Enhance security for outgoing email (DKIM)

About DKIM

You can help prevent spoofing by adding a digital signature to outgoing message headers using the DKIM standard. G Suite uses a private domain key to sign selected headers and the body of each outgoing message, and you publish the matching public key in your domain's DNS records. Receiving servers retrieve the public key, verify the signature, and so confirm that the message really comes from your domain and that the signed parts haven't been changed along the way. DKIM doesn't encrypt anything: the message stays readable, and the signature only proves its origin and integrity.

G Suite's digital signature conforms to the DomainKeys Identified Mail (DKIM) standard.

How DKIM works

To add a digital signature to outgoing mail, you generate a domain key pair. G Suite keeps the private half and uses it to sign outgoing mail on behalf of your domain; you add the public half to the Domain Name System (DNS) records for your domain. Recipients can then verify the source of a message by retrieving your public key and using it to check the signature.

For enhanced security, you can now generate a 2048-bit domain key instead of a 1024-bit domain key. We recommend that you generate the stronger 2048-bit key if your DNS host (often your registrar) supports it: the public key for a 2048-bit key makes the TXT record longer than the 255-character limit of a single DNS string, so the host must accept a record entered as several strings or split it for you. If your host can't, you can still use a 1024-bit key.

If you have a previously generated 1024-bit domain key, it is not affected by this change and keeps working.

Overview of steps

Repeat these steps for each domain associated with your G Suite account.

  1. Generate the domain key for your domain.
  2. Add the public key to your domain's DNS records so recipients can retrieve it to verify the DKIM signature.
  3. Turn on email signing to begin adding the DKIM-Signature header to outgoing mail messages.

Skip the first 2 steps if you purchased your domain from one of our domain host partners while signing up for G Suite. Google automatically generates the domain key and adds the necessary DNS record when you turn on email signing.

Next: Generate the domain key

Our domain already has a DKIM key

If you already have a DKIM domain key for your domain, for example because your legacy mail server signs outgoing mail, you still need to generate a separate key for G Suite to use. Several keys can coexist for one domain because each is published under its own name, selector._domainkey.yourdomain, and each signature names its selector in the s= tag so receivers know which record to fetch. The selector prefix for the G Suite domain key is "google" by default, but you can enter a new selector prefix when you generate the key; choose a different one if "google" is already in use.
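To show what the DNS side of the setup above looks like, and why the 2048-bit key length depends on your DNS host, here is an added example (not part of this article or of the G Suite admin console). It builds the TXT record a receiver expects at selector._domainkey.domain, splits it into the 255-character strings DNS allows, and checks a published record for the problems an administrator most often hits: a missing or empty p= tag, a value that isn't a valid RSA public key, or a key shorter than 2048 bits. The selector "google", the domain example.com and the modulus are assumptions; the modulus is a deterministic stand-in of the right size, not a real key.

```python
import base64
import hashlib

RSA_OID = bytes.fromhex("06092a864886f70d010101")  # rsaEncryption, 1.2.840.113549.1.1.1

# --- just enough DER to build and read an RSA SubjectPublicKeyInfo (the p= value) ---
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def _der(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def _der_int(v):
    b = v.to_bytes((v.bit_length() + 7) // 8, "big")
    return _der(0x02, b"\x00" + b if b[0] & 0x80 else b)  # keep the INTEGER positive

def rsa_spki(n, e=65537):
    """DER SubjectPublicKeyInfo for the RSA public key (n, e)."""
    rsa_pub = _der(0x30, _der_int(n) + _der_int(e))
    alg = _der(0x30, RSA_OID + b"\x05\x00")
    return _der(0x30, alg + _der(0x03, b"\x00" + rsa_pub))

def _der_read(buf, pos):
    """Return (tag, contents, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(spki):
    """Modulus size of an RSA SubjectPublicKeyInfo; raises if it isn't one."""
    tag, body, _ = _der_read(spki, 0)
    _, alg, pos = _der_read(body, 0)
    if tag != 0x30 or not alg.startswith(RSA_OID):
        raise ValueError("not an rsaEncryption SubjectPublicKeyInfo")
    _, bitstr, _ = _der_read(body, pos)
    _, rsa_pub, _ = _der_read(bitstr, 1)           # skip the unused-bits octet
    _, modulus, _ = _der_read(rsa_pub, 0)
    return int.from_bytes(modulus, "big").bit_length()

# --- the DNS side -------------------------------------------------------------
def dkim_dns_name(selector, domain):
    """Where receivers look the key up: <selector>._domainkey.<domain>."""
    return f"{selector}._domainkey.{domain}"

def dkim_txt_record(spki):
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()

def txt_strings(record, limit=255):
    """Split into <=255-octet strings, the DNS TXT character-string limit."""
    return [record[i:i + limit] for i in range(0, len(record), limit)]

def zone_line(selector, record):
    """Zone-file form; a 2048-bit key needs more than one quoted string."""
    return f"{selector}._domainkey IN TXT ( " + " ".join(f'"{s}"' for s in txt_strings(record)) + " )"

def parse_dkim_record(strings):
    """Join the TXT strings back together and split the tag=value pairs."""
    tags = {}
    for part in "".join(strings).split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip()] = "".join(value.split())   # drop folding whitespace
    return tags

def check_dkim_record(strings, min_bits=2048):
    """Return a list of problems; an empty list means the record looks right."""
    tags, problems = parse_dkim_record(strings), []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= is not DKIM1")
    if tags.get("k", "rsa") != "rsa":
        problems.append("k= is not rsa")
    if not tags.get("p"):
        return problems + ["p= missing or empty (an empty p= means the key is revoked)"]
    try:
        bits = rsa_modulus_bits(base64.b64decode(tags["p"], validate=True))
    except Exception as exc:
        return problems + [f"p= is not a valid base64 RSA public key: {exc}"]
    if bits < min_bits:
        problems.append(f"{bits}-bit key is below the recommended {min_bits} bits")
    return problems

def constructed_modulus(bits):
    """Deterministic stand-in modulus of the given size for this example. NOT a real key."""
    seed = hashlib.sha256(b"constructed DKIM example").digest()
    n = int.from_bytes((seed * (bits // 256))[: bits // 8], "big")
    return n | (1 << (bits - 1)) | 1

if __name__ == "__main__":
    record = dkim_txt_record(rsa_spki(constructed_modulus(2048)))
    print(dkim_dns_name("google", "example.com"))
    print(zone_line("google", record))
    print("problems:", check_dkim_record(txt_strings(record)))
```

A 2048-bit key produces a record of about 410 characters, so zone_line emits two quoted strings; a 1024-bit key fits in one. After publishing, you can fetch the live record with dig TXT google._domainkey.yourdomain and feed the strings it returns to check_dkim_record, which joins them back together before parsing.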

Set up DMARC to handle messages that fail DKIM checks

When a message fails DKIM verification, the receiving mail server decides what to do with it. To control that decision, create a Domain-based Message Authentication, Reporting and Conformance (DMARC) record for your G Suite domain. A DMARC policy applies when a message passes neither DKIM nor SPF with a domain that aligns with the domain in the From: header; the policy tells receivers to take no action (p=none), quarantine the message (p=quarantine), or reject it (p=reject), and can ask them to send you reports on what they saw. Learn more about DMARC.

Using an outbound mail server

If you use an outbound mail gateway that modifies outgoing messages after G Suite has signed them, such as adding a compliance footer or tagging the subject line, the change invalidates the DKIM signature: the signature covers a hash of the message body and the header fields listed in its h= tag, so any change to those parts makes verification fail at the receiver. Adding new header fields that aren't signed doesn't break it. You need to prevent the gateway server from modifying messages or have the gateway server DKIM sign the messages again after it modifies them.
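The following added example (not part of this article and not G Suite's signing code) makes the gateway problem concrete. It implements the relaxed/relaxed canonicalization of RFC 6376, computes the bh= body hash and the digest that the RSA signature actually covers, and then applies four typical gateway changes to a constructed sample message. Because a verifier recomputes that digest and checks the RSA signature over it, any change to the digest fails verification whatever the key is, so comparing digests is enough to see which changes break the signature; no real key is used. The domain example.com, the selector "google", the h= list and the message itself are assumptions made for the example.

```python
import base64
import hashlib
import re

# Constructed sample message (not real mail), as it leaves G Suite before any
# gateway touches it. Lines are CRLF-terminated as on the wire.
ORIGINAL = (
    "From: Alice <alice@example.com>\r\n"
    "To: Bob <bob@example.org>\r\n"
    "Subject: Q3 numbers\r\n"
    "\r\n"
    "Hi Bob,\r\n"
    "Figures   attached.   \r\n"
    "\r\n"
    "\r\n"
)
SIGNED_HEADERS = ["from", "to", "subject"]   # the h= list assumed for the example

def split_message(raw):
    """Return (unfolded header fields, body) for a CRLF-terminated message."""
    head, _, body = raw.partition("\r\n\r\n")
    return re.split(r"\r\n(?![ \t])", head), body

def relaxed_body(body):
    """RFC 6376 section 3.4.4 relaxed body canonicalization."""
    lines = [re.sub(r"[ \t]+", " ", l.rstrip(" \t")) for l in body.split("\r\n")]
    canon = re.sub(r"(\r\n)+$", "", "\r\n".join(lines))   # drop trailing empty lines
    return canon + "\r\n" if canon else ""

def relaxed_header(field):
    """RFC 6376 section 3.4.2 relaxed header canonicalization of one field."""
    name, _, value = field.partition(":")
    value = re.sub(r"[ \t]+", " ", value.replace("\r\n", "")).strip()
    return name.strip().lower() + ":" + value + "\r\n"

def get_header(fields, name):
    """Last instance of a header field, the bottom-up rule of RFC 6376."""
    for field in reversed(fields):
        if field.lower().startswith(name + ":"):
            return field
    return None

def body_hash(body):
    """The bh= tag: base64(sha256(canonicalized body))."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body).encode()).digest()).decode()

def signature_input(raw, domain="example.com", selector="google"):
    """Return (bh, hex sha256 of the data the RSA signature covers).

    The signer signs the hash of the canonicalized h= headers followed by the
    DKIM-Signature field itself with b= emptied and no trailing CRLF (RFC 6376
    section 3.7); the verifier recomputes exactly the same data."""
    fields, body = split_message(raw)
    bh = body_hash(body)
    present = (get_header(fields, n) for n in SIGNED_HEADERS)
    data = "".join(relaxed_header(h) for h in present if h is not None)
    dkim = (f"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d={domain}; "
            f"s={selector}; h={':'.join(SIGNED_HEADERS)}; bh={bh}; b=")
    data += relaxed_header(dkim).rstrip("\r\n")
    return bh, hashlib.sha256(data.encode()).hexdigest()

# Things a gateway might do to the message after G Suite has signed it.
def add_footer(raw):
    """Compliance footer appended to the body: changes bh=, breaks the signature."""
    return raw.rstrip("\r\n") + "\r\n\r\nThis message is confidential.\r\n"

def tag_subject(raw):
    """Subject rewritten (e.g. an [External] tag): Subject is in h=, so it breaks."""
    return raw.replace("Subject: ", "Subject: [External] ", 1)

def add_header(raw):
    """An extra header field that is not in h=: harmless to the signature."""
    return "X-Gateway: scanned\r\n" + raw

def add_trailing_blank_lines(raw):
    """Trailing empty lines: ignored by relaxed canonicalization, harmless."""
    return raw + "\r\n\r\n"

def still_verifies(original, modified):
    """True if the modified message still hashes to what the signer signed."""
    return signature_input(original) == signature_input(modified)

if __name__ == "__main__":
    for label, change in [("footer", add_footer), ("subject tag", tag_subject),
                          ("extra header", add_header), ("blank lines", add_trailing_blank_lines)]:
        state = "ok" if still_verifies(ORIGINAL, change(ORIGINAL)) else "BROKEN"
        print(f"{label:13s} signature {state}")
```

Run stand-alone it reports the footer and the subject tag as BROKEN and the other two as ok. The footer case is what a receiver logs as a body hash mismatch (bh= no longer matches); the subject case keeps bh= intact but changes a signed header, so the signature over the header data fails instead. Either way the fix is the one described above: stop the gateway modifying the message, or have it sign again with its own key and selector after the change.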

For other anti-spoofing measures available through Google, see SPF records and Understanding DMARC.