Enhance security for outgoing email (DKIM)

1. Generate a DKIM key for your domain

Set up DKIM to prevent email spoofing

Skip this step if your domain was provided by a G Suite domain host partner

If your domain was provided by a G Suite domain host partner, skip this step. Gmail generates the domain key for you and adds it to your domain's DNS records. Go to Turn on DKIM signing.

Important: After you create your G Suite account and turn on Gmail, you must wait 24–72 hours before you can generate a DKIM domain key.

Generate the domain key for outgoing email

You must be signed in as a super administrator for this task.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Appsand thenG Suiteand thenGmail.
  3. From Gmail, go to Authenticate email.
  4. Select the domain where you'll use DKIM. You'll generate a domain key for this domain.

    Your primary domain is selected by default. To generate a domain key for a different domain, click the Down Arrow and select another domain.

  5. Click Generate new record. You'll see these options in the Generate new record box:
    • Select DKIM key bit length: If your domain host doesn't support 2048-bit keys, change the key length from 2048 to 1024. 2048-bit domain keys are more secure than 1024-bit domain keys. If your domain host support 2048-bit keys, we recommend using them. If you previously used a 1024-bit key, there's no impact when you switch to a 2048-bit key.
    • Prefix selector: Domain keys include a text string called the selector prefix, which you can modify when you generate the key. The default selector prefix for the Gmail domain key is google. Change the prefix only if your domain already uses a DKIM domain key with the selector prefix google.
  6. Click Generate.

    The text that appears under TXT record value is the key you use to update the DNS record at your domain host. Remote mail servers retrieve this public key from the DNS record and use it to validate messages from your domain. 

    Important: If you recently set up G Suite or Gmail, you might see this error: "We are unable to process your request at this time. Please try again later. (Error #1000)."

    After you turn on Gmail, you must wait 24–72 hours before you can generate a DKIM domain key.

DKIM for multiple domains

If you're setting up DKIM for more than one domain, repeat Steps 4 and 5 to get a DKIM key for each domain.

Next steps

Update DNS records

Was this helpful?
How can we improve it?