Getting rid of spoofers: Digitally sign your Gmail messages with 2048-bit DKIM keys

Back in 2011, we launched the ability for any Google Apps administrator to set up DomainKey Identified Mail (DKIM). DKIM is a way to digitally sign messages so that recipient servers can verify that the message really comes from your domain and hasn’t been changed along the way. Additionally, when you sign your messages with DKIM, they become less likely to get caught up in recipients’ spam filters.

The fight against spoofers still continues today, and as spoofer’s tools have gotten more powerful, 1024-bit DKIM keys are no longer as secure. For that reason, we’re pleased to announce that Google Apps customers can now digitally sign their messages with 2048-bit DKIM keys, and we strongly recommend making this the standard for all email messages sent from your domain going forward.


  • If you are currently not using DKIM to protect your Gmail messages, set up 2048-bit DKIM in the Admin console. See the Help Center articles below for instructions.
  • If you are already using DKIM with 1024-bit keys, check with your DNS provider to see if they support 2048-bit keys. If so, update your domain keys to 2048-bit for the best protection.

Important: Some domain registrars do not yet support 2048-bit DKIM keys, even though this has been available for more than 30 years. For those domains, we still offer the ability to sign messages with 1024-bit keys from a drop-down.
Launch Details
Release track:
Launching to both Rapid release and Scheduled release

Rollout pace:
Gradual rollout (potentially longer than 3 days for feature visibility)

Admins only

Admin action suggested/FYI

Reference by