How do I generate an a=rsa-sha256 key for DKIM?

Summary

Generating an a=rsa-sha256 key for DKIM involves using OpenSSL. The process typically starts with the command `openssl genrsa -out <your_domain>.private <key_length>`, where `<key_length>` is either 1024 or, more commonly, 2048 for better security. This generates a private key that must be securely stored. To extract the corresponding public key, the command `openssl rsa -in <your_domain>.private -pubout -out <your_domain>.public` is used. This public key is then added to your DNS records. Key length impacts security, with longer keys providing greater security. Be cautious when using online DKIM generators; it is safer to use OpenSSL locally. Many ESPs recommend dkimcore.org for additional information. RFC 6376 specifies the use of RSA for DKIM.

Key findings

  • OpenSSL: OpenSSL is the most recommended tool for generating DKIM keys.
  • Key Length: 2048 key length is generally preferred for enhanced security.
  • Private Key Security: Securely store the generated private key to maintain DKIM integrity.
  • Public Key in DNS: The extracted public key must be correctly placed in the DNS records.

Key considerations

  • Online Generators: Exercise caution when using online DKIM generators due to security risks.
  • Command Syntax: Ensure accurate syntax when using OpenSSL commands to avoid errors.
  • Resource: Refer to dkimcore.org and RFC 6376 for detailed DKIM specifications and guidance.

What email marketers say
8 Marketer opinions

Generating an a=rsa-sha256 key for DKIM primarily involves using OpenSSL. The common command is `openssl genrsa -out <your_domain>.private <key_length>`, where `<key_length>` is either 1024 or 2048 (2048 is recommended for better security). This generates a private key, which must be securely stored. A corresponding public key is then extracted for placement in your DNS records. Caution is advised when using online DKIM generators; creating keys locally using OpenSSL is generally recommended.

Key opinions

  • OpenSSL: OpenSSL is the recommended tool for generating DKIM keys.
  • Key Length: A key length of 2048 is generally recommended for better security.
  • Private Key Security: The private key must be stored securely.
  • Public Key Placement: The public key must be added to your DNS records.

Key considerations

  • Tool Choice: Avoid untrusted online generators; use OpenSSL locally.
  • Command Syntax: Pay careful attention to the OpenSSL command syntax.
  • Key Management: Implement proper key management practices.

Marketer view

Marketer from Email Geeks shares that for key length, the maximum length equals maximum security.

January 2025 - Email Geeks
Marketer view

Marketer from Email Geeks suggests being cautious when using websites to generate DKIM keys, and advises using OpenSSL to create a script for generating your own keys.

June 2022 - Email Geeks
Marketer view

Email marketer from StackExchange responds to a user, stating that you should generate your public and private keys with OpenSSL using the following command: `openssl genrsa -out example.com.private 1024`.

September 2023 - StackExchange
Marketer view

Email marketer from EmailOnAcid explains that to generate a DKIM key using OpenSSL, the command to use is `openssl genrsa -out domain.private 2048`. This command creates the private key; a corresponding public key can then be extracted for use in your DNS settings.

July 2021 - EmailonAcid
Marketer view

Email marketer from EasyDMARC explains that the process of generating DKIM keys with OpenSSL involves using the command `openssl genrsa -out yourdomain.private 2048`. They also highlight the importance of securing the private key.

June 2021 - EasyDMARC
Marketer view

Email marketer from MXToolbox explains that DKIM keys are generated using a cryptographic algorithm, and OpenSSL is commonly used with commands similar to `openssl genrsa -out private.key 2048`. This tool generates a private key to be kept secret and a public key for DNS records.

March 2024 - MXToolbox
Marketer view

Email marketer from AuthSMTP advises using OpenSSL to generate the DKIM key. The command they recommend is `openssl genrsa -out private.pem 2048`, noting that the private key must be securely stored and the public key added to your DNS records.

December 2022 - AuthSMTP
Marketer view

Email marketer from Reddit shares that when generating the DKIM key, a key size of 2048 is recommended for better security, using the `openssl genrsa -out dkim.private 2048` command.

December 2023 - Reddit

What the experts say
2 Expert opinions

Generating an a=rsa-sha256 key for DKIM primarily involves using OpenSSL to create the key. Many Email Service Providers (ESPs) direct customers to dkimcore.org for further information. The process includes using a command such as `openssl genrsa -out example.com.private 2048` to generate the private key, which should be kept secret. After generating the private key, you need to extract the public key, which is then published in your DNS record.

Key opinions

  • OpenSSL: OpenSSL is the tool to generate a private key for DKIM.
  • Key Length: A key length of 2048 or more is typically recommended when generating the key.
  • Key Pair: You need a private and public key pair. The private key is kept secret, the public key is in your DNS.

Key considerations

  • Resource: DKIMCore.org is a recommended resource for further DKIM information.
  • Private Key Security: The private key needs to be securely stored and not exposed.

Expert view

Expert from Spam Resource (John Levine) explains that generating an RSA key for DKIM typically involves using OpenSSL with a command like `openssl genrsa -out example.com.private 2048`. This creates a private key, and you then extract the public key for your DNS record.

October 2023 - Spam Resource
Expert view

Expert from Email Geeks mentions that many ESPs direct customers to dkimcore.org for DKIM information and shares a link to the specification page.

November 2021 - Email Geeks

What the documentation says
4 Technical articles

Generating an a=rsa-sha256 key for DKIM involves using OpenSSL. The primary command is `openssl genrsa -out <your_domain>.private <key_length>`, where `<key_length>` is typically 1024 or 2048. This creates a private key. The corresponding public key is extracted using `openssl rsa -in <your_domain>.private -pubout -out <your_domain>.public`. The public key is then added to your DNS records. RFC 6376 specifies the use of RSA for DKIM but leaves the specific implementation details to standard practices and tools like OpenSSL.
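The two-step procedure above (the same one the Summary describes) carried through as an added example, not code from the page or from any of the vendors it cites: it generates the key pair with OpenSSL, derives the DNS TXT value from the public key, confirms the modulus size, and formats the record for a zone file. It assumes `openssl` is installed; the domain, selector and output directory are illustrative.

```shell
#!/bin/sh
# Added example, not code from the page or any vendor it cites. It runs the
# page's two OpenSSL steps and derives the DNS TXT value; the domain, selector
# and output directory passed in below are illustrative.
set -eu

# dkim_keygen DOMAIN BITS OUTDIR
# Writes OUTDIR/DOMAIN.private (secret, mode 0600) and OUTDIR/DOMAIN.public,
# then prints the DKIM TXT record value built from the public key.
dkim_keygen() {
  domain=$1; bits=$2; outdir=$3
  priv="$outdir/$domain.private"; pub="$outdir/$domain.public"
  mkdir -p "$outdir"
  # Subshell so the restrictive umask applies only to the private key write.
  ( umask 077; openssl genrsa -out "$priv" "$bits" 2>/dev/null )
  # The public key is the only part that leaves the host (into DNS).
  openssl rsa -in "$priv" -pubout -out "$pub" 2>/dev/null
  # p= is the base64 SubjectPublicKeyInfo with PEM armour and newlines removed.
  p=$(grep -v '^-----' "$pub" | tr -d '\n')
  printf 'v=DKIM1; k=rsa; p=%s\n' "$p"
}

# dkim_key_bits PRIVATE_KEY -> modulus size in bits, to confirm what was made
dkim_key_bits() {
  openssl rsa -in "$1" -noout -text 2>/dev/null |
    sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p'
}

# dkim_zone_record SELECTOR DOMAIN RECORD -> zone-file TXT RR
# A TXT string is capped at 255 bytes (RFC 1035) and a 2048-bit key yields a
# 392-character p= value, so the value is split into quoted strings that
# resolvers concatenate.
dkim_zone_record() {
  selector=$1; domain=$2; rest=$3
  printf '%s._domainkey.%s. IN TXT (' "$selector" "$domain"
  while [ -n "$rest" ]; do
    chunk=$(printf '%s' "$rest" | cut -c1-255)
    printf ' "%s"' "$chunk"
    rest=${rest#"$chunk"}
  done
  printf ' )\n'
}

# Stand-alone run: 2048-bit key in a temp dir, then the record for selector sel2025.
dir=$(mktemp -d)
rec=$(dkim_keygen example.com 2048 "$dir")
echo "key bits: $(dkim_key_bits "$dir/example.com.private")"
dkim_zone_record sel2025 example.com "$rec"
```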

Key findings

  • OpenSSL: OpenSSL is the standard tool for generating DKIM keys.
  • Private Key Generation: The command `openssl genrsa` generates the private key.
  • Public Key Extraction: The command `openssl rsa` extracts the public key from the private key.
  • RFC 6376: RFC 6376 defines the use of RSA for DKIM but defers to standard practices for key generation.

Key considerations

  • Key Length: Adjust the key length (1024 or 2048) as needed for security requirements.
  • DNS Record: Ensure the extracted public key is correctly added to your DNS records.
  • Security: Keep the private key secure.

Technical article

Documentation from dkimcore.org explains that DKIM keys can be generated using OpenSSL with commands like `openssl genrsa -out example.com.private 1024` to generate a private key and `openssl rsa -in example.com.private -pubout -out example.com.public` to extract the public key.

June 2023 - dkimcore.org
Technical article

Documentation from OpenSSL Wiki details that to generate an RSA key for DKIM using OpenSSL, you use `openssl genrsa -out dkim.private 2048` (adjust 2048 for key length).

August 2021 - OpenSSL Wiki
Technical article

Documentation from RFC 6376 (section 3.1) specifies the use of RSA for DKIM and implies the usage of standard tools like OpenSSL to generate the necessary private and public key pairs. The document outlines the requirements for key length but doesn't provide specific commands, deferring to standard cryptographic practices.

May 2022 - RFC-Editor
Technical article

Documentation from Mailhardener explains how to create a DKIM record with OpenSSL: use the command `openssl genrsa -out example.com.private 2048` to generate the private key, then extract the public key using `openssl rsa -in example.com.private -pubout -out example.com.public`. The public key is then used in your DNS record.

August 2024 - Mailhardener.com