AZ Tools

DKIM Record Builder & Parser

DKIM is the public-key half of modern email authentication (alongside SPF and DMARC). Sending domains publish a public key as a DNS TXT record at `<selector>._domainkey.<domain>`; receivers look it up to verify the signature on incoming mail. This tool builds that record from its constituent tags (`v`, `k`, `h`, `p`, `s`, `t`, `n`, `g`) and shows the full record name, the record body, an RSA key size estimated from the public-key length, and a DNS-chunked rendition (`"..." "..."`) for records that exceed the 255-character limit of a single TXT string. Parse mode does the reverse: paste any existing DKIM record and see each tag annotated with its purpose.

DNS record name: mail._domainkey.example.com
DKIM TXT record (37 chars):
v=DKIM1; k=rsa; h=sha256; s=email; p=
  • ⚠ Public key (p=) is empty — record will be invalid until you paste one.

DKIM is specified in RFC 6376. The public key is published at `<selector>._domainkey.<domain>` as a TXT record; the matching private key lives on your mail server or signer.

How to use

  1. Choose Build mode and enter your selector (e.g. 'mail', 'google', 's1') and domain.
  2. Pick key type (RSA or Ed25519) and paste the base64 public key — PEM headers (-----BEGIN ...-----) are stripped automatically.
  3. Optionally toggle flags (y = testing, s = strict subdomain) and set service (email / any) and notes.
  4. Copy the record body for your DNS provider. If it exceeds 255 chars, use the DNS-chunked version (quoted strings) — most providers accept it.
  5. Use Parse mode to decode any existing DKIM TXT record into labeled tags.

Frequently asked questions

What is the selector?
A short label you choose that lets a domain publish multiple DKIM keys at the same time — e.g. one for transactional email ('s1') and one for marketing ('mailgun'). It appears as the leftmost label of the DNS name: `selector._domainkey.example.com`. Rotate keys by publishing a new selector and switching the signer.

Why does my record need to be split into multiple quoted strings?
A single DNS TXT string can be at most 255 octets. Modern keys (RSA 2048 and above) produce a base64 body longer than that, so the value is split into multiple adjacent quoted strings. Resolvers concatenate them automatically. The DNS-chunked output here does that split for you.

What's the difference between t=y and t=s?
`t=y` (testing) tells receivers the domain is still trying DKIM out — failures are not significant. Leave it off in production. `t=s` (strict) means the `i=` identifier on signed messages must be in exactly this domain — no subdomain inheritance.

RSA or Ed25519?
RSA 2048 is the universally supported default; pick it unless you're sure your receivers handle Ed25519. Ed25519 produces much shorter records (a single TXT string fits) and uses smaller signatures, but support is still rolling out.
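
The parse, check and DNS-chunking steps described above, as an added Python example (not this tool's own code). The key size is a length-based estimate that assumes a standard SubjectPublicKeyInfo with e=65537; the function names and the sample record are constructed for illustration.

```python
import base64
import re

# Decoded SubjectPublicKeyInfo length in bytes -> RSA modulus bits (assumes e=65537).
SPKI_LEN_TO_BITS = {94: 512, 162: 1024, 294: 2048, 422: 3072, 550: 4096}

def join_txt(raw):
    """Concatenate a TXT record's quoted strings, as a resolver does."""
    parts = re.findall(r'"([^"]*)"', raw)
    return "".join(parts) if parts else raw.strip()

def parse_dkim(raw):
    """Return the record's tags as a dict, in order of appearance."""
    tags = {}
    for item in join_txt(raw).split(";"):
        name, sep, value = item.partition("=")
        if sep:
            tags[name.strip()] = value.strip()
    return tags

def estimate_rsa_bits(p_b64):
    """Estimate the RSA key size from the decoded key length (not a DER parse)."""
    n = len(base64.b64decode(p_b64))
    return SPKI_LEN_TO_BITS[min(SPKI_LEN_TO_BITS, key=lambda size: abs(size - n))]

def lint(tags):
    """Return the findings a reviewer would raise on a parsed key record."""
    findings = []
    if "v" in tags and (next(iter(tags)) != "v" or tags["v"] != "DKIM1"):
        findings.append("v= must be the first tag and must equal DKIM1")
    p = "".join(tags.get("p", "").split())  # base64 may contain folding whitespace
    if "p" not in tags:
        findings.append("p= is missing: the record is invalid")
    elif not p:
        findings.append("p= is empty: receivers treat the key as revoked")
    elif tags.get("k", "rsa") == "rsa" and estimate_rsa_bits(p) < 2048:
        findings.append("RSA key is estimated below 2048 bits")
    if "y" in {flag.strip() for flag in tags.get("t", "").split(":")}:
        findings.append("t=y is set: testing mode, leave it off in production")
    return findings

def chunk_txt(body, size=255):
    """Render a record body as adjacent quoted strings of at most `size` octets."""
    return " ".join(f'"{body[i:i + size]}"' for i in range(0, len(body), size))

# Constructed sample: 294 zero bytes stand in for a 2048-bit RSA key (not a real key).
SAMPLE_P = base64.b64encode(bytes(294)).decode()
SAMPLE = "v=DKIM1; k=rsa; h=sha256; t=y; p=" + SAMPLE_P

if __name__ == "__main__":
    print(lint(parse_dkim(SAMPLE)))
    print(chunk_txt(SAMPLE))
```

Parsing the chunked output gives the same tags as parsing the unsplit body, which is a quick check that a provider's multi-string rendering has not altered the key.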
