Add your DKIM key at your domain provider

Set up DKIM to prevent email spoofing

If your domain is provided by a domain host partner, skip this step

If a Google Workspace domain host partner is your domain provider, you don’t need to add your DKIM key to the DNS record at your domain host. Gmail generates the domain key and adds it to your domain's DNS records.

Go directly to Turn on DKIM signing.

To turn on DKIM, update your domain DNS TXT record with the DKIM domain key you generated in the Admin console. Update the TXT record at your domain host, not in the Admin console.

Learn more about working with DNS TXT records.


Add DKIM domain key to domain DNS records

Add the DKIM key from your Google Admin console to your domain provider's DNS records.


Add the domain key to your domain's DNS records

For these steps, use the DKIM domain key you generated in the Admin console.

Important: If you have more than one domain, complete these steps for each domain. Use a unique DKIM key for each domain.

  1. Sign in to the management console for your domain host.
  2. Locate the page where you update DNS records.

    Subdomains: If your domain host doesn't support updating subdomain DNS records, add the record to the parent domain. Learn about Updating DNS records for a subdomain.

  3. Add a TXT record:

    Note: If your domain provider limits the length of TXT records, read Domain keys and TXT record limits.

    • In the first field, enter the text displayed in the Admin console under DNS Host name (TXT record name).
    • In the second field, enter the text string displayed in the Admin console under TXT record value.
  4. Save your changes.

Important: After you add the TXT record to your domain's DNS records, the DKIM page in your Google Admin console continues to display this message: "You must update the DNS records for this domain." If you've correctly added the TXT record to your domain's DNS records, ignore the message. It can take up to 48 hours for email authentication to start.

Domain keys and TXT record limits

DNS TXT records can have up to 255 characters in a single string. For TXT records over 255 characters, DNS chains multiple text strings together into a single record.

A 2048-bit domain key is longer than the 255-character limit, so it requires a TXT record created from chained text strings.

Contact your domain host to find out if TXT records longer than 255 characters are supported:

  • Supported: Find out what steps are required to update your DNS records with the domain key. The steps are different for different domain hosting services.  
  • Not supported: Use 1024-bit domain keys for DKIM to stay within the 255-character limit.
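
The following Python example is added here and is not part of Google's documentation. It splits a TXT record value into chained strings of at most 255 characters and checks published record data against the value shown in the Admin console. The key material is a constructed placeholder, and the function names and the quoted-string input format are assumptions.

```python
import re

MAX_TXT_STRING = 255  # longest single string a DNS TXT record can hold

# Constructed placeholder, not a real key: 392 base64-style characters,
# the length assumed here for a 2048-bit RSA public key.
SAMPLE_VALUE = "v=DKIM1; k=rsa; p=" + "A" * 392


def split_txt_value(value, limit=MAX_TXT_STRING):
    """Cut a TXT record value into strings of at most `limit` characters."""
    return [value[i:i + limit] for i in range(0, len(value), limit)]


def to_chained_strings(chunks):
    """Render chunks as space-separated quoted strings (zone-file style)."""
    return " ".join('"{}"'.format(c) for c in chunks)


def check_published(rdata, expected):
    """Compare published TXT rdata (quoted strings) with the expected value.

    Returns a list of problems; an empty list means the record matches.
    """
    strings = re.findall(r'"([^"]*)"', rdata)
    problems = []
    if not strings:
        problems.append("no quoted strings found in record data")
    for s in strings:
        if len(s) > MAX_TXT_STRING:
            problems.append("string of %d characters exceeds 255" % len(s))
    # Chained strings are concatenated with no separator between them.
    if "".join(strings) != expected:
        problems.append("joined value differs from the Admin console value")
    return problems


if __name__ == "__main__":
    chunks = split_txt_value(SAMPLE_VALUE)
    print([len(c) for c in chunks])
    print(check_published(to_chained_strings(chunks), SAMPLE_VALUE))
    # A record cut off after the first string fails the comparison.
    print(check_published('"%s"' % chunks[0], SAMPLE_VALUE))
```

Pass `check_published` the quoted strings returned by a TXT lookup for the DNS host name shown in the Admin console; a truncated or single oversized string is reported instead of silently accepted.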

Next steps

Turn on DKIM signing
