DKIM Selector Helper

Parse an existing DKIM record to see tags, key strength, and revocation status; build a record manually for self-hosted mail servers; or generate a new 2048/4096-bit RSA key pair entirely in your browser. Includes selector reference for popular providers, tag reference, and common DKIM mistakes.

Paste a DKIM record

Paste the TXT value from <selector>._domainkey.<domain>.

DNS often shows the value split into chunks of 255 characters with quotes — paste the whole thing, the parser handles concatenation.


Build a DKIM record

Manually assemble a DKIM TXT record. Useful for self-hosted mail servers (postfix + opendkim, exim).

Selector: a short identifier you choose. Common: default, mail, s1, 2024.
Domain: used to format the DNS hostname (<selector>._domainkey.<domain>).
Public key: the Base64-encoded public key from your DKIM key pair. Strip -----BEGIN/END PUBLIC KEY----- and any newlines; the parser handles common formats.
Testing mode (t=y): tells receivers the domain is testing DKIM and to treat failures as normal mail. Remove before going to production.
Strict mode (t=s): requires the i= identity to match the d= domain exactly (no subdomains).

Generated record

Publish at default._domainkey.yourdomain.com.

v=DKIM1; k=rsa; p=
default._domainkey.yourdomain.com. IN TXT "v=DKIM1; k=rsa; p="

How to publish

  1. Add a TXT record at the host shown above.
  2. Most DNS UIs handle 255-char splits automatically. Some (BIND zone files, raw nsupdate) require manual splitting into multiple quoted strings — use the zone-file output above.
  3. Verify with dig +short TXT <selector>._domainkey.<domain>.
  4. Send a test email to check-auth@verifier.port25.com or use mail-tester.com to confirm DKIM passes end-to-end.

Generate DKIM key pair

RSA key pair generated locally via window.crypto.subtle.

2048-bit is the modern standard. 4096-bit can exceed common 4000-byte DNS UDP limits.

Generated keys

Copy each value to its destination. Refresh the page to discard from memory.

Private key: paste it into your mail server (e.g. /etc/opendkim/keys/<domain>/<selector>.private) and restrict its permissions with chmod 600.

Public key: paste it as the TXT value at <selector>._domainkey.<domain>.

Common selectors by provider

Where to look up DKIM records for popular email providers.

| Provider | Default selector(s) | Lookup hostname |
|---|---|---|
| Google Workspace / Gmail | google | google._domainkey.<domain> |
| Microsoft 365 / Exchange Online | selector1, selector2 | selector1._domainkey.<domain> |
| SendGrid | s1, s2 | s1._domainkey.<domain> |
| Mailchimp | k1, k2, k3 | k1._domainkey.<domain> |
| Mailgun | mg or custom (e.g. k1) | mg._domainkey.<domain> |
| Amazon SES | 3 random tokens (rotated) | SES gives you 3 CNAMEs to publish |
| Postmark | 20yymm (year/month) | 20240101._domainkey.<domain> |
| Zoho Mail | zoho or zmail | zoho._domainkey.<domain> |
| HubSpot | hs1-<id>, hs2-<id> | Provided in HubSpot settings |
| Brevo (Sendinblue) | mail | mail._domainkey.<domain> |
| Self-hosted (opendkim, exim) | default, mail, YYYY | You choose |

DKIM tag reference

All tags defined by RFC 6376.

| Tag | Default | Meaning |
|---|---|---|
| v | DKIM1 | Version. Must be exactly DKIM1 if present. |
| k | rsa | Key type. rsa or ed25519. |
| p | | Public key (Base64). Empty p= means revoked. |
| s | * | Service type. email restricts to email use. |
| t | | Flags. y=testing, s=strict subdomain match. |
| n | | Notes (free text, ignored by receivers). |
| h | all | Acceptable hash algorithms (rarely set). |
| g | * | Granularity. Deprecated in RFC 6376. |

Common DKIM mistakes

Top issues seen in real-world deployments.

1. Using 1024-bit keys in 2026: Google has been blocking 1024-bit DKIM since 2024. Use 2048-bit minimum. If you have a legacy 1024-bit key, rotate it immediately.
2. Forgetting to remove t=y: The testing flag tells receivers to ignore DKIM failures. If you forget to remove it after rollout, you have DKIM in name only, with no actual protection.
3. Wrong DNS hostname format: The DKIM hostname is <selector>._domainkey.<domain>, not <selector>.<domain> or _domainkey.<domain>. The _domainkey part is mandatory.
4. Public key broken across multiple TXT records: A single TXT record can hold several quoted strings of up to 255 characters each, which are concatenated, but the key cannot be spread over multiple separate TXT records. Publish it as ONE record with quoted-string concatenation, not N separate TXT records at the same hostname.
5. Including PEM headers in p=: The DKIM p= tag takes only the Base64 body, not the -----BEGIN PUBLIC KEY----- markers. Strip them and any line breaks before publishing.
6. Empty p= by accident: An empty p= tag means "this key is revoked, reject any signature using this selector". It is easy to publish accidentally if your provider gives you malformed input.
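
The checks described above (joining the quoted 255-character chunks, then flagging t=y, an empty p=, PEM headers in p=, and RSA keys under 2048 bits) can be scripted for use before publishing. This is an added example, not the page tool's own code; the function names and issue codes are this example's own, and the key-size check assumes p= holds an RSA SubjectPublicKeyInfo.

```python
import base64
import re

def parse_tags(txt):
    """Join the quoted <=255-char chunks of one TXT record, then split tag=value pairs."""
    value = "".join(re.findall(r'"([^"]*)"', txt)) or txt
    tags = {}
    for item in value.split(";"):
        name, sep, val = item.partition("=")
        if sep:
            tags[name.strip()] = val.strip()
    return tags

def _read_tlv(buf, pos):  # -> (tag, content_start, content_end) of one DER element
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def rsa_bits(der):
    """Modulus size in bits of an RSA SubjectPublicKeyInfo (the decoded p= value)."""
    t1, body, _ = _read_tlv(der, 0)               # outer SEQUENCE
    t2, _, alg_end = _read_tlv(der, body)         # AlgorithmIdentifier, skipped
    t3, bit_str, _ = _read_tlv(der, alg_end)      # BIT STRING wrapping the key
    t4, rsa_seq, _ = _read_tlv(der, bit_str + 1)  # +1 skips the unused-bits byte
    t5, n0, n1 = _read_tlv(der, rsa_seq)          # INTEGER modulus
    if (t1, t2, t3, t4, t5) != (0x30, 0x30, 0x03, 0x30, 0x02):
        raise ValueError("not an RSA SubjectPublicKeyInfo")
    return int.from_bytes(der[n0:n1], "big").bit_length()

def lint(txt):
    """Return issue codes (names are this example's own) for a pasted DKIM TXT value."""
    tags = parse_tags(txt)
    p = "".join(tags.get("p", "").split())
    issues = ["testing-flag"] if "y" in tags.get("t", "").split(":") else []
    if not p:
        issues.append("revoked")  # empty p= revokes the selector
    elif "-----" in p:
        issues.append("pem-headers")
    elif tags.get("k", "rsa") == "rsa":
        try:
            if (bits := rsa_bits(base64.b64decode(p, validate=True))) < 2048:
                issues.append(f"weak-key-{bits}")
        except (ValueError, IndexError):
            issues.append("bad-key")
    return issues

SAMPLE = '"v=DKIM1; k=rsa; t=y; " "p="'  # constructed: two chunks, t=y set, empty p=
```

Calling lint(SAMPLE) reports both the testing flag and the revoked key; a clean 2048-bit record returns an empty list.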