Enabling DKIM For Your Domain Using the Google Admin Console
No matter what your organization’s size is and how many emails you send in a day, you can be a target of impersonation and phishing attacks. So, ensure all your domains, including the parked ones, are secured with SPF, DKIM, and DMARC. In this guide, we are taking you through the 4 steps to enable DKIM using the Google Admin console.
For domains on Google servers that don’t have DKIM, Gmail itself signs all the outgoing emails with a default DKIM key, which is- d=*.gappssmtp.com. But this doesn’t happen for non-Google servers.
Also, if your domain provider is Google Domains, you don’t need to generate a pair of public and private keys. Google will itself generate the keys and add them to your domain’s DNS record when you set up Google Workspace.
If you are not subjected to the above cases, then follow the steps in this guide.
STEP 1- Get Your DKIM Key in Your Admin Console
To do this task, you should be signed in as a super administrator. Also, wait for 24-72 hours after turning on Gmail for your organization to get your DKIM key in the Admin console. If you try producing a key before the waiting period, you will come across the ‘DKIM record not created’ prompt.
Here are steps to get your DKIM key in your Admin console-
- Use your login credentials to sign in to your Google Admin console. Ensure you sign in using an administrator account and not your personal account.
- In the Admin console, go to Menu > Apps > Google Workspace > Gmail.
- Click ‘Authenticate email.’
- In the Selected Domain menu, select the domain where you want to set up DKIM.
- Click the ‘Generate New Record’ button. Then, select your key settings.
| Setting | Options |
| DKIM Key Bit Length |
2048—If your domain provider supports 2048-bit keys, choose this option. Longer keys offer greater security compared to shorter keys. If you previously used a 1024-bit key, you can upgrade to a 2048-bit key, provided your domain provider supports it. 1024– If your domain host doesn’t support 2048-bit keys, then you choose 1024-bit DKIM keys. |
| Prefix Selector | ‘google’ is the selector prefix by default and Google recommends using this only. If your domain already uses a DKIM key with ‘google’ as the prefix, enter a different prefix in this field. |
- Look at the bottom of the Generate New Record box. There will be a ‘Generate’ button; click on it. Then, on the settings page, the text string below the TXT record value will change to a new value, and you will see the ‘DKIM authentication settings updated’ prompt.
- You will see the DKIM values in the ‘Authenticate email,’ which you have to copy and add to your domain provider in the next step:
-
- DNS Host name (TXT record name): It’s the name for the DKIM TXT record you’ll add to your domain provider’s DNS records. Enter this name in the Host field.
- TXT record value: This text is the DKIM key. You’ll add this to your DKIM TXT record. Enter the key in the TXT Value field.
Sign in to your domain provider for the following steps.
STEP 2: Adding the TXT Record Name and DKIM Key to Your Domain
After you log in to your domain provider, add the information you received in the first step.
- Log in to the management console of your domain provider’s platform.
- Find an option to update DNS settings.
- Add a TXT record for DKIM:
-
- In the first field, enter the DNS Hostname (TXT record name).
- In the second field, enter the TXT record value (DKIM key).
4. Save changes.
Once done, go back to the Admin console for the next step.
Please bear the following points in mind-
- Some domain providers impose a limit on the TXT record length; so check in advance.
- After you add your DKIM key, it takes 24 to 48 hours for it to propagate on the Internet and start reflecting.
- If you are configuring DKIM for multiple domains, complete the steps below for all of them. Also, you need to get a unique key from the Admin console for all the domains.
- It’s discouraged to use the DKIM length tag (l=) as emails sent using it are vulnerable to cyber abuse for attempting phishing and spoofing attacks.
STEP 3: Turn on DKIM Signing
- Use your login credentials to sign in to your Google Admin console. Ensure you sign in using an administrator account and not your personal account.
- In the Admin console, go to Menu > Apps > Google Workspace > Gmail.
- Click ‘Authenticate email.’
- In the Selected Domain menu, select the domain where you want to turn on DKIM.
- Click on the ‘Start Authentication’ button, and when the setup process is complete, you will notice that the status at the top of the page will change to ‘Authenticating email with DKIM.’
Disabling DKIM
We don’t recommend turning off DKIM for your domain. Without DKIM, hackers can impersonate your domain and send fake messages that seem to come from you. Your emails are also more likely to end up in spam. Still if you have to turn off DKIM, follow these steps.
- Use your login credentials to sign in to your Google Admin console. Ensure you sign in using an administrator account and not your personal account.
- In the Admin console, go to Menu > Apps > Google Workspace > Gmail.
- Click ‘Authenticate email.’
- On the ‘Authenticate email’ page, click the ‘Stop authentication’ button.
STEP 4: Verify if DKIM is Enabled
- Since you can’t verify if DKIM is enabled by sending a test email to yourself, you have to send a message to another Gmail or Google Workspace user.
- Open the email in the recipient’s inbox and find the full header.
- In the message header, find ‘Authentication-Results.’ Different receiving services may format message headers differently, but the DKIM results should indicate something like DKIM=pass or DKIM=OK.
If your DKIM is still not on, verify that you completed all the above-mentioned steps correctly. If the issue still persists, reach out to us at support@duocircle.com.
We have a team of email security experts in SPF, DKIM, and DMARC who will find the flaw in your configuration or even do it from scratch. We are committed to securing domains from phishing and spoofing attacks through email authentication.