Enhance security for outgoing email (DKIM)

1. Generate the DKIM domain key

Help prevent email spoofing for outgoing messages

Skip this step if your domain was provided by a G Suite domain host partner

If your domain was provided by a G Suite domain host partner, skip this step. Gmail generates the domain key for you and adds it to your domain's DNS records. Go to Turn on DKIM signing.

Generate the domain key for outgoing email

Important: After you create your G Suite account, you must wait between 24 and 72 hours before generating a DKIM domain key. In some cases, it might be longer than 72 hours.

You must be signed in as a super administrator for this task.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Appsand thenG Suiteand thenGmail.
  3. From Gmail, go to Authenticate email.
  4. Select the domain where you'll use DKIM. You'll generate a domain key for this domain.

    Your primary domain appears by default. To generate a domain key for a different domain, click the Down Arrow to select another domain.

  5. Click Generate new record.
  6. If your registrars don't support 2048-bit keys, change the key length from 2048 to 1024.

    2048-bit domain keys are more secure than 1024-bit domain keys. If your registrars support 2048-bit keys, we recommend using them. There's no impact if you previously used a 1024-bit domain key.

  7. If your domain already uses a DKIM domain key that uses google as the selector prefix, you must change the default selector prefix. You might already have a domain key if you're using another email provider.

    Domain keys include a text string called the selector prefix, which you can modify when you generate the key. The default selector prefix for the Gmail domain key is google. Change the prefix only if your domain already uses a DKIM domain key with the selector prefix google.

  8. Click Generate.

    The text box displays the information you use to update the DNS record. Email servers retrieve the public domain key from the DNS record and use it to validate incoming messages. 

Next steps

Update DNS records

Was this helpful?
How can we improve it?