Add DKIM to prevent email spoofing

The DomainKeys Identified Mail (DKIM) standard lets receiving mail servers verify that outgoing order notification emails from the Brikl platform are sent from your domain.

DKIM uses “public key cryptography” to verify that an email message was sent from your authorized mail server.

Enhance security for outgoing email (DKIM)

Email spoofing is when the content of an email is changed to make the message appear to come from someone or somewhere other than the actual source. To prevent this, some email servers require DKIM.

A DKIM signature, created with your domain's private key, protects the header of all outgoing messages. Email servers that receive signed messages use the matching public key to check the signature and verify the message was not fraudulently changed after it was sent.

How to set up DKIM for Gmail 

  1. Generate the domain key for your domain.
  2. Add the public key to your domain's DNS records. Email servers can use this key to verify your messages' DKIM signatures.
  3. Turn on DKIM signing to start adding a DKIM signature to all outgoing messages.

Generate a DKIM key for your domain (for outgoing email)

We will be using the DKIM from G Suite as an example. If you are using another provider, the steps might differ slightly.

  1. From your G Suite admin console homepage, go to Apps > G Suite > Gmail.

  2. Click 'Authenticate email'.

  3. Your primary domain will be selected by default. Click your primary domain name and select all other domains where you will want to use DKIM.

  4. Click 'Generate new record'.

  5. Select DKIM key bit length. If your domain host supports 2048-bit keys, we would recommend using 2048-bit as they will be more secure. If you previously used a 1024-bit key, there will be no impact when switching to a 2048-bit key.

If your domain host doesn't support 2048-bit keys, you can change the key length to 1024.

Domain keys include a text string called the prefix selector, which you can modify. The default prefix selector for the Gmail domain key is google. Change the prefix only if your domain already uses a DKIM key with the prefix selector google.

  6. Click Generate.

Use the text at TXT record value to update the DNS record at your domain host. Remote mail servers can get this public key from the DNS record and use it to confirm that messages come from your domain.

DKIM for multiple domains

If you're setting up DKIM for more than one domain, repeat Steps 4–6 to get a DKIM key for each domain.

Add the domain key to your domain's DNS records

For the steps below, use the DKIM domain key you generated in the admin console.

If you have more than one domain, complete these steps for each domain. Use a unique DKIM key for each domain.

  1. Sign in to the management console for your domain host.

  2. Locate the page where you update your DNS records. Subdomains: if your domain host doesn't support updating subdomain DNS records, add the record to the parent domain.

  3. Add a TXT record.

If your domain provider limits the length of TXT records, go to Domain keys and TXT record limits.

  • In the first field, enter the text displayed in the admin console, under DNS Host name (TXT record name).
  • In the second field, enter the text string displayed in the admin console under TXT record value. Save your changes.

Turn on DKIM signing

  1. From your admin console homepage, go to Apps > G Suite > Gmail.

  2. Click 'Authenticate email'.

  3. Select the domain you want to start email signing. The page shows the status of email signing for the selected domain.

  4. Click 'Start authentication'.

  5. To verify that DKIM signing is active, send an email message to someone who is using Gmail or G Suite. You can't do this test by sending a message to yourself.

  6. Open the message in the recipient's inbox.

  7. Next to 'Reply', click 'More' (the three vertical dots), then click 'Show original'. The entire message header is displayed.

  8. In the message header, the line starting with DKIM-Signature confirms that DKIM signing is on.

See this example, where 'd' is the sending domain and 's' is the selector (the prefix selector chosen when the key was generated):

    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mydomain.com; s=google;
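The following Python check is an added example, not part of the original article or of Google's tooling. From a DKIM-Signature header it derives the TXT record name a receiving server looks up, then inspects a TXT record value for a missing key, the RSA key length, and the 255-character string limit that some domain hosts enforce. The function names and the sample record (a dummy key, constructed for illustration) are assumptions.

```python
import base64

def parse_tags(value):
    """Parse the 'tag=value;' list used by the DKIM-Signature header and the TXT record."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(val.split())  # drop folding whitespace
    return tags

def dkim_dns_name(header):
    """TXT record name a receiving server looks up: <s>._domainkey.<d>."""
    tags = parse_tags(header.split(":", 1)[1])
    return f"{tags['s']}._domainkey.{tags['d']}"

def _tlv(der, i):
    """Read one DER element at offset i; return (content_start, content_end)."""
    n, i = der[i + 1], i + 2
    if n & 0x80:  # long-form length
        k = n & 0x7F
        n, i = int.from_bytes(der[i:i + k], "big"), i + k
    return i, i + n

def rsa_bits(p_b64):
    """Bit length of the RSA modulus in a p= value (DER SubjectPublicKeyInfo)."""
    der = base64.b64decode(p_b64, validate=True)
    seq, _ = _tlv(der, 0)            # outer SEQUENCE
    _, alg_end = _tlv(der, seq)      # AlgorithmIdentifier
    bits, _ = _tlv(der, alg_end)     # BIT STRING
    key, _ = _tlv(der, bits + 1)     # skip unused-bits byte, enter RSAPublicKey
    m, m_end = _tlv(der, key)        # INTEGER modulus
    return int.from_bytes(der[m:m_end], "big").bit_length()

def check_record(txt):
    """Return findings for a published DKIM TXT record value."""
    tags, findings = parse_tags(txt), []
    if not tags.get("p"):
        findings.append("p= is empty or missing")
    elif tags.get("k", "rsa") == "rsa" and rsa_bits(tags["p"]) < 2048:
        findings.append("RSA key is shorter than 2048 bits")
    if len(txt) > 255:
        findings.append("value exceeds 255 characters; host must split it into several strings")
    return findings

# Constructed sample: structurally valid 2048-bit key with a dummy modulus (not a real key).
_SPKI = (bytes.fromhex("30820122300d06092a864886f70d01010105000382010f003082010a0282010100")
         + b"\xc3" * 256 + bytes.fromhex("0203010001"))
SAMPLE_TXT = "v=DKIM1; k=rsa; p=" + base64.b64encode(_SPKI).decode()
SAMPLE_HEADER = "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mydomain.com; s=google;"
```

To check a live domain, pass the value returned by a TXT lookup of the derived name to `check_record`, joining the quoted strings first if the answer is split.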

How to set up DKIM for other email hosting providers

Please contact your email hosting provider's support team for help.