Generating DKIM key with openssl

Generating 1024 bit DKIM key

To generate a DKIM key with openssl, do the following - this will generate you a 1024 bit DKIM key:


Your generated public key will remind something like below:

If you need to supply the public.key in the DNS record as follows, you have to "convert" it manually to be in one line, i.e.:


In bind/named compatible format, it will look like below TXT record:

Generating 2048 bit DKIM key

Please note that you may want to use a 2048 bit DKIM key - in this case, use the following openssl commands:


However, 2048 bit public DKIM key is too long to fit into one single TXT record - which can be up to 255 characters. Assuming your full public key is as follows:


...you need to split the text field into parts having 255 characters or less:


There are several limitations to 2048 bit DKIM records:

  • While bind/named supports TXT fields being split into several parts, some DNS hostings may still not support it.
  • If the total size of the DNS record is larger than 512 bytes, it will be sent over TCP, not UDP. Some buggy firewalls may not permit DNS packets over TCP.