Last updated: July 2026
In short: After this guide you generate a DKIM key pair in the Google Admin console and publish the public part as a TXT record at your domain host.
Prerequisites
- A Google Workspace account with Gmail activated and your own domain
- Access to the Google Admin console
- Access to your domain’s DNS management (at the domain host)
What is DKIM?
DKIM (DomainKeys Identified Mail) protects your domain from spoofing by signing outgoing mail. The recipient fetches the public key from your DNS TXT entry and uses it to check the signature. Google generates a key pair for this: you enter the public key into DNS, Google keeps the private one on its servers for signing.
For context: while SPF authorizes the server, DKIM secures the message. Google requires SPF, DKIM and DMARC from bulk senders (over 5,000 mails/day) anyway.
The starting point at Google Workspace
Unlike the managed-CNAME providers (IONOS, Netcup), at Google you generate the key yourself in the Admin console and enter the finished TXT value at the domain host. The default prefix selector is google — the recommended choice for Google Workspace. The DNS entry is thus called google._domainkey.your-domain.
A waiting-time trap up front: after activating Gmail you have to wait 24 to 72 hours before you can even generate the DKIM key. Too early, and the console reports an error.
Step-by-step guide
1. Generate the key in the Admin console
In the Admin console: Apps → Google Workspace → Gmail → Authenticate email. Enter the domain, key length, and prefix selector, and click Generate.
Key length: choose 2048 bit if your domain provider supports it — longer keys are more secure than shorter ones. Only if your domain host doesn’t allow 2048-bit keys, use 1024 bit.
Selector: leave google, unless the domain already uses this prefix for another key — then assign your own prefix.
2. Copy the TXT value
After generating, the “Authenticate email” page shows the value of the TXT entry. Copy it in full — it’s the long v=DKIM1; k=rsa; p=... string.
3. Create the TXT record at the domain host
At your DNS provider, create a TXT record:
- Hostname:
google._domainkey(or your selector) - Value: the copied
v=DKIM1; ...string
Where exactly is shown in our host guides — e.g. IONOS, Strato, Hetzner DNS. With 2048-bit keys, mind any character limits in your host’s input field (e.g. All-Inkl: 512 characters).
4. Start DKIM in the Admin console
Back in the console, click Start authentication (or “Start authenticating”). Note: for up to 48 hours the page may still show “You need to update your DNS records” even though everything is correct — you can ignore this message if you entered the key correctly.
5. Wait until the change is live
DNS propagation takes time — up to 48 hours until the entry is visible everywhere.
Verify the result
Check your configuration with the free MXAudit scanner — it shows you DKIM, SPF, and DMARC at a glance.
Common mistakes
Generated too early. In the first 24–72 hours after Gmail activation, no key can be generated — wait instead of fighting the error.
Over-interpreted the “update DNS” message. For up to 48 hours after saving, the console may show this message despite correct entries. Only investigate if the problem persists after that.
2048-bit key truncated. Some hosts limit the TXT field length. If the long key gets cut off, the check fails — when in doubt, paste the value exactly and in full.
Selector mismatch. The DNS entry must be named exactly <selector>._domainkey, with the prefix chosen in the console.
Further reading
- Google Workspace Admin Help: Set up DKIM (retrieved: July 10, 2026)
- RFC 6376 — DomainKeys Identified Mail (DKIM)
