Enhance security for outgoing email (DKIM)

3. Turn on DKIM signing

Help prevent email spoofing on outgoing messages

After you generate your domain key and add the key to your domain record, turn on DKIM signing. 

If you don't turn on DKIM signing for your domain, Gmail will use default DKIM signing. Learn more

Before you turn on DKIM signing

Update your domain DNS records with your DKIM key before you turn on email signing. When you turn on email signing, Gmail verifies you have a DKIM domain key. If the DKIM domain key is not found, Gmail displays a warning message. It might take up to 48 hours for the DNS record updates to take effect.

Start DKIM signing

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Appsand thenG Suiteand thenGmail.
  3. Click Authenticate email.
  4. Select the domain where you want to start email signing.

    The page indicates the status of email signing for the domain you selected.

  5. Click Start authentication.
  6. To confirm that DKIM signing is turned on, send an email message to someone who is using Gmail or G Suite. You can't do this test by sending yourself a test message.
  7. Open the message in the recipient's inbox.
  8. Next to Reply, click and select Show original.

    The entire message header displays.

  9. In the header, find the line starting with "DKIM-Signature", as in this example (d is the sending domain and s is the signing domain):

    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mydomain.com; s=google;

    This line in the message header confirms that DKIM signing is turned on.

Was this article helpful?
How can we improve it?