Enhance security for outgoing email (DKIM)

About DKIM

Prevent email spoofing for outgoing messages

Use the DomainKeys Identified Mail (DKIM) standard to help prevent email spoofing on outgoing messages.

Email spoofing is when email content is changed to make the message appear from someone or somewhere other than the actual source.

DKIM adds an encrypted signature to the header of all outgoing messages. Email servers that get these messages use DKIM to decrypt the message header and verify that the message was not changed after it was sent.

How DKIM works

DKIM uses a pair of keys, one private and one public, to verify messages.

Generate a private domain key, which adds an encrypted header to all outgoing messages sent from your G Suite domain.

2048-bit domain keys are more secure than 1024-bit domain keys. If your registrars support 2048-bit keys, we recommend using them. There's no impact if you previously used a 1024-bit domain key.

Add the matching public key to the Domain Name System (DNS) for your G Suite domain. Email servers that get messages from your domain use the public key to decrypt message headers and verify the message source.

When you turn on email authentication, DKIM starts encrypting the headers of outgoing messages.

Overview -- Set up DKIM

Take these steps for each domain associated with your G Suite account:

Go directly to Step 3 if your domain is provided by a G Suite domain host partner. When you turn on email authentication, G Suite generates the public domain key (Step 1) and adds it to your domain DNS records (Step 2).

  1. Generate the public domain key for your domain.
  2. Add the key to your domain's DNS records so it can be used to read the DKIM headers.
  3. Turn on email signing to add DKIM headers to all outgoing messages.

My domain already has a DKIM key

If you already use DKIM in your domain (with another email system), you must generate a new, unique domain key to use with G Suite. 

Domain keys include a text string called the selector prefix, which you can modify when you generate the key. The default selector prefix for the G Suite domain key is google. When you generate the key, you can change the default selector prefix from google to text of your choice.

Set up DMARC to manage suspicious incoming messages

DKIM does not prevent spoofing of incoming messages from outside email servers. To help prevent email spoofing on incoming messages, use Domain-based Message Authentication, Reporting & Conformance (DMARC). Learn about DMARC.

How DMARC works

DMARC helps email senders and receivers verify messages, and defines what action to take on suspicious messages. When an incoming message does not pass the DKIM check, DMARC specifies what happens to these messages:

  • No action on the message
  • Reject the message
  • Hold the message for more processing (quarantine)

Outbound mail servers that modify messages

If you use an outbound mail gateway that modifies outgoing messages (for example, adds a footer to each message), the DKIM signature is voided. To prevent this issue, take one of these actions:

  • Set up the gateway so that it does not modify outgoing messages
  • Set up the gateway to modify the message first, then add the DKIM signature

See SPF records and Understanding DMARC to learn more about preventing spoofing with G Suite.