Learn how to set up email authentication with the DKIM record generator MxToolbox. Follow simple steps to protect your domain and improve deliverability.
If you’re ready to stop guessing and start securing your email channel, you’re in the right place.
This guide is a no-fluff, actionable walkthrough for creating and implementing a DKIM record from start to finish. We will focus on one of the most reliable and user-friendly tools available for the job: the MxToolbox DKIM record generator.
You will learn how to generate your unique public and private keys, how to correctly format the record for your DNS provider, and most importantly, how to test your setup to confirm it’s working.
This is a foundational step for anyone serious about email marketing, as it directly impacts your ability to reach the inbox and protect your brand’s reputation.
Key Takeaways
- DKIM acts as your email's digital signature: It uses a public and private key system to prove your messages are authentic and unaltered, a critical step for building trust with mailbox providers and protecting your sender reputation.
- The setup process is a straightforward copy-and-paste job: You simply generate your DKIM record with a tool, add the new TXT record to your domain's DNS settings, and then use a lookup tool to verify that everything is working correctly.
- Treat email authentication as an ongoing strategy: DKIM is most powerful when paired with SPF and DMARC. To maintain strong deliverability, make a habit of regularly auditing your records and rotating your keys to keep your security tight.
What is DKIM? (And Why It's Crucial for Email Authentication)
Think of DKIM (DomainKeys Identified Mail) as a digital seal on your emails.
It’s a form of email authentication that proves two critical things: that the email was actually sent by your company and that its contents haven't been altered in transit. When you send an email, this digital signature is added to the message header, acting as a sign of legitimacy.
For receiving mail servers like Gmail and Outlook, this signature is a major trust signal. It helps them distinguish your genuine campaigns from phishing attempts or spam that might be spoofing your domain.
Getting this right is a foundational step for any business that relies on email.
Properly authenticated mail is far more likely to land in the inbox, which is essential for protecting your brand and ensuring your messages get seen.
How DKIM Uses Digital Signatures
The magic behind DKIM lies in a pair of cryptographic keys: one private and one public.
The private key stays on your server and is used to create a unique digital signature for every email you send. This signature is a complex string of characters added to the email's header.
The public key is the other half of the pair, and you publish it in your domain’s DNS records for the world to see.
When an email server receives your message, it looks up your public key. It then uses that key to verify the signature attached to the email. If the signature verifies, the server knows the email is authentic and hasn't been tampered with. This entire process happens in seconds, providing a seamless layer of security.
Protect Your Sender Reputation and Deliverability
Setting up DKIM isn't just a technical box to check; it's a direct investment in your sender reputation.
Mailbox providers want to deliver emails their users can trust, and a valid DKIM signature is a powerful signal of that trust. Authenticated mail has a much better chance of reaching the inbox, which directly impacts your campaign performance and ROI.
Beyond improving inbox placement, DKIM is also a prerequisite for implementing DMARC, a policy that tells servers what to do with unauthenticated mail.
Together, these protocols form a strong defense against spoofing and phishing attacks that could damage your brand. Consistently monitoring your email deliverability ensures these technical setups are working correctly and protecting your ability to connect with customers.
What's Inside a DKIM Record?
At first glance, a DKIM record can look like a random string of characters. But it’s actually a highly structured DNS TXT record that holds specific instructions for mail servers.
Think of it as a digital ID card for your emails. This record contains a public key that receiving servers use to verify that an email was actually sent by you and that its contents haven't been tampered with along the way.
It’s a core part of modern email authentication, working alongside SPF and DMARC to protect your domain from being used for phishing and spam.
The record is made up of several "tags," which are just small bits of information formatted as tag=value pairs. The most important ones are the v= tag, which specifies the DKIM version (it will almost always be v=DKIM1), the k= tag for the key type (usually RSA), and the p= tag, which contains the long string of characters that is your public key.
When a mail server receives your email, it looks for this record in your DNS to find the public key and run its verification check. Getting this record right is a foundational step in building a strong sender reputation and ensuring your messages land in the inbox. Without it, you're leaving a door open for bad actors and telling mailbox providers that your emails might not be trustworthy.
How Public and Private Keys Work Together
The magic of DKIM lies in a cryptographic method called public-key cryptography. When you set up DKIM, you generate a pair of digital keys: one private and one public. The private key stays on your sending mail server, and you should guard it carefully.
This key is used to create a unique digital signature for every email you send. This signature is computed over a hash of the email's content and headers, and it gets attached to the email before it leaves your server.
The public key is the one you publish in your DKIM record for the world to see. When a receiving mail server gets your email, it fetches this public key from your DNS. It then uses the key to verify the signature.
If the signature verifies and matches the email's content, the server knows two things: the email genuinely came from your domain, and it wasn't altered in transit.
Set Up DKIM Selectors for Your Domain
A DKIM selector is a simple label that helps receiving servers find the correct public key for a given email. Why do you need one? Most businesses don't send all their emails from a single place. You might use Google Workspace for your team's emails, a platform like Mailchimp for marketing newsletters, and another service for transactional messages.
Each of these services needs its own DKIM key pair to sign emails on your behalf.
The selector acts like a pointer. For example, you might create a selector called "google" for your Google Workspace emails and another called "mc" for Mailchimp. These selectors are included in the email's signature, telling the receiving server exactly which DNS record to look up for the right public key.
This is why it's critical to have a clear view of your entire email infrastructure and ensure every sending service is properly authenticated.
Choose the Right Key Length for Security
When you generate your DKIM key pair, you'll need to choose a key length, typically 1024 or 2048 bits. The length determines how difficult the key is to crack through brute force.
While 1024-bit keys were once the standard, they are now considered less secure. The current industry best practice is to use 2048-bit keys for much stronger signatures. A longer key provides better protection against spoofing and helps future-proof your email security.
Before generating your key, check if your DNS provider supports 2048-bit keys, as some older systems may have limitations. Whenever possible, opt for 2048 bits. Setting up strong authentication from the start is one of the best ways to protect your domain's reputation. If you're managing a complex setup or need guidance, working with an email deliverability consultant can help you implement these best practices correctly.
How Does the MxToolbox DKIM Generator Work?
Think of the MxToolbox DKIM generator as your friendly guide to setting up email authentication.
Its main job is to create the cryptographic keys that form the foundation of your DKIM signature, but its real value lies in how it simplifies the entire process. Instead of leaving you to figure out the technical details on your own, MxToolbox provides a clear path for implementation and tools to check your work along the way.
The process starts with generating a unique public and private key pair for your domain. The private key is kept secret on your email server and is used to create a digital signature for every email you send.
The public key is published in your domain’s DNS records for the world to see. When a recipient's email server gets your message, it looks up your public key to verify that the signature is authentic and that the email hasn't been tampered with.
MxToolbox not only generates these keys but also gives you the tools to make sure they’re set up correctly.
Why MxToolbox Makes It Easy
Let’s be honest, tinkering with DNS records can be nerve-wracking. One small typo can cause big problems for your email delivery.
MxToolbox is popular because it makes the process feel less intimidating. It provides a straightforward interface that walks you through generating your DKIM record without needing a deep understanding of cryptography. This user-friendly approach is perfect for marketers, small business owners, or IT generalists who need to secure their email without a steep learning curve.
For those who want an expert to handle it all, our email deliverability consulting team can manage the entire setup for you.
Key Features of the MxToolbox Generator
At its core, the MxToolbox generator creates the essential public/private key pair needed for DKIM.
You input your domain name and a selector (a label to help identify the key), and the tool produces the exact DNS record you need to publish. But it’s more than just a one-trick pony. The generator is part of a larger suite of diagnostic tools designed to validate your entire email setup.
This integrated approach helps you see how DKIM fits into your broader email deliverability ecosystem and ensures all the technical pieces are working together correctly.
Get Instant Validation and Error Checks
Generating a DKIM record is only half the battle; you also have to confirm it’s working correctly.
This is where MxToolbox really shines.
After you’ve added the record to your DNS, you can use their free DKIM Record Check tool to perform a DNS lookup and verify that your public key is published correctly. This gives you instant feedback, helping you catch common syntax errors or copy-paste mistakes right away. While manual checks are great for setup, consistent email deliverability monitoring is key to catching configuration drift and ensuring your messages always pass authentication checks long-term.
Generate Your DKIM Record with MxToolbox (Step-by-Step)
Creating a DKIM record might sound like a job for a developer, but it’s a task you can absolutely handle yourself.
Think of it as giving your emails a digital signature that proves they’re really from you. This process is a fundamental part of authenticating your emails and showing inbox providers like Gmail and Outlook that your messages are legitimate.
Getting this right is a huge step toward building a strong sender reputation and keeping your emails out of the spam folder.
Once your authentication is set up, you can use a platform to monitor your email deliverability and ensure your messages consistently land where they belong. Let’s walk through how to generate your record right now.
Step 1: Find the DKIM Generator Tool
First things first, you’ll need to open the right tool for the job. Head over to the MxToolbox website to find their DKIM Record Generator.
This tool is designed to do all the complex cryptographic work for you, so you don’t have to worry about generating public and private keys from scratch. It provides a simple interface that takes the guesswork out of the process.
By using a trusted generator, you can be confident that the record you create is correctly formatted and ready to be added to your DNS settings. This is the starting point for making sure your emails are properly signed and authenticated by receiving mail servers.
Step 2: Enter Your Domain and Selector
Once you’re on the generator page, you’ll see two fields: one for your domain name and one for a selector. Your domain is straightforward: it’s just your website address (e.g., yourcompany.com).
The selector is essentially a name you give to this specific DKIM key. It helps differentiate between different keys if you use multiple email services. A common practice is to name it after your email service provider or based on the date, like google or q12024. You can enter this information in two ways: either type your domain followed by a colon and the selector (yourcompany.com:google) or enter the full hostname.
Accuracy here is key, as it tells the tool exactly what record to create.
Step 3: Generate and Copy Your Record
After entering your domain and selector, click the button to generate the record. The tool will instantly produce your DKIM record, which includes the public key.
This public key is what receiving email servers will use to verify that your emails are authentic and haven't been tampered with. The private key generated alongside it belongs only on your sending mail server and is never published in DNS. The output will be presented as a TXT record that’s ready for you to use. Your next move is to carefully copy the entire generated record. Be sure to select everything, as even a small mistake or a missing character will cause the authentication to fail.
Once you have it copied, you’re ready for the next phase: adding it to your DNS provider.
How to Add the DKIM Record to Your DNS
You’ve successfully generated your DKIM record, and now it’s time to put it to work. The next step is adding this record to your domain’s DNS (Domain Name System) settings. Think of your DNS as your domain’s address book on the internet. By adding the DKIM record here, you’re publicly announcing the key that mail servers can use to verify your emails.
While the exact steps can vary slightly depending on your domain provider (like GoDaddy, Cloudflare, or Namecheap), the core process is the same everywhere. You’ll be logging into your provider’s dashboard, finding the right settings, and adding a new entry. It might sound technical, but it’s a straightforward copy-and-paste job. We’ll walk through exactly what you need to do to get it set up correctly.
Find Your DNS Management Panel
First things first, you need to find where your DNS records live.
This is usually called the DNS Management Panel, DNS Editor, or something similar. To get there, log into the account where you purchased your domain name. Look for a section related to "Domains," "My Domains," or "DNS."
Once you’re in the right place, you’ll see a list of your current DNS records, which might include A, CNAME, and MX records. This is the control panel where you can add, edit, and delete entries.
Getting to this page is the essential first step, as it gives you access to the settings needed to publish your new DKIM key.
Create a New TXT Record
Now that you're in your DNS management panel, look for an option to "Add a new record" or "Create a record." From the list of record types, select "TXT." This is the standard format for DKIM records. You'll see a few fields to fill in, usually labeled "Host" (or "Name") and "Value" (or "Content").
Go back to the record you generated with MxToolbox.
Copy the first part, which includes your selector and domain (e.g., selector1._domainkey.yourdomain.com), and paste it into the "Host" field. Then, copy the long string of characters that starts with v=DKIM1; and paste it into the "Value" field. Double-check that you’ve copied everything correctly, then save your new record.
Verify Your DNS Record Has Propagated
After you save the new TXT record, it needs to propagate. This means it can take some time for servers across the internet to see your update.
While it’s often quick, propagation can sometimes take up to 48 hours.
You don’t have to just wait and hope it worked. You can use a DKIM lookup tool to check if your record is visible online. Once it’s live, it’s a great time to run a comprehensive email deliverability test to see how your new authentication measures are performing. This confirms that your DKIM setup is correct and contributing positively to your sender reputation.
If the record doesn’t appear after a day or two, go back and check for any typos in the Host or Value fields.
Common DKIM Setup Issues (And How to Fix Them)
Setting up DKIM is usually straightforward, but sometimes things don't work on the first try. Don't worry, this is completely normal. Most DKIM issues come down to a few common culprits that are surprisingly easy to fix once you know what to look for.
From a simple typo in your DNS record to a mismatch with a third-party sending service, a small error can prevent your emails from being authenticated correctly.
Think of it as a pre-flight check for your email campaigns. By running through these common problems, you can diagnose the issue quickly and get your emails back on track to the inbox.
Let's walk through the most frequent setup hiccups and how to solve them.
Fix Common DNS and Syntax Errors
One of the most frequent issues with DKIM is a simple copy-and-paste error.
Your DKIM record is a long string of characters, and it’s incredibly easy for a typo or an extra space to sneak in when you're adding it to your DNS. Even a single incorrect character can cause the entire validation to fail.
The fix is simple: be meticulous.
Double-check every character in the TXT record you've added to your DNS provider. Make sure there are no line breaks or extra spaces. To be absolutely sure, you can use a tool like the free MxToolbox DKIM Record Check to verify that your public key is published correctly and the syntax is perfect.
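A linter for the record checks described here, covering the tag=value structure, the copy-and-paste mistakes above and the 1024 versus 2048-bit key length (an added example, not MxToolbox's code or part of the original article). It assumes an RSA key in the usual SubjectPublicKeyInfo encoding; `lint_dkim_record`, `rsa_bits` and `sample_record` are hypothetical names, and the sample records wrap a constructed dummy modulus, not a usable key.

```python
import base64
import re

RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption, 1.2.840.113549.1.1.1
RECOMMENDED_BITS = 2048  # key length the article recommends


def read_tlv(buf, pos):
    """Read one DER element at pos; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits count the length bytes that follow
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length


def rsa_bits(spki_der):
    """Modulus size in bits of an RSA key in SubjectPublicKeyInfo form."""
    _, spki, _ = read_tlv(spki_der, 0)
    _, alg, pos = read_tlv(spki, 0)
    tag, oid, _ = read_tlv(alg, 0)
    if tag != 0x06 or oid != RSA_OID:
        raise ValueError("not an RSA key")
    _, bitstr, _ = read_tlv(spki, pos)
    _, rsakey, _ = read_tlv(bitstr[1:], 0)  # skip the unused-bits byte
    tag, modulus, _ = read_tlv(rsakey, 0)
    if tag != 0x02:
        raise ValueError("modulus is not an INTEGER")
    return int.from_bytes(modulus, "big").bit_length()


def lint_dkim_record(txt):
    """Return (key_bits_or_None, problems) for a DKIM TXT value."""
    problems = []
    # Lookup tools print long TXT values as several quoted chunks; join them.
    chunks = re.findall(r'"([^"]*)"', txt)
    value = "".join(chunks) if chunks else txt.strip()
    tags = {}
    for part in filter(str.strip, value.split(";")):
        name, sep, val = part.partition("=")
        if not sep:
            problems.append(f"not a tag=value pair: {part.strip()!r}")
            continue
        tags[name.strip()] = val.strip()
    if "v" in tags and (tags["v"] != "DKIM1" or next(iter(tags)) != "v"):
        problems.append("v= must be DKIM1 and come first")
    if tags.get("k", "rsa") != "rsa":
        problems.append(f"k={tags['k']}: not RSA, key size not checked")
        return None, problems
    if "p" not in tags:
        problems.append("missing p= (public key)")
        return None, problems
    p = tags["p"]
    if p == "":
        problems.append("p= is empty, which marks the key as revoked")
        return None, problems
    if re.search(r"\s", p):
        problems.append("whitespace inside p= (likely a pasted line break)")
        p = re.sub(r"\s+", "", p)
    try:
        bits = rsa_bits(base64.b64decode(p, validate=True))
    except (ValueError, IndexError):  # bad base64 or a cut-off key
        problems.append("p= is not a complete base64 RSA public key")
        return None, problems
    if bits < RECOMMENDED_BITS:
        problems.append(f"{bits}-bit key, below the recommended {RECOMMENDED_BITS}")
    return bits, problems


def der(tag, body):
    """Encode one DER element (used only to build the constructed samples)."""
    n = len(body)
    head = bytes([n]) if n < 0x80 else None
    if head is None:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        head = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + head + body


def sample_record(bits):
    """Constructed sample: well-formed record around a dummy modulus."""
    modulus = b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    rsakey = der(0x30, der(0x02, modulus) + der(0x02, b"\x01\x00\x01"))
    alg = der(0x30, der(0x06, RSA_OID) + der(0x05, b""))
    spki = der(0x30, alg + der(0x03, b"\x00" + rsakey))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()
```

A 2048-bit record is longer than the 255 characters a single TXT string can hold, so lookup output usually shows it as several quoted chunks; the linter joins those before checking.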
Troubleshoot Selector and Public Key Mismatches
If your syntax is correct but DKIM is still failing, the next place to look is your selector.
The DKIM selector is like a signpost in your email header that tells receiving servers which public key to use for verification. If the selector used by your mail server doesn't exactly match the one in your DNS record, the server won't be able to find the key.
First, confirm that your mail server is configured to use the correct selector. Then, check that the DKIM record in your DNS is publicly accessible and matches that selector precisely. Consistent email deliverability monitoring can help you spot these kinds of technical misalignments before they impact your sender reputation.
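The selector check described above, as an added example that is not part of the original article: it reads the `s=` (selector) and `d=` (domain) tags from each DKIM-Signature header, builds the DNS name a receiver would query, and compares it with the records you have published. The message and the `PUBLISHED` set are constructed samples standing in for a real email and a real DNS lookup, and the function names are hypothetical.

```python
from email import message_from_string

# Constructed sample message: two services signed it, one with a selector
# ("mc2") that was never published in DNS.
RAW = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yourcompany.com;
 s=google; h=from:to:subject; bh=CONSTRUCTED; b=CONSTRUCTED
DKIM-Signature: v=1; a=rsa-sha256; d=yourcompany.com; s=mc2;
 h=from:subject; bh=CONSTRUCTED; b=CONSTRUCTED
From: news@yourcompany.com
Subject: constructed sample

body
"""

# Constructed stand-in for the TXT record names that exist in your DNS zone.
PUBLISHED = {
    "google._domainkey.yourcompany.com",
    "mc._domainkey.yourcompany.com",
}


def signature_tags(header_value):
    """Split one DKIM-Signature header value into its tag=value pairs."""
    tags = {}
    for part in header_value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(val.split())  # drop folding whitespace
    return tags


def key_lookups(raw_message):
    """DNS names a receiver queries, one per DKIM-Signature header."""
    msg = message_from_string(raw_message)
    names = []
    for value in msg.get_all("DKIM-Signature", []):
        tags = signature_tags(value)
        if "s" in tags and "d" in tags:
            # DNS names are case-insensitive, so compare in lower case.
            names.append(f"{tags['s']}._domainkey.{tags['d']}".lower())
    return names


def selector_report(raw_message, published):
    """Map each lookup name to 'found', or to the selectors that do exist
    for that domain when the one in the signature is not published."""
    report = {}
    for name in key_lookups(raw_message):
        if name in published:
            report[name] = "found"
            continue
        suffix = "._domainkey." + name.split("._domainkey.", 1)[1]
        report[name] = sorted(
            n[: -len(suffix)] for n in published if n.endswith(suffix)
        )
    return report


if __name__ == "__main__":
    for name, result in selector_report(RAW, PUBLISHED).items():
        print(name, "->", result)
```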
Solve ESP Compatibility Issues
Do you use different platforms to send emails? Maybe one for marketing newsletters and another for transactional receipts?
If so, each one needs its own DKIM setup. Many businesses forget that every third-party service sending email on their behalf, from CRMs to help desks, must be authorized with a unique DKIM record.
To solve this, make a list of every tool and service that sends email for your domain. Go through each one and follow their specific instructions for setting up DKIM. This ensures that no matter which platform sends the message, it carries your domain’s verified signature.
Properly configuring all your sending sources creates a unified, trustworthy identity that inbox providers will recognize and respect.
Did It Work? How to Test Your DKIM Setup
You’ve gone through the steps to generate your DKIM record and add it to your DNS.
Great job!
But how do you know if it’s actually working? Simply setting it up isn’t enough. You need to verify that mailbox providers can find and use your DKIM record to authenticate your emails. If they can't, all your hard work won't protect your sender reputation or improve your inbox placement.
Fortunately, you don’t have to guess.
There are free, straightforward tools that can check your work in seconds. Running a quick test confirms that your digital signature is correctly configured and publicly accessible. This simple verification step is the final piece of the puzzle, ensuring your emails are properly authenticated and ready to land in the inbox. Think of it as proofreading your work before hitting send. It catches small errors that can cause big problems down the line.
Use the MxToolbox DKIM Lookup Tool
One of the easiest ways to check your setup is with the MxToolbox DKIM Lookup tool. This free utility lets you look up your DKIM record using your domain and the specific selector you created. It checks whether your public key is published correctly in your DNS and is accessible to receiving mail servers. Just enter your information, and the tool will retrieve the record for you to review. This is a perfect first step to confirm that the TXT record you added to your DNS is live and configured as you intended.
It’s a quick, direct way to see exactly what email providers see when they check your authentication.
Check Your Email Authentication Status
Beyond just looking up the record, you can also get a clear pass-or-fail grade on your setup. The DKIM Check tool from MxToolbox is designed for this exact purpose. It confirms whether the digital signature for your emails is correctly set up for your domain. Instead of just showing you the record, this tool analyzes it to determine if it’s valid and functional. This gives you immediate confirmation that your DKIM authentication is working as it should.
If you get a green light here, you can be confident that your emails are being properly signed and can be verified by recipients.
What to Do If Your Validation Fails
If your DKIM check comes back with an error, don’t panic. The fix is usually simple. One of the most common issues is a small typo or syntax error in the public key record you added to your DNS. Go back and double-check your DKIM TXT record for accuracy, paying close attention to every character. Another frequent problem is that the public key isn't published correctly. If receiving servers can't find your DKIM record in the DNS, they can't verify your signature. Make sure your record exists and is publicly accessible. While these manual checks are helpful, a comprehensive email deliverability test can help you spot these and other issues before they impact your campaigns.
Beyond DKIM: Tools for Complete Email Security
Setting up DKIM is a fantastic step toward better email security, but it’s most powerful when it’s part of a complete authentication strategy.
Think of it as one lock on a door that really needs three. To fully protect your sender reputation and ensure your emails consistently land in the inbox, you need to pair DKIM with other protocols and make monitoring a regular habit. This approach moves you from a simple setup to a robust, long-term email health plan that protects your most valuable communication channel.
Pair DKIM with DMARC and SPF
DKIM works best alongside two other email authentication standards: SPF and DMARC. Together, they form a powerful trio that verifies your identity to mailbox providers.
SPF (Sender Policy Framework) specifies which mail servers are authorized to send email on behalf of your domain. DMARC (Domain-based Message Authentication, Reporting, and Conformance) then tells receiving servers what to do with messages that fail SPF or DKIM checks, like sending them to spam or rejecting them outright.
By implementing all three, you create a layered defense that makes it extremely difficult for phishers to impersonate your domain. This not only protects your brand but also significantly improves your deliverability.
The recommended order is to configure SPF and DKIM first, then implement DMARC to enforce your policies without accidentally blocking legitimate mail.
Continuously Monitor Your Email Health
Email authentication isn't a "set it and forget it" task. Your DNS records can change, keys need to be updated, and configurations can drift over time, leading to unexpected authentication failures.
Regularly auditing your records ensures your messages always pass authentication checks and make it safely to the inbox. This proactive approach helps you catch small issues before they become major delivery problems that hurt your campaign performance.
While one-time checks are useful for the initial setup, a dedicated platform gives you the ongoing visibility you need. With a comprehensive tool, you can get real-time alerts on your domain health and sender reputation. Folderly’s email deliverability monitoring provides a complete overview, helping you maintain perfect email health and ensure your campaigns perform reliably.
How to Maintain Your DKIM Records for the Long Haul
Setting up DKIM is a huge step, but it’s not a one-and-done task.
Think of it like tending to a garden; it needs regular care to stay healthy. Over time, things can change in your email infrastructure or DNS settings that might break your DKIM signature without you even realizing it. Maintaining your records ensures your emails consistently pass authentication checks, protecting your sender reputation and keeping your messages out of the spam folder. Here’s how to stay on top of it for the long haul.
Set a Schedule for Regular Audits
The best way to prevent DKIM issues is to catch them before they cause problems. I recommend setting a recurring calendar reminder, maybe once a quarter, to audit your DNS records. During this check, you’ll want to confirm that your DKIM record is still published correctly and that the syntax is accurate. Configuration drift is common, especially on teams where multiple people have access to DNS settings. A quick, regular audit ensures your messages always pass authentication and land safely in the inbox. You can use an email deliverability test to quickly check your DKIM, SPF, and DMARC configurations and spot any issues.
Rotate Your Keys to Stay Secure
Rotating your DKIM keys is a critical security practice.
Just as you wouldn’t use the same password forever, you shouldn’t use the same cryptographic key indefinitely. Rotating your keys, perhaps every six months or once a year, minimizes the risk if your private key is ever compromised. An old, compromised key could allow malicious actors to send emails that appear to come from you. Furthermore, some keys can have expiration dates, and an expired key will cause immediate signature failures.
By regularly generating a new key pair and updating your DNS, you maintain a strong security posture and ensure your email authentication remains unbroken.
Build a Full Email Authentication Strategy
While DKIM is powerful, it works best as part of a team.
A complete email authentication strategy includes SPF and DMARC working alongside DKIM. SPF (Sender Policy Framework) specifies which mail servers are authorized to send email for your domain. DKIM, as we’ve covered, verifies the message itself hasn’t been altered. DMARC (Domain-based Message Authentication, Reporting, and Conformance) then tells receiving servers what to do if a message fails SPF or DKIM checks.
Implementing all three gives you a layered defense against phishing and spoofing. It also demonstrates to inbox providers that you’re a legitimate sender, which is essential for strong deliverability. Continuous email deliverability monitoring helps you keep all these protocols aligned.
Frequently Asked Questions
What happens if I skip setting up DKIM?
If you don't set up DKIM, you're essentially sending emails without a seal of authenticity. Mailbox providers like Gmail and Outlook will view your messages with more suspicion, which often leads to them landing in the spam folder instead of the inbox. It also leaves your domain vulnerable to being spoofed by phishers, who could impersonate your brand and damage your reputation.
Can you explain the difference between DKIM, SPF, and DMARC in a nutshell?
Of course. Think of them as three layers of security. SPF is like a guest list for your domain; it tells servers which IP addresses are allowed to send email on your behalf. DKIM is a digital signature that acts as a tamper-proof seal, proving the email's content hasn't been altered. DMARC is the security policy that tells servers what to do if an email fails either the SPF or DKIM check, like sending it to spam or rejecting it completely.
How often should I rotate my DKIM keys?
Rotating your DKIM keys is a great security habit. A good rule of thumb is to generate a new key pair and update your DNS record every six to twelve months. This practice minimizes the risk if your private key is ever compromised, ensuring that your domain's signature remains secure and trustworthy over time.
Can I have multiple DKIM records for my domain?
Yes, and it's actually very common. Most businesses use different services to send email, such as a marketing platform, a CRM, and a transactional email provider. Each of these services will require its own unique DKIM record. You use DKIM selectors to create distinct records for each sending source, ensuring all your legitimate mail is properly authenticated.
My DKIM check failed. What's the very first thing I should check?
The most common reason for a failed DKIM check is a simple copy-and-paste error. Before you do anything else, go back to your DNS provider and carefully compare the record you entered with the one you generated. Even a single extra space or a missing character in the host or value fields can cause the entire authentication to fail.
