We’re here to help
We’ve tried to simplify DKIM setup, but some steps can be technical. Read these articles thoroughly, and we’ll walk you through the process. We’re confident you can successfully implement DKIM.
If you haven’t yet, watch our email authentication videos. These videos have helpful information about how to set up DKIM and other email authentication methods.
Take these steps before you set up DKIM
Get the sign-in information your domain provider
You’ll add DKIM information from your Google admin console to your domain providers settings. You’ll need the sign-in information for your domain provider.
If you need help with identifying your domain provider, go to Identify your domain host.
Find out if your domain provider supports 2048-bit DKIM keys
The DKIM key bit length can be 2048 or 1024. We recommend 2048 because it’s more secure than 1024.
You set the key bit length when you get your DKIM key in your Admin console. If you don't know which key bit length your domain provider supports, start with 2048. You can change it to 1024 later if there are issues with 2048.
Learn more in DKIM keys and TXT record limits.Understand DNS TXT records
To set up DKIM for your domain, add a DNS text (TXT) record in your domain provider's management console. TXT records are a type of DNS record that has information for servers and other sources outside your domain.
Check your domain provider’s documentation for more information on how to add a DKIM record. Learn more About TXT records.Check outbound gateways settings
If you use mail outbound gateways for your organization, make sure the gateway settings don’t interfere with DKIM authentication.
Outbound gateways can be set up to modify outgoing messages. For example, some outbound gateways add a footer to the bottom of every outgoing message. This causes messages to fail DKIM because the message content changed after the message was sent.
Make sure your outbound gateway settings don't interfere with DKIM:
- Set up the gateway so it doesn’t modify outgoing messages, or
- Set up the gateway to change the message content first, then add the DKIM signature.
(Optional) Check for an existing DKIM key for your domain
DKIM keys have a label called the selector prefix, which uniquely identifies the DKIM key.
If you’re already using a DKIM key for your domain, it could be with Google Workspace or with another email system. We recommend you use a new selector prefix that hasn’t been previously used.
When you generate a new DKIM key in your Admin console, the default selector prefix value is google. However, you can set a different value when creating your key. Read more about DKIM selectors.
Check if DKIM is set up for your domain:
-
Sign in to your Google Admin console.
Sign in using an account with super administrator privileges (does not end in @gmail.com).
- From the Admin console Home page, go to Apps
Google Workspace
- Click Authenticate email.
- In the Selected domain menu, select the domain you want to check.
- Locate the DNS host name (TXT record name) section:
- If you you've never set up DKIM in Google Workspace, this field doesn't have a value. Go to Turn on DKIM for your domain.
- If this field has a value, note the text in front of the ._domainkey. This is the selector prefix. For example, the selector prefix for google._domainkey is google.
- Go to the Google Admin Toolbox.
- Enter your domain in the Domain name field.
- If you have a custom DKIM selector from Step 5, enter it in the DKIM selector (optional) field.
- Click Run Checks.
- When the test finishes, check for one of these messages:
- DKIM authentication DNS setup: A DKIM key is set up for the domain and selector.
- DKIM is not set up: There's no DKIM key for your domain with the prefix selector you entered. Set up a new key using the provided selector. (The default selector is google.)
