Google Workspace DKIM setup: enable Gmail signing for your domain
Set up Google Workspace DKIM by generating a key in the Admin console, publishing the DNS TXT record, turning on authentication, and verifying DMARC alignment.
Google Workspace can sign outgoing mail with DKIM for your custom domain, but many domains never turn it on.
Without custom-domain DKIM, DMARC has to rely more heavily on SPF alignment. That is fragile when messages are forwarded or when other senders use your domain. DKIM gives Gmail a cryptographic signature tied to your domain.
Google’s DKIM setup documentation says you generate a DKIM key in the Admin console, add the public key to DNS, then turn on and verify DKIM.
Before you start
You need:
- Google Workspace super administrator access.
- DNS access for the domain you send from.
- Gmail already activated for your organization.
- A verified custom domain in Google Workspace.
Google says you may need to wait 24-72 hours after turning on Gmail before you can generate the DKIM key in the Admin console.
Step 1: open Google Workspace DKIM settings
Sign in to the Google Admin console with a super administrator account.
Go to Apps > Google Workspace > Gmail > Authenticate email.
Select the domain you want to authenticate. If you manage multiple domains or aliases, repeat the process for each domain that sends mail.
Step 2: generate the DKIM record
Click Generate New Record.
Use a 2048-bit key if your DNS provider supports long TXT records. Google also offers 1024-bit keys for DNS providers that cannot handle 2048-bit values, but 2048-bit is the better default.
For the selector, Google’s recommended default is:
google
That creates a DNS host name like:
google._domainkey
The value is a long TXT record that begins with v=DKIM1; k=rsa; p=.... Copy the exact value from Google. Do not shorten it.
Step 3: add the DKIM TXT record in DNS
At your DNS provider, create the record Google shows:
| Field | Value |
|---|---|
| Type | TXT |
| Host / Name | google._domainkey |
| Value | The full TXT value from Google |
| TTL | Default |
Some DNS providers automatically append your domain. If your domain is example.com, entering google._domainkey should create google._domainkey.example.com. Do not accidentally create google._domainkey.example.com.example.com.
If the DNS provider splits long TXT values, use its normal TXT splitting behavior. Do not add extra spaces or smart quotes.
Step 4: turn on DKIM in Google
Return to Authenticate email in the Google Admin console.
After DNS has propagated, click Start Authentication. Google may continue showing a DNS warning for up to 48 hours, so verify the public DNS record if the interface is slow to update.
Once enabled, Google Workspace signs outgoing Gmail messages with your domain in the DKIM d= value.
Step 5: verify DKIM and DMARC alignment
Send a test email from Google Workspace to a Gmail account. Open the message details and confirm DKIM passes.
Then check the domain with DMARCTrust’s domain checker. You are looking for:
- A valid SPF record.
- Google Workspace DKIM passing on real mail.
- A DMARC record at _dmarc.
- DMARC reports flowing to a monitored address.
DKIM passing is not always the same as DMARC passing. For DMARC, the DKIM signing domain must align with the visible From domain. With Google Workspace custom-domain DKIM, it normally does.
Common mistakes
Publishing the record but not starting authentication. DNS alone is not enough. You must enable signing in Google.
Using the wrong selector. If Google generated google._domainkey, do not publish selector1._domainkey or a copied value from another provider.
Editing the TXT value. DKIM keys are exact. Formatting changes can invalidate the public key.
Forgetting outbound gateways. If an outbound gateway modifies message bodies or footers after Google signs the message, DKIM can fail.
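An offline check for the record from steps 2 and 3 and for the mistakes listed above, added here as an example (it is not Google's or DMARCTrust's code). It takes the host name and the TXT strings as your resolver returned them; example.com, the function names and the filler sample key are assumptions made for illustration.

```python
import base64
import re

# Constructed sample: well-formed 2048-bit RSA SubjectPublicKeyInfo with a filler modulus (not a real key).
_SPKI_2048 = bytes.fromhex("30820122300d06092a864886f70d01010105000382010f003082010a0282010100")
SAMPLE_P = base64.b64encode(_SPKI_2048 + b"\xc3" * 256 + bytes.fromhex("0203010001")).decode()

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def rsa_modulus_bits(der):
    """Bit length of the RSA modulus in a DER SubjectPublicKeyInfo."""
    tag, start, end = _tlv(der, 0)                # outer SEQUENCE
    if tag != 0x30 or end != len(der):
        raise ValueError("key data is shortened or has trailing bytes")
    _, _, alg_end = _tlv(der, start)              # AlgorithmIdentifier
    _, bits_start, _ = _tlv(der, alg_end)         # BIT STRING holding the key
    _, key_start, _ = _tlv(der, bits_start + 1)   # skip the unused-bits byte
    _, mod_start, mod_end = _tlv(der, key_start)  # INTEGER modulus
    return int.from_bytes(der[mod_start:mod_end], "big").bit_length()

def check_dkim_record(fqdn, domain, txt_strings, selector="google"):
    """Return a list of problems with a published DKIM TXT record."""
    problems = []
    name, expected = fqdn.rstrip(".").lower(), f"{selector}._domainkey.{domain}"
    if name.endswith(f".{domain}.{domain}"):
        problems.append("domain appended twice in host name")
    elif name != expected:
        problems.append(f"host is {name}, expected {expected}")
    value = "".join(txt_strings)  # a split TXT value is joined with no separator
    if re.search("[\u201c\u201d\u2018\u2019]", value):
        problems.append("smart quotes in TXT value")
    tags = {k.strip(): v.strip() for k, _, v in (t.partition("=") for t in value.split(";"))}
    if tags.get("v") != "DKIM1" or tags.get("k", "rsa") != "rsa":
        problems.append("expected v=DKIM1 with an RSA key (k=rsa)")
    try:
        p = re.sub(r"\s+", "", tags.get("p", ""))
        bits = rsa_modulus_bits(base64.b64decode(p, validate=True))
    except (ValueError, IndexError):
        problems.append("p= is not a complete base64 key (edited or shortened)")
    else:
        if bits < 2048:
            problems.append(f"{bits}-bit key; 2048-bit is the better default")
    return problems
```

An empty list means the published name and value are consistent with what the Admin console generated; it does not tell you whether authentication has been started in Google.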
What about SPF and DMARC?
Set up the Google Workspace SPF record too:
v=spf1 include:_spf.google.com ~all
Then publish DMARC in monitoring mode:
v=DMARC1; p=none; rua=mailto:[email protected];
Use the DMARC generator to create the value and DMARCTrust to parse the reports. After a few weeks of clean data, move gradually toward p=quarantine and p=reject.
FAQ
What is the DKIM selector for Google Workspace?
The default selector is google, so the DNS host is usually google._domainkey.
Should I use 1024-bit or 2048-bit DKIM?
Use 2048-bit unless your DNS provider cannot publish the longer TXT value.
Does Google Workspace DKIM replace SPF?
No. Use both SPF and DKIM. DMARC can pass if either SPF or DKIM passes with alignment, but DKIM is usually more resilient.