How to set up DKIM on Google Workspace
Generate a DKIM key in the Google Admin console and publish it in your DNS so your emails carry a tamper-proof signature.
Why this matters to your business
DKIM (DomainKeys Identified Mail) adds an invisible digital signature to every email you send. The receiving mail provider uses a public key you’ve published in your DNS to confirm two things: the message really came from your domain, and nobody altered it on the way.
In plain terms: DKIM is a seal of authenticity on your email. It makes impersonation harder and improves the chance your genuine mail reaches the inbox rather than spam. It’s free and it’s a one-time setup.
Important: DKIM has two halves
DKIM is the one record where it really matters who does what:
- Google generates the key — in the Google Admin console. You sign in to admin.google.com and have Google create the DKIM key for your domain. You cannot make this value up; Google produces it for you.
- Your DNS host publishes it. You then add that key to your domain’s DNS — at whichever company runs your nameservers (your registrar, web host, Cloudflare, etc.). That’s usually not Google.
So: generate in Google Workspace, publish in your DNS host. Both halves are needed, and there’s an extra step at the end where you go back into Google and switch DKIM on.
Step 1 — Generate the key in the Google Admin console
- Sign in to the Google Admin console at admin.google.com with an administrator account.
- Go to Apps → Google Workspace → Gmail, then open Authenticate email (this is the DKIM section).
- Select your domain from the list.
- If prompted, choose the key length (the default, typically 2048-bit, is fine) and click Generate new record.
- Google now shows you two pieces of text:
  - A DNS host name / selector, which for Google is typically google._domainkey.
  - A long TXT record value beginning with v=DKIM1; k=rsa; p= followed by a very long string of characters (the public key).
- Leave this page open — you’ll copy these into your DNS, then come back to turn DKIM on.
Step 2 — Publish the key in your DNS host
First, make sure you’re working in the company that actually runs your DNS. A DKIM record only works if it’s added wherever your domain’s nameservers point. If unsure, check the Nameservers section in your registrar account, or ask whoever manages your website.
- Sign in to your DNS host and open the DNS settings for your domain (look for DNS / Records / Advanced DNS).
- Add a new record and choose TXT.
- In the Name / Host field, enter only the selector part — for Google this is usually google._domainkey. Do not add your domain name on the end; the DNS host appends it automatically.
- In the Value field, paste the long key value Google gave you, exactly.
- Leave TTL on the default.
- Save.
Step 3 — Turn DKIM on, back in Google
Publishing the record isn’t enough — you have to tell Google to start signing.
- Return to the Authenticate email page in the Google Admin console.
- Click Start authentication.
- Google checks that the record is visible in your DNS. If it can’t find it yet, give DNS a little time to propagate (minutes to a couple of hours) and try again.
Quirks people get wrong
- Two places, in order. Generate in Google, publish in DNS, then come back and click Start authentication. Skipping the last step means the key is published but Google never signs your mail.
- Don’t put the full domain in Host. If the instructions show google._domainkey.yourdomain.com, you enter only google._domainkey at your DNS host — the rest is added for you. Including the domain again creates a broken host like google._domainkey.yourdomain.com.yourdomain.com.
- Paste the whole key — it’s long. DKIM public keys are hundreds of characters. Some DNS hosts have a character limit on a single field and split long TXT values across multiple quoted strings — that’s normal and Google handles it, but make sure nothing is cut off and no stray spaces or line breaks crept in.
- Watch the quoting. Paste the plain value; most DNS hosts add the quotes for you. Manually adding " marks on top can corrupt the record.
- Match the selector exactly. The host in your DNS must match what Google expects (google._domainkey) character for character — that’s how the receiver finds the right key.
- Give it time. DNS changes can take minutes to a couple of hours before Google can confirm and DKIM starts validating.
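The mistakes above can be caught offline before you click Start authentication. The following Python check is an added example, not code from Google or Defaults.Exposed; the function name check_dkim, the domain example.com and the sample key bytes are assumptions constructed for illustration.

```python
import base64, binascii, re

def check_dkim(host_field, txt, domain, selector="google._domainkey"):
    """Return a list of problems with a DKIM Host entry and the TXT value seen in DNS."""
    problems = []
    host = host_field.rstrip(".").lower()
    if host.endswith("." + domain.lower()):
        problems.append("Host includes the domain; publishes as %s.%s" % (host, domain))
        host = host[: -len(domain) - 1]
    if host != selector:
        problems.append("selector %r does not match %r" % (host, selector))
    if '\\"' in txt:
        problems.append("literal quote characters inside the value")
    # A long value may come back as several quoted strings; they join with no separator.
    parts = re.findall(r'"((?:[^"\\]|\\.)*)"', txt)
    value = "".join(parts) if parts else txt
    tags = {k.strip(): v.strip() for k, v in (t.split("=", 1) for t in value.split(";") if "=" in t)}
    if tags.get("v") != "DKIM1":
        problems.append("missing v=DKIM1")
    if tags.get("k", "rsa") != "rsa":
        problems.append("unexpected key type")
    p = tags.get("p", "")
    if re.search(r"\s", p):
        problems.append("whitespace inside the key")
        p = re.sub(r"\s+", "", p)
    try:
        der = base64.b64decode(p, validate=True)
    except binascii.Error:
        return problems + ["p= is not valid base64 (cut off or corrupted)"]
    # DER: 0x30 (SEQUENCE), then a length that must cover the rest of the key exactly.
    if len(der) < 4 or der[0] != 0x30:
        return problems + ["p= is not a DER-encoded public key"]
    n = der[1] & 0x7F if der[1] & 0x80 else 0
    hdr = 2 + n
    length = int.from_bytes(der[2:hdr], "big") if n else der[1]
    if hdr + length != len(der):
        problems.append("key is truncated: %d of %d bytes" % (len(der), hdr + length))
    return problems

# Constructed sample: 294 DER-shaped bytes standing in for a 2048-bit key (not a real key).
_body = bytes(i % 256 for i in range(290))
SAMPLE_P = base64.b64encode(b"\x30\x82" + len(_body).to_bytes(2, "big") + _body).decode()
SAMPLE_TXT = "v=DKIM1; k=rsa; p=" + SAMPLE_P
SPLIT_TXT = '"%s" "%s"' % (SAMPLE_TXT[:255], SAMPLE_TXT[255:])

if __name__ == "__main__":
    print(check_dkim("google._domainkey", SPLIT_TXT, "example.com"))
    print(check_dkim("google._domainkey.example.com", SAMPLE_TXT[:-8], "example.com"))
```

Pass the Host exactly as you typed it and the TXT value as your DNS lookup tool shows it; an empty list means none of these mistakes was found.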
Verify it worked
After publishing the record, turning authentication on, and allowing a little propagation time, run the free check on Defaults.Exposed. It will confirm in plain language whether your DKIM record is published and readable. Your data is processed in the EU.