Gmail users: If you’re getting spam or phishing messages in Gmail, go here instead. If you’re having trouble sending or receiving emails in Gmail, go here instead.
As an administrator, you can set up DKIM (also called a DKIM signature) to authenticate your email and help protect your domain against spoofing.
Without DKIM, messages sent from your organization or domain are more likely to be marked as spam by receiving mail servers.
How does DKIM work?
To set up DKIM, you generate a pair of DKIM keys for your domain:
- A public key that is stored in your domain’s DNS TXT record for DKIM. This is the key that you add to your domain.
- A private key that is uploaded to your email server. This key generates and adds a DKIM signature to all your outgoing email.
- Sender's email server with a private key.
- Sender's DKIM TXT record with a public key.
- Sender's private key adds a DKIM signature to the header of outgoing email.
- Email is sent to the receiver's domain.
- Receiver's email server gets the public key from the DKIM TXT record and uses the key to read the DKIM signature and authenticate the email.
If you use outbound mail gateways
Outbound gateways can be set up to modify outgoing messages. For example, some outbound gateways add a footer to the bottom of every outgoing message. This causes messages to fail DKIM because the message content changed after the message was sent.
Make sure your outbound gateway settings don't interfere with DKIM. Before setting up DKIM, set up the gateway so it doesn’t modify outgoing messages, or set up the gateway to change the message content first. See Set up an outgoing gateway to process outgoing mail.
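Why a gateway footer breaks DKIM, as an added example that is not part of the original article: the DKIM-Signature header carries a bh= tag, a hash of the canonicalized message body, so any body change made after signing no longer matches it. The sketch assumes the signer uses SHA-256 with "relaxed" body canonicalization (RFC 6376); the message bodies and function names are constructed for illustration.

```python
import base64
import hashlib
import re

def relaxed_body(body: bytes) -> bytes:
    """Apply RFC 6376 'relaxed' body canonicalization."""
    # Simplification: bare LF is treated like CRLF as a line ending.
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    out = []
    for line in lines:
        line = re.sub(rb"[ \t]+", b" ", line)  # collapse runs of whitespace
        out.append(line.rstrip(b" "))          # drop whitespace at end of line
    while out and out[-1] == b"":              # drop empty lines at end of body
        out.pop()
    return b"".join(line + b"\r\n" for line in out)

def body_hash(body: bytes) -> str:
    """Value the signer places in the bh= tag (SHA-256, base64)."""
    digest = hashlib.sha256(relaxed_body(body)).digest()
    return base64.b64encode(digest).decode("ascii")

def body_unchanged(signed_bh: str, received_body: bytes) -> bool:
    """True if the received body still matches the signed body hash."""
    return body_hash(received_body) == signed_bh

# Constructed sample bodies, not taken from real mail.
ORIGINAL = b"Hi team,\r\n\r\nThe report is attached.\r\n"
REFLOWED = b"Hi team,   \r\n\r\nThe  report is\tattached.\r\n\r\n\r\n"
WITH_FOOTER = ORIGINAL + b"--\r\nSent via Example Gateway\r\n"

if __name__ == "__main__":
    bh = body_hash(ORIGINAL)  # computed at signing time
    print("bh =", bh)
    print("whitespace-only change still matches:", body_unchanged(bh, REFLOWED))
    print("gateway footer still matches:", body_unchanged(bh, WITH_FOOTER))
```

Relaxed canonicalization tolerates whitespace changes only; added text such as a footer always changes the hash, which is why the gateway must modify the message before it is signed.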
Step 1: Check if DKIM is already set up
How you perform this check depends on whether you are using Google Workspace:
- If you are using Google Workspace, follow the instructions in this section.
- If you are not using Google Workspace, check with your email and/or ISP (if your ISP is the domain that sends email). If you manage your own email, use one of the tools available on the internet.
If your domain provider is Google Domains or Squarespace, Google automatically creates a DKIM key and adds the key to your domain’s DNS records. Skip to .
- Sign in to your Google Admin console.
Sign in using an account with super administrator privileges (does not end in @gmail.com).
- Go to the Google Admin Toolbox.
- Enter your domain in the Domain name field.
Note: In some cases, you might need to enter your DKIM prefix selector, which uniquely identifies the DKIM key. The default is google.
- Click Run Checks.
- When the test finishes, check for one of these messages:
- DKIM authentication DNS setup: A DKIM key is set up for the domain and selector. We recommend that you also set up DMARC.
- DKIM is not set up: There's no DKIM key for your domain with the prefix selector you entered. Set up a new key using the provided selector. Continue with Generate a DKIM key pair.
Step 2: Generate a DKIM key pair
- If you are using Google Workspace, follow the instructions in this section.
- If you are not using Google Workspace, use a tool available from the internet to do the following:
- Find your DKIM prefix selector. You can send a test email to your inbox, view the message source, and locate the s value in the DKIM-Signature header.
- Specify your domain name, key length, and DKIM prefix selector to generate a DKIM key pair.
- Store the private key in your mail server configuration and add the public key to your domain.
Generate a DKIM key for your domain
You must be signed in as a super administrator for this task.
Important: In Google Workspace, after you turn on Gmail for your organization, you must wait 24–72 hours before you can get your DKIM key in the Admin console. If you try to generate a key before this time, you might get an error that the DKIM record was not created.
- Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
- In the Admin console, go to Menu > Apps > Google Workspace > Gmail.
- Click Authenticate email.
- In the Selected domain menu, select the domain where you want to set up DKIM.
- Click the Generate New Record button.
- In the Generate new record box, select your DKIM key settings:
- DKIM key bit length options:
- 2048—If your domain provider supports 2048-bit keys, select this option. Longer keys are more secure than shorter keys. If you previously used a 1024-bit key, you can switch to a 2048-bit key if your domain provider supports them.
- 1024—If your domain host doesn't support 2048-bit keys, select this option.
- Prefix selector options:
- The default prefix selector is google. If you are using Google Workspace, this is the recommended option.
- If your domain already uses a DKIM key with the prefix google, enter a different prefix in this field. Read more about DKIM selectors.
- Click Generate. On the Authenticate email page, the TXT record value is updated and this message appears: DKIM authentication settings updated.
Important: The Authenticate email page in your Google Admin console might continue to display this message for up to 48 hours: You must update the DNS records for this domain. If you've correctly added your DKIM key at your domain provider, you can ignore this message.
- Copy the DKIM values shown in the Authenticate email window. You’ll add it at your domain provider in the next step:
- DNS Host name (TXT record name)—This text is the name for the DKIM TXT record you'll add to your domain provider's DNS records. Enter this name in the Host field.
- TXT record value—This text is the DKIM key. You'll add this to your DKIM TXT record. Enter the key in the TXT Value field.
Step 3: Add the DKIM key to your domain
Once you have generated your DKIM key pair, add the public DKIM key to your domain by creating a DKIM TXT record.
For help with your domain sign-in information, settings, or TXT records, contact your domain provider. Google doesn't provide technical support for third-party domain providers.
Add DKIM domain key to domain DNS records
Add the DKIM key from your Google Admin console to your domain provider's DNS records.
- Sign in to your domain host, typically where you purchased your domain name. If you’re not sure who your domain host is, see identify your domain registrar.
- Go to the page where you update DNS TXT records for your domain. For help finding this page, check the documentation for your domain.
- Add or update the TXT record with this information (refer to the documentation for your domain):
Note: Some domain providers limit TXT record length. If yours does, read Verify your domain provider's TXT record character limits.
- Save your changes.
- If you use subdomains, check with your domain provider to find out how to add a TXT record for subdomains.
- If you are setting up DKIM for more than one domain, complete these steps for each domain. You must get a unique DKIM key from the Admin Console for each domain.
After adding a DKIM key, it can take up to 48 hours for DKIM authentication to start working.
Step 4: Turn on & verify DKIM
- If you are using Google Workspace, follow the instructions in this section.
- If you are not using Google Workspace, use one of the tools available on the internet.
After you add your DKIM key at your domain provider, turn on DKIM signing in your Google Admin console.
- Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
- In the Admin console, go to Menu > Apps > Google Workspace > Gmail.
- Click Authenticate email.
- In the Selected domain menu, select the domain where you want to turn on DKIM.
- Click Start authentication. When DKIM setup is complete and working correctly, the status at the top of the page changes to: Authenticating email with DKIM.
- Send an email message to someone who is using Gmail or Google Workspace. (You can't verify DKIM is on by sending yourself a test message.)
- Open the message in the recipient's inbox and find the entire message header.
Note: Steps to view the message header differ for different email applications. To show message headers in Gmail, next to Reply, click More > Show original.
- In the message header, look for Authentication-Results. Receiving services use different formats for incoming message headers; however, the DKIM results should say something like DKIM=pass or DKIM=OK.
If the message header doesn't include a line about DKIM, messages sent from your domain aren't signed with DKIM:
- Verify you completed all the steps in this article.
- Go to Troubleshoot DKIM issues.
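The header checks described in Step 2 (finding the s value in the DKIM-Signature header) and in this step (reading the DKIM result in Authentication-Results), as an added example that is not part of the original article. The sample messages, the `example.com` / `mx.example.net` names and the function names are constructed for illustration; the `_domainkey` label in the TXT record name comes from the DKIM specification (RFC 6376).

```python
import re
from email import message_from_string

# Constructed sample messages (example.com, selector "google"); not real mail.
SIGNED = (
    "Authentication-Results: mx.example.net;\r\n"
    "       dkim=pass header.i=@example.com header.s=google;\r\n"
    "       spf=pass smtp.mailfrom=user@example.com\r\n"
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;\r\n"
    "        s=google; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER\r\n"
    "From: user@example.com\r\nSubject: test\r\n\r\nhello\r\n"
)
UNSIGNED = (
    "Authentication-Results: mx.example.net;\r\n"
    "       spf=pass smtp.mailfrom=user@example.com\r\n"
    "From: user@example.com\r\nSubject: test\r\n\r\nhello\r\n"
)

def parse_tags(value: str) -> dict:
    """Parse the 'tag=value; tag=value' list of a DKIM-Signature header."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            # Folding whitespace inside a tag value is not significant.
            tags[name.strip()] = "".join(val.split())
    return tags

def dkim_report(raw_message: str) -> dict:
    """Summarize DKIM signing and the receiver's verdict from raw headers."""
    msg = message_from_string(raw_message)
    signatures = []
    for value in msg.get_all("DKIM-Signature", []):
        tags = parse_tags(value)
        if "s" in tags and "d" in tags:
            signatures.append({
                "selector": tags["s"],
                "domain": tags["d"],
                # DNS name of the TXT record that holds the public key
                "txt_name": f"{tags['s']}._domainkey.{tags['d']}",
            })
    verdicts = []
    for value in msg.get_all("Authentication-Results", []):
        verdicts += re.findall(r"\bdkim=([a-z]+)", value, re.IGNORECASE)
    return {"signed": bool(signatures), "signatures": signatures,
            "verdicts": [v.lower() for v in verdicts]}

if __name__ == "__main__":
    print(dkim_report(SIGNED))
    print(dkim_report(UNSIGNED))
```

When reading real mail, rely only on the Authentication-Results header added by your own receiving server, since a sender can include a header of the same name in the message it submits.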
Next steps
- Google recommends that you also set up DMARC authentication for your organization.
- If you can't figure out if DKIM is working, or if messages from your domain are going to spam, see Troubleshoot DKIM issues.
- Optionally, consider setting up BIMI to add your organization's logo to outgoing messages.
Related topics
- Troubleshoot DKIM issues
- Turn off DKIM
- About TXT records
Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.