Use the DomainKeys Identified Mail (DKIM) standard to help prevent spoofing on outgoing messages sent from your domain.
Email spoofing is when email content is changed to make the message appear from someone or somewhere other than the actual source. Spoofing is a common unauthorized use of email, so some email servers require DKIM to prevent email spoofing.
DKIM adds an encrypted signature to the header of all outgoing messages. Email servers that get signed messages use DKIM to decrypt the message header, and verify the message was not changed after it was sent.
If you want more email security, we recommend setting up these security methods along with DKIM:
- Sender Policy Framework (SPF)–SPF specifies which domains can send messages for your organization.
- Domain-based Message Authentication, Reporting & Conformance (DMARC)–DMARC specifies how your domain handles suspicious emails.
If you don't set up DKIM, Gmail uses default DKIM
DKIM signing increases email security and helps prevent email spoofing. We recommend you use your own DKIM key on all outgoing messages.
If you don't generate your own DKIM domain key, Gmail signs all outgoing messages with this default DKIM domain key: d=*.gappssmtp.com
Messages sent from servers outside of mail.google.com won't be signed with the default DKIM key.
Steps to set up DKIM
- Generate the domain key for your domain.
- Add the public key to your domain's DNS records. Email servers can use this key to verify your messages' DKIM signatures.
- Turn on DKIM signing to start adding a DKIM signature to all outgoing messages.
Common questions about DKIM
How does DKIM work?DKIM uses a pair of keys, one private and one public, to verify messages.
A private domain key adds an encrypted signature header to all outgoing messages sent from your Gmail domain.
A matching public key is added to the Domain Name System (DNS) record for your Gmail domain. Email servers that get messages from your domain use the public key to decrypt the message signature and verify the signed message sources.
When you turn on email authentication in Gmail, DKIM starts signing the headers of outgoing messages.
If you already use DKIM in your domain (with another email system), you must generate a new, unique domain key to use with Gmail.
Domain keys include a text string called the selector prefix, which you can modify when you generate the key. The default selector prefix for the Google Workspace domain key is google. When you generate the key, you can change the default selector prefix from google to the text of your choice, and use the new selector in parallel with the domain's existing DKIM key configuration.
If you use an outbound mail gateway that changes outgoing messages, the DKIM signature is voided. One example is email servers that add a footer to every outgoing message. To avoid this issue, take one of these actions:
- Set up the gateway so that it does not modify outgoing messages.
- Set up to the gateway to change the message first, then add the DKIM signature after.
If messages from your domain are rejected, contact the administrator for the rejecting email server. Email servers should not reject messages because of missing or unverifiable DKIM signatures (RFC 4871).
