How to Set Up DKIM in Google Workspace

What DKIM does in Google Workspace

DKIM signs outgoing Gmail messages with your domain, so mailbox providers can verify that the message was authorized by you and was not changed in transit.

For Google Workspace, DKIM is not a generic DNS value you copy from another site. You generate a unique key in the Google Admin console, publish the public key as a TXT record at your DNS host, then return to Google and start authentication. After that, Gmail signs outbound mail for the selected domain with the selector you chose, usually google. DKIM signatures are defined in RFC 6376.

DKIM is one part of deliverability, not a magic inbox button. Gmail, Outlook, and other mailbox providers use authentication, domain reputation, complaint rates, recipient engagement, content and abuse signals, policy compliance, and sometimes third-party reputation data to decide whether mail reaches the inbox, spam, or is rejected. DKIM matters because it gives those systems a reliable identity to evaluate.

Before changing DNS, run a free InboxRadar domain check. It shows your current SPF, DKIM, DMARC, and MX status, then gives you a baseline to compare after the Google Workspace change propagates.

Before you start

Have the right admin access, the right domain, and the right DNS account open before you generate the key.

• Sign in to admin.google.com with a super administrator account. Google also says the flow requires the Gmail Settings administrator privilege.
• Confirm Gmail is active for the domain. Google says you may need to wait 24 to 72 hours after turning on Gmail before a DKIM key can be generated.
• Open the DNS host for the domain, usually the registrar or DNS provider, not necessarily Google.
• Decide which domain you are configuring. Each Google Workspace domain needs its own DKIM key.
• Keep the official Google setup page available: Set up DKIM for Google Workspace.

If your DNS provider supports long TXT records, choose a 2048-bit key. Google still offers 1024-bit for DNS hosts that cannot handle 2048-bit keys, but 2048-bit is the stronger default.

Step by step: add DKIM in Google Workspace

The Google flow has three real steps: generate, publish, and start authentication. Do not click Start authentication until the TXT record exists in DNS.

• In the Google Admin console, go to Apps, then Google Workspace, then Gmail, then Authenticate email.
• Use the selected domain menu to choose the domain you want to sign.
• Click Generate New Record. Select 2048 for key length when your DNS host supports it.
• Use the default selector google unless another DKIM record already uses that selector. If it does, choose a different selector and keep it consistent.
• Copy the DNS host name and TXT value exactly as Google shows them. The host is commonly google._domainkey, and the value starts with v=DKIM1;.
• At your DNS provider, create a TXT record with that host name and value. Save it. If the DNS provider automatically appends your domain name, do not type the domain twice.
• Wait for DNS to publish. Google says DKIM can take up to 48 hours to start working after the record is added.
• Return to Authenticate email for the same domain and click Start authentication. When it is working, Google shows the domain as authenticating email with DKIM.

To verify from the mailbox side, send a fresh message to another Gmail or Google Workspace recipient, open the message, choose Show original, and look for DKIM=pass in Authentication-Results. Google notes that sending a message to yourself is not a reliable verification test.

What the DNS record should look like

A Google Workspace DKIM record is a TXT record under a selector, not at the root domain.

Most setups use a host like google._domainkey.yourdomain.com. Some DNS panels want only google._domainkey in the host field because they add yourdomain.com automatically. The value is the long public key from Google, beginning with v=DKIM1;. Do not shorten it, rewrap it manually, or use a value copied from another domain.

If a DNS provider splits a long TXT value into quoted chunks, that can still be valid. What matters is that public DNS returns the same combined TXT value Google generated. If Google cannot validate the record after propagation, compare the public TXT lookup with the value in Admin console character by character.

Do not stop at DKIM

Google Workspace DKIM helps a lot, but inbox placement depends on the full authentication chain.

• SPF: Google Workspace senders commonly authorize Google with include:_spf.google.com. Keep exactly one SPF TXT record on a domain. SPF has a DNS lookup limit of 10, defined in RFC 7208, so do not stack every vendor include without checking.
• SPF ending: ~all is a soft fail and is common while you are still confirming all senders. -all is a hard fail and should only be used when every legitimate sender is listed. Avoid +all.
• DMARC: DMARC tells receivers what to do when mail fails aligned SPF and DKIM. Start with p=none and a rua reporting address, then move toward quarantine or reject once reports show your real mail is passing. DMARC behavior is defined in RFC 7489.
• Alignment: For DMARC to pass, SPF or DKIM must pass and align with the visible From domain. Google Workspace DKIM usually gives you aligned DKIM when Gmail sends for your own domain.
• MX: MX records control where inbound mail for your domain is delivered. They do not sign outbound mail or determine whether Google adds a DKIM signature, but broken MX records can break replies and bounce handling.
• Blocklists and reputation: Passing SPF, DKIM, and DMARC does not erase spam complaints, blocklist listings, or a bad sending history. It gives providers a stable domain identity so good behavior can build trust.

For current sender requirements, use the official Gmail sender guidelines and Microsoft guidance on email authentication for Microsoft 365. Both providers treat authentication as a baseline signal, especially for higher-volume senders.

Troubleshooting failed Google Workspace DKIM

Most DKIM setup failures are DNS placement mistakes, propagation delay, or starting authentication before the record is live.

• If Google says the record was not created, confirm Gmail has been active long enough. The Google help page says the key can be unavailable for 24 to 72 hours after Gmail is turned on.
• If the DNS host field shows google._domainkey.yourdomain.com.yourdomain.com, remove the duplicated domain in your DNS panel.
• If the TXT value is truncated, check whether your DNS host has a TXT character limit and follow its long-record format.
• If another service already uses the google selector, generate a new Google Workspace record with a different selector.
• If third-party senders still fail DMARC, configure DKIM for those senders too. Google Workspace DKIM only signs mail sent through Google Workspace.
• If InboxRadar still shows a weak grade, fix the highest-impact item first. A clean DKIM record will not compensate for a missing DMARC record or an SPF record that exceeds 10 DNS lookups.

After the record passes, keep monitoring. DNS changes, vendor migrations, and domain host edits can break authentication months later. InboxRadar can watch your domain for drift and email you when SPF, DKIM, DMARC, MX, or reputation checks change.