DKIM signs every outgoing email with a private key and lets receivers verify the signature using a public key published in DNS. To set up DKIM, generate a 2048-bit RSA keypair, publish the public key as a TXT record at <selector>._domainkey.yourdomain.com, and install the private key on your mail server. This tool generates the keypair in your browser using WebCrypto — nothing leaves your machine.
DKIM Keypair Generator
Keys are generated locally with WebCrypto (crypto.subtle.generateKey). Nothing is sent to any server.
DKIM Lookup
What Is DKIM?
DKIM (DomainKeys Identified Mail, defined in RFC 6376) is a DNS-based email authentication method. Here's how it works:
- You generate an RSA keypair: a public key and a private key.
- You publish the public key as a DNS TXT record at <selector>._domainkey.yourdomain.com.
- You install the private key on your mail server (MTA).
- When your MTA sends a message, it cryptographically signs the headers and body with the private key. The signature goes in a DKIM-Signature header.
- Receiving mail servers look up your public key via DNS and verify the signature. If verification succeeds, the message is proven authentic and unaltered.
DKIM is one third of the cold email authentication trio: SPF + DKIM + DMARC. All three are required for cold email in 2026.
Selectors Explained
A selector is a short label (like default, google, winnr2026, or s1) that lets a single domain publish multiple DKIM keys. Each service that signs email on your behalf typically gets its own selector:
- Your primary Postfix MTA → default._domainkey.yourdomain.com
- Google Workspace → google._domainkey.yourdomain.com
- Winnr → winnr2026._domainkey.yourdomain.com
- SendGrid → s1._domainkey.yourdomain.com and s2._domainkey.yourdomain.com
Selectors also enable key rotation. To rotate, create a new selector with a fresh keypair, publish the new public key, swap your MTA config, wait 24 hours for mail in flight to verify, then remove the old TXT record.
How to Publish Your DKIM Record
- Generate your keypair above.
- Copy the public key TXT value.
- Log in to your DNS host.
- Create a new TXT record with host/name <selector>._domainkey (for example, winnr2026._domainkey).
- Paste the v=DKIM1; k=rsa; p=... value. TTL can stay at the default.
- Save. Wait 1-15 minutes for propagation.
- Download the private key (.pem) and install it on your MTA. Verify with the DKIM Lookup above.
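The steps above as an added JavaScript example (not this tool's source code): it generates the keypair with WebCrypto, builds the TXT value, splits it into 255-byte DNS strings, and checks that a published record is strong enough and matches the private key on the MTA. The function names, return shapes and sample inputs are assumptions.

```javascript
// Added example; function names and return shapes are illustrative assumptions.
const wc = globalThis.crypto ?? require('node:crypto').webcrypto; // browser or Node
const RSA = { name: 'RSASSA-PKCS1-v1_5', hash: 'SHA-256' };
const b64 = (buf) => btoa(String.fromCharCode(...new Uint8Array(buf)));
const unb64 = (s) => Uint8Array.from(atob(s), (c) => c.charCodeAt(0));

// Generate a keypair; return the DNS name, the TXT value and the private-key PEM.
async function generateDkim(selector, domain, bits = 2048) {
  const pair = await wc.subtle.generateKey(
    { ...RSA, modulusLength: bits, publicExponent: new Uint8Array([1, 0, 1]) },
    true, ['sign', 'verify']);
  // p= is the base64 of the DER SubjectPublicKeyInfo export of the public key.
  const txt = 'v=DKIM1; k=rsa; p=' + b64(await wc.subtle.exportKey('spki', pair.publicKey));
  const pkcs8 = b64(await wc.subtle.exportKey('pkcs8', pair.privateKey));
  return {
    name: `${selector}._domainkey.${domain}`,
    txt,
    // A single DNS TXT string holds at most 255 bytes, so a 2048-bit record
    // is stored as several strings that receivers join back together.
    txtStrings: txt.match(/.{1,255}/g),
    privatePem: '-----BEGIN PRIVATE KEY-----\n' + pkcs8.match(/.{1,64}/g).join('\n') +
      '\n-----END PRIVATE KEY-----\n',
  };
}

// Parse a joined TXT value and import p= the way a receiver would.
async function inspectDkim(txt) {
  const tags = {};
  for (const part of txt.split(';')) {
    const i = part.indexOf('=');
    if (i > 0) tags[part.slice(0, i).trim()] = part.slice(i + 1).replace(/\s+/g, '');
  }
  if (tags.v && tags.v !== 'DKIM1') throw new Error('not a DKIM1 record');
  if (!tags.p) throw new Error('p= is empty or missing: no usable key');
  const key = await wc.subtle.importKey('spki', unb64(tags.p), RSA, false, ['verify']);
  const bits = key.algorithm.modulusLength;
  return { key, bits, weak: bits < 2048 };
}

// Sign with the PEM destined for the MTA and verify with the key parsed from
// the record: false means the selector publishes a different key.
async function keysMatch(privatePem, txt) {
  const body = privatePem.replace(/-----[^-]+-----|\s/g, '');
  const priv = await wc.subtle.importKey('pkcs8', unb64(body), RSA, false, ['sign']);
  const msg = new TextEncoder().encode('constructed test message');
  const sig = await wc.subtle.sign(RSA.name, priv, msg);
  return wc.subtle.verify(RSA.name, (await inspectDkim(txt)).key, sig, msg);
}
```

Run keysMatch after every rotation: a record that parses cleanly but belongs to a different keypair fails verification at every receiver.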
Using Winnr? Skip all of this. Every domain provisioned through Winnr gets a DKIM keypair generated, installed on our MTA, and published as a DNS TXT record automatically.
Frequently Asked Questions
What is a DKIM record?
A DNS TXT record at <selector>._domainkey.yourdomain.com that publishes your domain's public key. Your mail server signs messages with the matching private key; receivers verify the signature via DNS.
Do I need DKIM for cold email?
Yes. Google/Yahoo 2024 bulk-sender rules require DKIM for domains sending 5,000+ messages/day. Cold email without DKIM fails DMARC and lands in spam.
1024-bit or 2048-bit?
2048-bit. Always. 1024-bit is legacy and considered weak in 2026.
Is it safe to generate keys in the browser?
Yes. This tool uses WebCrypto (crypto.subtle.generateKey) — keys are generated locally with the browser's cryptographic implementation. The private key never leaves your machine.
Does Winnr set up DKIM automatically?
Yes. Every Winnr-provisioned domain gets a DKIM keypair generated, installed on Winnr's MTA, and published as a DNS record automatically.
Should I rotate DKIM keys?
Every 6-12 months is best practice. Create a new selector, publish the new key, swap your MTA, wait 24h, then remove the old record.
How do I check my DKIM record?
Use the DKIM Lookup above — enter selector + domain, we look up <selector>._domainkey.<domain> via Google Public DNS.