Google: Help prevent spoofing and spam with DKIM

Google Article: https://support.google.com/a/answer/174124

Protect against spoofing & phishing, and help prevent messages from being marked as spam

Set up DKIM to help protect your domain against spoofing, and help prevent your outgoing messages from being marked as spam. Spoofing is a type of email attack that forges the From address of an email message. A spoofed message appears to be from the impersonated organization or domain. DKIM detects when a message has been modified, and when unauthorized changes are made to the message From: address.

Without DKIM, messages sent from your organization or domain are more likely to be marked as spam by receiving mail servers. Learn more about preventing messages to Gmail users from being blocked or sent to spam.

Email authentication requirements for sending to Gmail accounts

Google performs random checks on messages sent to personal Gmail accounts to verify messages are authenticated. To help ensure messages you send to Gmail accounts are delivered as expected, you should set up either SPF or DKIM for your domain. Messages without at least one of these authentication methods are rejected with a 5.7.26 error, or are marked as spam. We recommend you always set up SPF and DKIM to protect your organization’s email, and to support future authentication requirements.

If you use an email service provider, verify that they authenticate your organization's email with SPF or DKIM.

If you regularly forward email, be sure to follow Best practices for forwarding email to Gmail to help ensure your messages are delivered as expected.

If your domain provider is Google Domains, Google automatically creates a DKIM key, and adds the key to your domain’s DNS records when you set up Google Workspace. Go directly to Turn on DKIM in your Admin console.

Video

SPF and DKIM help prevent spammers from impersonating your organization.

How DKIM helps prevent spoofing and spam

Helps prevent spoofing

DKIM is a standard email authentication method that adds a digital signature to outgoing messages. Receiving mail servers that get messages signed with DKIM can verify messages actually came from the sender, and not someone impersonating the sender. DKIM also checks to make sure message contents aren’t changed after the message has been sent.

When receiving servers can verify messages are from you, your messages are less likely to be marked as spam.

With DKIM authentication, you improve the likelihood that legitimate messages are delivered to recipients’ inboxes. Receiving servers can verify messages are actually from your domain, and aren't forged. 

Helps deliver messages to recipients’ inboxes

DKIM helps receiving email servers verify that messages are actually from the organization shown in the email. When servers can verify that messages are from your organization, they're less likely to mark them as spam. This helps ensure messages are delivered to recipients’ inboxes because the receiving server can validate the message came from your domain, and isn’t forged.

What you need to do

	Before you set up DKIM Get the sign-in information for your domain provider Find out if your domain provider supports 2048-bit DKIM keys Understand DNS TXT records Check outbound gateway settings (Optional) Check for an existing DKIM key for your domain For details, go to Before you set up DKIM.
	Turn on DKIM for your domain Step 1: Get your DKIM key in your Admin console Step 2: Add your DKIM key at your domain provider Step 3: Turn on DKIM in your Admin console Step 4: Verify DKIM signing is on For details, go to Turn on DKIM for your domain.
	Troubleshoot DKIM issues Verify DKIM is set up correctly Verify messages pass DKIM authentication Check message forwarding Contact the admin for servers that reject DKIM-authenticated messages Verify your domain providers TXT record character limits Review your email sending practices For details, go to Troubleshoot DKIM issues.