D
DKIM Test

How to Set Up DKIM in Google Workspace (G Suite)

Step-by-step guide to configure DKIM in Google Workspace. Learn how to generate DKIM keys, add TXT records, and enable email signing for Gmail.

Last updated: 2026-01-28

Google Workspace (formerly G Suite) includes built-in DKIM signing for your domain's email. Enabling it helps your emails reach recipients' inboxes instead of spam folders, and it's required for bulk senders under Google's own email guidelines.

This guide covers the complete DKIM setup process for Google Workspace.

Before You Start

You'll need:

  • Super admin access to your Google Workspace account
  • Access to your domain's DNS settings
  • Your domain already verified in Google Workspace

Google Workspace uses the selector "google" by default. After key rotation, it may use "google2". Both should be configured.

Step-by-Step Setup

1

Access the Google Admin Console

Go to admin.google.com and sign in with your super admin account.

2

Navigate to Gmail authentication

Go to AppsGoogle WorkspaceGmailAuthenticate email.

Or navigate directly to: admin.google.com/ac/apps/gmail/authenticateemail

3

Select your domain

If you have multiple domains, select the one you want to configure DKIM for.

4

Generate a new DKIM key

Click Generate new record. You'll see options for:

  • DKIM key bit length: Choose 2048 if your DNS supports it (recommended). Use 1024 only if your DNS provider has TXT record length limits.
  • Prefix selector: Leave as "google" unless you have a specific reason to change it.
5

Copy the DNS record

Google will display a TXT record value. It looks something like:

v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A...

The DNS hostname will be: google._domainkey.yourdomain.com

6

Add the TXT record to your DNS

Log into your DNS provider and create a new TXT record:

  • Host/Name: google._domainkey (some providers want just this; others need the full google._domainkey.yourdomain.com)
  • Value/Content: The full string Google provided, starting with v=DKIM1
  • TTL: 3600 (or default)
7

Wait for DNS propagation

DNS changes typically propagate within 15-30 minutes, but can take up to 48 hours.

8

Start authentication

Return to the Google Admin Console. Click Start authentication.

If successful, the status will change to "Authenticating email."

Verify Your Setup

After enabling DKIM, verify it's working.

Look up: google._domainkey.yourdomain.com

You should see your DKIM public key in the results.

Test with a Real Email

Send an email from your Google Workspace account to an external address. Check the email headers for:

Authentication-Results: ...
  dkim=pass header.d=yourdomain.com header.s=google

In Gmail, you can view this by opening the email and clicking the three dots → "Show original."

2048-bit vs 1024-bit Keys

Google recommends 2048-bit keys for better security. However, some DNS providers have character limits on TXT records that prevent 2048-bit keys from working.

Use 2048-bit if:

  • Your DNS provider supports long TXT records
  • You're using Cloudflare, Route 53, Google Domains, or most modern DNS providers

Use 1024-bit if:

  • Your DNS provider truncates long TXT records
  • You see errors when adding the full 2048-bit key
  • You're using an older or limited DNS provider

Test first

Try 2048-bit first. If the DKIM lookup fails or shows a truncated key, regenerate with 1024-bit.

Common Issues and Solutions

"DNS TXT record not found"

Cause: The TXT record isn't published or hasn't propagated yet.

Solution:

  • Verify the record exists in your DNS provider's control panel
  • Check that the hostname is exactly google._domainkey (not google._domainkey.yourdomain.com.yourdomain.com)
  • Wait for propagation and try again

"Start authentication" button is grayed out

Cause: Google can't find a valid DKIM record in DNS.

Solution:

  • Use a DNS lookup tool to verify the record is visible globally
  • Check for typos in the record value
  • Ensure you copied the entire key (they're long)

Key appears truncated in DNS lookup

Cause: Your DNS provider has character limits on TXT records.

Solution:

  • Regenerate the DKIM key with 1024-bit length
  • Or, some DNS providers require splitting long TXT records into multiple quoted strings

DKIM passes but shows "google2" selector

Cause: Google rotated your DKIM key. This is normal and automatic.

Solution: No action needed. Google handles key rotation automatically. Both google and google2 selectors should work.

Multiple Domains

If you have multiple domains in Google Workspace, configure DKIM for each one separately:

  1. In the Admin Console, select each domain from the dropdown
  2. Generate a DKIM key for that domain
  3. Add the TXT record to that domain's DNS
  4. Start authentication for that domain

Each domain needs its own DKIM record.

Google Workspace + Third-Party Email Services

If you use other services to send email (Mailchimp, SendGrid, etc.), those services need their own DKIM configuration. Google Workspace DKIM only covers emails sent directly through Gmail/Google Workspace.

For each third-party service:

  1. Follow their DKIM setup instructions
  2. Add their DKIM records to your DNS (usually with different selectors like k1, s1, etc.)
  3. Verify each service's DKIM separately

Complete Your Email Authentication

DKIM works best with SPF and DMARC. Google requires all three for bulk senders.

SPF: Add Google's servers to your SPF record:

include:_spf.google.com

Check your SPF at spfrecordcheck.com.

DMARC: Create a DMARC policy for your domain. Start with:

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

Check at dmarcrecordchecker.com.

Related Articles

Monitor Your DKIM Records

Checking once is good. Monitoring continuously is better. The Email Deliverability Suite watches your SPF, DKIM, DMARC, and MX records daily and alerts you when something breaks.

Never miss a DKIM issue

Monitor your SPF, DKIM, DMARC and MX records daily. Get alerts when something breaks.

Start Monitoring