DKIM key generator

Generate a DKIM key pair, get the DNS record and private key it produces — or paste a record you already have and check it. The key pair is generated locally in your browser and never sent anywhere.

What is DKIM?

DKIM (DomainKeys Identified Mail) attaches a digital signature to every message you send, using a private key only your mail server knows. The receiving mailbox looks up the matching public key in your DNS and checks the signature — proof the message really came from you and wasn't altered in transit.

The key pair is generated once. The private key stays on your mail server or your email service provider, where it signs outgoing mail. The public key goes into a DNS TXT record at a location called the selector — that's the only part this tool publishes for you.

Selector

A short name that lets you run more than one key at once — useful for rotating keys or running several sending services side by side.

Public key (DNS)

Published as a TXT record at selector._domainkey.yourdomain.com. Anyone can look it up — that's the point.

Private key (your server)

Kept secret and installed wherever your mail actually gets signed. Never publish it, and never send it anywhere else.

DKIM on its own only proves a message wasn't tampered with — it's DMARC that decides what happens when a message fails. Once DKIM is signing cleanly, the DMARC policy generator is the natural next step.

Generate your key

Fill in your domain and selector, pick a key size, and generate — the DNS record on the right updates with it. Already have a record? Paste it in to check it.

Generate a key pair

Runs entirely in your browser — the private key is never sent anywhere.

Key size

2048-bit is the current recommendation. 1024-bit is weaker but shorter, which matters if your DNS provider struggles with long TXT records.

Restrict hashes to SHA-256

h

Only allow SHA-256 signatures. Leaving this off also accepts the older, weaker SHA-1 — most senders should keep this on.

Restrict to email

s

Limit this key to signing email, so it can't be reused to sign anything else that happens to check the s tag.

Testing mode

t=y

Ask receivers not to act on a signature failure yet. Useful while you roll this out — turn it off once mail is signing and passing cleanly.

Strict subdomain match

t=s

Require the signing domain to match your From domain exactly, so this key can't be used to sign for a subdomain.

Private key

Generate a key pair to see your private key here.

DNS record

Publish this TXT record at your domain.

Type
TXT
Host
mail._domainkey

Add this as a new record at your DNS provider. “Type” and “Host” are the fields it asks for — some providers want just mail._domainkey in the host field and add the domain for you.

Value

Paste an existing record here to check it — it won't recover a private key.

Starten Sie mit einem Kanal.
Fügen Sie die anderen hinzu, wenn Sie bereit sind.

Ein Test-API-Key steht Ihnen sofort zur Verfügung. Der Produktivzugang wird freigeschaltet, sobald Sie eine Zahlungsmethode hinzufügen und einen Absender verifizieren.

Sie nutzen Claude Code, Cursor oder Codex? Kopieren Sie einen Setup-Prompt und Ihr Agent installiert die Bird CLI und Skills für Sie. Wählen Sie Ihren:

Cursor