Setting up DKIM Authentication in Google Apps
In a previous Notebook entry, I looked at setting up your business email with Google Apps.
One item that that wasn’t covered there was the setting up of DKIM (DomainKeys Identified Mail) authentication.
Google recommends that you add DKIM authentication for each of your domains:
Spammers can forge the From address on mail messages so that the spam appears to come from a user in your domain. To help prevent this sort of abuse, Google Apps enables you to add a digital “signature” to the header of mail messages sent from your domain.
So in setting up DKIM authentication, you will be explicitly identifying Google’s mail servers as the authorized mail servers for your domains.
Generating a Domain Key
The first step in setting up DKIM authentication with Google Apps (which is detailed here by Google) is to log in to your Apps account. Select “Advanced tools” in the top blue menu. Scroll down to where it says “Authenticate email” on the left, and click the “Set up email authentication (DKIM)” link.
From the drop down list (assuming you have more than one domain associated with your account), choose the domain name for which you want to generate a new record. Then in the large gray box below, click the “Generate new record” link. A popup will ask you to choose a “prefix selector”, but just accept the default (“google”) option and click the “Generate” button.
You will now see a lot of information appear in the gray box that was empty before:
This strange looking information will help machines out on the internet to verify that any emails @ your domain name were actually sent by you.
Updating Your DNS Records
You now need to update the DNS records for your domain. That’s a fancy way of saying that you need to make this DKIM information available on the internet.
How you set up DNS records will depend on your web hosting service, so you may have to contact your web host to get details about that. (Google has some general guidelines here.) If you are using CPanel, you can implement the following steps.
Firstly, for each domain that you have associated with your Apps account, log in to your CPanel account and choose the “Advanced DNS Zone Editor” option.
You’ll then see a small form something like this:
Into the “Name” field, paste
In the “TTL” (meaning “time to live”) field, you can basically type any number, but a common one to use is “14400”. (This just tells computers around the world how long—that is, how many seconds—to store this information before checking that it is still current.)
From the drop down list, choose “TXT”.
In the “Address” field, paste the remainder of the DKIM record.
Now click the “Add Record” button, and you’re done with CPanel.
Turn on Authentication
The last step is to return to your Apps account and turn on authentication. If you still have the original DKIM record page open, simply click “Start Authentication” at the bottom of the page. Otherwise, once again click Advanced Tools and click the “Set up email authentication (DKIM)” link again, and choose the domain for which you just changed the DNS record. The page will indicate the status of the domain key for that domain.
Click “Start authentication”. It may take a while for the authentication process to be completed. It can sometimes take a day or two for your DNS records to be updated around the world, so if you get an error message, perhaps take a break and come back to this authentication step a little later.
And that’s it! Your emails are now more likely to reach their destination now, because they will be officially “signed” by your domain name. And spammers won’t be able to send out emails pretending to be you. “Win win”, as they say.
Another way to prevent spammers from sending emails from your address is by adding an SPF record to your domain—a slightly simpler process, but which has the same basic effect.