Enhance security for outgoing email (DKIM)

About DKIM

Help prevent email spoofing on outgoing messages

Use the DomainKeys Identified Mail (DKIM) standard to help prevent email spoofing on outgoing messages.

Email spoofing is when email content is changed to make the message appear from someone or somewhere other than the actual source. Spoofing is a common unauthorized use of email, so some email servers require DKIM to prevent email spoofing.

DKIM adds a cryptographic signature to the header of all outgoing messages. Email servers that receive these messages use DKIM to validate that signature and verify the message was not changed after it was sent.

Use DKIM with SPF and DMARC

Along with DKIM, we recommend setting up Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting & Conformance (DMARC). DKIM verifies that message content is authentic and unchanged. SPF specifies which servers can send messages for your organization's domains. DMARC specifies how receiving servers should handle messages from your domain that fail these checks.

If you don't set up DKIM, Gmail uses default DKIM

DKIM signing increases email security and helps prevent email spoofing. We recommend you use your own DKIM key on all outgoing messages.

If you don't turn on email signing with your own domain DKIM key, Gmail signs all outgoing messages with this default DKIM domain key: d=*.gappssmtp.com. Email sent from servers outside of mail.google.com won't be signed with the default DKIM key.

Steps to set up DKIM

  1. Generate the domain key for your domain.
  2. Add the public key to your domain's DNS records. Receiving email servers use this key to verify the DKIM signature in message headers.
  3. Turn on DKIM signing to start adding a DKIM signature to all outgoing messages.

Common questions about DKIM

How does DKIM work?

DKIM uses a pair of keys, one private and one public, to verify messages.

  • A private domain key adds a signed header to all outgoing messages sent from your Gmail domain.
  • A matching public key is added to the Domain Name System (DNS) record for your Gmail domain. Email servers that receive messages from your domain use the public key to validate message headers and verify the message source.

When you turn on email authentication in Gmail, DKIM starts signing the headers of outgoing messages.

What if my domain already has a DKIM key?

If you already use DKIM in your domain (with another email system), you must generate a new, unique domain key to use with Gmail. 

Domain keys include a text string called the selector prefix, which you can modify when you generate the key. The default selector prefix for the G Suite domain key is google. When you generate the key, you can change the default selector prefix from google to text of your choice.

How do I set up DKIM for a server that modifies the content of outgoing emails?

If you use an outbound mail gateway that changes outgoing messages, the DKIM signature no longer validates. One example is an email server that adds a footer to every outgoing message. To avoid this issue, take one of these actions:

  • Set up the gateway so that it does not modify outgoing messages.
  • Set up the gateway to change the message first, then add the DKIM signature afterwards.

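
The following Go program is an added illustration of the mechanism described under "How does DKIM work?" and of why a gateway footer breaks the signature; it is example code written for this page, not Google's implementation. It signs a message's headers and body hash with the private half of a key pair and verifies with the public half, the way a receiving server does after fetching that key from DNS. It assumes "simple" canonicalization, RSA-SHA256, and that the public key is handed to Verify directly (the DNS lookup is omitted); domain, selector, header values and body used with it are constructed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"strings"
)

// NewKey generates the pair: the private half signs, the public half is what you publish in DNS.
func NewKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }
// bodyHash computes the bh= tag: SHA-256 over the body after "simple" body
// canonicalization (trailing empty lines collapsed to a single CRLF).
func bodyHash(body string) string {
	sum := sha256.Sum256([]byte(strings.TrimRight(body, "\r\n") + "\r\n"))
	return base64.StdEncoding.EncodeToString(sum[:])
}
// signedInput is the data covered by b=: the listed headers (name, value) in
// order, then the DKIM-Signature header itself with an empty b= tag.
func signedInput(domain, selector string, hdrs [][2]string, bh string) []byte {
	var sb strings.Builder
	var names []string
	for _, h := range hdrs {
		sb.WriteString(h[0] + ": " + h[1] + "\r\n")
		names = append(names, h[0])
	}
	sb.WriteString("DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=" + domain +
		"; s=" + selector + "; h=" + strings.Join(names, ":") + "; bh=" + bh + "; b=")
	return []byte(sb.String())
}
// Sign (sending side) returns bh= and b=, an RSA-SHA256 signature over signedInput.
func Sign(priv *rsa.PrivateKey, domain, selector string, hdrs [][2]string, body string) (bh, b string, err error) {
	bh = bodyHash(body)
	digest := sha256.Sum256(signedInput(domain, selector, hdrs, bh))
	raw, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return bh, base64.StdEncoding.EncodeToString(raw), err
}
// Verify (receiving side) recomputes bh= over the body as received and checks b= over the
// headers; any change after signing (e.g. a gateway appending a footer) makes it return false.
func Verify(pub *rsa.PublicKey, domain, selector string, hdrs [][2]string, body, bh, b string) bool {
	sig, err := base64.StdEncoding.DecodeString(b)
	if err != nil || bodyHash(body) != bh {
		return false
	}
	digest := sha256.Sum256(signedInput(domain, selector, hdrs, bh))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}
```

A gateway that appends a footer after Sign has run changes the body hash, so Verify fails on the receiving side; running the same gateway step before Sign, as the second bullet above recommends, leaves the signature valid.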
What if emails from my domain are rejected because they don't pass DKIM?

If messages from your domain are rejected, contact the administrator for the rejecting email server. Email servers should not reject messages because of missing or unverifiable DKIM signatures (RFC 4871).
