Authenticate email with a domain key - generate the key - Google Workspace

DomainKeys Identified Mail (DKIM) is an email authentication method that uses cryptographic keys to sign messages and verify their authenticity. Setting up DKIM for your Google Workspace domain is an important step to ensure your emails are not marked as spam and to protect your organisation’s reputation. This guide will show you how to generate a DKIM key and update your DNS records to enable email authentication.

Step-by-Step Guide to Generating and Setting Up DKIM for Google Workspace

Step 1: Sign in to the Google Admin Console

  1. Go to admin.google.com and log in using your Google Admin credentials.
  2. You will be directed to the Google Admin console dashboard.

Step 2: Navigate to Email Authentication Settings

  • In the new Google Admin console:
    • Go to Apps > Google Workspace > Gmail > Authenticate email.
  • In the classic Google Admin console:
    • Go to Advanced Tools, scroll down to the Authenticate Email (DKIM) section, and click Set up email authentication (DKIM).

Step 3: Select the Domain for DKIM Setup

  1. The name of your primary domain will appear by default.
  2. If you want to set up DKIM for a different domain:
    • Click the domain selector drop-down menu.
    • Choose the appropriate domain from the list.

Step 4: Generate a New DKIM Record

  1. Click Generate new record to create a new DKIM key.
  2. Optionally, update the DKIM selector prefix:
    • The DKIM selector prefix is a unique identifier that distinguishes the Google DKIM key from other keys that might be used by your domain.
    • By default, Google uses the prefix google.
    • Change the prefix only if your domain already uses a DKIM key with the google prefix.

Step 5: Retrieve the DKIM Key

After generating the key, a text box will display the DKIM key information you need to create the corresponding DNS TXT record for your domain. This includes:

  • TXT Record Name: This is typically in the format google._domainkey.yourdomain.com.
  • TXT Record Value: Contains the public key, which will be used to verify the authenticity of your emails.

Note: Keys generated through the Google Admin console are 1024-bit in strength by default. For enhanced security, consider upgrading to a 2048-bit key if supported by your domain host.

Step 6: Update Your DNS Records

  1. Log in to your domain registrar’s console (e.g., GoDaddy or Namecheap).
  2. Go to the DNS management section.
  3. Add a new TXT record using the details generated in Step 5:
    • Name/Host: google._domainkey or google._domainkey.yourdomain.com (depending on your domain host’s configuration).
    • Type: TXT
    • Value: Paste the DKIM public key displayed in the Google Admin console.
    • TTL (Time to Live): Set this to 3600 seconds (or 1 hour) for standard propagation.
  4. Save the record and wait for DNS propagation (which can take up to 48 hours).

Step 7: Activate DKIM Signing in Google Admin Console

  1. After updating the DNS record, go back to the Google Admin console.
  2. Click on the Authenticate email section again.
  3. Click Start authentication to activate DKIM signing for your domain.

Important Considerations When Setting Up DKIM

Understanding DKIM Selectors

The DKIM selector is a unique identifier that helps differentiate between multiple DKIM keys for a domain. By default, Google uses the selector google. If you already have DKIM set up for your domain using this selector, use a different selector to avoid conflicts.

Using a 2048-bit DKIM Key

For enhanced security, consider using a 2048-bit key instead of the default 1024-bit key. To enable 2048-bit DKIM keys:

  1. Go to the Gmail DKIM settings in your Admin console.
  2. Click Generate new record.
  3. Select 2048-bit under the key length.

Not all domain providers support 2048-bit keys, so check with your registrar before generating the key.

Verifying DKIM Setup

Once DKIM is set up, you can use tools like MXToolbox DKIM Lookup or Google’s Check MX tool to verify your configuration. A successful setup will show a valid public key associated with your domain.
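
An offline check of the TXT value before you publish it, covering both the key-length advice and the verification step above (an added example, not part of the original guide or of Google's tooling). A single DNS TXT character-string holds at most 255 bytes, so a 2048-bit record has to be entered as several strings that are joined on lookup; the script flags over-long strings and short keys. The names `sample_record` and `audit` are hypothetical, and the sample value is constructed with a synthetic modulus rather than a real key.

```python
import base64

def _der(tag, body):  # encode one DER element; used only to build the sample
    n = len(body)
    k = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | k]) + n.to_bytes(k, "big")
    return bytes([tag]) + head + body

def sample_record(bits):  # constructed TXT value; synthetic modulus, not a usable key
    n = (1 << (bits - 1)) | 1
    modulus = _der(0x02, b"\x00" + n.to_bytes(bits // 8, "big"))
    rsa = _der(0x30, modulus + _der(0x02, (65537).to_bytes(3, "big")))
    alg = _der(0x30, bytes.fromhex("06092a864886f70d0101010500"))  # rsaEncryption
    spki = _der(0x30, alg + _der(0x03, b"\x00" + rsa))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()

def _tlv(buf, pos):  # (value_start, value_end) of the DER element at pos
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:
        k = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return pos, pos + length

def rsa_key_bits(p_b64):  # modulus size of the SubjectPublicKeyInfo in the p= tag
    der = base64.b64decode(p_b64)
    start, _ = _tlv(der, 0)                   # outer SEQUENCE
    _, alg_end = _tlv(der, start)             # AlgorithmIdentifier, skipped
    bit_start, _ = _tlv(der, alg_end)         # BIT STRING
    seq_start, _ = _tlv(der, bit_start + 1)   # RSAPublicKey, after unused-bits byte
    m_start, m_end = _tlv(der, seq_start)     # INTEGER modulus
    return int.from_bytes(der[m_start:m_end], "big").bit_length()

def audit(strings):
    """Problems in a DKIM TXT record given as its DNS character-strings."""
    problems = []
    if any(len(s) > 255 for s in strings):
        problems.append("string over 255 characters")
    pairs = (t.partition("=") for t in "".join(strings).split(";"))
    tags = {k.strip(): "".join(v.split()) for k, _, v in pairs}
    if not tags.get("p"):
        problems.append("p= missing or empty")
    elif rsa_key_bits(tags["p"]) < 2048:
        problems.append("RSA key under 2048 bits")
    return problems

if __name__ == "__main__":
    value = sample_record(2048)
    for strings in ([value], [value[:255], value[255:]], [sample_record(1024)]):
        print(audit(strings))
```

To check your own record, pass the value copied from the Admin console as a list of the strings exactly as you will enter them at your DNS host.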

Further Notes

  • Propagation Time: DNS changes, including DKIM records, can take up to 48 hours to propagate. During this period, lookups might not return the new record yet.

  • Domain Changes: If you switch domain hosts or make changes to your domain settings, you’ll need to regenerate and update the DKIM record.

  • Using DMARC: After setting up DKIM, consider configuring DMARC (Domain-based Message Authentication, Reporting & Conformance) for additional email security and reporting.

By setting up DKIM for your domain, you’re ensuring that recipients can trust your emails and reducing the chances of your messages being marked as spam. This process strengthens your domain’s email security and protects your organisation from spoofing and phishing attacks.
