How to Set Up DKIM in Google Workspace

Complete DKIM setup guide for Google Workspace (formerly G Suite).

Published: 2026-01-21 | Updated: 2026-01-21 | Read time: 5 min

Key Takeaways

Before You Start

This guide walks you through enabling DKIM in Google Workspace. You'll need:

What DKIM Does for Google Workspace

When you enable DKIM, Google signs every email you send with a cryptographic signature. Recipients can verify this signature using your public key (published in DNS). Without DKIM: Emails can be forged to look like they came from your domain. With DKIM: Emails are cryptographically verified as genuinely from you.

Step 1: Generate DKIM Key in Admin Console

1. Go to admin.google.com 2. Navigate to AppsGoogle WorkspaceGmail 3. Click Authenticate email 4. Select your domain from the dropdown 5. Click Generate New Record

Key Settings

| Setting | Recommended Value | |---------|-------------------| | DKIM key bit length | 2048 (more secure) | | Prefix selector | google (default) | 6. Click Generate You'll see a TXT record value. Copy this entire string — you'll add it to your DNS.

Step 2: Add DKIM Record to DNS

Now add the DKIM record to your domain's DNS:

Record Details

| Field | Value | |-------|-------| | Type | TXT | | Name/Host | google._domainkey | | Value | The string from Step 1 | | TTL | 3600 (or default) |

Provider-Specific Examples

Cloudflare: 1. Go to DNS settings 2. Add Record → TXT 3. Name: google._domainkey 4. Content: (paste the long string) 5. Save GoDaddy: 1. DNS Management → Add 2. Type: TXT 3. Host: google._domainkey 4. TXT Value: (paste the long string) 5. Save Namecheap: 1. Advanced DNS → Add New Record 2. Type: TXT Record 3. Host: google._domainkey 4. Value: (paste the long string) 5. Save

Step 3: Start Authentication

After adding the DNS record, wait for propagation (usually 10 minutes to 48 hours), then: 1. Go back to admin.google.comAppsGmailAuthenticate email 2. Select your domain 3. Click Start authentication

If It Works

You'll see a green checkmark and "Authenticating email" status.

If It Fails

"DNS record not found": "Invalid DKIM record":

Step 4: Verify DKIM is Working

Check with MailRisk

Scan your domain to verify DKIM is properly configured. You should see:

Send a Test Email

1. Send an email to a Gmail address 2. Open the email 3. Click the three dots → "Show original" 4. Look for dkim=pass

What "Pass" Looks Like

`` Authentication-Results: mx.google.com; dkim=pass header.i=@yourdomain.com header.s=google header.b=xxxxx; spf=pass (google.com: domain of sender@yourdomain.com designates xxx as permitted sender) ``

Troubleshooting

Common Issues

DKIM shows as "Not started" after adding DNS: DKIM fails after working previously: Multiple domains:

Getting Help

If you're stuck: 1. Verify your DNS record matches exactly what Google provided 2. Check Google Workspace support docs 3. Contact your DNS provider if records aren't propagating

Google Workspace DKIM FAQ

How long does DKIM take to start working?

Once you click "Start authentication," it's active immediately for new emails. DNS propagation can take 1-48 hours for the record to be verifiable everywhere.

Can I use 1024-bit keys?

Yes, but 2048-bit is recommended. 1024-bit keys are being phased out for security reasons.

Do I need DKIM if I already have SPF?

Yes. SPF verifies sending servers; DKIM verifies email content hasn't been modified. You need both for proper DMARC alignment.

What if I use Google Workspace + another email service?

Each service needs its own DKIM setup. Google's selector is "google"; other services will have their own selectors (e.g., "s1" for Mailchimp).