Set up DKIM

DKIM helps protect your domain against spoofing by authenticating your email with a DKIM signature. Set up DKIM by generating a public DKIM key and adding it to your domain. Receiving servers use your public DKIM key to read the DKIM signature and authenticate messages they get from your domain.

How does DKIM work?

To set up DKIM, you generate a pair of DKIM keys for your domain:

1. The sender's email server holds the private key.
2. The sender's DKIM TXT record publishes the public key.
3. The sender's server uses the private key to add a DKIM signature to the header of outgoing email.
4. Email is sent to the receiver's domain.
5. Receiver's email server gets the public key from the DKIM TXT record and uses the key to read the DKIM signature and authenticate the email.

Step 1: Generate a DKIM key pair

You must be signed in as a super administrator for this task.

Important: In Google Workspace, after you turn on Gmail for your organization, you must wait 24–72 hours before you can get your DKIM key in the Admin console. If you try to generate a key before this time, you might get an error that the DKIM record was not created.

  1. In the Google Admin console, go to Menu > Apps > Google Workspace > Gmail.
    Requires having the Gmail Settings administrator privilege.
  2. Click Authenticate email.
  3. In the Selected domain menu, select the domain where you want to set up DKIM.
  4. Click the Generate New Record button.
  5. In the Generate new record box, select your DKIM key settings:
    • DKIM key bit length options:
      * 2048—If your domain provider supports 2048-bit keys, select this option. Longer keys are more secure than shorter keys. If you previously used a 1024-bit key, you can switch to a 2048-bit key if your domain provider supports them.
      * 1024—If your domain host doesn't support 2048-bit keys, select this option.
    • Prefix selector options:
      * The default prefix selector is google. If you are using Google Workspace, this is the recommended option.
      * If your domain already uses a DKIM key with the prefix google, enter a different prefix in this field. Read more about DKIM selectors.
  6. Click Generate. On the Authenticate email page, the TXT record value is updated and this message appears: DKIM authentication settings updated.
    Important: The Authenticate email page in your Google Admin console might continue to display this message for up to 48 hours: You must update the DNS records for this domain. If you've correctly added your DKIM key at your domain provider, you can ignore this message.
  7. Copy the DKIM values shown in the Authenticate email window. You'll add them at your domain provider in the next step.

Important: Do not click Start Authentication yet. You'll do that later.

Step 2: Add the DKIM key to your domain

Once you have generated your DKIM key pair, add the public DKIM key to your domain by creating a DKIM TXT record.

For help with your domain sign-in information, settings, or TXT records, contact your domain provider. Google doesn't provide technical support for third-party domain providers.

  1. Sign in to your domain host, typically where you purchased your domain name. If you're not sure who your domain host is, see identify your domain registrar.
  2. Go to the page where you update DNS TXT records for your domain. For help finding this page, check the documentation for your domain.
  3. Add or update the TXT record with this information (refer to the documentation for your domain):
    Field name                     Value to enter
    Type                           The record type is TXT.
    Host (Name, Hostname, Alias)   The string that makes up the TXT record name. For example: google._domainkey. See this step (earlier on this page).
    Value                          The string that makes up the TXT record value. It should start with something like: v=DKIM1. See this step (earlier on this page).
    Note: Some domain providers limit TXT record length. If yours does, read Verify your domain provider's TXT record character limits.
  4. Save your changes.
  5. If you use subdomains, check with your domain provider to find out how to add a TXT record for subdomains.
  6. If you are setting up DKIM for more than one domain, complete these steps for each domain. You must get a unique DKIM key from the Admin Console for each domain.

After adding a DKIM key, it can take up to 48 hours for DKIM authentication to start working.
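
An added example, not part of the original page: a Python check for two problems that long TXT values run into at domain providers, a public key that was cut off when pasted and a value that has to be entered as several strings of at most 255 characters (the size limit of a single string inside a DNS TXT record). The sample record is constructed and the function names are hypothetical.

```python
import base64
import binascii

# Constructed sample: the DER header of a 2048-bit RSA public key followed by
# zero filler. It has the right shape and length but is NOT a usable key.
SAMPLE_P = base64.b64encode(b"\x30\x82\x01\x22" + bytes(290)).decode()
SAMPLE_RECORD = "v=DKIM1; k=rsa; p=" + SAMPLE_P


def der_total_length(der):
    """Size the outer DER SEQUENCE claims to occupy, or None if malformed."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    if der[1] < 0x80:                       # short form: length in one byte
        return 2 + der[1]
    n = der[1] & 0x7F                       # long form: next n bytes hold the length
    if n == 0 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_dkim_txt(value):
    """Return a list of problems in a DKIM TXT record value ([] means none)."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = "".join(val.split())   # drop pasted whitespace
    problems = []
    if not value.lstrip().startswith("v=DKIM1"):
        problems.append("record does not start with v=DKIM1")
    try:
        der = base64.b64decode(tags.get("p", ""), validate=True)
    except binascii.Error:
        return problems + ["p= is not valid base64 (value cut off or mis-pasted)"]
    if not der:
        problems.append("p= is missing or empty")
    elif der_total_length(der) != len(der):
        problems.append("p= is shorter or longer than its DER header says (truncated?)")
    return problems


def split_txt(value, limit=255):
    """Split a long value into strings of at most `limit` characters each."""
    return [value[i:i + limit] for i in range(0, len(value), limit)]
```

Receivers join the strings of a TXT record back together before reading the key, so the pieces returned by `split_txt` must be entered in order with nothing added between them.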

Step 3: Turn on & verify DKIM

  1. In the Google Admin console, go to Menu > Apps > Google Workspace > Gmail.
    Requires having the Gmail Settings administrator privilege.
  2. Click Authenticate email.
  3. In the Selected domain menu, select the domain where you want to turn on DKIM.
  4. Click Start authentication. When DKIM setup is complete and working correctly, the status at the top of the page changes to: Authenticating email with DKIM.
  5. Send an email message to someone who is using Gmail or Google Workspace. (You can't verify DKIM is on by sending yourself a test message.)
  6. Open the message in the recipient's inbox and find the entire message header.
    Note: Steps to view the message header differ for different email applications. To show message headers in Gmail, next to Reply, click More > Show original.
  7. In the message header, look for Authentication-Results. Receiving services use different formats for message headers; however, the DKIM results should say something like DKIM=pass or DKIM=OK.
    If the message header doesn't include a line about DKIM, messages sent from your domain aren't signed with DKIM.
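
An added example, not part of the original page: a Python sketch of the check in step 7 that pulls the DKIM result out of an Authentication-Results header and separates the three cases that matter, a pass or fail for your own domain, no DKIM line at all, and a signature from some other domain. The sample headers are constructed, the function names are hypothetical, and the parser is simplified (no nested comments or quoted strings).

```python
import re

# Constructed sample headers; example.com, the hosts and header.b are placeholders.
SIGNED = (
    "Authentication-Results: mx.google.com;\r\n"
    "       dkim=pass header.i=@example.com header.s=google header.b=AbCdEfGh;\r\n"
    "       spf=pass (google.com: domain of user@example.com designates"
    " 192.0.2.10 as permitted sender) smtp.mailfrom=user@example.com\r\n"
)
UNSIGNED = "Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=user@example.com\r\n"


def dkim_results(header):
    """Return one dict per dkim= result in an Authentication-Results header."""
    value = header.split(":", 1)[1]
    value = re.sub(r"\r?\n[ \t]+", " ", value)   # unfold continuation lines
    value = re.sub(r"\([^()]*\)", "", value)      # drop (comments); no nesting
    results = []
    for clause in value.split(";")[1:]:           # first field names the receiver
        tokens = clause.split()
        if not tokens or not tokens[0].lower().startswith("dkim="):
            continue
        entry = {"result": tokens[0].split("=", 1)[1].lower()}
        for tok in tokens[1:]:
            if "=" in tok:
                key, val = tok.split("=", 1)
                entry[key.lower()] = val
        results.append(entry)
    return results


def dkim_status(header, domain, selector):
    """Classify a message for the domain and selector set up in the Admin console."""
    results = dkim_results(header)
    if not results:
        return "unsigned"                         # no DKIM line: message not signed
    for r in results:
        signer = r.get("header.i", r.get("header.d", "")).rsplit("@", 1)[-1]
        if signer.lower() == domain and r.get("header.s", selector) == selector:
            return r["result"]
    return "signed-by-other-domain"
```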
