Prevent Spam with DKIM
From: https://support.google.com/a/answer/174124?sjid=16475661690433716483
-NC
Help prevent spoofing and spam with DKIM
Protect against spoofing & phishing, and help prevent messages from being
marked as spam
Set up DKIM to help protect your domain against spoofing, and help prevent
your outgoing messages from being marked as spam. Spoofing is a type of
email attack that forges the From address of an email message. A spoofed
message appears to be from the impersonated organization or domain. DKIM
detects when a message has been modified, and when unauthorized changes are
made to the message From: address.
Without DKIM, messages sent from your organization or domain are more likely
to be marked as spam by receiving mail servers. Learn more about preventing
messages to Gmail users from being blocked or sent to spam.
Email authentication requirements
for sending to Gmail accounts
Google performs random checks on messages sent to personal Gmail accounts to
verify messages are authenticated. To help ensure messages you send to Gmail
accounts are delivered as expected, you should set up either SPF or DKIM for
your domain. Messages without at least one of these authentication methods
are rejected with a 5.7.26 error, or are marked as spam. We recommend you
always set up SPF and DKIM to protect your organization’s email, and to
support future authentication requirements.
If you use an email service provider, verify that they authenticate your
organization's email with SPF or DKIM.
If you regularly forward email, be sure to follow Best practices for
forwarding email to Gmail to help ensure your messages are delivered as
expected.
If your domain provider is Google Domains, Google automatically creates a
DKIM key, and adds the key to your domain’s DNS records when you set up
Google Workspace. Go directly to Turn on DKIM in your Admin console.
SPF and DKIM help prevent spammers from impersonating your organization.
How DKIM helps prevent spoofing and spam
Helps prevent spoofing
DKIM is a standard email authentication method that adds a digital signature
to outgoing messages. Receiving mail servers that get messages signed with
DKIM can verify messages actually came from the sender, and not someone
impersonating the sender. DKIM also checks to make sure message contents
aren’t changed after the message has been sent.
When receiving servers can verify messages are from you, your messages are
less likely to be marked as spam.
With DKIM authentication, you improve the likelihood that legitimate
messages are delivered to recipients’ inboxes. Receiving servers can
verify messages are actually from your domain, and aren't forged.
Helps deliver messages to recipients’ inboxes
DKIM helps receiving email servers verify that messages are actually from
the organization shown in the email. When servers can verify that messages
are from your organization, they're less likely to mark them as spam. This
helps ensure messages are delivered to recipients’ inboxes because the
receiving server can validate the message came from your domain, and isn’t
forged.
What you need to do
Before you set up DKIM
- Get the sign-in information for your domain provider
- Find out if your domain provider supports 2048-bit DKIM keys
- Understand DNS TXT records
- Check outbound gateway settings
- (Optional) Check for an existing DKIM key for your domain
For details, go to Before you set up DKIM.
Turn on DKIM for your domain
- Step 1: Get your DKIM key in your Admin console
- Step 2: Add your DKIM key at your domain provider
- Step 3: Turn on DKIM in your Admin console
- Step 4: Verify DKIM signing is on
For details, go to Turn on DKIM for your domain.
Troubleshoot DKIM issues
Verify DKIM is set up correctly
Verify messages pass DKIM authentication
Check message forwarding
Contact the admin for servers that reject DKIM-authenticated messages
Verify your domain providers TXT record character limits
Review your email sending practices
For details, go to Troubleshoot DKIM issues.