DNS Records
      Back to home
      1. Help Center
      2. Google Workspace
      3. DNS Records

      Help prevent spoofing and spam with DKIM

      DomainKeys Identified Mail (DKIM)


      DKIM is a standard email authentication method that adds a digital signature to outgoing messages. Receiving mail servers that get messages signed with DKIM can verify messages came from the sender, not someone impersonating the sender. DKIM also checks to ensure message contents aren’t changed after the message has been sent.

      When receiving servers can verify messages are from you, your messages are less likely to be marked as spam.

      With DKIM authentication, you improve the likelihood that legitimate messages are delivered to recipients’ inboxes. Receiving servers can verify messages are actually from your domain and aren't forged.

      Turn on DKIM for your domain

      1) Get your DKIM key in your Admin console

      You must wait 24 to 72 hours after enabling Gmail with a registered domain before creating a DKIM record.


      Log in to the Admin console as the Super Admin> Go to Apss> Google Workspace> Gmail

      • Click Authenticate email.
      • In the Selected Domain menu, select the domain where you want to set up DKIM.
      • Click the Generate New Record button.
      • In the Generate new record box, select your DKIM key settings:
        1. DKIM key bit length: 2048—If your domain provider supports 2048-bit keys, select this option. Longer keys are more secure than shorter keys.
        2. Prefix selector: The default selector prefix is Google. We recommend you use the default.
      • At the bottom of the Generate new record box, click Generate. On the setting page, the text string beneath the TXT record value changes to a new value, and this message is displayed: DKIM authentication settings updated.
      • Copy the DKIM values shown in the Authenticate email window. You’ll add it to your domain provider in the next step.



      2) Add the TXT record name & DKIM key to your domain

      • Log into your domain provider and add the DKIM information you got in Step 1.
      • Locate the page where you update DNS settings for your domain.
      • Add a TXT record for DKIM:
        • In the first field, enter the DNS Hostname (TXT record name) shown in the Admin console.
        • In the second field, enter the TXT record value (DKIM key) shown in the Admin console. 
      • Save your changes.

      Go back to your Admin console for the next step.

      3) Turn on the DKIM signing

      • In the Admin console, go to Menu > Apps> Google Workspace> Gmail.
      • Click Authenticate email.
      • In the Selected Domain menu, select the domain where you want to turn on DKIM. 
      • Click the Start authentication button. When the DKIM setup is complete and working correctly, the status at the top of the page changes to Authenticating email with DKIM.

      4) Verify DKIM authentication is ON

      • Send an email message to someone who is using Gmail or Google Workspace. (You can't verify DKIM is on by sending yourself a test message.)
      • Open the message in the recipient's inbox and find the entire message header.
        Note: Steps to view the message header differs for different email applications. To show message headers in Gmail, next to Reply, click More Show original.
      • In the message header, look for Authentication-Results. Receiving services use different formats for incoming message headers, however, the DKIM results should say something like DKIM=pass or DKIM=OK.
        If the message header doesn't include a line about DKIM, messages sent from your domain aren't signed with DKIM: