Set up DKIM to prevent email spoofing

Make your email more secure and protect your domain

Use the DomainKeys Identified Mail (DKIM) standard to help prevent spoofing on outgoing messages sent from your domain.

Email spoofing is when email content is changed to make the message appear from someone or somewhere other than the actual source. Spoofing is a common unauthorized use of email, so some email servers require DKIM to prevent email spoofing.

DKIM adds an encrypted signature to the header of all outgoing messages. Email servers that get signed messages use DKIM to decrypt the message header and verify the message was not changed after it was sent.

If you want more email security, we recommend setting up these security methods along with DKIM:

Why set up email authentication?

Email authentication helps prevent messages your organization sends from being flagged as spam.

What are SPF and DKIM?

SPF and DKIM help prevent spammers from impersonating your organization.

If you don't set up DKIM, Gmail uses default DKIM

DKIM signing increases email security and helps prevent email spoofing. We recommend you use your own DKIM key on all outgoing messages.

If you don't generate your own DKIM domain key, Gmail signs all outgoing messages with this default DKIM domain key: d=*

Messages sent from servers outside of won't be signed with the default DKIM key.

Steps to set up DKIM

  1. Generate the domain key for your domain.
  2. Add the public key to your domain's DNS records. Email servers can use this key to verify your messages' DKIM signatures.
  3. Turn on DKIM signing to start adding a DKIM signature to all outgoing messages.

Common questions about DKIM

How does DKIM work?

DKIM uses a pair of keys, one private and one public, to verify messages.

A private domain key adds an encrypted signature header to all outgoing messages sent from your Gmail domain.

A matching public key is added to the Domain Name System (DNS) record for your Gmail domain. Email servers that get messages from your domain use the public key to decrypt the message signature and verify the signed message sources.

When you turn on email authentication in Gmail, DKIM starts signing the headers of outgoing messages.

What if my domain already has a DKIM key?

If you already use DKIM in your domain (with another email system), you must generate a new, unique domain key to use with Gmail. 

Domain keys include a text string called the selector prefix, which you can modify when you generate the key. The default selector prefix for the Google Workspace domain key is google. When you generate the key, you can change the default selector prefix from google to the text of your choice, and use the new selector in parallel with the domain's existing DKIM key configuration.

How do I set up DKIM for a server that modifies the content of outgoing emails?

If you use an outbound mail gateway that changes outgoing messages, the DKIM signature is voided. One example is email servers that add a footer to every outgoing message. To avoid this issue, take one of these actions:

  • Set up the gateway so that it does not modify outgoing messages.
  • Set up the gateway to change the message first, then add the DKIM signature after.
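
Why a gateway footer voids the signature, shown as an added example (not code from this help page or from Google): a DKIM signature carries a hash of the canonicalized body in its bh= tag, and any text appended after signing changes that hash. The sample message, the footer, the example.com domain and the sign() helper are constructed for illustration; only the body hash is checked here, not the b= signature over the headers, and CRLF line endings are assumed.

```python
import base64, hashlib, re

def canon_body(body: bytes, relaxed: bool = True) -> bytes:
    """Body canonicalization per RFC 6376 3.4.3 (simple) and 3.4.4 (relaxed)."""
    lines = body.split(b"\r\n")
    if relaxed:
        # Collapse runs of spaces/tabs to one space, drop whitespace at line end.
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":      # ignore empty lines at end of body
        lines.pop()
    if not lines:
        return b"" if relaxed else b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"

def body_hash(body: bytes, relaxed: bool = True) -> str:
    """Value a signer places in bh= (SHA-256 of the canonical body, base64)."""
    return base64.b64encode(hashlib.sha256(canon_body(body, relaxed)).digest()).decode()

def parse_tags(sig_value: str) -> dict:
    """Split a DKIM-Signature value into its tag=value pairs."""
    tags = {}
    for part in sig_value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags

def body_intact(sig_value: str, body: bytes) -> bool:
    """True if the received body still matches the bh= tag in the signature."""
    tags = parse_tags(sig_value)
    canon = tags.get("c", "simple/simple").split("/")
    relaxed = len(canon) > 1 and canon[1] == "relaxed"
    return tags["bh"] == body_hash(body, relaxed)

def sign(body: bytes) -> str:
    """Hypothetical stand-in for the signer: real bh=, placeholder b=."""
    return ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=google; "
            f"bh={body_hash(body)}; b=PLACEHOLDER")

# Constructed sample message body and gateway footer.
ORIGINAL = b"Quarterly report attached.\r\n\r\nRegards,\r\nAlice\r\n"
FOOTER = b"--\r\nThis message is confidential.\r\n"

if __name__ == "__main__":
    print("unmodified:        ", body_intact(sign(ORIGINAL), ORIGINAL))
    print("footer after sign: ", body_intact(sign(ORIGINAL), ORIGINAL + FOOTER))
    print("footer before sign:", body_intact(sign(ORIGINAL + FOOTER), ORIGINAL + FOOTER))
```

Relaxed canonicalization tolerates only whitespace changes such as trailing spaces or extra blank lines at the end of the body, so a footer always breaks verification unless it is added before signing.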

What if emails from my domain are rejected because they don't pass DKIM?

If messages from your domain are rejected, contact the administrator for the rejecting email server. Email servers should not reject messages because of missing or unverifiable DKIM signatures (RFC 4871).
