Enhance security for outgoing email (DKIM)
Update DNS records for a subdomain
If you send mail from a subdomain, you may not be able to add a TXT record for that subdomain. To use DKIM authentication, you can add the necessary TXT record to the parent domain.
When you generate a domain key for a domain, the Google Admin console displays the name of the TXT record you need to create. The name has the form selector._domainkey, where selector is the selector prefix for the key (google by default). When you want to use the TXT record for mail sent from a subdomain, you add a period and the name of the subdomain to the end of the record name.
For example, suppose you add a TXT record to the domain mydomain.com in order to authenticate mail sent from the subdomain mail.mydomain.com. The record name would be google._domainkey.mail.
To add the TXT record to the DNS records for the parent domain:
- Generate the domain key for the subdomain in the Google Admin console.
The Admin console displays the name and value for the required TXT record.
- Sign in to the administrator console provided by your domain provider.
- Locate the page from which you can update the DNS records for the parent domain.
- Create a TXT record with the name and value from the Google Admin console.
Different domain registrars use different names for the fields associated with a TXT record. For example, GoDaddy has fields named TXT Name and TXT Value, while Name.com calls the same fields Record Host and Record Answer. Regardless of which provider you use, enter the text under DNS TXT record name into the first field and the text under Value into the second field.
If your domain provider supports the 2048-bit domain key length but limits the size of the TXT record value to 255 characters, you can't enter the DKIM key as a single text in the DNS records. In this case, split the key into multiple quoted text strings and enter them together in the TXT record value field. For example, you can split the DKIM key into two records as follows:
- Add a period (.) and the name of the subdomain to the end of the record name.
For example, to authenticate mail sent from the subdomain mail.mydomain.com, the record name would be google._domainkey.mail.
- Save your changes.