DKIM key generator

Generate a DKIM key pair, get the DNS record and private key it produces — or paste a record you already have and check it. The key pair is generated locally in your browser and never sent anywhere.

What is DKIM?

DKIM (DomainKeys Identified Mail) attaches a digital signature to every message you send, using a private key only your mail server knows. The receiving mailbox looks up the matching public key in your DNS and checks the signature — proof the message really came from you and wasn't altered in transit.

The key pair is generated once. The private key stays on your mail server or your email service provider, where it signs outgoing mail. The public key goes into a DNS TXT record at a location called the selector — that's the only part this tool publishes for you.

Selector

A short name that lets you run more than one key at once — useful for rotating keys or running several sending services side by side.

Public key (DNS)

Published as a TXT record at selector._domainkey.yourdomain.com. Anyone can look it up — that's the point.

Private key (your server)

Kept secret and installed wherever your mail actually gets signed. Never publish it, and never send it anywhere else.

DKIM on its own only proves a message wasn't tampered with — it's DMARC that decides what happens when a message fails. Once DKIM is signing cleanly, the DMARC policy generator is the natural next step.

Generate your key

Fill in your domain and selector, pick a key size, and generate — the DNS record on the right updates with it. Already have a record? Paste it in to check it.

Generate a key pair

Runs entirely in your browser — the private key is never sent anywhere.

Key size

2048-bit is the current recommendation. 1024-bit is weaker but shorter, which matters if your DNS provider struggles with long TXT records.

Restrict hashes to SHA-256

h

Only allow SHA-256 signatures. Leaving this off also accepts the older, weaker SHA-1 — most senders should keep this on.

Restrict to email

s

Limit this key to signing email, so it can't be reused to sign anything else that happens to check the s tag.

Testing mode

t=y

Ask receivers not to act on a signature failure yet. Useful while you roll this out — turn it off once mail is signing and passing cleanly.

Strict subdomain match

t=s

Require the signing domain to match your From domain exactly, so this key can't be used to sign for a subdomain.

Private key

Generate a key pair to see your private key here.

DNS record

Publish this TXT record at your domain.

Type
TXT
Host
mail._domainkey

Add this as a new record at your DNS provider. “Type” and “Host” are the fields it asks for — some providers want just mail._domainkey in the host field and add the domain for you.

Value

Paste an existing record here to check it — it won't recover a private key.

从一个渠道开始。
准备好后,再添加其他渠道。

测试 API 密钥即刻可用。添加支付方式并验证发送者身份后,即可解锁生产环境。

正在使用 Claude Code、Cursor 或 Codex?复制一条设置提示,您的智能代理即可自动安装 Bird CLI 和相关技能。选择您的工具:

Cursor