How it works
- The browser generates a 2048-bit RSA keypair with the Web Crypto API.
- The public key is formatted as a selector-based DKIM TXT record.
- The private key is shown once so you can install it in the sending system that signs mail.
DKIM lets receivers verify that a message was signed by a key tied to your domain. This tool keeps key generation local in the browser.
The keypair is generated in your browser and never leaves this page.
Examples
selector1._domainkey.example.com TXT v=DKIM1; k=rsa; p=...
The public key is published under a selector that matches the signing configuration.
Public key published under selector1, mail signed with selector2
Receivers cannot find the matching key, so DKIM verification fails.
A generated key is not ready until public DNS returns the matching record.
Check whether the selector can be resolved after publication.
Use DKIM alignment as part of a DMARC rollout.
Connect DNS setup to readiness reports and export gates.
Turn a DNS or authentication check into a conservative inbox-capacity plan.
No. Key generation runs in the browser and the private key is not sent to GTM Inboxes servers.
DKIM can support DMARC alignment when the signing domain aligns with the visible From domain, but DMARC still needs its own DNS policy record.