Set up DKIM

Gmail users: If you’re getting spam or phishing messages in Gmail, go here instead. If you’re having trouble sending or receiving emails in Gmail, go here instead.

As an administrator, you can set up DKIM (also called a DKIM signature) to authenticate your email and help protect your domain against spoofing.

Without DKIM, messages sent from your organization or domain are more likely to be marked as spam by receiving mail servers.

On this page

How does DKIM work?

To set up DKIM, you generate a pair of DKIM keys for your domain:

  • A public key that is stored in your domain’s DNS TXT record for DKIM. This is the key that you add to your domain.
  • A private key that is uploaded to your email server. This key generates and adds a DKIM signature to all your outgoing email.
1. Sender's email server with a private key.
2. Sender's DKIM TXT record with a public key.
3. Sender's private key adds a DKIM signature to the header of outgoing email.
4. Email is sent to the receiver's domain.
5. Receiver's email server gets the public key from the DKIM TXT record and uses the key to read the DKIM signature and authenticate the email.

If you use outbound mail gateways

Outbound gateways can be set up to modify outgoing messages. For example, some outbound gateways add a footer to the bottom of every outgoing message. This causes messages to fail DKIM because the message content changed after the message was sent.

Make sure your outbound gateway settings don't interfere with DKIM. Before setting up DKIM, set up the gateway so it doesn’t modify outgoing messages, or set up the gateway to change the message content first. See Set up an outgoing gateway to process outgoing mail.

Step 1: Check if DKIM is already set up

How you perform this check depends on whether you are using Google Workspace: 

  • If you are using Google Workspace, follow the instructions in this section. 
  • If you are not using Google Workspace, check with your email and/or ISP ( if your ISP is the domain that sends email). If you manage your own email, use one of the tools available on the internet.
If your domain provider is Google Domains or Squarespace, Google automatically creates a DKIM key and adds the key to your domain’s DNS records. Skip to Turn on & verify DKIM.
  1. Sign in to your Google Admin console.

    Sign in using an account with super administrator privileges (does not end in @gmail.com).

  2. Go to the Google Admin Toolbox.
  3. Enter your domain in the Domain name field.

    Note: In some cases, you might need to enter your DKIM prefix selector, which uniquely identifies the DKIM key. The default is google.

  4. Click Run Checks.
  5. When the test finishes, check for one of these messages:
  • DKIM authentication DNS setup: A DKIM key is set up for the domain and selector. We recommend that you also set up DMARC.
  • DKIM is not set up: There's no DKIM key for your domain with the prefix selector you entered. Set up a new key using the provided selector. Continue with Generate a DKIM key pair.

Step 2: Generate a DKIM key pair

  • If you are using Google Workspace, follow the instructions in this section. 
  • If you are not using Google Workspace, use a tool available from the internet to do the following:
    • Find your DKIM prefix selector. You can send a test email to your inbox, view the message source, and locate the s value in the DKIM-Signature header.
    • Specify your domain name, key length, and DKIM prefix selector to generate a DKIM key pair.
    • Store the private key in your mail server configuration and add the public key to your domain.

Generate a DKIM key for your domain

You must be signed in as a super administrator for this task.

Important: In Google Workspace, after you turn on Gmail for your organization, you must wait 24–72 hours before you can get your DKIM key in the Admin console. If you try to generate a key before this time, you might get an error that the DKIM record was not created.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Appsand thenGoogle Workspaceand thenGmail.
  3. Click Authenticate email.
  4. In the Selected domain menu, select the domain where you want to set up DKIM.
  5. Click the Generate New Record button.
  6. In the Generate new record box, select your DKIM key settings:
    • DKIM key bit length options:
      • 2048—If your domain provider supports 2048-bit keys, select this option. Longer keys are more secure than shorter keys. If you previously used a 1024-bit key, you can switch to a 2048-bit key if your domain provider supports them.
      • 1024—If your domain host doesn't support 2048-bit keys, select this option.
    • Prefix selector options:
      • The default prefix selector is google. If you are using Google Workspace, this is the recommended option.
      • If your domain already uses a DKIM key with the prefix google, enter a different prefix in this field. Read more about DKIM selectors.
  7. Click Generate. On the Authenticate email page, the TXT record value is updated and this message appears: DKIM authentication settings updated.

    Important: The Authenticate email page in your Google Admin console might continue to display this message for up to 48 hours: You must update the DNS records for this domain. If you've correctly added your DKIM key at your domain provider, you can ignore this message.

  8. Copy the DKIM values shown in the Authenticate email window. You’ll add it at your domain provider in the next step:
      1. DNS Host name (TXT record name)—This text is the name for the DKIM TXT record you'll add to your domain provider's DNS records. Enter this name in the Host field.
      2. TXT record value—This text is the DKIM key. You'll add this to your DKIM TXT record. Enter the key in the TXT Value field.
         
         
         
         

Step 3: Add the DKIM key to your domain

Once you have generated your DKIM key pair, add the public DKIM key to your domain by creating a DKIM TXT record.

For help with your domain sign-in information, settings, or TXT records, contact your domain provider. Google doesn't provide technical support for third-party domain providers.

Add DKIM domain key to domain DNS records

Add the DKIM key from your Google Admin console to your domain provider's DNS records.

  1. Sign in to your domain host, typically where you purchased your domain name. If you’re not sure who your domain host is, see identify your domain registrar.
  2. Go to the page where you update DNS TXT records for your domain. For help finding this page, check the documentation for your domain.
  3. Add or update the TXT record with this information (refer to the documentation for your domain): 

    Field name Value to enter
    Type The record type is TXT.
    Host The domain (or subdomain), can also be called Name, Hostname, or Alias. If the Host is the same domain (not subdomain) you are adding the TXT record to, specify the @ symbol.
    Value

    The string that makes up the TXT record:

    TTL (only SPF & BIMI)

    The Time To Live value determines the number of seconds before subsequent changes to the record go into effect.

    You can set this value to 1 hour or 3600 seconds.

    If your domain doesn't let you modify the value for this field, use the current value.

    Note: Some domain providers limit TXT record length. If yours does, read Verify your domain provider's TXT record character limits.
  4. Save your changes.
  5. If you use subdomains, check with your domain provider to find out how to add a TXT record for subdomains. 
  6. If you are setting up DKIM for more than one domain, complete these steps for each domain. You must get a unique DKIM key from the Admin Console for each domain.

After adding a DKIM key, it can take up to 48 hours for DKIM authentication to start working.

Step 4: Turn on & verify DKIM

  • If you are using Google Workspace, follow the instructions in this section. 
  • If you are not using Google Workspace, use one of the tools available on the internet.

Turn on DKIM signing

After you add your DKIM key at your domain provider, turn on DKIM signing in your Google Admin console.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Appsand thenGoogle Workspaceand thenGmail.
  3. Click Authenticate email.
  4. In the Selected domain menu, select the domain where you want to turn on DKIM. 
  5. Click Start authentication. When DKIM setup is complete and working correctly, the status at the top of the page changes to: Authenticating email with DKIM.
  6. Send an email message to someone who is using Gmail or Google Workspace. (You can't verify DKIM is on by sending yourself a test message.)
  7. Open the message in the recipient's inbox and find the entire message header.

    Note: Steps to view the message header differ for different email applications. To show message headers in Gmail, next to Reply, click More and thenShow original.

  8. In the message header, look for Authentication-Results. Receiving services use different formats for incoming message headers, however the DKIM results should say something like DKIM=pass or DKIM=OK.

    If the message header doesn't include a line about DKIM, messages sent from your domain aren't signed with DKIM:

Next steps

  • Google recommends that you also set up DMARC authentication for your organization.
  • If you can't figure out if DKIM is working, or if messages from your domain are going to spam, see Troubleshoot DKIM issues.
  • Optionally, consider setting up BIMI to add your organization's logo to outgoing messages.

Related topics


Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.

Was this helpful?

How can we improve it?
Search
Clear search
Close search
Main menu
1642399384270940281
true
Search Help Center
true
true
true
true
true
73010
false
false