Generating DKIM Keys
Create secure RSA key pairs for DKIM email authentication. Learn proper key sizes, generation methods, and DNS publishing.
What Are DKIM Keys?
DKIM uses public-key cryptography to sign emails. You need two keys:
Private Key
Kept secret on your mail server. Signs outgoing emails.
Public Key
Published in DNS. Receiving servers use it to verify signatures.
Choosing the Right Key Size
DKIM supports different RSA key sizes. Larger keys are more secure but slower to process.
2048-bit RSA (RECOMMENDED)
Industry standard. Excellent security with good performance.
4096-bit RSA (HIGH SECURITY)
Maximum security. Use for highly sensitive environments.
1024-bit RSA (NOT RECOMMENDED)
Weak by today's standards. It is the smallest key size RFC 8301 still allows signers to use, and major providers treat it as the bare minimum and recommend 2048-bit.
Use 2048-bit RSA keys for the best balance of security and performance. Only use 4096-bit if you have specific compliance requirements: the base64 public key grows to about 736 characters, which has to be split across several DNS TXT strings and pushes the DNS response past the classic 512-byte UDP limit, and RFC 8301 only obliges verifiers to accept keys up to 4096 bits, so that is the practical ceiling.
How to Generate DKIM Keys
There are three main ways to generate DKIM keys:
Using OpenSSL (Command Line)
Best for Linux/Mac servers. Gives you complete control.
openssl genrsa -out dkim_private.pem 2048
Creates a 2048-bit RSA private key.
openssl rsa -in dkim_private.pem -pubout -outform der 2>/dev/null | openssl base64 -A
Outputs the base64-encoded public key (the DER SubjectPublicKeyInfo) on a single line; this is exactly the value that goes into the p= tag of the DNS record.
Set strict permissions: chmod 600 dkim_private.pem. Never share this file.
Using Your ESP Dashboard
Easiest method. Most email providers generate DKIM keys automatically.
Google Workspace: Admin Console → Apps → Google Workspace → Gmail → Authenticate Email → Generate New Record
Microsoft 365: Exchange Admin Center → Mail Flow → DKIM → Enable for your domain
Other ESPs: Domain Authentication settings → Generate DKIM keys automatically
Benefit: the ESP manages key rotation and storage automatically. Caveat: the private key stays with the provider, so it only signs mail that provider sends; mail from your own servers needs its own key and selector.
Using Online DKIM Generators
Quick option for testing. Use with caution for production.
An online generator creates the private key in its own environment (or in your browser, which you cannot easily verify), so the site could keep a copy. Use such tools only for testing, and generate production keys locally on the server that will sign mail.
Publishing DKIM Keys to DNS
After generating keys, publish the public key as a DNS TXT record.
DNS Record Format:
Name: [selector]._domainkey.yourdomain.com (example: default._domainkey.example.com)
Type: TXT
Value: v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC...
• v=DKIM1 (version)
• k=rsa (key type)
• p=... (public key in base64, exactly the output of the openssl command above; the example value is truncated)
The base64 public key of a 2048-bit RSA key is 392 characters long, more than the 255 bytes a single TXT string can hold, so the value must be split into several quoted strings (most DNS providers do this automatically when you paste it). Verifiers concatenate the strings when they read the record, so the split does not change the key.
Check that your DKIM record is published correctly and that the p= value matches the public key you generated:
nslookup -type=txt default._domainkey.yourdomain.com
Testing Your DKIM Keys
After publishing, verify DKIM is working correctly.
Verification Checklist:
Use a DKIM checker tool or the nslookup command above to confirm the public key is published and that its p= value matches the key on your server
Send a test message to a Gmail account and check the Authentication-Results header for dkim=pass with your domain and selector (header.i=@yourdomain.com header.s=default)
Monitor DKIM alignment (the signing d= domain matching the From: domain) in DMARC aggregate reports
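The record layout above and the "confirm the public key is published" step, as an added example that is not code from the page: a Python checker using only the standard library that builds the TXT record from the DER public key the openssl command prints, splits it into 255-byte strings the way the zone must carry it, and inspects a published record to join the strings, parse the tags, read the RSA key size straight out of the DER and flag a revoked (empty p=) or malformed record. The function names are mine, the sample modulus is synthetic (a number of the right size, not a real RSA key, so there is no private key for it), and the quoted-string format parsed by strings_from_dig is what `dig +short TXT selector._domainkey.yourdomain.com` prints.

```python
"""Build and check DKIM DNS TXT records using only the Python standard library."""
import base64
import re

TXT_STRING_MAX = 255  # a single DNS TXT <character-string> holds at most 255 bytes
RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 (rsaEncryption)


# --- minimal DER helpers: enough for a SubjectPublicKeyInfo carrying an RSA key ---
def _der_tlv(tag, value):
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:  # long form: 0x80 | number of length octets, then the length big-endian
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + value


def _der_int(x):
    b = x.to_bytes((x.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:
        b = b"\x00" + b  # DER INTEGERs are signed; pad so the value stays positive
    return _der_tlv(0x02, b)


def _der_read(buf, pos):
    """Read one TLV at pos; return (tag, value, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def synthetic_rsa_spki(modulus, exponent=65537):
    """DER SubjectPublicKeyInfo for (modulus, exponent). Used here only to construct
    sample input; it is NOT a real key. Real keys come from
    `openssl rsa -in dkim_private.pem -pubout -outform der`."""
    rsa_pub = _der_tlv(0x30, _der_int(modulus) + _der_int(exponent))
    alg = _der_tlv(0x30, _der_tlv(0x06, RSA_OID) + b"\x05\x00")  # rsaEncryption, NULL params
    return _der_tlv(0x30, alg + _der_tlv(0x03, b"\x00" + rsa_pub))  # BIT STRING, 0 unused bits


def rsa_modulus_bits(spki_der):
    """Key size of an RSA SubjectPublicKeyInfo; raises ValueError if it is not one."""
    tag, spki, _ = _der_read(spki_der, 0)
    alg_tag, alg, pos = _der_read(spki, 0)
    oid_tag, oid, _ = _der_read(alg, 0)
    if tag != 0x30 or alg_tag != 0x30 or oid_tag != 0x06 or oid != RSA_OID:
        raise ValueError("not an rsaEncryption SubjectPublicKeyInfo")
    bs_tag, bitstr, _ = _der_read(spki, pos)
    if bs_tag != 0x03 or bitstr[:1] != b"\x00":
        raise ValueError("malformed BIT STRING")
    _, rsa_pub, _ = _der_read(bitstr, 1)  # RSAPublicKey ::= SEQUENCE { modulus, exponent }
    int_tag, modulus, _ = _der_read(rsa_pub, 0)
    if int_tag != 0x02:
        raise ValueError("modulus is not an INTEGER")
    return int.from_bytes(modulus, "big").bit_length()


# --- building the record for publication ---
def build_dkim_record(spki_der):
    """Return the TXT record as a list of <=255-byte strings; resolvers concatenate them."""
    txt = "v=DKIM1; k=rsa; p=" + base64.b64encode(spki_der).decode("ascii")
    return [txt[i:i + TXT_STRING_MAX] for i in range(0, len(txt), TXT_STRING_MAX)]


def zone_line(selector, domain, strings):
    return f"{selector}._domainkey.{domain}. IN TXT " + " ".join(f'"{s}"' for s in strings)


# --- checking what is actually published ---
def strings_from_dig(output):
    """Extract the quoted strings from `dig +short TXT ...` output."""
    return re.findall(r'"([^"]*)"', output)


def inspect_dkim_record(strings):
    """Join the strings as a resolver would, parse the tag=value list and classify the key."""
    tags = {}
    for part in "".join(strings).split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)  # folding whitespace inside values is ignored
    info = {"tags": tags, "status": "ok"}
    p = tags.get("p")
    if tags.get("v", "DKIM1") != "DKIM1" or tags.get("k", "rsa") != "rsa":
        info["status"] = "invalid: unsupported version or key type"
    elif p is None:
        info["status"] = "invalid: missing p= tag"
    elif p == "":
        info["status"] = "revoked"  # RFC 6376: an empty p= means this selector's key is revoked
    else:
        try:
            info["bits"] = rsa_modulus_bits(base64.b64decode(p, validate=True))
        except (ValueError, IndexError) as exc:  # binascii.Error is a ValueError subclass
            info["status"] = f"invalid: {exc}"
        else:
            info["status"] = "ok" if info["bits"] >= 2048 else "weak"
    return info


if __name__ == "__main__":
    sample = synthetic_rsa_spki((1 << 2047) | 1)  # synthetic 2048-bit modulus, not a real key
    print(zone_line("default", "example.com", build_dkim_record(sample)))
    print(inspect_dkim_record(build_dkim_record(sample)))
    print(inspect_dkim_record(strings_from_dig('"v=DKIM1; k=rsa; " "p="')))
```

To check a live record, pass the output of `dig +short TXT default._domainkey.yourdomain.com` to strings_from_dig and then to inspect_dkim_record; to confirm the published key is yours, compare the joined p= value with the single-line output of the openssl command in the generation section. The DER parser deliberately reads the modulus instead of trusting the record's length, so a record that was pasted with a truncated p= shows up as "invalid" rather than as a smaller key.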
DKIM Key Rotation Best Practices
Rotate DKIM keys periodically to limit how long a leaked or brute-forced key stays usable.
Recommended Schedule:
Regular rotation on a fixed schedule for good security hygiene. Publish each new key under a new selector, switch the signer to it once DNS has propagated, and keep the old selector's record in place for a few days so mail already in transit still verifies; then revoke the old key by publishing its record with an empty p= tag (v=DKIM1; k=rsa; p=) rather than silently deleting it
Rotate immediately if the private key is exposed or the server is breached, and revoke the old selector at once