OpenSSL behind the scenes, offering a user-friendly interface to a powerful command-line tool.

These tools are ideal for users who prefer a graphical interface or don't have direct access to a server for command-line operations. They simplify the process of key generation significantly.

Key generation via online tools

Ease of Use: Requires minimal technical knowledge, just input domain details.
Speed: Keys are generated instantly, ready for DNS configuration.
Accessibility: Available from any device with internet access.

Command-line tools: OpenSSL and OpenDKIM

For those with server access or a preference for command-line operations, OpenSSL is a powerful, open-source cryptographic toolkit widely used for generating RSA key pairs, including those for DKIM. This method gives you full control over the key generation process.

Generating keys with OpenSSL

The process involves two main steps: first, generating the private key, and then extracting the corresponding public key from it. You can specify the key length (e.g., 2048 bits) directly in the commands. This approach is commonly used by system administrators and developers who manage their own mail servers or need specific key formats. For more detailed instructions on creating a DKIM a=rsa-sha256 key, consult dedicated guides.

OpenSSL commands for DKIM key generationbash

openssl genrsa -out private.key 2048
openssl rsa -in private.key -outform PEM -pubout -out public.key

After generating the keys, the private key (e.g., private.key) should be securely stored on your mail server, and the public key (e.g., public.key) needs to be formatted and published as a TXT record in your DNS. Sometimes, issues can arise with the key format, such as the PKCS#1 RSA private key in PEM format error, which often indicates an incompatibility with the system you are trying to upload the key to. Proper formatting and adherence to specific system requirements are vital.

Email service providers (ESPs) and mail server solutions

Many Email Service Providers (ESPs) and popular mail server software platforms offer built-in functionality to generate and manage DKIM keys, significantly simplifying the process for their users. This method is often the most straightforward for those already using such services.

ESP-provided key generation

Platforms like Microsoft 365, Google Workspace, Zoho Mail, and various marketing automation tools often have a dedicated section in their administrative interfaces where you can enable or generate DKIM keys for your domain. This typically involves clicking a button or following a guided setup, and the system handles the key pair generation and sometimes even guides you through the DNS record publication.

The primary advantage of this method is its simplicity and integration. ESPs often handle the complexities of key formats and provide the exact TXT record you need to add to your DNS, minimizing errors. Furthermore, many of these services automate DKIM key rotation, a crucial security practice that helps maintain the cryptographic strength of your email authentication over time.

Manual generation

Control: Full oversight of key length, selector naming, and format.
Flexibility: Useful for custom server setups or specific integration needs.
Complexity: Requires technical expertise, potential for formatting errors (e.g., PEM format).
Maintenance: Manual key rotation and management required.

ESP-provided generation

Simplicity: Often a one-click process within the platform's interface.
Integration: Seamlessly integrates with your sending setup.
Automation: Often includes automatic key rotation, enhancing security.
Less Control: Less control over specific key parameters or selector names.

Regardless of the method you choose, always ensure you have a secure way to store your private key and that you publish the public key correctly in your DNS records. Proper identification of DKIM key length and understanding invalid RSA public key errors can prevent common deliverability issues.

Views from the trenches

Here are some valuable perspectives and practical tips on DKIM key generation from the email community.

Best practices

Use 2048-bit key lengths for stronger security, as it is the current industry standard and widely accepted by Mailbox Providers.

Regularly rotate your DKIM keys to minimize the risk of compromise and maintain robust email authentication.

Always store your private key in a secure location, accessible only to authorized personnel and systems.

Before publishing, thoroughly validate your generated public key with an online checker to ensure proper formatting and syntax.

Choose a DKIM selector that is easy to remember and indicates the key's purpose or generation date for better organization.

Common pitfalls

Using 1024-bit keys: While still functional, they offer weaker encryption and may lead to reduced trust by some receiving servers over time.

Incorrect key format: Failing to convert the key to the required PEM or DNS TXT format can lead to upload or verification errors.

Mismatched key pairs: Ensuring the private key on your sending server matches the public key in DNS is critical for successful authentication.

Public key exposure: Sharing your private key or mistakenly publishing it in DNS records compromises your email security.

Neglecting key rotation: Not rotating keys periodically can increase vulnerability if a key is ever compromised without your knowledge.

Expert tips

If your ESP provides DKIM key generation, it's generally the easiest and most reliable method as they handle the complexities.

For advanced control, OpenSSL is a robust command-line tool for generating keys, but be mindful of output formats.

Online generators can be very convenient, but always verify the authenticity and reputation of the tool you are using.

Double-check DNS propagation after publishing your public key. It can take some time to update globally.

Implement DMARC alongside SPF and DKIM to gain visibility into your email authentication status and prevent spoofing.

Expert view

Expert from Email Geeks says Dkimcore.org is a useful tool for generating keys, especially for testing purposes, because of its straightforward interface.

2019-05-07 - Email Geeks

Marketer view

Marketer from Email Geeks says they encountered issues uploading private keys in the correct PEM format, indicating specific system requirements for key format are critical.

2019-05-07 - Email Geeks

Final thoughts on DKIM key generation

Generating DKIM public and private keys is a fundamental step toward securing your email communications and improving deliverability. Whether you opt for user-friendly online tools, the control offered by command-line utilities like OpenSSL, or the integrated solutions provided by your ESP, the core objective remains the same: creating a cryptographically secure pair that authenticates your outgoing emails.

Remember to prioritize key security, use recommended key lengths, and ensure proper DNS publication of your public key. By implementing DKIM correctly, alongside other authentication standards, you can significantly enhance your email's trustworthiness, reduce the likelihood of messages landing in spam folders (or junk folders), and protect your brand's reputation against spoofing and phishing attempts.