Set up DKIM

Gmail users: If you’re getting spam or phishing messages in Gmail, go here instead. If you’re having trouble sending or receiving emails in Gmail, go here instead.

DKIM helps protect your domain against spoofing by authenticating your email with a DKIM signature. Set up DKIM by generating a public DKIM key and adding it to your domain. When receiving servers get your public DKIM key, they use it to read the DKIM signature and authenticate email.

Before you begin

If your domain provider is Google Domains or Squarespace, Google automatically creates a DKIM key and adds the key to your domain’s DNS records. Skip to Turn on & verify DKIM.
  • You might not need to set up DKIM if your domain already has DKIM set up by default, or if you bought your domain from a Google partner when you signed up for Google Workspace. To check if DKIM is already set up for your domain, use one of many free tools available on the internet.
  • If you use outbound gateways, you must verify that the settings don't interfere with DKIM. Outbound gateways can be set up to modify outgoing messages, for example by adding a footer to the bottom of every message. See Set up an outgoing gateway to process outgoing mail.

How does DKIM work?

To set up DKIM, you generate a pair of DKIM keys for your domain:

  • A public key that is stored in your domain’s DNS TXT record for DKIM. This is the key that you add to your domain.
  • A private key that is uploaded to your email server. This key generates and adds a DKIM signature to all your outgoing email.
1. Sender's email server with a private key.
2. Sender's DKIM TXT record with a public key.
3. Sender's private key adds a DKIM signature to the header of outgoing email.
4. Email is sent to the receiver's domain.
5. Receiver's email server gets the public key from the DKIM TXT record and uses the key to read the DKIM signature and authenticate the email.

Step 1: Generate a DKIM key pair

  • If you are using Google Workspace, follow the instructions in this section. 
  • If you are not using Google Workspace, use a tool available from the internet to do the following:
    • Find your DKIM prefix selector. You can send a test email to your inbox, view the message source, and locate the s value in the DKIM-Signature header.
    • Specify your domain name, key length, and DKIM prefix selector to generate a DKIM key pair.
    • Store the private key in your mail server configuration and add the public key to your domain.

Generate a DKIM key for your domain

You must be signed in as a super administrator for this task.

Important: In Google Workspace, after you turn on Gmail for your organization, you must wait 24–72 hours before you can get your DKIM key in the Admin console. If you try to generate a key before this time, you might get an error that the DKIM record was not created.

  1. Sign in with an administrator account to the Google Admin console.

    If you aren’t using an administrator account, you can’t access the Admin console.

  2. Click Authenticate email.
  3. In the Selected domain menu, select the domain where you want to set up DKIM.
  4. Click the Generate New Record button.
  5. In the Generate new record box, select your DKIM key settings:
    • DKIM key bit length options:
      • 2048—If your domain provider supports 2048-bit keys, select this option. Longer keys are more secure than shorter keys. If you previously used a 1024-bit key, you can switch to a 2048-bit key if your domain provider supports them.
      • 1024—If your domain host doesn't support 2048-bit keys, select this option.
    • Prefix selector options:
      • The default prefix selector is google. If you are using Google Workspace, this is the recommended option.
      • If your domain already uses a DKIM key with the prefix google, enter a different prefix in this field. Read more about DKIM selectors.
  6. Click Generate. On the Authenticate email page, the TXT record value is updated and this message appears: DKIM authentication settings updated.

    Important: The Authenticate email page in your Google Admin console might continue to display this message for up to 48 hours: You must update the DNS records for this domain. If you've correctly added your DKIM key at your domain provider, you can ignore this message.

  7. Copy the DKIM values shown in the Authenticate email window. You’ll add them at your domain provider in the next step:
      1. DNS Host name (TXT record name)—This text is the name for the DKIM TXT record. You'll add this name to your domain provider's TXT record in the Host field.
      2. TXT record value—This text is the DKIM key. You'll add this key to your domain provider's TXT record in the TXT Value field.

Important: Do not click Start Authentication yet. You'll do that later.

Step 2: Add the DKIM key to your domain

Once you have generated your DKIM key pair, add the public DKIM key to your domain by creating a DKIM TXT record.

For help with your domain sign-in information, settings, or TXT records, contact your domain provider. Google doesn't provide technical support for third-party domain providers.

Add DKIM domain key to domain DNS records

Add the DKIM key from your Google Admin console to your domain provider's DNS records.

  1. Sign in to your domain host, typically where you purchased your domain name. If you’re not sure who your domain host is, see identify your domain registrar.
  2. Go to the page where you update DNS TXT records for your domain. For help finding this page, check the documentation for your domain.
  3. Add or update the TXT record with this information (refer to the documentation for your domain): 

    Field name | Value to enter
    Type | The record type is TXT.
    Host (Name, Hostname, Alias) | The string that makes up the TXT record name. For example: google_domainkey (replace domainkey with your DKIM key). See this step (earlier on this page).
    Value | The string that makes up the TXT record value. It should start with something like: v=DKIM1. See this step (earlier on this page).
    Note: Some domain providers limit TXT record length. If yours does, read Verify your domain provider's TXT record character limits.
  4. Save your changes.
  5. If you use subdomains, check with your domain provider to find out how to add a TXT record for subdomains. 
  6. If you are setting up DKIM for more than one domain, complete these steps for each domain. You must get a unique DKIM key from the Admin Console for each domain.

After adding a DKIM key, it can take up to 48 hours for DKIM authentication to start working.
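
Added example (not part of Google's documentation): a pre-publish check of the TXT record value copied in Step 1, covering the v=DKIM1 prefix, the key length choice, and providers that limit TXT record length. The function names are hypothetical, the sample values are constructed filler rather than real keys, and the key size is inferred from the decoded length, which assumes an RSA key with the common exponent 65537.

```python
import base64
import binascii

# DER length of an RSA SubjectPublicKeyInfo (exponent 65537) -> modulus size in bits.
SPKI_LEN_TO_BITS = {162: 1024, 294: 2048}
TXT_STRING_MAX = 255  # a single DNS TXT character-string holds at most 255 bytes

def lint_dkim_txt(value):
    """Parse a DKIM TXT record value and report problems before it is published."""
    problems, tags, order = [], {}, []
    for item in value.split(";"):
        if not item.strip():
            continue
        name, sep, val = item.partition("=")
        if not sep:
            problems.append(f"malformed tag: {item.strip()!r}")
            continue
        tags[name.strip()] = val.strip()
        order.append(name.strip())
    if order[:1] != ["v"] or tags.get("v") != "DKIM1":
        problems.append("record value should start with v=DKIM1")
    p = "".join(tags.get("p", "").split())  # whitespace inside p= is not significant
    bits = None
    if not p:
        problems.append("p= is missing or empty (an empty p= marks the key as revoked)")
    else:
        try:
            der = base64.b64decode(p, validate=True)
        except binascii.Error:
            problems.append("p= is not valid base64 (truncated or altered when pasted?)")
        else:
            bits = SPKI_LEN_TO_BITS.get(len(der))
            if bits is None:
                problems.append(f"unexpected key length: {len(der)} DER bytes")
            elif bits < 2048:
                problems.append("warning: 1024-bit key; use 2048 if your provider supports it")
    return {"tags": tags, "bits": bits, "problems": problems}

def txt_strings(value):
    """Split a value into <=255-character strings for providers that require it."""
    return [value[i:i + TXT_STRING_MAX] for i in range(0, len(value), TXT_STRING_MAX)]

def sample_value(der_len):
    """Constructed sample: zero-filled bytes of the right length, NOT a real key."""
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(bytes(der_len)).decode()
```

A resolver concatenates the strings returned by `txt_strings` back into the original value, so splitting does not change the key that receivers see.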

Step 3: Turn on & verify DKIM

  • If you are using Google Workspace, follow the instructions in this section. 
  • If you are not using Google Workspace, use one of the tools available on the internet.

Turn on DKIM signing

After you add your DKIM key at your domain provider, turn on DKIM signing in your Google Admin console.

  1. Sign in with an administrator account to the Google Admin console.

    If you aren’t using an administrator account, you can’t access the Admin console.

  2. Click Authenticate email.
  3. In the Selected domain menu, select the domain where you want to turn on DKIM. 
  4. Click Start authentication. When DKIM setup is complete and working correctly, the status at the top of the page changes to: Authenticating email with DKIM.
  5. Send an email message to someone who is using Gmail or Google Workspace. (You can't verify DKIM is on by sending yourself a test message.)
  6. Open the message in the recipient's inbox and find the entire message header.

    Note: Steps to view the message header differ for different email applications. To show message headers in Gmail, next to Reply, click More and then Show original.

  7. In the message header, look for Authentication-Results. Receiving services use different formats for incoming message headers; however, the DKIM results should say something like DKIM=pass or DKIM=OK.

    If the message header doesn't include a line about DKIM, messages sent from your domain aren't signed with DKIM:
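
Added example (not part of Google's documentation): the header check from steps 6 and 7, run over a saved copy of the message source. It also reads the s and d values from the DKIM-Signature header, which is how Step 1 says to find an existing selector. The message, server name, selector and signature values are constructed placeholders, and `dkim_report` is a hypothetical helper. Only an Authentication-Results header written by the recipient's own server (the `trusted_authserv` argument) is counted, because a sender can insert a header of the same name.

```python
import re
from email import message_from_string

# Constructed sample message; every value below is a placeholder.
SAMPLE = """\
Authentication-Results: mx.example.net;
 dkim=pass header.i=@example.com header.s=google header.b=AbCdEfGh;
 spf=pass smtp.mailfrom=example.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;
 s=google; h=from:to:subject:date; bh=PLACEHOLDER=; b=PLACEHOLDER
From: sender@example.com
To: rcpt@example.net
Subject: DKIM test

body
"""

def _unfold(value):
    """Join a folded header value into one line with single spaces."""
    return " ".join(str(value).split())

def dkim_report(raw, trusted_authserv):
    """Summarise DKIM signatures and the receiving server's DKIM verdicts."""
    msg = message_from_string(raw)
    sigs = []
    for h in msg.get_all("DKIM-Signature", []):
        tags = dict(t.strip().split("=", 1) for t in _unfold(h).split(";") if "=" in t)
        sigs.append({"d": tags.get("d"), "s": tags.get("s")})
    results = []
    for h in msg.get_all("Authentication-Results", []):
        authserv, _, rest = _unfold(h).partition(";")
        server = (authserv.split() or [""])[0]
        if server.lower() != trusted_authserv.lower():
            continue  # not written by the recipient's own server: ignore it
        for part in rest.split(";"):
            m = re.match(r"\s*dkim\s*=\s*(\w+)", part, re.I)
            if m:
                props = dict(re.findall(r"header\.(\w+)=(\S+)", part))
                results.append({"result": m.group(1).lower(), **props})
    return {
        "signed": bool(sigs),          # False: outgoing mail is not DKIM-signed
        "signatures": sigs,            # d= domain and s= selector per signature
        "results": results,
        "pass": any(r["result"] == "pass" for r in results),
    }
```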

Next steps

  • Google recommends that you also set up SPF and DMARC authentication for your organization. Bulk senders are required to set up DKIM, SPF, and DMARC. For details, see Email sender guidelines.
  • If you can't figure out if DKIM is working, or if messages from your domain are going to spam, see Troubleshoot DKIM issues.
  • Optionally, consider setting up BIMI to add your organization's logo to outgoing messages.
