Generate a DKIM keypair and the DNS record needed for signed mail.

DKIM lets receivers verify that a message was signed by a key tied to your domain. This tool keeps key generation local in the browser.

The keypair is generated in your browser and never leaves this page.

How it works

  • The browser generates a 2048-bit RSA keypair with the Web Crypto API.
  • The public key is formatted as a selector-based DKIM TXT record.
  • The private key is shown once so you can install it in the sending system that signs mail.

When to use it

  • When your SMTP service needs a DKIM key for a new sending domain.
  • When rotating a DKIM selector after a key exposure or provider migration.
  • When validating DNS setup before readiness-gated sequencer export.

Common failure cases

  • Installing the private key in the wrong mail server or workspace.
  • Publishing the TXT record at the domain root instead of `selector._domainkey`.
  • Losing track of which selector the sending server uses.

Examples

What good and bad signals look like

Good setup

selector1._domainkey.example.com TXT v=DKIM1; k=rsa; p=...

The public key is published under a selector that matches the signing configuration.

Bad setup

Public key published under selector1, mail signed with selector2

Receivers cannot find the matching key, so DKIM verification fails.

What to do next

  • Store the private key only in the system that signs outbound mail.
  • Publish the DKIM TXT record and verify the selector with the DNS checker.
  • Add DMARC after DKIM and SPF are both aligned for the domain.
Verify the selector after publishing

A generated key is not ready until public DNS returns the matching record.

FAQ

Does the DKIM private key leave my browser?

No. Key generation runs in the browser and the private key is not sent to GTM Inboxes servers.

Is DKIM enough for DMARC alignment?

DKIM can support DMARC alignment when the signing domain aligns with the visible From domain, but DMARC still needs its own DNS policy record.