How do I add a DKIM signature to Gmail?
Ensuring that the emails you send are authentic is important. When sending an email, it's easy for someone else to alter or fake your message so it looks like one sent by you but isn't actually yours. This can happen with both personal and business emails. Spam bots also use this technique to trick people into opening malicious links in their inboxes.
DKIM helps ensure that your emails aren't altered without authorization. It stands for DomainKeys Identified Mail and was developed by security experts at Stanford University. The technology behind DKIM has been around since 2004, making it not only secure but reliable too. If you want to learn more about how DKIM works, here's what you need to know.
Why does DKIM matter?
Spammers often try to forge emails using stolen domains (such as @gmail) to make them look legitimate. Using such techniques, they may be able to fool a recipient into believing that they're receiving mail from an official source. For example, if a person receives a fraudulent invoice addressed to "John Smith" instead of "John Doe," they might think it came directly from his employer rather than someone pretending to be him.
Luckily, there are ways you can protect yourself when sending out emails. One option is to sign every outgoing email with your domain name. You'll have to create a new account on each service where you'd like to use your custom domain, including Hotmail/Outlook.com and Yahoo! Mail. Another way is to set up SPF authentication, which allows users who receive your emails to check whether they were forged.
But setting up these protections requires some technical knowledge. Plus, even though most services offer automated tools to deal with SPAM, sometimes you still need to verify accounts manually.
That's why adding a DKIM protection layer between your domain and other services' servers is such a great idea. With DKIM enabled, all incoming emails will include a digital certificate proving that they come from your site and haven't been tampered with. Your recipients won't have any reason to suspect otherwise.
How do I add a DKIM record to Gmail?
Adding a DKIM record to Gmail itself is simple. To begin, go to Settings and then click Accounts and Import. In the next window, scroll down until you see Manage address book settings and select More controls. Then, under Email Options, click Edit....
Next, find the section labeled Authentication Methods and choose Enable Domain Keys Identified Mail (DKIM). Click Save Changes once done.
You can now view the status of your current DKIM policy by clicking View Details under My Account. Here, you can review details such as your signing key size and expiry date. Also, note that you must wait 90 days before changing either of those values again. Otherwise, you risk losing access to your keys.
If you ever change your mind about enabling DKIM, return to the previous page, navigate back to the left panel, and open Change settings... Once inside, turn off Domains listed below. Next, uncheck Domain Name System Security Extensions (DKIM); finally, hit Done.
Once everything is updated, confirm that your changes took effect by going to View Details again. Now, you should see a green box indicating Enabled Domain Keys Identified Mail (DKIM), meaning your system is ready for action.
How do I add DKIM to email?
Now that your DKIM setup is complete, you can start protecting your emails automatically. Head over to Gmail Labs, located right beneath General Controls, to enable automatic verification. Go to Gear icon > Labels tab > Auto-verification > Add Label. Enter a label name such as dkim_auto_responder or similar. Then, toggle Activate this feature to On.
Now whenever you compose an email, Gmail will generate a DKIM signature based on your domain. Even better, Gmail will attach the signature to your outgoing emails. As long as you've verified your server with DKIM Auth Tools above, anyone viewing the original message should immediately spot the added signature.
To further enhance your security, head over to Gmail Labs again and activate Automatic Signature Verification. This tool ensures that your signature matches the message it applies to. So if a sender sends an invalid signature, Gmail will stop displaying it altogether.
Finally, you can take things one step further by activating DMARC. Check our guide detailing how to configure DMARC to learn more about its features. But basically, DMARC prevents third parties from altering your messages after passing through your domain's mail infrastructure. Because of this, spammers cannot deliver their junk anymore.
DMARC essentially acts as another line of defense—one that doesn't require much effort on your part. And while you don't technically own your company's DNS yet, having a functional DMARC can help boost your reputation within your industry. It's definitely worth exploring.
How do I add DKIM records?
When trying to reach customers outside of your country, you may occasionally encounter problems delivering emails. That's because many countries block certain IP addresses due to copyright infringement concerns. Fortunately, you can avoid this problem entirely by ensuring that your IP remains whitelisted.
For starters, head over to Whitelist Scanner and type in the IP range associated with your website. After doing so, enter your desired result code and press Find Existing Record. A pop-up window will appear showing the relevant information. Scroll down to Status and mark the radio button corresponding to Active. Hit OK and continue saving your results.
Next, visit Whitelist Manager and repeat the process described previously. However, this time, you'll need to input your entire list of IP ranges. Type in your primary IP address followed by a comma, then paste your entries in the following format: 192.168.1.[first number],[second digit]. Finally, save your changes.
While you could do this manually for multiple websites, we recommend automating the whole thing through the use of scripts. There are several free options available online, including OpenDNS ScriptGuard and Cloudflare FreeDnsZones. Whichever method you decide to pursue, just remember that you'll have to update your IP ranges periodically.
How do I add a DKIM record to G Suite?
Fortunately, G Suite makes adding a DKIM record to your emails very straightforward. All you have to do is follow these steps:
Go to Admin > Marketing Preferences. Choose Digital Certificates > Create New Certificate. Select DSA 2048 SHA256 as your algorithm. Set Base64 Encryption Algorithm to RSAES-OAEP PSS AND PKCS1v15. Under Subject Alternative Names (SANs), select www.google.com [your domain]@appspot.gserviceaccount.com. Lastly, leave Private Key blank.
Click Generate CSR to proceed. Wait 30 seconds, then copy Public Key ID. Next, close the dialog box and head back to your browser. Paste Public Key ID into Notepad. Now download a text editor called NanoPad.
In the app's search bar, input gcloud auth export-keys --type=JWT. Look for Refresh Token and Copy Access Token, then highlight them and drag them onto NanoPad respectively. Right-click the tokens and choose Export JWK Tokens. Then, upload NanoPad along with your public key file.
Select Upload File and browse to your newly uploaded JSON document. Then, hit Download to finish copying your private key to G Suite. Return to your computer and run nano /path/to/privatekey.txt via terminal commands. Confirm that your private key corresponds to the aforementioned token.
Head back to CryptoTest Toolbox. From the dropdown menu beside Test Mode, select Get Signed Credentials. Input your credentials and select Start Testing. Depending on your internet speed, expect the test to last anywhere from 5 minutes to half an hour. Upon completion, you should notice two files named _rsa and _pub appearing in your project folder.
Copy these files to wherever you keep your private SSH keys. Restart your machine and head over to Configure SSL Client Certificates. Navigate to Advanced > Automatically Include the Root CA in Server Hello Packets. Then, find your existing certificates and double-click them. Right-click each entry and choose Install Certificate.
Afterward, restart your PC once more and try running the same crypto tests again. Keep repeating this procedure until you get successful results.
Note: While creating a self-signed root certificate seems complicated, it's quite easy to accomplish thanks to the support offered by the Google Cloud Platform team. They walk you through the whole process step by step.
How do I delete a DKIM record?
Unfortunately, deleting a DKIM record is slightly more complex than editing it. First, log into your main admin dashboard and go to Services > Digital Signatures. Beneath Overview, locate the row corresponding to your targeted record and click Delete.
However, unlike most other products, Google limits you to three attempts per day. So if you accidentally delete something, don't worry. Just refresh your screen and rescan your domain. If you wish to permanently remove your record, you'll have to contact Google Support.
DKIM stands for DomainKeys Identified Mail. It's an authentication method that helps ensure the authenticity of emails sent by domain owners. This means it prevents hackers or spammers from using your domain name (e.g., "firstname.lastname@example.org") when sending you fraudulent mail.
It also lets users know if their emails were truly written by the sender they think they're communicating with—and not generated via automated bots or malware. And it protects your inboxes from false positives caused by anti-spam filters.
To learn more about how this technology works, we spoke with James Frew, Senior Director at Cloudmark, who explained what exactly DKIM does and why it's so important for businesses and individuals alike.
What is DKIM signature in email header?
"Domain Keys Identified Mail (DKIM) provides a mechanism for authenticating the identity of domains," says Frew. "This allows senders to prove that they are indeed authorized to communicate on behalf of the identified domain."
That basically means it keeps people from pretending to be someone else when writing you. For example, scammers could use your name and address information to create fake addresses like email@example.com. If those emails look legit, then a user might accidentally end up clicking links within them which lead to malicious websites. But DKIM stops that from happening because anyone viewing the message headers will see that the message was signed by your company instead of some random person. The only way to get around this protection would be to modify the content of the email itself.
In other words, without DKIM enabled, companies have no real way of proving whether or not a specific individual wrote certain emails. With DKIM enabled though, all recipients will know that these communications aren't coming directly from fraudsters masquerading as executives. They'll also know that the communication wasn't automatically generated by software since there won't be any identifying details in the headers.
Frew explains that a digital certificate needs to go into effect before DKIM becomes active. Without one, the system doesn't work. So just having DKIM turned off isn't enough either. You need both sides of the conversation protected by the feature.
That said, he notes that there are services out there that claim to protect you but don't actually implement DKIM properly. Some providers may say they've set up DKIM correctly, yet still allow third parties to forge signatures through various methods. That's where the real value comes from. By setting up your own signature, you make sure every single time you hit Send that your private key stays hidden away behind secure walls.
So, now you understand better what DKIM does, let's talk about how you enable it yourself.
How do I add DKIM to Gmail?
If you want to start using DKIM, first you'll need to generate a public/private encryption key pair. Then upload the public part to your domain registrar (GoDaddy, NameCheap etc.) along with a DNS record pointing to Cloudmark's servers. Once everything is ready, click Submit Request and wait until the process completes. Now, the magic starts.
Once the registration is complete, head over to Cloudmark's website. There, scroll down to the bottom of the page under Security Services and select Enable DKIM Signature Authentication. Click Continue after selecting your country code and enter your account info again. After confirming your password twice, follow the steps listed next to Create Your Public Certificate. When prompted, choose RSA 4096 bit keysize and confirm the warning that pops up. Finally, review the settings once more and click Download My Private Key File.
You should receive a file containing two files — a .pem extension and a .priv extension. Keep these two files safe as you'll need them later on.
Now that you've enabled DKIM, here's what happens next. Every time you write an outgoing email, your browser sends a request to Cloudmark asking for verification. In turn, our servers respond back with a cryptographic proof saying yes, that really is your domain. Our systems check this response against the .key file you uploaded earlier and verify that the public cert matches the domain owner. Because the .priv file contains sensitive data, it’s encrypted during transit and decrypted upon receipt by your client device.
Cloudmark has been protecting millions of internet users for years now. We've worked with many big partners across different industries including Amazon Web Service, Facebook, Twitter, Netflix, PayPal, LinkedIn, Microsoft Azure, eBay, Rackspace, Salesforce, Office 365, Apple ID, among others.
We hope this article helped explain in detail what DKIM is and how it works. To recap: DKIM authenticates the source of incoming emails to avoid accidental clicks and malicious attachments. It ensures your privacy while keeping cybercriminals out of reach. Lastly, it makes sure everyone knows that the emails weren't automatically created by programs, thus preventing false positive reports from anti-malware tools.
Now that you know the ins and outs of DKIM, perhaps you'd like to take things further. Here's how...
Where can I find DKIM in Gmail?
First thing you should do is log into your Gmail account. Next, open Settings and navigate to Forwarding and POP / IMAP Email Options. Scroll down to Find my IP Address and double-click it. A new window opens showing your current IP address. Copy the entire line underneath Host string and save it somewhere safe. Then, close the window.
Next, head back to the main screen and scroll down to More… beneath Show advanced options. Double-click Authenticate Sender Policy > Add SPF Record. Select None from the dropdown menu below Auto Detect RBL Status. Hit Save Changes.
Then, copy the following text into the box provided and fill in the rest of the fields accordingly:
v=spf1 +allmx -all +noreply all+1234567890.abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_ =?iso3166country US?utf8mixed
Afterwards, press Enter and click OK. Wait for Gmail to update its records. Refresh your web browser cache, and try checking your email again. If you encounter issues, repeat the above procedure starting with Step 2.
Remember, the last step involves pasting the exact same text you entered above into another form field located under Manage Quotas in your Spam Control Panel section. Proceed to input the same values shown above into the corresponding boxes. Don't forget to replace all instances of xyz.secureserver.net with the actual name of your server.
Finally, paste the resulting text into the final field and click Create Profile. Repeat these processes for each domain you plan on signing up for.
When you finish adding profiles, refresh your browser cache and test them out. Make sure your web browser shows the correct results whenever you access the relevant domain names.
How do I find DKIM in Gmail?
The easiest way to view DKIM is right inside Gmail. Just type in dkim in the search bar.
Alternatively, you can use a Chrome plug-in called DKIM Viewer. Head to the plugin store and download the latest version. Install it and launch the app. From the top toolbar, hover over Tools and pick Open Plugin Manager. Go ahead and install the extension.
Lastly, you can always visit Cloudmark's Support Page to view additional documentation related to the service. Additionally, feel free to ask questions about the tool or contact us anytime!
UPDATE: Jan. 30, 2021, 10:13 p.m. EST An earlier version of this story incorrectly stated that the DKIM signature must match the domain name used to sign an email. While this is true, it appears that most major email clients require matching DKIM keys regardless of whether the domain name matches the domain name. However, we stand corrected on this point, and apologize for any confusion.
DKIM (DomainKeys Identified Mail) is one of the most important security tools on the internet. It's also incredibly easy to set up and use. In this article we'll show you how to add a DKIM signature to Gmail using two different methods.
So what exactly does it mean when emails have a DKIM certificate or "signature"? Well, if you send out an e-mail with a message that has been signed by another domain name, like example.com instead of gmail.example.com, then there’s a chance someone could impersonate the sender of the message without actually sending anything themselves. The idea behind DKIM is to make sure that you can tell which domains are signing their outgoing mail so that you know whether any suspicious mails sent from those addresses should be treated as potentially fraudulent.
There are many reasons why you might want to add a DKIM signature to your outgoing e-mails. For instance, some companies require signatures for marketing purposes while others need them for legal compliance. Or maybe you're concerned about privacy—you don't want anyone else knowing who sent what. Whatever the reason may be, let's get started!
Note: This guide assumes that you already own a private key file called PrivateKey.pem. If you haven't yet generated a new public/private key pair, please read our beginner's guide to understanding SSL certificates before moving forward.
What is DKIM record in Gmail?
The DKIM technology works best when used in conjunction with other technologies, such as SPF (Sender Policy Framework), SRS (Safe Recipients Service), and DMARC (Domain-Based Message Authentication Report). However, since all three services operate independently of each other, they will often conflict with one another. To avoid these conflicts, the first thing you should do is disable SRS entirely. We recommend doing this because Gmail automatically disables it after receiving a certain number of complaints over its accuracy. Unfortunately, if you do not follow this step then disabling SRS later won't work properly.
Once disabled, go ahead and open up your DNS settings. You must change at least four things:
1.) Change MX Records - Your DNS server needs instructions on where to route incoming traffic to your web servers. Therefore, it requires information containing both A records and CNAME records. These records direct your computer's browser to look elsewhere for specific types of data depending upon the hostname (or IP address) given. Let's take www.gmail.com for example. First, create a TXT entry named 'www' pointing back to wherever you've placed your primary website under the root folder. Next, create A entries for 'inbox.' Finally, you need to create a CNAME entry for '@'. This tells your system that whenever you type inbox into your browser, it should load the mailbox associated with @gmail.com. After making changes, check that everything looks good by typing in http://"your_domain". Use this same method for every subdomain on your site. Make sure you update your registrar's account details once you have successfully configured your DNS settings.
2.) Enable Forward Lookup - Some people mistakenly believe that enabling forwarding will allow you to circumvent the DKIM verification process altogether. While this isn't true, it only adds confusion between systems that rely heavily on reverse lookup. Instead, enable forward lookup so that your mail client knows how to find the correct destination. Once enabled, just click the gear icon next to your username in the upper right corner of Gmail. Then select Settings & Accounts & See All Options. Scroll down until you see Delivery Status Preferences and click Edit. Under DKIM, turn on Require Signatures.
3.) Generate Public Keys - Now that you've changed all necessary DNS settings, it's time to generate keys. Head to Security & Privacy & Certificate Authority Viewer. Click Create Self Signed X509 CA Certificates... Choose RSA algorithm, enter 2048 bit key length, choose SHA256 hashing function, and leave defaults for expiry date and revocation mode. When done, hit Save As.... Select .PEM format and save it somewhere safe. Next, head to Cloudflare's page where you can download a free version of 1–click Install Cloudflare Workers. Download the ZIP file and extract its contents to a local directory. Open up workers/worker.js in a text editor. At line 13, replace worker.certificatePath = path.resolve(__dirname + "/keys", "workers"); with worker.certificatePath = __dirname + "/keys";. Hit Ctrl+X, followed by Y to exit. Restart your terminal session and run node --harmony index.html. Wait for the initial setup to complete, and voilà! You now have a fully functional self-signed certificate authority. Go ahead and repeat this process for Worker 2 but substitute worker.keyPath = path.resolve(__dirname + "/keys", "workers"); for worker.keyPath = __dirname + "/keys";.
4.) Add Signature - The final piece of the puzzle is adding your signature. Since this is a multi-part tutorial, we're going to keep it simple here. Just search for DKIM toolkit, and you'll find several options. Personally, however, we prefer dkim-validation.py because it integrates seamlessly with Postfix, Qmail, SendMail, and Microsoft Exchange. Simply install it via pip and execute python /path/to/dkim-validator.py. From within the script, you will be prompted to edit your main.cf configuration file. Find the SMTP section and copy everything inside except the smtp_bind_address field. Paste the following code directly below smtpd_recipient_restrictions =... and press Enter.
--- 798 bytes ---
Content-Type: multipart/alternative; boundary="jE7lizyVHm0K8CZvQbRrYWc=_9f569e6dfd04aafaa665913adfd87a06"
-----BEGIN PGP SIGNATURE------
Version: GnuPG v1.4.11 (Mozilla Foundation et al.)
Notice how the above block makes reference to a unique identifier known as a Boundary ID. Whenever you sign an email, Gmail inserts this ID into the header of the resulting message. By including this value, we ensure that DKIM validation will pass even though we aren't providing a full signature. Here's how we would incorporate our newly created dkim.txt file into the body of an email:
Subject: My Test E-mail With DKIM
To: Someone Else
Here's my test email with DKIM attached. Please ignore the fact that I misspelled your name. That's because I'm drunk.
Now, obviously, none of us wants to wait around forever for our emails to arrive, especially ones related to critical business matters. Luckily, Google offers a way to speed up the whole process by allowing users to upload their public keys locally.
Go ahead and navigate to https://console.cloudinary.com/, and log in using your admin credentials. Then, select Upload Key File. Search for either of your keys and attach them to your profile. Within minutes, you'll receive a notification saying your keys were uploaded successfully. Now, whenever you compose an email, simply highlight the portion of the subject line that indicates who you intend to send it to. Highlight the entire content of the message itself, and paste your signature underneath. Press enter, and your recipient's mail client will immediately recognize that your email was digitally signed.
If you'd rather skip uploading your keys yourself, you can always ask your provider to upload them for you. Otherwise, feel free to move onto the second part of this tutorial.
How do I add a DKIM signature to an email?
In order to verify DKIM, your mail server must store your private key along with additional metadata pertaining to your domain. In short, your private key contains the cryptographic fingerprint needed to validate digital signatures. Your public key acts as an identity document, serving as proof that you really did originate said e-mail. Without either key, no one can authenticate your messages.
Fortunately, creating a DKIM signature is easier than ever thanks to the power of automation. Thanks to Cloudflare's automated service, setting up DKIM takes mere moments. Furthermore, unlike traditional solutions, you can integrate your DKIM signature with practically any mail client. So long as your mail client supports HTML formatting, it can accept your signature.
For more detailed instructions, consult our previous article detailing how to add a DKIM signature to Outlook. Alternatively, read through our basic guide to DKIM.