← Back to Learn Hub

How to Set Up DKIM for Google Workspace (Gmail)

Setting up DKIM for Google Workspace is two steps, and most people miss the second one. You generate a key and publish it in your DNS, then you have to come back and turn signing on. Skip that and your custom-domain email is never actually signed.

DKIM adds a signature to every email you send, so receiving servers can confirm the message genuinely came from your domain and wasn't altered. By default, Google Workspace doesn't sign mail from your own domain until you set this up.

The two steps people miss

Google Workspace DKIM has two distinct steps: generate the key and publish the DNS record, then return to the Admin console and click Start Authentication. The first step alone does nothing. Signing only begins once you start authentication.

This catches a lot of admins out: the record is published, everything looks done, but mail is still going out unsigned.

Step 1: Generate your DKIM key

In the Google Admin console, go to Apps, then Google Workspace, then Gmail, and open Authenticate email. Select your domain and Generate new record (the 2048-bit option is recommended).

Google creates a TXT record using the selector google. Copy the record's name and value. You'll publish them next.

Step 2: Publish the record in your DNS

Add the record where your domain's DNS is managed (your registrar or DNS host).

  • Type: TXT
  • Host / Name: google._domainkey
  • Value: the long key string Google generated
  • Save, then allow time to propagate. Google notes this can take up to 48 hours.

Step 3: Start authentication

This is the step most people skip. Once the record has propagated, go back to Apps, Google Workspace, Gmail, Authenticate email in the Admin console and click Start Authentication.

Only now does Google Workspace begin DKIM-signing your outgoing mail. If you stop after step 2, signing never turns on.

How to check it worked

Confirm signing with our free DKIM checker. You can also send a test email to a Gmail address, open it, and use Show original to check that DKIM shows PASS.

Common problems

Most Google Workspace DKIM issues come from a few causes.

  • Mail still unsigned after publishing the record: you didn't click Start Authentication (step 3).
  • Start Authentication won't work yet: the TXT record hasn't propagated. Wait and retry.
  • No Gmail section in the Admin console: some lower-tier plans don't expose DKIM settings.
  • Calendar invites failing checks: a known side effect when DKIM signing isn't fully enabled. Completing step 3 resolves it.

Check your domain now

Enter your domain to see your current email security status.

Frequently Asked Questions

Does Google Workspace enable DKIM automatically?

No. For your custom domain you must generate the key in the Admin console, publish the google._domainkey TXT record in your DNS, and then click Start Authentication. Until you complete that last step, Google Workspace does not DKIM-sign mail from your domain.

Why are my Google Workspace emails failing DKIM?

The most common reason is that Start Authentication was never clicked. Publishing the DNS record isn't enough on its own. Signing only begins after you turn it on in the Admin console. Confirm the record has propagated, then complete that step.

What DKIM selector does Google Workspace use?

Google Workspace uses the selector google, so the record is published at google._domainkey.yourdomain.com. If you generate a new key later, the selector stays the same unless you change it, and you republish the updated value.

How long does Google Workspace DKIM take?

After you publish the TXT record, DNS changes can take up to 48 hours to propagate, though they're often live sooner. Once the record resolves, click Start Authentication and signing begins for new mail straight away.

Setting up DKIM for Google Workspace comes down to three steps: generate the key, publish the google._domainkey record, and click Start Authentication. That last step is the one that actually turns signing on.

Check it any time with our DKIM checker. Once DKIM is on, set up DMARC for Google Workspace too, or let readyDMARC handle all three records for you.

Related Articles

How to Set Up SPF for Google Workspace (Gmail)

Set up SPF for Google Workspace (Gmail): publish the v=spf1 include:_spf.google.com ~all TXT record,...

Read more →

How to Set Up DMARC for Google Workspace (Gmail)

Set up DMARC for Google Workspace (Gmail): publish the _dmarc DNS record, pick a policy, and move to...

Read more →

What Is DKIM? How Email Signing Works

Learn what DKIM is, how DomainKeys Identified Mail protects your business emails from tampering, and...

Read more →

Misconfiguring this is easy, and costly

One wrong record can let attackers send email as your domain, or block your own legitimate mail once you turn on enforcement. Getting from a published record to real protection, without breaking delivery, is where most teams get stuck. Our specialists set up SPF, DKIM, and DMARC for you and roll it out safely, checking at every stage.

Book a call with our team