Enhance security for outgoing email (DKIM)

1. Generate a DKIM key for your domain

Set up DKIM to prevent email spoofing

Skip step 2 if your domain was provided by a Google Workspace domain host partner

If a Google Workspace domain host partner provided your domain, you don’t need to add your DKIM key to the DNS record at your domain host. Gmail generates the domain key and adds it to your domain's DNS records. Go to 3. Turn on DKIM signing.

Important: After you create your Google Workspace account and turn on Gmail, you must wait 24–72 hours before you can generate a DKIM key.

Generate the domain key for outgoing email

You must be signed in as a super administrator for this task.

  1. Sign in to your Google Admin console.

    Sign in using an account with super administrator privileges (does not end in @gmail.com).

  2. From the Admin console Home page, go to Appsand thenGoogle Workspaceand thenGmail.
  3. Click Authenticate email.
  4. Your primary domain is selected by default. Click your primary domain name and select another domain where you’ll use DKIM.
  5. Click Generate new record and you’ll see these options:
    • Select DKIM key bit length—If your domain host supports 2048-bit keys, we recommend using them as they’re more secure. If you previously used a 1024-bit key, there's no impact when you switch to a 2048-bit key.

      If your domain host doesn't support 2048-bit keys, change the key length to 1024.

    • Prefix selector—Domain keys include a text string called the prefix selector which you can modify when you generate the key. The default prefix selector for the Gmail domain key is google. Change the prefix only if your domain already uses a DKIM key with the prefix selector google.
  6. Click Generate.

    Use the text at TXT record value to update the DNS record at your domain host. Remote mail servers retrieve this public key from the DNS record and use it to validate messages from your domain. 

    Important: If you recently set up Google Workspace or Gmail, you might see this error: "We are unable to process your request at this time. Please try again later. (Error #1000)."

    After you turn on Gmail, you must wait 24–72 hours before you can generate a DKIM key.

DKIM for multiple domains

If you're setting up DKIM for more than one domain, repeat Steps 4–6 to get a DKIM key for each domain.

Next steps

To update DNS records, add your DKIM key to your DNS records.

Was this helpful?
How can we improve it?

Need more help?

Sign in for additional support options to quickly solve your issue