Authenticate email with DKIM

Spammers can forge the From address on mail messages so that the spam appears to come from a user in your domain. To help prevent this sort of abuse, Google Apps enables you to add a digital "signature" to the header of mail messages sent from your domain. Recipients can check the domain signature to verify that the message really comes from your domain and that it has not been changed along the way. (If your domain has an SPF record, recipients can also verify that the message came from an authorized mail server.)

Google Apps' digital signature conforms to the DomainKeys Identified Mail (DKIM) standard. To add a digital signature to outgoing mail, you generate a 1024-bit domain key that Google Apps uses to create signed mail headers that are unique to your domain. You add the public key to the Domain Name System (DNS) records for your domain. Recipients can verify the source of a mail message by retrieving your public key and using it to confirm your signature.

If you use an outbound mail gateway that modifies outgoing messages, such as when Postini adds a compliance footer, the change invalidates the DKIM signature. You need to prevent the gateway server from modifying messages or turn off DKIM authentication.

If you already have a DKIM domain key for your domain — for example, if your legacy mail server signs outgoing mail — you need to generate a separate key for Google Apps to use. The Google Apps domain key is distinguished from any other key by a string known as a selector prefix. The selector prefix for the Google Apps domain key is "google" by default, but you can enter a new selector prefix when you generate the key.

There are three major steps required to add the DKIM signature to outgoing mail:

If you purchased your domain from one of our registration partners while signing up for Google Apps, the first two steps are not necessary. Google will automatically generate the domain key and add the necessary DNS record when you turn on authentication.

If you have multiple domains associated with your Google Apps account, you need to repeat these steps for each domain.

See SPF records and Understanding DMARC for other anti-spoofing measures available to you through Google.