DKIM for Google Workspace: Complete Setup Guide
Learn how to set up DKIM for Google Workspace (Gmail). Step-by-step instructions for generating keys and configuring DNS records.
Last updated: 2026-02-04
Google Workspace (formerly G Suite) supports DKIM signing for all outgoing emails. This guide shows you how to enable DKIM and configure your DNS records.
Google Workspace generates and manages DKIM keys for you. You just need to add the public key to your DNS records.
How Google Workspace DKIM Works
When you enable DKIM in Google Workspace:
- Google generates a 2048-bit RSA key pair (or 1024-bit if needed)
- You copy the public key from the Admin console
- You add it as a TXT record at
google._domainkey.yourdomain.com - Google automatically signs all outgoing emails with the private key
Enable DKIM in Google Workspace
Open the Admin console
Go to admin.google.com and sign in as an administrator.
Navigate to DKIM settings
Go to Apps → Google Workspace → Gmail → Authenticate email.
Select your domain
If you have multiple domains, select the one you want to configure.
Generate new record
Click "Generate new record." Choose 2048-bit if your DNS supports long TXT records, otherwise select 1024-bit.
Copy the DNS record
Google displays the DNS hostname and TXT value. Copy both.
Add the DNS Record
Add a TXT record with these values:
| Field | Value |
|---|---|
| Host/Name | `google._domainkey` |
| Type | TXT |
| Value | The value from Google Admin console |
| TTL | 3600 (or default) |
DNS propagation can take up to 48 hours. Wait before proceeding to the next step.
Start Authentication
Return to Admin console
Go back to Apps → Google Workspace → Gmail → Authenticate email.
Start authentication
Click "Start authentication." Google will verify your DNS record is correct.
Verify status
The status should change to "Authenticating email." All new emails will now be DKIM signed.
Need custom DKIM keys?
Generate additional DKIM keys for other email services alongside Google Workspace.
Google Workspace DKIM Selector
Google uses google as the default selector. Your DNS record will be at:
google._domainkey.yourdomain.com
You can also configure a custom prefix if needed (useful for multiple Google Workspace accounts), but the default works for most setups.
Troubleshooting
"DNS record not found" error
- Wait for DNS propagation (up to 48 hours)
- Verify the TXT record is at the correct hostname
- Check for typos in the record value
2048-bit key too long
- Some DNS providers have TXT record length limits
- Switch to 1024-bit in the Google Admin console
- Or check if your DNS provider supports record splitting
DKIM still not working after 48 hours
- Verify the record with a DNS lookup tool
- Check that the TXT value matches exactly (no extra spaces)
- Try deleting and re-adding the record
Using Google Workspace with Other Services
If you send email through other services (Mailchimp, SendGrid, etc.) alongside Google Workspace, you'll need separate DKIM keys for each:
| Service | Selector Example |
|---|---|
| Google Workspace | `google._domainkey` |
| Mailchimp | `k1._domainkey` |
| SendGrid | `s1._domainkey` |
Each service has its own key pair. This is normal and secure.
Related Articles
DKIM Creator helps you generate keys for services beyond Google Workspace.
Generate DKIM keys for any service
Create custom DKIM key pairs for your other email services. Free and instant.
Generate DKIM Keys