Most Google Workspace admins assume DKIM is handled for them because their outgoing mail seems to work. It does, but it's unsigned. Gmail happily delivers Workspace-to-Workspace mail internally, yet when that same mail leaves Google's walls — to Outlook, to Yahoo, to every recipient running a modern spam filter — the missing signature gets logged as a weak authentication signal. Combined with any marginal content or reputation, it is the difference between Inbox and Spam.
Sign in to the Admin Console, generate a 2048-bit DKIM key, copy the TXT record to your DNS provider, wait for propagation, then click Start authentication. If the button greys out or throws "DKIM is not active yet", it's almost always a DNS propagation issue or a record-truncation issue. Both are covered below.
Step 1 — Sign in to Admin Console as a super admin
Go to admin.google.com and sign in with an account that has the super admin role. DKIM setup is not available to delegated admins without the Gmail settings privilege. If you're not the super admin, ask them to assign the privilege or run the steps for you — it's a two-minute job once the DNS access is in place.
Step 2 — Open Apps → Google Workspace → Gmail
In the left sidebar (or the big menu on the home dashboard), click Apps, then Google Workspace, then Gmail. This opens the Gmail service settings page. Scroll to the bottom and you'll see a block called Authenticate email.
Step 3 — Click Authenticate email
Clicking into Authenticate email opens the DKIM configuration panel. If you've never configured DKIM here before, you'll see a dropdown with your primary domain preselected and a button labelled Generate new record. The status will read "Not authenticating email". That's the state you're about to fix.
Step 4 — Select the sending domain
The dropdown at the top lists every domain attached to your Workspace account. Pick the domain whose outgoing mail you want to sign. If you send from both alerts.acme.com and acme.com, you repeat the whole process once per domain. Each domain gets its own DKIM key and its own TXT record.
Step 5 — Generate a new record (choose 2048-bit)
Click Generate new record. A dialog appears with three choices: 1024-bit key, 2048-bit key, and a prefix for the selector name (default google). Pick 2048-bit. The 1024 option exists only for legacy DNS providers that refuse long TXT values — today that's almost none. 2048 is the modern standard and all major receivers accept it without complaint.
Leave the selector as google unless you have a reason to change it. Whatever you pick, the full DNS host becomes <selector>._domainkey.<domain>.
Step 6 — Copy the DNS host and TXT value
Google shows you two fields. The first is the DNS host — for example google._domainkey. The second is a long TXT value starting with v=DKIM1; k=rsa; p=MIIBIjANBg... followed by a couple of hundred characters of base64 public key. Copy both exactly. Do not paste them into a text editor that might insert line breaks or smart quotes.
Host: google._domainkey
Type: TXT
Value: v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...
Step 7 — Publish the TXT record in DNS
Log into your DNS provider and add a new TXT record.
- Cloudflare: DNS → Records → Add record. Type TXT, Name google._domainkey, Content paste the full value. Cloudflare handles long strings automatically — do not manually split them.
- GoDaddy: DNS Management → Add → TXT. Host google._domainkey, TXT value the full string. GoDaddy sometimes truncates at the UI layer — use the bulk editor if you see the value get cut.
- Route 53: Hosted zone → Create record → TXT. Record name google._domainkey.yourdomain.com, Value wrapped in double quotes. For strings over 255 characters, Route 53 expects them split into quoted segments: "v=DKIM1; k=rsa; p=MIIBI..." "...rest of key...".
- Namecheap / Squarespace / Hover: same idea — find the DNS panel, add a TXT record with the host and value exactly as given.
Step 8 — Wait for DNS propagation
Propagation is usually a few minutes but can take up to 48 hours on slow providers. Don't trust the provider's own "DNS updated" notice — check with a public resolver:
dig TXT google._domainkey.yourdomain.com @8.8.8.8 +short
You want to see the full v=DKIM1; k=rsa; p=... string come back. If it doesn't, wait five minutes and try again. Do not click Start authentication in the Admin Console until dig returns the record.
Step 9 — Click Start authentication
Back in the Admin Console, on the same Authenticate email screen, click Start authentication. Google performs its own DNS lookup. If it finds the record, the status flips to "Authenticating email" and the button changes to Stop authentication. That's the end state. Outgoing mail is now signed.
Step 10 — Verify with a test send
Send a test email from your Workspace account to a Gmail address you control (a personal Gmail, say). Open the message, click the three dots, and pick Show original. Near the top of the source view, you'll see:
DKIM: 'PASS' with domain yourdomain.com
If you see PASS, you're done. If you see NEUTRAL or nothing, jump to the gotchas below.
Common gotchas
"DKIM is not active yet" won't go away. Nine times out of ten this means the TXT record hasn't propagated to Google's resolver yet. Wait another hour, then retry. If dig from 8.8.8.8 returns the record but Google still complains, it can be a caching issue on Google's side — leave it for 2–4 hours.
Record length truncation. The full DKIM TXT is around 270 characters, and DNS strings are limited to 255 characters per segment. Most providers handle the split invisibly. Some (older cPanel, some bargain-tier hosts) don't, and you get half a record in DNS. Symptom: dig returns the value but it ends mid-base64 with no closing =. Fix: move DNS to a provider that handles long TXT properly, or manually split with quoted segments.
Multi-domain Workspace setups. Each additional domain needs its own pass through steps 4–9. The selector can be the same across domains — google._domainkey is scoped by the parent domain, so there's no collision.
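To tell a truncated record apart from one that simply hasn't propagated (Step 8 and the truncation gotcha above), this added example, which is not Google's tooling or code from the original article, rejoins the quoted segments that dig +short prints and compares the length the key's DER header declares with the bytes actually in DNS. The function names and the sample record are constructed for illustration; the sample is zero filler behind a real-looking header, not a usable key.

```python
import base64
import re

# DER size of a standard RSA SubjectPublicKeyInfo (e=65537) -> key size in bits.
SPKI_BITS = {162: 1024, 294: 2048}

def join_txt(dig_output):
    """dig +short prints a long TXT record as several quoted strings; rejoin them."""
    parts = re.findall(r'"([^"]*)"', dig_output)
    return "".join(parts) if parts else dig_output.strip()

def der_total_len(der):
    """Bytes the outer DER SEQUENCE claims to span (header + body)."""
    if len(der) < 4 or der[0] != 0x30:
        raise ValueError("p= does not start with a DER SEQUENCE")
    if der[1] < 0x80:
        return 2 + der[1]
    n = der[1] & 0x7F
    if n not in (1, 2):
        raise ValueError("unexpected DER length encoding")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_dkim(dig_output):
    """Return (ok, message) for one selector's TXT answer."""
    tags = {}
    for field in join_txt(dig_output).split(";"):
        key, sep, value = field.partition("=")
        if sep:
            tags[key.strip()] = "".join(value.split())
    if tags.get("v") != "DKIM1" or not tags.get("p"):
        return False, "no DKIM1 record with a p= key"
    p = tags["p"]
    try:
        # Decode the longest whole-quantum prefix so a cut record still parses.
        der = base64.b64decode(p[:len(p) // 4 * 4], validate=True)
        want = der_total_len(der)
    except ValueError as exc:
        return False, f"corrupt key: {exc}"
    if len(der) < want:
        return False, f"truncated: {len(der)} of {want} key bytes in DNS"
    return True, f"complete key, {want} bytes ({SPKI_BITS.get(want, 'unknown')}-bit RSA)"

# Constructed sample: DER header claiming 294 bytes plus zero filler, not a real key.
REC = "v=DKIM1; k=rsa; p=" + base64.b64encode(b"\x30\x82\x01\x22" + bytes(290)).decode()
SAMPLE_SPLIT = f'"{REC[:255]}" "{REC[255:]}"'  # healthy: two quoted segments
SAMPLE_CUT = f'"{REC[:255]}"'                  # provider kept only the first 255 chars

if __name__ == "__main__":
    for name, answer in (("split", SAMPLE_SPLIT), ("cut", SAMPLE_CUT)):
        print(name, check_dkim(answer))
```

In practice, pass it the output of the dig command from Step 8 instead of the constructed samples.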
Key rotation — yearly
Google Workspace doesn't automatically rotate DKIM keys. Best practice is to rotate the key annually. In the same Authenticate email panel, click Generate new record and choose a new selector name (e.g. google2026). Publish the new TXT record in DNS alongside the old one, wait for propagation, then click Start authentication. Leave the old record in DNS for 48 hours so in-flight messages still verify, then remove it.
The number-one cause of wasted time on DKIM setup is clicking Start authentication before DNS has propagated, seeing the error, and then assuming something is wrong with Workspace. Run dig against 8.8.8.8 and 1.1.1.1 and confirm both return the record. Only then click the button.