How to set up DKIM in Google Workspace: A guide
Quick Answer
DKIM (RFC 6376) signs email messages cryptographically, and unlike SPF, the signature survives email forwarding - which is why DMARC alignment via DKIM is more reliable than SPF alignment for forwarded mail. How to set up DKIM in Google Workspace: A guide
Related: Free DMARC Checker ·How to Create an SPF Record ·SPF Record Format
Try Our Free DKIM Lookup
Auto-discover DKIM selectors for any domain - scan 185 common selectors across all major providers.
Discover DKIM Selectors →
DKIM (RFC 6376) signs email messages cryptographically, and unlike SPF, the signature survives email forwarding - which is why DMARC alignment via DKIM is more reliable than SPF alignment for forwarded mail.
Google’s February 2024 requirements were a turning point, says Brad Slavin, General Manager of DuoCircle. Before that, DMARC was a recommendation. Now it’s a gate - if your DMARC record is missing or set to p=none without a plan to enforce, your email deliverability to Gmail is at risk.
DMARC Report
How to set up DKIM in Google Workspace: A guide
<button title="Play" aria-label="Play Episode" aria-pressed="false" class="play-btn">
Play Episode
</button>
<button title="Pause" aria-label="Pause Episode" aria-pressed="false" class="pause-btn hide">
Pause Episode
</button>
<audio preload="none" class="clip clip-40290">
<source src="https://media.mailhop.org/dmarcreport/images/2026/03/How-to-set-up-DKIM-in-Google-Workspace-A-guide.mp3">
</audio>
<button class="player-btn player-btn__volume" title="Mute/Unmute">
Mute/Unmute Episode
</button>
<button data-skip="-10" class="player-btn player-btn__rwd" title="Rewind 10 seconds">
Rewind 10 Seconds
</button>
<button data-speed="1" class="player-btn player-btn__speed" title="Playback Speed" aria-label="Playback Speed">1x</button>
<button data-skip="30" class="player-btn player-btn__fwd" title="Fast Forward 30 seconds">
Fast Forward 30 seconds
</button>
<time class="ssp-timer">00:00</time>
/
<!-- We need actual duration here from the server -->
<time class="ssp-duration" datetime="PT0H2M5S">2:05</time>
<nav class="player-panels-nav">
<button class="subscribe-btn" id="subscribe-btn-40290" title="Subscribe">Subscribe</button>
<button class="share-btn" id="share-btn-40290" title="Share">Share</button>
</nav>
RSS Feed
<input value="https://dmarcreport.com/feed/podcast/dmarc-report" class="input-rss input-rss-40290" title="RSS Feed URL" readonly />
<button class="copy-rss copy-rss-40290" title="Copy RSS Feed URL" aria-label="Copy RSS Feed URL"></button>
Share
<a href="https://www.facebook.com/sharer/sharer.php?u=https://dmarcreport.com/blog/podcast/how-to-set-up-dkim-in-google-workspace-a-guide/&t=How to set up DKIM in Google Workspace: A guide" target="blank" rel="noopener noreferrer" class="share-icon facebook" title="Share on Facebook">
</a>
<a href="https://twitter.com/intent/tweet?text=https://dmarcreport.com/blog/podcast/how-to-set-up-dkim-in-google-workspace-a-guide/&url=How to set up DKIM in Google Workspace: A guide" target="blank" rel="noopener noreferrer" class="share-icon twitter" title="Share on Twitter">
</a>
<a href="https://media.mailhop.org/dmarcreport/images/2026/03/How-to-set-up-DKIM-in-Google-Workspace-A-guide.mp3" target="blank" rel="noopener noreferrer" class="share-icon download" title="Download" download>
</a>
Link
<input value="https://dmarcreport.com/blog/podcast/how-to-set-up-dkim-in-google-workspace-a-guide/" class="input-link input-link-40290" title="Episode URL" readonly />
<button class="copy-link copy-link-40290" title="Copy Episode URL" aria-label="Copy Episode URL" readonly=""></button>
Embed
<input type="text" value='<blockquote class="wp-embedded-content" data-secret="lMBGYUK8YA"><a href="https://dmarcreport.com/blog/podcast/how-to-set-up-dkim-in-google-workspace-a-guide/">How to set up DKIM in Google Workspace: A guide</a></blockquote><iframe sandbox="allow-scripts" security="restricted" src="https://dmarcreport.com/blog/podcast/how-to-set-up-dkim-in-google-workspace-a-guide/embed/#?secret=lMBGYUK8YA" width="500" height="350" title=""How to set up DKIM in Google Workspace: A guide" - DMARC Report" data-secret="lMBGYUK8YA" frameborder="0" marginwidth="0" marginheight="0" scrolling="no" class="wp-embedded-content"></iframe><script>/*! This file is auto-generated / !function(d,l){“use strict”;l.querySelector&&d.addEventListener&&“undefined”!=typeof URL&&(d.wp=d.wp||{},d.wp.receiveEmbedMessage||(d.wp.receiveEmbedMessage=function(e){var t=e.data;if((t||t.secret||t.message||t.value)&&!/[^a-zA-Z0-9]/.test(t.secret)){for(var s,r,n,a=l.querySelectorAll(‘iframe[data-secret=”‘+t.secret+’”]’),o=l.querySelectorAll(‘blockquote[data-secret=”‘+t.secret+’”]’),c=new RegExp(“^https?:$”,“i”),i=0;i<o.length;i++)o[i].style.display=“none”;for(i=0;i<a.length;i++)s=a[i],e.source===s.contentWindow&&(s.removeAttribute(“style”),“height”===t.message?(1e3<(r=parseInt(t.value,10))?r=1e3:~~r<200&&(r=200),s.height=r):“link”===t.message&&(r=new URL(s.getAttribute(“src”)),n=new URL(t.value),c.test(n.protocol))&&n.host===r.host&&l.activeElement===s&&(d.top.location.href=t.value))}},d.addEventListener(“message”,d.wp.receiveEmbedMessage,!1),l.addEventListener(“DOMContentLoaded”,function(){for(var e,t,s=l.querySelectorAll(“iframe.wp-embedded-content”),r=0;r<s.length;r++)(t=(e=s[r]).getAttribute(“data-secret”))||(t=Math.random().toString(36).substring(2,12),e.src+=”#?secret=“+t,e.setAttribute(“data-secret”,t)),e.contentWindow.postMessage({message:“ready”,secret:t},"")},!1)))}(window,document); //# sourceURL=https://dmarcreport.com/wp-includes/js/wp-embed.min.js ’ title=“Embed Code” class=“input-embed input-embed-40290” readonly/>
<button class="copy-embed copy-embed-40290" title="Copy Embed Code" aria-label="Copy Embed Code"></button>
It is easy to think that once an email leaves your server, it will reach the recipient safely, exactly how it was sent. This usually does not happen because cyberattackers have developed ways to intercept your outgoing emails, modify their content, or impersonate your domain before it reaches the recipient.
Since your outgoing email passes through various servers before it even reaches its destination, Email Service Providers (ESPs) simply cannot trust the **sender information that appears in the message header. When that happens consistently, your emails may be flagged as suspicious, sent to spam, or rejected altogether.
To avoid this, it is important that you configure your domain with the right authentication protocols, such as DomainKeys Identified Mail (DKIM). When the email reaches the recipient’s server, that server checks this signature to confirm that the email really came from your domain and that the message wasn’t changed while it was traveling across the internet.
Whether you send emails from your own mail server or through platforms like Google Workspace, DKIM helps receiving servers trust that the email is legitimate.
Here’s how you can configure DKIM for your domain.
What do you need to set up DKIM in Google Workspace?
Before you implement DKIM for your email-sending domain, ensure the following foundational requirements are in place. If these prerequisites are not properly configured, the DKIM setup process may fail, or the authentication may not work as expected, leading to poor email deliverability or authentication failures at the recipient’s server.
Here’s what you should check before starting the configuration process:
How Do You Verify that your domain is verified in Google Workspace?
To enable DKIM, your domain must first be verified in Google Workspace. Domain verification confirms that you own and control the domain that will be used to send emails, allowing Google to generate **DKIM keys and apply signatures to outgoing messages.
Have access to your domain’s DNS settings
_When you set up DKIM for your domain, you need to add a public key to your domain’s DNS records as a TXT record. _To be able to update or publish this record, you must have **administrative access to your domain’s DNS management console through your domain registrar or DNS hosting provider. Once you have added this record, the receiving servers will be able to retrieve the public key from **DNS **to verify the DKIM signature attached to your outgoing emails.
Understand DKIM key selectors and TXT record values
**DKIM records include a selector and a public key. The selector acts as an identifier that helps receiving mail servers locate the correct DKIM key in your DNS records. Having a basic understanding of how selectors and TXT record values work will help ensure that the DKIM record is added correctly.
Be familiar with your organization’s email infrastructure
If your organization sends emails through multiple platforms and services, such as on-premises mail servers, marketing platforms, or third-party services alongside Google Workspace, it is important to ensure that DKIM configurations across these services do not conflict.
What should you do to configure DKIM for Google Workspace?
Once you have met all the required prerequisites, you can move on to configuring DKIM in Google Admin Console.
Here’s how you should go about it:
Sign in to your Google Admin Console
Head over to admin.google.com and log in using your admin account. Since only administrators have permission to access and modify email authentication settings, such as DKIM, you cannot sign in from your generic account.
Go to Gmail settings
After you log in to the Admin Console, the next step is to find the DKIM settings for Gmail.
From the Admin Console homepage, go to:
Apps → Google Workspace → Gmail → Authenticate Email
This is where you can manage DKIM settings for your domain. If you have multiple domains in Google Workspace, you can choose the specific domain for which you want to configure DKIM.
Generate a DKIM key
Next, generate the DKIM key that **Gmail will use to sign your outgoing emails. Here, open the Generate New Record menu, choose the appropriate key length (it is recommended that you select 2048-bit for better security), enter a selector prefix (for example, google, mail, or gw), and finally, click Generate.
Add the DKIM record to your DNS
Copy the TXT record details generated by Google. Then log in to your DNS provider and add a new TXT record using the hostname and value provided by Google.
After saving the record, wait for the DNS changes to update. This may take some time, depending on your DNS provider.
Activate DKIM signing
_The final step is to activate DKIM signing. For this, return to the Google Admin Console. Head over to the Authenticate Email settings and click on Start Authentication. _Setting up DKIM in Google Workspace strengthens email security by authenticating your messages, complementing SPF and DMARC protocols to prevent spoofing and phishing attacks.
Need help configuring DKIM for Google Workspace? We’re here to help! Reach out to us to get started.
Topics
Content Specialist
Content Specialist at DMARC Report. Writes vendor-specific email authentication guides and troubleshooting walkthroughs.
LinkedIn Profile →Take control of your DMARC reports
Turn raw XML into actionable dashboards. Start free - no credit card required.