DKIM Record Generator

Generate and check a DKIM record.

Format DKIM TXT public-key records and provider CNAME targets for Google Workspace, Microsoft 365, SendGrid, Amazon SES, Resend, Postmark, Mailchimp, HubSpot, and custom senders.

  • No signup
  • TXT and CNAME
  • Live DNS check

Build your DKIM record

Pick your provider, then paste the DKIM key or target it gave you. We format the exact DNS record to publish, and can check that your selector is already live.

DKIM record (needs provider value)

Type: TXT
Host: google._domainkey
Value: v=DKIM1; k=rsa; p=PASTE_PUBLIC_KEY_HERE

Publish this at google._domainkey, then verify DKIM in your provider.

Findings

  • Domain not set (Info): Add your sending domain to build the full selector host and check DNS. Enter the domain used in your From address.

  • Public key required (Warning): DKIM TXT records need the public key generated by your email provider. Paste the public key before publishing this TXT value.

  • Provider value needed before publishing (Info): DKIM values are provider-generated. Use this tool to format and check them, but publish only real provider values.

Provider notes

  • Google Workspace / Gmail (public key needed): Generate the key in Google Admin, paste the public key here, then publish the TXT record. Record: TXT at google._domainkey.

Basics

What is a DKIM record?

A DKIM (DomainKeys Identified Mail) record is a DNS record at a selector host, such as google._domainkey.example.com, that holds the public half of the key pair your email provider signs messages with. The provider signs with the private key, and receiving servers use the published public key to confirm a message really came from your domain and was not changed on the way.

You don't create the key yourself. Your email provider generates it, and you publish the value it gives you. This tool formats that value into the exact DNS record and checks the live selector for you.

How to

How do you create a DKIM record?

Turn on DKIM in your email provider, copy the selector and value it gives you, then publish that value at selector._domainkey. Your provider makes the key, so you only publish and verify it.

  1. Turn on DKIM in your email provider

    In your provider's admin area (Google Admin, Microsoft 365, SendGrid, and so on), start DKIM or domain authentication. The provider creates the key pair for you.

  2. Copy the selector and DNS value

    Your provider shows a selector, like google or selector1, plus either a TXT public key or a CNAME target. Copy them exactly.

  3. Pick TXT or CNAME

    Use the record type your provider gives you. A TXT record holds the public key after p=, while a CNAME points to a value the provider hosts.

  4. Publish the record at selector._domainkey

    Add it in your DNS at the host selector._domainkey.yourdomain.com, using the exact host and value from your provider.

  5. Verify DKIM in your provider

    After DNS updates, go back and verify or enable DKIM so outgoing mail gets signed. Send a test email and check the headers for dkim=pass.

Provider setup

What DKIM record do I need for each provider?

Your provider generates the value and tells you whether to publish a TXT public key or a CNAME target. Copy the selector, record type, and value exactly, then find your provider below.

| Provider | DKIM record | What to do |
|---|---|---|
| Google Workspace | TXT at google._domainkey | Use the google selector unless Google Admin shows a different selector. Paste the generated public key into a TXT record at google._domainkey. |
| Gmail | TXT at google._domainkey | For a custom domain sending through Gmail or Google Workspace, create the DKIM key in Google Admin. Personal @gmail.com addresses do not use your domain's DKIM record. |
| SendGrid | CNAME at s1._domainkey | SendGrid domain authentication commonly gives s1 and s2 CNAME records. Copy the selector hosts and targets exactly. |
| Microsoft 365 | CNAME at selector1._domainkey | Microsoft 365 usually gives selector1 and selector2 CNAME targets. Publish the exact targets before enabling DKIM signing. |
| Amazon SES | Use the SES token as selector | Amazon SES generates token-like DKIM CNAME records. Use the selector token and target SES shows for the identity. |
| Resend | Use Resend's generated CNAME | Resend shows DKIM DNS records during domain setup. Paste the generated host selector and target exactly. |
| Postmark | TXT at pm._domainkey | Postmark gives you a DKIM TXT value. Paste the public key portion or copy the provider value exactly in DNS. |
| Mailchimp | CNAME at k1._domainkey | Mailchimp authentication uses provider-generated DNS values. Use the exact selector and target Mailchimp shows. |
| HubSpot | Use HubSpot's generated CNAME | HubSpot generates DKIM records per sending domain. Paste the exact selector and target from HubSpot. |

Common mistakes

What to avoid before you publish DKIM.

Publishing a placeholder key

A DKIM TXT record must contain the real provider-generated public key after p=. Do not publish a placeholder value.

Using the wrong selector

The selector is part of the DNS host. A valid key at google._domainkey will not help if your provider signs with selector1.

Changing TXT to CNAME, or CNAME to TXT

Publish the exact record type your provider gives you. Providers differ here, and the two record types are not interchangeable.

Skipping provider verification

After DNS propagates, enable or verify DKIM in the provider so outgoing mail is actually signed.
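
A pre-publish check for the first three mistakes above, written as an added example (it is not this tool's own code). The function names, finding strings, placeholder pattern and sample key are assumptions made for illustration.

```python
import base64
import re

# Constructed sample: valid base64, but not a real RSA key.
SAMPLE_KEY = base64.b64encode(b"constructed sample, not a real RSA key").decode()
PLACEHOLDER = re.compile(r"PASTE|PLACEHOLDER|YOUR.?KEY|[<>]", re.I)

def parse_tags(value):
    """Split a DKIM tag=value list into a dict, dropping folding whitespace."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(val.split())
    return tags

def selector_host(selector, domain):
    """Host that receivers query: selector._domainkey.domain."""
    return f"{selector.strip()}._domainkey.{domain.strip().rstrip('.')}".lower()

def lint_dkim_record(rtype, value):
    """Return findings for a record about to be published (empty list = ok)."""
    rtype = rtype.upper()
    if rtype == "CNAME":
        if "p=" in value or value.strip().lower().startswith("v=dkim1"):
            return ["CNAME target looks like a TXT key value; publish it as TXT"]
        return []
    if rtype != "TXT":
        return [f"unsupported record type {rtype}"]
    findings = []
    tags = parse_tags(value)
    if tags.get("v", "DKIM1") != "DKIM1":
        findings.append("v= must be DKIM1")
    key = tags.get("p")
    if key is None:
        findings.append("missing p= tag; a bare hostname belongs in a CNAME")
    elif key == "":
        findings.append("empty p= marks the key as revoked")
    else:
        try:
            base64.b64decode(key, validate=True)
        except ValueError:
            findings.append("p= holds a placeholder, not a provider key"
                            if PLACEHOLDER.search(key) else "p= is not valid base64")
    return findings
```

The check only confirms that p= is well-formed base64; it does not prove the key is the one your provider signs with, so provider verification is still required.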

Common questions

DKIM record questions, answered.

Short answers for setup, selectors, record types, and verification.

What is a DKIM record?

A DKIM record is a DNS record at a selector host such as google._domainkey.example.com. It lets receivers verify that an email was signed by a system authorized for your domain.

Should DKIM be a TXT record or a CNAME record?

Use the record type your provider gives you. Some providers use a TXT value that starts with v=DKIM1. Others give you a CNAME target for the selector host.

Can a DKIM generator create my public key?

No. Your email provider generates the DKIM key pair or CNAME target. Use this tool to format, validate, and check the DNS value before publishing it.

What DKIM selector should I use?

Use the selector shown by your email provider, such as google, selector1, s1, k1, or a provider-generated token.

How do I know DKIM is working?

Publish the DNS record, wait for DNS to propagate, then verify the domain in your provider. You can also send a test email and inspect Authentication-Results for dkim=pass.
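
One way to run the header inspection described in the last answer, as an added example (not part of this tool). The message in RAW is constructed, and `dkim_report` with its result keys is a hypothetical helper: it reads the dkim= result from Authentication-Results and compares the selector host named in DKIM-Signature (s= and d=) with the host you published.

```python
import re
from email import message_from_string

# Constructed test message; header values are illustrative only.
RAW = """\
Authentication-Results: mx.receiver.example;
 dkim=pass header.i=@example.com header.s=selector1 header.b=AbCdEfGh
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;
 s=selector1; h=from:to:subject; bh=Y29uc3RydWN0ZWQ=; b=Y29uc3RydWN0ZWQ=
From: sender@example.com
Subject: DKIM test

body
"""

def dkim_report(raw_message, published_host):
    """Summarise DKIM results and the selector hosts the message points at."""
    msg = message_from_string(raw_message)
    results = []
    for ar in msg.get_all("Authentication-Results", []):
        results += re.findall(r"\bdkim=([a-z]+)", ar, re.I)
    hosts = []
    for sig in msg.get_all("DKIM-Signature", []):
        tags = {}
        for part in sig.split(";"):
            name, _, val = part.partition("=")
            tags[name.strip()] = "".join(val.split())  # drop header folding
        if "s" in tags and "d" in tags:
            hosts.append(f"{tags['s']}._domainkey.{tags['d']}".lower())
    return {
        "dkim_results": [r.lower() for r in results],
        "lookup_hosts": hosts,  # where receivers fetch the public key
        "selector_published": published_host.lower().rstrip(".") in hosts,
    }
```

Only read the Authentication-Results header added by your own receiving server; copies of that header that arrived with the message can be forged by the sender.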
