Overview of Steps (referenced from G Suite)
(If you purchased your domain from one of Google’s domain host partners while signing up for G Suite, skip to Step 3. Google automatically generates the domain key and adds the necessary DNS record once you turn on authentication.)
If you migrated your own separate domain, not obtained through a Google domain host partner, repeat the following steps for each domain associated with your G Suite account.
- Generate the public domain key for your domain.
- Add the key to your domain's DNS records so recipients can retrieve it for reading the DKIM header.
- Turn on email signing to begin adding the DKIM header to outgoing mail messages.
Step 1 - Generate the domain key
- Sign in to the Google Admin console.
- Click Apps > G Suite > Gmail > Authenticate email.
- Select the domain for which you want to generate a domain key.
The name of your primary domain appears by default. To generate a domain key for a different domain, select it from the drop-down list.
- Click Generate new record.
- If your registrar doesn't support 2048-bit keys, change the key length from 2048 to 1024.
- Optionally, update the text used as the DKIM selector prefix.
The selector prefix is used to distinguish the domain key that G Suite uses from any other domain keys you may have. In most cases, you'll select the default prefix "google". The only reason to change the prefix is if your domain already uses a DKIM domain key with the selector prefix "google".
- Click Generate.
The text box displays the information you need in order to create the DNS record that recipients query in order to retrieve the public domain key.
Step 2 – Add Key to Domain DNS
- Sign in to the administrator console provided by your domain provider.
- Locate the page from which you can update the DNS records.
Adding a domain key for a subdomain? If your domain host doesn't support updating DNS records for subdomains, add the record to the parent domain. See Update DNS records for a subdomain.
- Create a TXT record with the name and value from the Google Admin console. The information you need to create the TXT record appears in the text box on the Authenticate email page in the Google Admin console.
Different domain registrars use different names for the fields associated with a TXT record. For example, GoDaddy has fields named TXT Name and TXT Value, while Name.com calls the same fields Record Host and Record Answer. Regardless of which provider you use, enter the text under DNS Host name (TXT record name) into the first field and the text under TXT record value into the second field.
- If your domain host is EasyDNS, add a period and your domain name to the end of the DNS Host name (TXT record name) value. The value you enter should have the form google._domainkey.your_domain.com, where your_domain.com is the name of your domain.
- If your domain provider supports the 2048-bit domain key length but limits the size of the TXT record value to 255 characters, you can't enter the DKIM key as a single entry in the DNS records. In this case, split the key into multiple quoted text strings and enter them together in the TXT record value field. For example, split the DKIM key into 2 parts as follows:
"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAraC3pqvqTkAfXhUn7Kn3JUNMwDkZ65ftwXH58anno/bElnTDAd/idk8kWpslrQIMsvVKAe+mvmBEnpXzJL+0LgTNVTQctUujyilWvcONRd/z37I34y6WUIbFn4ytkzkdoVmeTt32f5LxegfYP4P/w7QGN1mOcnE2Qd5SKIZv3Ia1p9d6uCaVGI8brE/7zM5c/"
2. Save your changes.
Step 3 – Turn on Email Signing
- In your Google Admin console (at admin.google.com)
- From the Admin console dashboard, go to Apps > G Suite > Gmail.
- Click Authenticate email.
- Select the domain whose mail you want to sign with the domain key.
The page indicates the status of the domain key for the selected domain.
5. Click Start authentication.
You can activate DKIM authentication only after updating the DNS records for the domain. G Suite tries to verify the existence of the DKIM domain key and displays a warning message if unable to do so. You might need to wait for up to 48 hours for the DNS record updates to take effect.
6. To confirm that DKIM signing is active, send an email message to someone who is using Gmail or G Suite.
7. Open the message in the recipient's inbox.
8. Click the at the right of the "Reply" arrow, then choose Show original from the drop-down menu to open the message header.
9. In the header, find the line starting with "DKIM-Signature", as in the following example:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mydomain.com; s=google;
(Where 'd' is the sending domain, and 's' is the signing domain)
This line in the email header confirms that DKIM authentication is active.
To maintain the safety and security of the email service, Google uses DKIM signing for all email messages. Google now signs all email traffic not signed with DKIM originating from Google Cloud domains with d=*.gappssmtp.com. This should not cause any email delivery issues. In the rare event that your email is rejected, contact the receiving server administrator. In particular, you should suggest that receivers not reject emails based on a missing or unverifiable DKIM signature. See RFC 4871. To prevent any issues, we encourage you to add your own DKIM signature to your emails.
For further information regarding DKIM configuration with G Suite, please review Google's documentation located here: Authenticate email with DKIM