Turn on DKIM for your domain

Protect against spoofing & phishing, and help prevent messages from being marked as spam

Follow the steps in this article to get your DomainKeys Identified Mail (DKIM) key, add the key to your domain provider, and turn on DKIM authentication for your domain.

If your domain provider is Google Domains, Google automatically creates a DKIM key, and adds the key to your domain’s DNS records when you set up Google Workspace. Go directly to Turn on DKIM in your Admin console.

We recommend you always set up a DKIM key for your domain, following the steps in this article. If you don't set up your own DKIM key, Gmail signs all outgoing messages with a default DKIM key: d=*.gappssmtp.com. Messages sent from non-Google servers aren't signed with the default DKIM key.

Step 1: Get your DKIM key in your Admin console

You must be signed in as a super administrator for this task.

Important: After you turn on Gmail for your organization, you must wait 24–72 hours before you can get your DKIM key in the Admin console. If you try to generate a key before the waiting period is over, you might get this error: DKIM record not created. You must wait 24 to 72 hours after enabling Gmail with a registered domain before you can create a DKIM record.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Apps and then Google Workspace and then Gmail.
  3. Click Authenticate email.
  4. In the Selected domain menu, select the domain where you want to set up DKIM.
  5. Click the Generate New Record button.
  6. In the Generate new record box, select your DKIM key settings:
    Setting: DKIM key bit length
    Options:
      • 2048: If your domain provider supports 2048-bit keys, select this option. Longer keys are more secure than shorter keys. If you previously used a 1024-bit key, you can switch to a 2048-bit key if your domain provider supports them. Read more about domain keys and TXT record limits.
      • 1024: If your domain host doesn't support 2048-bit keys, select this option.

    Setting: Prefix selector
    Options:
      The default selector prefix is google. We recommend you use the default.

      If your domain already uses a DKIM key with the prefix google, enter a different prefix in this field. Read more about DKIM selectors.

  7. At the bottom of the Generate new record box, click Generate. On the setting page, the text string beneath TXT record value changes to a new value and this message is displayed: DKIM authentication settings updated.
  8. Copy the DKIM values shown in the Authenticate email window. You’ll add them at your domain provider in the next step:
      1. DNS Host name (TXT record name)—This text is the name for the DKIM TXT record you'll add to your domain provider's DNS records. Enter this name in the Host field.
      2. TXT record value—This text is the DKIM key. You'll add this to your DKIM TXT record. Enter the key in the TXT Value field.

Log into your domain provider for the next step.

Step 2: Add the TXT record name & DKIM key to your domain

Log into your domain provider and add the DKIM information you got in Step 1.

Keep these tips in mind:

  • TXT record limits: Some domain providers limit TXT record length. If yours does, read TXT record limits and DKIM keys.
  • DKIM can take up to 48 hours to start: After adding a DKIM key, it can take up to 48 hours for DKIM authentication to start working.
  • Multiple domains: If you’re setting up DKIM for more than one domain, complete the steps below for each domain. You must get a unique DKIM key from the Admin console for each domain.
  • Subdomains: If you need to set up DKIM for a subdomain, read Add a DKIM key for a subdomain.
  • Don't use the DKIM length tag (l=): If you're setting up DKIM for an email system other than Google Workspace, do not use the DKIM length tag in outgoing messages. Messages using this tag are vulnerable to abuse. Learn more in Section 8.2 of RFC 6376.

For help with your domain sign-in information, settings, or TXT records, contact your domain provider. For example, if Google Domains is your domain provider, get help here. Google doesn't provide technical support for third-party domain providers.

  1. Sign in to the management console for your domain provider.
  2. Locate the page where you update DNS settings for your domain.
  3. Add a TXT record for DKIM:
    • In the first field, enter the DNS Host name (TXT record name) shown in the Admin console.
    • In the second field, enter the TXT record value (DKIM key) shown in the Admin console. 
  4. Save your changes.

Go back to your Admin console for the next step.

Step 3: Turn on DKIM signing

Important: The Authenticate email page in your Google Admin console might continue to display this message for up to 48 hours: You must update the DNS records for this domain. If you've correctly added your DKIM key at your domain provider, you can ignore the message.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Apps and then Google Workspace and then Gmail.
  3. Click Authenticate email.
  4. In the Selected domain menu, select the domain where you want to turn on DKIM. 
  5. Click the Start authentication button. When DKIM setup is complete and working correctly, the status at the top of the page changes to: Authenticating email with DKIM.

Turn off DKIM

We don’t recommend turning off DKIM for your domain. Without DKIM, hackers and other malicious users can impersonate your domain, and send messages that appear to come from your organization or domain. Messages from your domain are also more likely to be sent to spam. If you must turn off DKIM, follow the steps in Turn off DKIM.

Step 4: Verify DKIM authentication is on

  1. Send an email message to someone who is using Gmail or Google Workspace. (You can't verify DKIM is on by sending yourself a test message.)
  2. Open the message in the recipient's inbox and find the entire message header.

    Note: Steps to view the message header differ for different email applications. To show message headers in Gmail, next to Reply, click More and then Show original.

  3. In the message header, look for Authentication-Results. Receiving services use different formats for incoming message headers; however, the DKIM results should say something like DKIM=pass or DKIM=OK.
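
The check in step 3 can be scripted. The following Python sketch is an added example, not part of Google's documentation: it confirms an Authentication-Results verdict of dkim=pass (or OK) and inspects each DKIM-Signature for the default d=*.gappssmtp.com key, a signing domain other than yours, and the l= length tag. The sample headers, example.com, and the finding labels are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample headers (not from a real message); example.com,
# the hostnames and the signature values are placeholders.
SAMPLE = (
    "Authentication-Results: mx.example.net;\n"
    "       dkim=pass header.i=@example.com header.s=google;\n"
    "       spf=pass smtp.mailfrom=alice@example.com\n"
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;\n"
    "        s=google; h=from:to:subject:date; bh=Q09OU1RSVUNURUQ=;\n"
    "        b=Q09OU1RSVUNURUQ=\n"
    "From: alice@example.com\n"
    "Subject: DKIM test\n"
    "\n"
    "body\n"
)

def parse_tags(value):
    """Parse a DKIM-Signature value into its tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(val.split())  # drop folding whitespace
    return tags

def check_dkim(raw_message, domain):
    """Return a list of findings; an empty list means DKIM looks healthy."""
    msg = message_from_string(raw_message)
    findings = []
    auth = " ".join(msg.get_all("Authentication-Results", []))
    verdicts = re.findall(r"(?<![\w.-])dkim=(\w+)", auth, re.I)
    if not any(v.lower() in ("pass", "ok") for v in verdicts):
        findings.append("no-dkim-pass")
    signatures = [parse_tags(v) for v in msg.get_all("DKIM-Signature", [])]
    if not signatures:
        findings.append("unsigned")
    for tags in signatures:
        d = tags.get("d", "").lower()
        if d.endswith(".gappssmtp.com"):
            findings.append("default-google-key")  # your own key is not in use
        elif d != domain and not d.endswith("." + domain):
            findings.append("unaligned:" + d)
        if "l" in tags:
            findings.append("length-tag")  # see RFC 6376, Section 8.2
    return findings

if __name__ == "__main__":
    print(check_dkim(SAMPLE, "example.com") or "DKIM OK")
```

Run it against the header saved from the recipient's copy of the message; an Authentication-Results header is only meaningful when it was added by the receiving service.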

If the message header doesn't include a line about DKIM, messages sent from your domain aren't signed with DKIM:
