MailerMonk
    01Free tools
    02Backlink agent03How it works04Pricing
    Sign inStart free trial
    PrivacyTerms
    Chapter · DKIM for Google Workspace
    Revised 17 Jun 2026
    Guide · DKIM · Google Workspace

    How to set up DKIM for Google Workspace.

    Google Workspace (formerly G Suite) handles mail for many small and mid-size businesses. The DNS setup is well-documented but the DKIM step requires generating the key inside the Admin console first.

    Afsan Rahmatullah
    Afsan RahmatullahMailerMonk

    DKIM (DomainKeys Identified Mail, RFC 6376) is the cryptographic signature attached to outgoing email so receivers can verify the message wasn't tampered with and that it actually came from a server authorized by your domain. To turn it on for Google Workspace, you publish one or more DNS records at `<selector>._domainkey.<your-domain>` containing the public key matching the private key Google Workspace uses to sign.

    Most ESPs (including Google Workspace) ask you to publish CNAME records that point at hosted keys they manage. This is preferable to publishing the raw key text yourself — when the provider rotates keys, your DNS keeps pointing to the rotated key and nothing breaks.

    Publish these DNS records

    Add the following record(s) to your domain's DNS zone. Most registrars (Cloudflare, Route 53, Namecheap, GoDaddy) accept values exactly as shown.

    Record · TXT
    Type
    TXT
    Host
    google._domainkey
    Value
    v=DKIM1; k=rsa; p=<KEY_FROM_ADMIN_CONSOLE> (paste the value Google generates)
    Why this matters
    • In the Admin console under Authenticate email, click Generate new record. Choose 2048-bit (default). The selector is always `google` for Google Workspace.
    • Google generates the key first; the selector record is published only after you click Start authentication. If you publish a stub record before generation, Google will overwrite the value when you generate.

    Where in Google Workspace

    The DKIM configuration lives in Admin console → Apps → Google Workspace → Gmail → Authenticate email.

    Verify the records

    After the records propagate, run the DKIM Checker against your domain with each selector to confirm the public key resolves and parses correctly.

    From a terminal
    dig +short TXT <selector>._domainkey.your-domain.com
    Run the free DKIM checker

    Common pitfalls

    Pitfall
    • Generating a new DKIM key in the Admin console rotates the key — old signatures stay valid until they expire, but verify mail still signs cleanly afterwards.
    • If you've migrated from another provider and inherited an SPF record with conflicting includes, Google's authentication check will appear to pass while DMARC still fails alignment. Always check the DMARC report, not just the Admin console green checkmark.

    Frequently asked questions

    How do I find the DKIM key to publish for Google Workspace?

    Go to Admin console → Apps → Google Workspace → Gmail → Authenticate email. Click Generate new record, choose 2048-bit, and click Generate. Google displays the TXT record value — this is the public key you publish at google._domainkey.your-domain.com. After publishing, return to the same screen and click Start authentication to tell Google to begin signing outbound mail.

    Why is the DKIM selector always 'google' for Google Workspace?

    Google Workspace uses a fixed selector name (google) for all customers, which means your DKIM record is always at google._domainkey.your-domain.com. Unlike Microsoft 365 (which uses rotating selectors) or SendGrid (which uses account-specific selectors), you only ever need one DKIM record for Google Workspace.

    How do I rotate the DKIM key for Google Workspace?

    Go to Admin console → Gmail → Authenticate email → Generate new record. Generating a new key does not immediately replace the old one — it creates a new key waiting to be published. Update the DNS TXT record at google._domainkey with the new value, wait for DNS propagation, then click Start authentication again. Old signatures from the previous key remain valid until they expire (typically 7 days).

    DKIM is still not passing after I published the record — why?

    Common causes: (1) DNS propagation hasn't completed — wait 30–60 minutes and re-test, checking from an external resolver like 8.8.8.8; (2) you published the record but haven't clicked Start authentication in the Admin console; (3) the TXT value was truncated during copy-paste — the key is long and some DNS editors silently cut it. Use the DKIM checker at mailermonk.com/tools/dkim-checker to verify the published key resolves correctly.

    After you publish

    Want to know if it actually keeps working?

    MailerMonk continuously watches your DKIM record, aggregate DMARC reports, and inbox placement — and pings you the moment something drifts. Free for the first domain.

    Start free trial

    About the author

    Afsan Rahmatullah
    Afsan Rahmatullah
    MailerMonk

    Building tools that keep cold email out of spam. Writes about deliverability, DMARC, and what actually moves inbox placement.

    Related · Google Workspace

    Other records for Google Workspace