Set up DKIM to prevent email spoofing
Next: 3. Turn on DKIM signing
Skip this step if your domain was provided by a Google Workspace domain host partner
If your domain was provided by a Google Workspace domain host partner, skip this step. Gmail generates the domain key for you and adds it to your domain’s DNS records. Go to Turn on DKIM signing.
To turn on DKIM, update your domain DNS TXT record with the DKIM domain key you generated in the Admin console. Update the TXT record at your domain host, not in the Admin console.
Learn more about working with DNS TXT records.
Add the domain key to your domain’s DNS records
For these steps, use the DKIM domain key you generated in the Admin console.
Important: If you have more than one domain, complete these steps for each domain. Use a unique DKIM key for each domain.
- Sign in to the management console for your domain host.
- Locate the page where you update DNS records.Subdomains: If your domain host doesn’t support updating subdomain DNS records, add the record to the parent domain. Learn about Updating DNS records for a subdomain.
- Add a TXT record:Note: If your domain provider limits the length of TXT records, read Domain keys and TXT record limits.
- In the first field, enter the text displayed in the Admin console under DNS Host name (TXT record name).
- In the second field, enter the text string displayed in the Admin console under TXT record value.
- Save your changes.
Important: After you add the TXT record to your domain’s DNS records, the DKIM page in your Google Admin console continues to display this message: You must update the DNS records for this domain. If you’ve correctly added the TXT record to your domain’s DNS records, ignore the message. It can take up to 48 hours for email authentication to start.
Domain keys and TXT record limits
DNS TXT records can have up to 255 characters in a single string. For TXT records over 255 characters, DNS chains multiple text strings together into a single record.
A 2048-bit domain key is longer than the 255-character limit, so it requires a TXT record created from chained text strings.
Contact your domain host to find out if TXT records longer than 255 characters are supported:
- Supported: Find out what steps are required to update your DNS records with the domain key. The steps are different for different domain hosting services.
- Not supported: Use 1024-bit domain keys for DKIM to stay within the 255-character limit.
Turn on DKIM signing