Free local DKIM tool
Generate a DKIM key pair without sending the private key anywhere.
Create RSA 2048, 3072, or 4096-bit keys—or Ed25519 when your browser and signing platform support it—then export the signer key, public key, and exact DNS publication record.
Browser-only generation
WebCrypto creates the pair in this tab. No key material is uploaded, stored, logged, or backed up by MailDNS.
Correct key encodings
Export PKCS#8 private PEM, SPKI public PEM, RSA SPKI DER for DNS, or the raw 32-byte Ed25519 DNS key.
Exact DNS output
Copy one logical TXT value or a BIND-style record split into character-strings no larger than 255 octets.
Private-key boundary
- • The key is extractable because you asked to export it.
- • MailDNS does not send, persist, log, or back up the key.
- • Browser extensions, malware, injected scripts, clipboard managers, downloads, and screenshots remain outside this tool's control.
- • Clearing the UI drops its references, but JavaScript cannot promise immediate memory erasure by the browser.
Safe deployment sequence
- 1. Store the private key in the signing system.
- 2. Publish the matching TXT record under a new selector.
- 3. Wait for DNS propagation and verify the public key.
- 4. Start signing with the new selector and inspect a real message.
- 5. Retire the old selector only after the overlap window.
A published key does not prove that mail is signed, aligned, accepted, delivered, or placed in the inbox.
Encoding references
RSA DNS output follows the SPKI public-key export used in the DKIM reference example. Ed25519 DNS output follows RFC 8463 and uses only the raw 32-byte public key. For compatibility, deploy Ed25519 on a parallel selector rather than mixing algorithms under one selector.