Free DKIM key generator

Generate a DKIM key pair

The key pair is generated entirely in your browser and never sent anywhere — we literally cannot see your private key. Download it before you leave this page.

This becomes part of the DNS record name — pick something short and memorable, like the year or your sending platform's name.

Key strength

How the key generation works

We use your browser's crypto.subtle API — the same cryptography engine built into every modern browser for things like HTTPS — to generate an RSA key pair locally. The public key is exported and formatted as a ready-to-publish DKIM TXT record; the private key is exported as a standard PEM file for you to download.

Nothing about this process involves a network request beyond loading the page itself. There is no server endpoint that receives, logs, or could ever see the key material, which is a meaningfully different trust model than a generator that creates the key on a server and sends it to you.

Common questions

Is it safe to generate a private key in a website?+

This one, yes — the key pair is generated using your browser's built-in Web Crypto API, running entirely on your device. The private key is never transmitted over the network at any point; there's no server call involved in generating it, only in loading this page's code. That said, generating sensitive keys through a locally-run tool (like OpenSSL) is always a reasonable alternative if you'd rather not rely on any website for this.

What do I do with the public key vs the private key?+

The public key (formatted as a DNS TXT record) goes into your domain's DNS at selector._domainkey.yourdomain.com — it's meant to be public. The private key goes into your email sending platform's DKIM configuration and must stay secret; it's what actually signs your outgoing mail.

Should I use 1024-bit or 2048-bit?+

2048-bit, unless your specific sending platform explicitly requires 1024-bit (some older systems do). 2048-bit is the current standard and considered cryptographically stronger; some large providers have begun phasing out support for verifying 1024-bit DKIM signatures entirely.

What selector name should I pick?+

Anything short, URL-safe, and memorable — many people use the year (mail2026) or a name tied to the sending platform. If you're replacing an existing key, use a different selector than the old one so you can run both briefly during the transition without downtime.

I closed the page before downloading my private key. Can I get it back?+

No — since the key only ever existed in that browser tab's memory and was never sent or stored anywhere, there's nothing to recover. Generate a new key pair and publish the new public key to DNS in its place.