Increasing a DomainKeys Identified Mail (DKIM) key to 2048 bits could help Google Apps administrators better protect their organization against spam and email spoofing. Here’s how:

  1. Check your public DKIM record length using the Google Apps admin console, or by using Dave Johnson’s free DKIM checker.
  2. Check your your domain registrar support to verify that it supports a TXT record long enough for a 2048-bit key.
  3. Generate a new, 2048-bit DKIM key through the admin console by clicking Apps > Google Apps > Gmail > Authenticate email, then copy the key.
  4. Modify your domain’s TXT record by pasting the new key in the value field for your DNS provider and saving the record.
  5. Return to the “Authenticate email” setting in the Google Apps admin console and select “Start Authenticating.”

For a more in-depth explanation of each step, read the article below.

Understanding DKIM

As systems get faster, the time it takes to solve a math problem decreases. Spammers know this. But so does Google. That’s the reason Google doubled the length of DKIM keys managed in Google Apps from 1024 bits to 2048 bits.

DKIM offers email servers a way to test whether an email that claims to be from your domain did–or did not come from it.

A longer DKIM key makes it more difficult for spammers to send email that represents itself as being from your domain–better known as “spoofing.” So if you use Google Apps, you should authenticate your email with a 2048-bit DKIM key. Here’s how.

1. Check your public DKIM record length

If you’re a Google Apps admin, you can login and look at your DKIM key. Go to the Google Apps admin console (, choose Apps, then Google Apps, then Gmail. Look for the “Authenticate email” option and select it. If configured, you’ll see your domain’s DKIM key.

Google’s design choices help convey information. Look after the “p=” TXT record. If the key is about three lines long, your record is 1024 bits. If the key is almost five lines long, you already have a 2048-bit long key. The layout displays the key at a fixed width–even if you view the results on mobile.

If you’re not an admin, you can check the length of your DKIM key with a web-based tool created by Dave Johnson at If you use Google Apps and a standard DKIM setup, enter ‘google’ (no quotes) in the selector field and your domain in the latter (e.g., The tool displays the length of your domain’s DKIM key.

SEE: IT Communication Plan: Raise awareness with regular emails (Tech Pro Research)

2. Check domain registrar support

The next step is to verify that your domain name registrar allows you to create a TXT record long enough to include the 2048-bit key. Most do. However, not all systems allow you to create such a long record. Notably, restricts the length of a TXT record to 255 characters. You may need to contact support to create the record you need, if you can’t add it yourself.

3. Generate a new DKIM key

Back in the Google Apps admin console, choose “Generate new record” (i.e., navigate to > Apps > Google Apps > Gmail > Authenticate email). Your new record will be 2048 bits by default. Change the length to 1024 bits only if necessary. When you choose “Generate” the system will create your DKIM key. After it does, select and copy all of the DKIM TXT record information.

4. Modify your domain’s TXT record

Login to your DNS provider and locate your DKIM TXT record–or create a new TXT record, if you hadn’t already. Paste the copied DKIM key information into the value field. Enter “google._domainkey” (again, no quotes) in the name field. A TTL value of 3600 tells DNS servers to check for changes every hour. Save the record, then wait for a period of time, at least as long as your TTL value (e.g., an hour), to elapse.

5. Start authentication

Return to the “Authenticate email” setting in the Google Apps admin console and select “Start Authenticating.” The system will check that the key in your domain’s TXT record pairs with your Google Apps information (i.e., a private key maintained within the system). If it doesn’t validate, you might wait a bit longer and try again–or repeat the process to make sure the generated DKIM key data corresponds to the content in your domain’s DNS TXT record.

Once started, every email sent from your domain will now be authenticated with this DKIM key. Your DKIM key enables other mail servers to do a quick bit of math to validate that, “yes, this email is from the domain it claims”–or not.

Mail authenticated with DKIM tends to be delivered to an inbox; mail that fails the test more likely gets put in the spam folder. As a result, spammers have a harder time spoofing emails.