In Google Workspace Admin Console, go to Apps > Google Workspace > Gmail > Authenticate email. Select your domain, click Generate New Record, choose 2048-bit, and copy the TXT record value. Add it to your DNS as a TXT record at google._domainkey.yourdomain.com. Wait for DNS propagation, then click Start Authentication.
DKIM for Google Workspace: Complete Setup Guide
Generate Your DKIM Key
- Sign in to the Google Workspace Admin Console
- Navigate to Apps > Google Workspace > Gmail
- Click Authenticate email
- Select the domain you want to configure
- Click Generate New Record
Google gives you two options:
| Setting | Recommendation |
|---|---|
| DKIM key bit length | 2048 (always) |
| Prefix selector | google (default, fine for most setups) |
Click Generate. You'll see a TXT record value that starts with v=DKIM1; k=rsa; p=MIIBIjANBgkq...
Add the DNS Record
Create a TXT record in your DNS provider:
Host: google._domainkey
Type: TXT
Value: The full string Google gave you
If your DNS provider has a 255-character limit per string, you may need to split the value into two strings. Most modern providers handle this automatically.
Practitioner note: I've seen clients copy the DKIM value and accidentally include a trailing space or line break. If authentication fails after propagation, re-copy the value — invisible characters are the most common culprit.
Start Authentication
Go back to Admin Console > Apps > Gmail > Authenticate email and click Start Authentication. If the DNS record has propagated, the status changes to "Authenticating email."
If it doesn't work immediately, wait. DNS can take up to 48 hours, though most records propagate in under an hour.
Verify DKIM Is Working
Send a test email to a Gmail address and check the headers. Look for:
Authentication-Results: mx.google.com;
dkim=pass [email protected] header.s=google
You can also use MXToolbox DKIM Lookup to verify the DNS record. Enter google._domainkey.yourdomain.com and confirm the public key is published.
Practitioner note: Google Workspace doesn't sign email by default — you have to explicitly enable it. This is one of the most common gaps in email authentication. I audit domains every week where DKIM was never turned on despite being on Workspace for years. If you set up Workspace and skipped this step, your emails aren't DKIM-signed right now.
Common Issues
"DNS record not found": Either the record hasn't propagated or the hostname is wrong. Double-check that your DNS entry is at google._domainkey.yourdomain.com, not google._domainkey with an extra dot or subdomain.
DKIM alignment failures in DMARC: Google Workspace signs with your domain in the d= tag, so DKIM alignment should pass. If it's failing, check that you haven't configured a sending alias that uses a different domain.
Multiple domains: Each domain in your Workspace account needs its own DKIM key. Secondary domains won't inherit the primary domain's DKIM configuration.
For SPF and DMARC setup in Google Workspace, see the complete Google Workspace email auth guide. If you're managing DKIM across a complex Google Workspace setup with multiple domains and third-party senders, I can help configure it correctly so nothing falls through the cracks.
Sources
- Google: Turn on DKIM for your domain
- Google: DKIM troubleshooting
- RFC 6376: DomainKeys Identified Mail (DKIM) Signatures
- MXToolbox: DKIM Record Lookup
v1.0 · April 2026
Frequently Asked Questions
How do I enable DKIM in Google Workspace?
Go to Admin Console > Apps > Google Workspace > Gmail > Authenticate email. Select your domain, generate a 2048-bit key, add the DNS TXT record, wait for propagation, then click Start Authentication.
What DKIM selector does Google Workspace use?
Google Workspace uses 'google' as the default DKIM selector, creating the record at google._domainkey.yourdomain.com. You can customize the selector prefix during key generation.
How long does Google Workspace DKIM take to activate?
After adding the DNS record, propagation typically takes 15 minutes to 48 hours. Most records propagate within an hour. Google will show 'Authenticating email' once it verifies the record.
Should I use 1024-bit or 2048-bit DKIM in Google Workspace?
Always choose 2048-bit. It's the current security standard and Google supports it natively. Only use 1024-bit if your DNS provider has a 255-character TXT record limit and doesn't support splitting.
Can I use DKIM with multiple domains in Google Workspace?
Yes. You need to generate and configure a separate DKIM key for each domain in your Google Workspace account. Go through the setup process individually for each domain.
Want this handled for you?
Free 30-minute strategy call. Walk away with a plan either way.