D
DKIM Creator

DKIM for Gmail: Personal and Google Workspace Setup

Understand DKIM for Gmail. Personal Gmail accounts have DKIM handled automatically, while Google Workspace requires admin setup. Covers both scenarios plus Gmail's DKIM verification for incoming mail.

Last updated: 2026-02-06

Gmail handles DKIM differently depending on whether you use a free personal Gmail account or Google Workspace with a custom domain. This guide covers both scenarios.

Personal Gmail users (those sending from an @gmail.com address) don't need to configure DKIM. Google handles it automatically. This guide is primarily for Google Workspace administrators who send from a custom domain.

Personal Gmail vs. Google Workspace

Personal GmailGoogle Workspace
**Address**you@gmail.comyou@yourdomain.com
**DKIM signing**Automatic by GoogleRequires admin setup
**Your action**Nothing neededAdd DNS record, enable in admin
**Selector**Fixed (Google-managed)`google` (default)

DKIM for Personal Gmail Accounts

If you send email from an @gmail.com address, DKIM is fully automatic:

  • Google signs all outgoing email with their own DKIM key
  • The signing domain is gmail.com
  • You cannot change or customize this
  • It works out of the box with no configuration

The only exception: If you use Gmail to send email from a non-Gmail address (via "Send mail as" with a custom SMTP server), DKIM signing depends on that SMTP server's configuration, not Gmail's. In that case, you need to set up DKIM on the sending server.

DKIM for Google Workspace

Google Workspace (formerly G Suite) requires administrator action to enable DKIM for your custom domain.

Why It's Not Automatic

Google Workspace can't add DNS records to your domain for you. You need to:

  1. Generate a DKIM key in the Google Admin console
  2. Add the public key to your domain's DNS
  3. Activate DKIM signing

Without this, emails from your Workspace domain are signed with Google's default key, which may not align with your domain. This can affect DMARC alignment and deliverability.

Enable DKIM in Google Workspace

1

Open the Admin console

Go to admin.google.com and sign in with a super administrator account.

2

Navigate to DKIM settings

Go to Apps, then Google Workspace, then Gmail, then Authenticate email. If you have multiple domains, select the one you want to configure.

3

Generate a new DKIM key

Click "Generate new record." You'll see options for:

  • Key length: Choose 2048-bit (recommended) or 1024-bit if your DNS has record length limits
  • Prefix selector: Default is google. You can change this if needed (rare).
4

Copy the DNS record

Google displays the TXT record you need to add. Copy the DNS hostname (e.g., google._domainkey) and the TXT record value.

5

Add the TXT record to DNS

In your domain's DNS provider (GoDaddy, Namecheap, Cloudflare, etc.), add a TXT record:

FieldValue
Host/Namegoogle._domainkey
TypeTXT
ValueThe value copied from Google Admin
TTL3600 (or default)
6

Wait for DNS propagation

Allow up to 48 hours for the record to propagate globally.

7

Start authentication

Return to the Google Admin console (Apps, then Gmail, then Authenticate email). Click "Start authentication." Google verifies the DNS record and enables DKIM signing.

If you click "Start authentication" before the DNS record has propagated, Google will show an error. Wait and try again later.

Need DKIM keys for other services?

Generate custom DKIM keys for email services alongside Google Workspace.

Generate DKIM Keys

Google Workspace DKIM Details

Selector

Google Workspace uses google as the default selector. Your DNS record sits at:

google._domainkey.yourdomain.com

You can use a custom prefix, but google is standard and works for almost all setups.

Key Rotation

Google Workspace does not automatically rotate DKIM keys. To rotate:

  1. Generate a new key in the Admin console (with a new selector prefix)
  2. Add the new TXT record to DNS
  3. Activate the new key
  4. Remove the old DNS record after a transition period (7+ days)

Multiple Domains

If your Workspace account has multiple domains, each needs its own DKIM configuration. Repeat the setup process for each domain.

How Gmail Checks DKIM on Incoming Mail

Gmail verifies DKIM signatures on all incoming email. This affects whether messages land in the inbox or spam:

What Gmail checks:

  • Is the DKIM signature valid?
  • Does the signing domain match the From domain (DKIM alignment)?
  • Does the domain have a DMARC policy?

What you see in Gmail:

  • Messages from authenticated senders show the sender's name normally
  • Unauthenticated messages may show a question mark icon next to the sender
  • Failed authentication can trigger spam filtering

Checking DKIM Status in Gmail

To see if an email passed DKIM verification:

1

Open the email in Gmail

Open the message you want to check.

2

View original message

Click the three-dot menu (More) and select "Show original." Gmail shows a summary at the top.

3

Check the DKIM result

Look for the DKIM line in the summary. It shows either:

  • PASS with the signing domain
  • FAIL if the signature didn't verify
  • Not present if the email wasn't DKIM signed

The full headers also contain the Authentication-Results entry:

Authentication-Results: mx.google.com;
  dkim=pass header.d=example.com header.s=google;
  spf=pass smtp.mailfrom=example.com;
  dmarc=pass

Troubleshooting

"DNS record not found" in Admin console

  • Verify the TXT record is at the correct hostname (google._domainkey, not google._domainkey.yourdomain.com if your DNS provider auto-appends the domain)
  • Wait for propagation (up to 48 hours)
  • Check for typos in the TXT value

Emails still not passing DKIM

  • Confirm the key status is "Authenticating email" in the Admin console
  • Verify the TXT record with dig TXT google._domainkey.yourdomain.com +short
  • Check that the record value matches exactly (no extra spaces or missing characters)

2048-bit key too long for DNS provider

  • Switch to 1024-bit in the Admin console
  • Or check if your DNS provider supports long TXT records or record splitting

"Send mail as" not passing DKIM

  • If you use Gmail's interface to send from a non-Workspace address via a custom SMTP server, DKIM depends on that server, not Google
  • Configure DKIM on the actual sending server

Gmail, Google Workspace, and DMARC

DKIM is one part of email authentication. For full protection, combine it with:

  • SPF: Validates the sending server's IP
  • DMARC: Ties SPF and DKIM together with a policy

Google Workspace emails need DKIM enabled for DMARC alignment. Without it, DMARC relies solely on SPF, which can fail when emails are forwarded.

Related Articles

DKIM Creator helps you generate keys for services that don't handle DKIM automatically like Gmail does.

Generate DKIM keys for any service

Create custom DKIM key pairs for your email services. Free, private, and generated in your browser.

Generate DKIM Keys