Enhance security for outgoing email (DKIM)

2. Add domain key to DNS records

Help prevent email spoofing for outgoing messages

Skip this step if your domain was provided by a G Suite domain host partner

If your domain was provided by a G Suite domain host partner, skip this step. Gmail generates the domain key for you and adds it to your domain's DNS records. Go to Turn on DKIM signing.

Your domain host maintains text settings called DNS records that direct web traffic to your domain.

To turn on DKIM, update your domain DNS TXT record with the key displayed in the Admin console. Update this record at your domain host, not in the G Suite Admin console.

Learn more about working with DNS TXT records.

Add the domain key to your domain's DNS records

  1. In the Admin console, get the values you need to create the TXT record at Apps > G Suite > GmailAuthenticate email. The values appear under the labels DNS Host name (TXT record name) and TXT record value.
  2. Sign in to the management console for your domain host.
  3. Locate the page where you update DNS records.

    Subdomains: If your domain host doesn't support updating subdomain DNS records, add the record to the parent domain. Learn about Updating DNS records for a subdomain.

  4. Add a TXT record:
    • In the first field, enter the text displayed in the Admin console under DNS Host name (TXT record name).
    • In the second field, enter the text string displayed in the Admin console under TXT record value.

    Note: If your domain provider limits the length of TXT records, go to Domain keys and TXT record limits.

  5. Save your changes.

Domain keys and TXT record limits

DNS TXT records can have up to 255 characters in a single string. For TXT records over 255 characters, DNS chains multiple text strings together into a single record.

A 2048-bit domain key is longer than the 255-character limit, so it requires a TXT record created from chained text strings.

Contact your domain host to find out if TXT records longer than 255 characters are supported:

  • Supported: Find out what steps are required to update your DNS records with the domain key. The steps are different for different domain hosting services.  
  • Not supported: Use 1024-bit domain keys for DKIM to stay within the 255-character limit.

Next steps

Turn on DKIM signing

Was this helpful?
How can we improve it?