Turn On DKIM
From: https://support.google.com/a/answer/180504?sjid=16475661690433716483
-NC
Turn on DKIM for your domain
Protect against spoofing & phishing, and help prevent messages from being
marked as spam
Follow the steps in this article to get your DomainKeys Identified Mail
(DKIM) key, add the key to your domain provider, and turn on DKIM
authentication for your domain.
If your domain provider is Google Domains, Google automatically creates a
DKIM key, and adds the key to your domain’s DNS records when you set up
Google Workspace. Go directly to Turn on DKIM in your Admin console.
We recommend you always set up a DKIM key for your domain, following the
steps in this article. If you don't set up your own DKIM key, Gmail signs
all outgoing messages with a default DKIM key: d=*.gappssmtp.com. Messages
sent from non-Google servers aren't signed with the default DKIM key.
Step 1: Get your DKIM key in your Admin console
You must be signed in as a super administrator for this task.
Important:
After you turn on Gmail for your organization, you must wait 24–72 hours
before you can get your DKIM key in the Admin console. If you try to
generate a key before the waiting period is over, you might get this error:
DKIM record not created. You must wait 24 to 72 hours after enabling Gmail
with a registered domain before you can create a DKIM record.
- Sign in to your Google Admin console.
- Sign in using an administrator account, not your current account.
- In the Admin console, go to Menu > Apps > Google Workspace > Gmail.
- Click Authenticate email.
- In the Selected domain menu, select the domain where you want to set up DKIM.
- Click the Generate New Record button.
- In the Generate new record box, select your DKIM key settings:
| Setting | Options |
|---|---|
| DKIM key bit length | 2048: If your domain provider supports 2048-bit keys, select this option. Longer keys are more secure than shorter keys. If you previously used a 1024-bit key, you can switch to a 2048-bit key if your domain provider supports them. Read more about domain keys and TXT record limits. 1024: If your domain host doesn't support 2048-bit keys, select this option. |
| Prefix selector | The default selector prefix is google. We recommend you use the default. If your domain already uses a DKIM key with the prefix google, enter a different prefix in this field. Read more about DKIM selectors. |
- At the bottom of the Generate new record box, click Generate. On the setting
page, the text string beneath TXT record value changes to a new value and this
message is displayed: DKIM authentication settings updated.
- Copy the DKIM values shown in the Authenticate email window. You’ll add them
at your domain provider in the next step:
  - DNS Host name (TXT record name): This text is the name for the DKIM TXT
    record you'll add to your domain provider's DNS records. Enter this name in
    the Host field.
  - TXT record value: This text is the DKIM key. You'll add this to your DKIM
    TXT record. Enter the key in the TXT Value field.
Log into your domain provider for the next step.
Step 2: Add the TXT record name & DKIM key to your domain
Log into your domain provider and add the DKIM information you got in Step 1.
Keep these tips in mind:
- TXT record limits: Some domain providers limit TXT record length. If yours
does, read TXT record limits and DKIM keys.
- DKIM can take up to 48 hours to start: After adding a DKIM key, it can take
up to 48 hours for DKIM authentication to start working.
- Multiple domains: If you’re setting up DKIM for more than one domain,
complete the steps below for each domain. You must get a unique DKIM key
from the Admin console for each domain.
- Subdomains: If you need to set up DKIM for a subdomain, read Add a DKIM key
for a subdomain.
For help with your domain sign-in information, settings, or TXT records, contact
your domain provider. For example, if Google Domains is your domain provider,
get help here. Google doesn't provide technical support for third-party domain
providers.
- Sign in to the management console for your domain provider.
- Locate the page where you update DNS settings for your domain.
- Add a TXT record for DKIM:
- In the first field, enter the DNS Host name (TXT record name) shown in the
Admin console.
- In the second field, enter the TXT record value (DKIM key) shown in the
Admin console.
- Save your changes.
Go back to your Admin console for the next step.
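A check you can run on the TXT record value before and after you paste it at your domain provider, added here as an example (it is not Google's code). It reports the key bit length, flags a key that was cut off, and splits the value into strings of at most 255 characters, which is the limit for one string inside a TXT record. The function names are made up for this example, and `constructed_record` builds sample data around a key that is not usable.

```python
import base64

def parse_tags(txt_value):
    """Parse 'v=DKIM1; k=rsa; p=...' (quoted multi-string form allowed) into a dict."""
    parts = (p.partition("=") for p in txt_value.replace('"', "").split(";"))
    return {k.strip(): "".join(v.split()) for k, sep, v in parts if sep}

def _tlv(buf, pos):
    """Return (content_start, content_end) of the DER element starting at pos."""
    n = buf[pos + 1] & 0x7F if buf[pos + 1] >= 0x80 else 0   # long-form length bytes
    length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big") if n else buf[pos + 1]
    end = pos + 2 + n + length
    if end > len(buf):
        raise ValueError("DER element runs past the end of the key")
    return pos + 2 + n, end

def rsa_bits(p_value):
    """Bit length of the RSA modulus inside a base64 SubjectPublicKeyInfo."""
    der = base64.b64decode(p_value, validate=True)
    spki_start, _ = _tlv(der, 0)               # outer SEQUENCE
    _, alg_end = _tlv(der, spki_start)         # AlgorithmIdentifier
    bits_start, _ = _tlv(der, alg_end)         # BIT STRING
    key_start, _ = _tlv(der, bits_start + 1)   # RSAPublicKey, after unused-bits byte
    mod_start, mod_end = _tlv(der, key_start)  # modulus INTEGER
    return int.from_bytes(der[mod_start:mod_end], "big").bit_length()

def check_record(txt_value):
    """Return (key_bits or None, problems) for a DKIM TXT record value."""
    tags, problems, bits = parse_tags(txt_value), [], None
    if tags.get("v") != "DKIM1":
        problems.append("missing v=DKIM1")
    try:
        bits = rsa_bits(tags.get("p", ""))
    except (ValueError, IndexError):
        problems.append("p= is not a complete base64 key")
    return bits, problems

def txt_strings(txt_value, limit=255):  # one TXT character-string holds at most 255 bytes
    return [txt_value[i:i + limit] for i in range(0, len(txt_value), limit)]

def constructed_record(bits):
    """Sample data only: a TXT value built around a constructed, unusable modulus."""
    def der(tag, body):
        n, size = len(body), (len(body).bit_length() + 7) // 8
        head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
        return bytes([tag]) + head + body
    rsa = der(0x30, der(0x02, b"\x00" + b"\xc5" * (bits // 8)) + der(0x02, b"\x01\x00\x01"))
    alg = der(0x30, bytes.fromhex("06092a864886f70d010101") + b"\x05\x00")
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(der(0x30, alg + der(0x03, b"\x00" + rsa))).decode()
```

Running `check_record` on the value copied back from your provider's DNS page shows whether a 2048-bit key survived intact; a value cut at 255 characters comes back with no bit length and a problem entry.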
Step 3: Turn on DKIM signing
Important:
The Authenticate email page in your Google Admin console might continue to
display this message for up to 48 hours: You must update the DNS records for
this domain. If you've correctly added your DKIM key at your domain provider,
you can ignore the message.
- Sign in to your Google Admin console.
- Sign in using an administrator account, not your current account.
- In the Admin console, go to Menu > Apps > Google Workspace > Gmail.
- Click Authenticate email.
- In the Selected domain menu, select the domain where you want to turn on
DKIM.
- Click the Start authentication button. When DKIM setup is complete and
working correctly, the status at the top of the page changes to: Authenticating
email with DKIM.
Turn off DKIM
We don’t recommend turning off DKIM for your domain. Without DKIM, hackers
and other malicious users can impersonate your domain, and send messages
that appear to come from your organization or domain. Messages from your
domain are also more likely to be sent to spam. If you must turn off DKIM,
follow the steps in Turn off DKIM.
Step 4: Verify DKIM authentication is on
- Send an email message to someone who is using Gmail or Google Workspace.
(You can't verify DKIM is on by sending yourself a test message.)
- Open the message in the recipient's inbox and find the entire message header.
Note:
Steps to view the message header differ for different email applications. To
show message headers in Gmail, next to Reply, click More > Show original.
- In the message header, look for Authentication-Results. Receiving services
use different formats for incoming message headers; however, the DKIM results
should say something like DKIM=pass or DKIM=OK.
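The header check from Step 4 as a script, added here as an example (not Google's code): it reads the Authentication-Results header of a saved message and reports whether DKIM passed with your own domain's key, with the default d=*.gappssmtp.com key, or not at all. The function names, example.com, and all sample header values are constructed for illustration.

```python
import re
from email import message_from_string

DEFAULT_KEY_SUFFIX = ".gappssmtp.com"   # default signing domain named in this article

def dkim_results(raw_message):
    """Return one dict per dkim= result in the message's Authentication-Results headers."""
    found = []
    for header in message_from_string(raw_message).get_all("Authentication-Results", []):
        for clause in " ".join(header.split()).split(";"):   # unfold, then split results
            m = re.match(r"\s*dkim=(\w+)", clause, re.IGNORECASE)
            if m:
                props = dict(re.findall(r"header\.([dis])=(\S+)", clause))
                domain = props.get("d") or props.get("i", "").rpartition("@")[2]
                found.append({"result": m.group(1).lower(), "domain": domain.lower(),
                              "selector": props.get("s")})
    return found

def classify(raw_message, own_domain):
    """Report which key, if any, produced a passing DKIM result for this message."""
    results = dkim_results(raw_message)
    passed = [r["domain"] for r in results if r["result"] in ("pass", "ok")]
    if own_domain.lower() in passed:
        return "signed-with-own-key"
    if any(d.endswith(DEFAULT_KEY_SUFFIX) for d in passed):
        return "signed-with-default-key"
    return "dkim-not-passing" if results else "no-dkim-result"

# Constructed sample messages; every address, selector and signature value is a placeholder.
OWN_KEY = """\
Authentication-Results: mx.google.com;
       dkim=pass header.i=@example.com header.s=google header.b=AbCdEfGh;
       spf=pass smtp.mailfrom=alice@example.com
From: alice@example.com
Subject: test

body
"""
DEFAULT_KEY = OWN_KEY.replace("@example.com header.s=google",
                              "@example-com.20230601.gappssmtp.com header.s=20230601")
NO_DKIM = "From: alice@example.com\nSubject: test\n\nbody\n"

if __name__ == "__main__":
    for name, raw in [("own", OWN_KEY), ("default", DEFAULT_KEY), ("none", NO_DKIM)]:
        print(name, classify(raw, "example.com"))
```

A result of signed-with-default-key means the message passed DKIM but Step 3 has not taken effect yet for your domain.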
If the message header doesn't include a line about DKIM, messages sent from
your domain aren't signed with DKIM: