    How to set up DKIM for Google Workspace

    Google Workspace (formerly G Suite) handles mail for many small and mid-size businesses. The DNS setup is well-documented but the DKIM step requires generating the key inside the Admin console first.

    DKIM (DomainKeys Identified Mail, RFC 6376) is the cryptographic signature attached to outgoing email so receivers can verify the message wasn't tampered with and that it actually came from a server authorized by your domain. To turn it on for Google Workspace, you publish one or more DNS records at `<selector>._domainkey.<your-domain>` containing the public key matching the private key Google Workspace uses to sign.

    Most ESPs (including Google Workspace) ask you to publish CNAME records that point at hosted keys they manage. This is preferable to publishing the raw key text yourself — when the provider rotates keys, your DNS keeps pointing to the rotated key and nothing breaks.

    Publish these DNS records

    Add the following record(s) to your domain's DNS zone. Most registrars (Cloudflare, Route 53, Namecheap, GoDaddy) accept values exactly as shown.

    Type:  TXT
    Host:  google._domainkey
    Value: v=DKIM1; k=rsa; p=<KEY_FROM_ADMIN_CONSOLE> (paste the value Google generates)
    • In the Admin console under Authenticate email, click Generate new record. Choose 2048-bit (default). The selector is always `google` for Google Workspace.
    • Google generates the key first; the selector record is published only after you click Start authentication. If you publish a stub record before generation, Google will overwrite the value when you generate.

    Where in Google Workspace

    The DKIM configuration lives in Admin console → Apps → Google Workspace → Gmail → Authenticate email.

    Verify the records

    After the records propagate, run the DKIM Checker against your domain with each selector to confirm the public key resolves and parses correctly.

    From a terminal
    dig +short TXT <selector>._domainkey.your-domain.com
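
    To confirm that what `dig` returns actually parses, here is an added example (not code from Google or from this page's tooling) that joins the quoted chunks of the TXT answer, checks the `v=DKIM1; k=rsa` tags shown above, and reads the RSA modulus size from `p=` to confirm the 2048-bit choice. All function names are hypothetical, and the sample record is constructed in code rather than taken from a real domain.

```python
import base64, re

def parse_tags(dig_output):
    """Join the quoted chunks dig prints (a TXT string holds at most 255 bytes)."""
    record = ("".join(re.findall(r'"([^"]*)"', dig_output)) or dig_output.strip()).replace("\\;", ";")
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip(): "".join(v.split()) for k, v in pairs}

def tlv(buf, pos):
    """Read one DER element at pos; return (value_start, value_end)."""
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER element runs past the end of the key")
    return pos, pos + length

def rsa_bits(p_b64):  # modulus size of the SubjectPublicKeyInfo carried in p=
    spki = base64.b64decode(p_b64, validate=True)
    start, _ = tlv(spki, 0)            # SubjectPublicKeyInfo SEQUENCE
    _, alg_end = tlv(spki, start)      # AlgorithmIdentifier, skipped
    start, _ = tlv(spki, alg_end)      # BIT STRING
    start, _ = tlv(spki, start + 1)    # RSAPublicKey SEQUENCE, after unused-bits byte
    start, end = tlv(spki, start)      # INTEGER modulus
    return int.from_bytes(spki[start:end], "big").bit_length()

def check_record(dig_output, min_bits=2048):
    """Return a list of problems; an empty list means the record looks sane."""
    tags = parse_tags(dig_output)
    if tags.get("v") != "DKIM1" or tags.get("k", "rsa") != "rsa":
        return ["not a DKIM1 RSA key record"]
    if not tags.get("p"):
        return ["p= is empty or absent"]
    try:
        bits = rsa_bits(tags["p"])
    except (ValueError, IndexError):
        return ["p= is not a parsable RSA public key"]
    return [] if bits >= min_bits else [f"{bits}-bit key, expected {min_bits}"]

def der(tag, body):  # minimal DER encoder, used only to build the constructed sample
    size = len(body).to_bytes((len(body).bit_length() + 7) // 8 or 1, "big")
    return bytes([tag]) + (size if len(body) < 128 else bytes([0x80 | len(size)]) + size) + body

def sample_dig_output(bits=2048):  # constructed record; the modulus is not a real key
    alg = der(0x30, bytes.fromhex("06092a864886f70d0101010500"))  # rsaEncryption + NULL
    modulus = b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    spki = der(0x30, alg + der(0x03, b"\x00" + der(0x30, der(0x02, modulus) + der(0x02, b"\x01\x00\x01"))))
    txt = "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()
    return f'"{txt[:255]}" "{txt[255:]}"'
```

    Pass the raw output of the `dig` command to `check_record`; a key pasted into DNS with only its first chunk shows up as an unparsable `p=` rather than as a silent pass.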

    Common pitfalls

    • Generating a new DKIM key in the Admin console rotates the key — old signatures stay valid until they expire, but verify mail still signs cleanly afterwards.
    • If you've migrated from another provider and inherited an SPF record with conflicting includes, Google's authentication check will appear to pass while DMARC still fails alignment. Always check the DMARC report, not just the Admin console green checkmark.

    Want to know if it actually keeps working?

    MailerMonk continuously watches your DKIM record, aggregate DMARC reports, and inbox placement — and pings you the moment something drifts. Free for the first domain.