Question: How do I set up a DKIM record in Google Workspace?

Explanation: DKIM (DomainKeys Identified Mail) is an authentication method that proves emails sent from your domain genuinely originate from your organisation and have not been altered in transit. It protects your domain against spammers, spoofing and phishing attacks, and improves email deliverability because receiving mail servers (such as Gmail, Outlook and Yahoo) treat your messages as trustworthy. Think of DKIM as a digital seal that verifies every email.

How does DKIM work technically?
DKIM uses asymmetric cryptography with a key pair:
  • Private key – Stored securely at Google and used to digitally sign every outgoing email. This key never leaves Google's servers.
  • Public key – Published by you as a TXT record in your domain's DNS so receiving mail servers can verify the signature.
When a receiving server gets an email from your domain, it retrieves the public key from your DNS and checks whether the signature in the email header is valid. If the signature checks out, the recipient knows for certain that the email truly originated from your domain and was not modified along the way. If verification fails, the receiving server can mark the email as suspicious, place it in spam, or even reject it outright — depending on the domain's DMARC policy.
DKIM combined with SPF and DMARC
DKIM is one of the three pillars of email authentication. For optimal protection and deliverability you want all three configured:
  • SPF (Sender Policy Framework) – Defines which servers are allowed to send email on behalf of your domain. A receiving server checks whether the sending IP appears in your SPF record.
  • DKIM (DomainKeys Identified Mail) – Verifies the integrity and origin of an email through a digital signature. Unlike SPF, DKIM remains valid even when an email is forwarded, because the signature is tied to the content itself.
  • DMARC (Domain-based Message Authentication, Reporting & Conformance) – Tells receiving servers what to do when SPF or DKIM fails (reject, quarantine or allow) and sends reports back to the domain owner.
Since February 2024, major providers like Google and Yahoo require bulk senders to correctly configure DKIM, SPF and DMARC — without these records, emails end up in spam more quickly or get rejected outright. For regular business senders this has effectively become the standard as well.

Solution:

1. Generate the DKIM key in the Google Workspace admin console
Go to admin.google.com and sign in with an administrator account.

Then navigate to:

Apps > Google Workspace > Gmail > Authenticate email
  • Select the domain you want to generate a DKIM key for from the dropdown. Do you have multiple domains under Google Workspace? You'll need to repeat this procedure per domain — each domain requires its own DKIM key pair.
  • Click 'Generate new record'.
  • Choose the desired prefix (the so-called selector, default 'google'). You can also pick a custom value such as google2026. This is useful if you want to rotate the key later without immediately removing the old one.
  • Select the desired key length:
      • 2048-bit (recommended) — more secure and the current standard.
      • 1024-bit — only use this when your DNS provider doesn't support long TXT records.
  • Click 'Generate'.
Watch out with 2048-bit keys
A 2048-bit record exceeds 255 characters, so with some DNS providers you have to split it into multiple strings yourself. Modern providers (TransIP, Cloudflare, Google Domains) handle this automatically — older systems do not. If 2048-bit doesn't work with your provider, fall back to 1024-bit — less secure, but still usable.
2. Add the DKIM record to your domain's DNS settings
Copy the generated TXT record value. It starts with v=DKIM1; k=rsa; p=... followed by a long string of characters (the public key). Copy the entire value, including all semicolons, but without any quotation marks the provider may wrap around it.

Go to your domain provider's website — the party where you registered the domain name, for example TransIP, Cloudflare, GoDaddy, Namecheap or Google Domains. Find the DNS settings or DNS management section for the relevant domain.

Then add a new TXT record with the following values:

Field | Value
Type | TXT
Name/Host | google._domainkey
Value | The copied TXT record value
TTL | Default (usually 3600 seconds)
Replace 'google' in the Name with the selector prefix you chose in step 1. Some providers automatically append your domain name to the host — be careful not to accidentally create google._domainkey.yourdomain.com.yourdomain.com. In that case, only fill in google._domainkey, without the domain after it.
3. Wait for DNS changes to propagate
DNS changes can take up to 72 hours to roll out globally. This is called propagation and happens because DNS servers around the world copy data from each other with a delay.

In practice the record is usually visible within 15 minutes to a few hours. You can verify the record was published correctly using:

Only proceed to the next step once both tools return the public key.

4. Enable DKIM signing
Go back to the Google Workspace admin console and navigate to:
Apps > Google Workspace > Gmail > Authenticate email
  • Select the domain you added the DKIM record for in DNS.
  • Click 'Start authentication' to enable DKIM for the chosen domain.

Once activated, Google automatically signs every outgoing email from this domain with DKIM. The status in the panel changes from 'Not started' to 'Authenticating email'.

Check that DKIM is working correctly
Send a test email to a Gmail account (preferably a different one than your sending account), open the message and click the three dots in the top right > 'Show original'. Next to DKIM: you should see 'PASS' with your domain listed as the signer. If you see 'FAIL' or 'NEUTRAL', recheck steps 2 and 3.
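
A check for the TXT value published in steps 2 and 3, added here as an illustration and not part of Google's tooling or the original article: it joins the strings a DNS lookup returns, parses the tags and reads the RSA key size from p=. The function names and the sample record (built around a made-up modulus, not a real key) are assumptions made for this example.

```python
import base64

def der_next(buf, pos):  # read one DER element: (content_start, content_end)
    first, pos = buf[pos + 1], pos + 2
    if first & 0x80:  # long form: low 7 bits give the number of length bytes
        n = first & 0x7F
        first, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return pos, pos + first

def rsa_bits(spki):  # modulus size of an RSA SubjectPublicKeyInfo (decoded p=)
    start, end = der_next(spki, 0)                # outer SEQUENCE
    if end != len(spki):
        raise ValueError("key is truncated or has trailing data")
    _, alg_end = der_next(spki, start)            # AlgorithmIdentifier, skipped
    bit_start, _ = der_next(spki, alg_end)        # BIT STRING wrapping the key
    seq_start, _ = der_next(spki, bit_start + 1)  # +1 skips the unused-bits byte
    n_start, n_end = der_next(spki, seq_start)    # INTEGER: the modulus
    return int.from_bytes(spki[n_start:n_end], "big").bit_length()

def check_dkim_txt(strings):
    """Check a DKIM TXT record, given as the list of strings DNS returned."""
    issues = [f"string {i} exceeds 255 characters" for i, s in enumerate(strings) if len(s) > 255]
    value = "".join(strings)  # verifiers join the strings with no separator
    if '"' in value:
        issues.append("quotation marks pasted into the value")
    tags = dict(t.strip().split("=", 1) for t in value.replace('"', "").split(";") if "=" in t)
    if tags.get("v") != "DKIM1":
        issues.append("v=DKIM1 tag missing")
    bits = 0
    try:
        p = "".join(tags.get("p", "").split())  # p= may contain whitespace
        bits = rsa_bits(base64.b64decode(p, validate=True))
    except (ValueError, IndexError):
        issues.append("p= is not a complete RSA public key")
    if 0 < bits < 2048:
        issues.append(f"{bits}-bit key, 2048-bit recommended")
    return bits, issues

def _der(tag, body):  # DER-encode one element; only used to build the sample
    size = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag]) + (size if len(body) < 128 else bytes([0x80 | len(size)]) + size) + body

def sample_record(bits):  # constructed sample around a made-up modulus
    n = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")  # leading 0x00
    key = _der(0x30, _der(0x02, n) + _der(0x02, b"\x01\x00\x01"))  # n, e=65537
    alg = _der(0x30, bytes.fromhex("06092a864886f70d0101010500"))  # rsaEncryption
    spki = _der(0x30, alg + _der(0x03, b"\x00" + key))
    value = "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()
    return [value[i:i + 255] for i in range(0, len(value), 255)]
```

Pass check_dkim_txt the strings exactly as a lookup tool prints them for your selector's _domainkey name; 2048 bits with an empty issue list means the record is ready for step 4.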