Gmail DKIM: What You Need to Know (2026)
By Kushal Magar · May 17, 2026 · 11 min read
Key Takeaway
Gmail DKIM signs every outgoing email with a cryptographic key that receiving servers verify against your DNS. Without it, your emails are more likely to land in spam — and after Google's 2024 bulk sender mandate, it's non-negotiable for anyone sending at volume.
TL;DR
- DKIM (DomainKeys Identified Mail) cryptographically signs Gmail messages so receiving servers can verify they came from your domain.
- Set it up in four steps: generate a 2048-bit key in Google Admin → add a DNS TXT record at google._domainkey.yourdomain.com → wait for propagation → click Start Authentication.
- Common failures come from extra whitespace in the key, wrong subdomain, or DNS not yet propagated — all fixable in minutes.
- DKIM alone isn't enough. Pair it with SPF and a DMARC record to satisfy Google's bulk sender requirements and protect your domain from spoofing.
What Is DKIM?
DKIM — DomainKeys Identified Mail — is an email authentication standard defined in RFC 6376. It works by attaching a cryptographic signature to every outgoing email header.
When a receiving mail server gets a message, it fetches your public key from DNS and checks the signature. A match means the email genuinely came from your domain and wasn't tampered with in transit.
The mechanism uses asymmetric cryptography:
- Private key — stored securely by Google, used to sign outgoing mail.
- Public key — published in your DNS as a TXT record, used by anyone to verify signatures.
Google Workspace generates the key pair for you. Your job is to paste the public key into your DNS provider and flip the switch in the Admin console.
Why DKIM Matters for Gmail
In February 2024, Google and Yahoo introduced mandatory bulk sender requirements. Any domain sending more than 5,000 emails per day to Gmail must have SPF, DKIM, and a DMARC record — or messages get rejected.
Even below that threshold, DKIM affects inbox placement. Gmail's spam filters factor authentication signals into every delivery decision. Unauthenticated email is treated with suspicion regardless of content quality.
DKIM protects against two specific threats:
- Header spoofing — attackers forging your From address. SPF alone doesn't prevent this.
- Message tampering — content modified after sending, which breaks the DKIM signature.
For B2B teams running cold email at scale, a broken or missing DKIM record is one of the fastest ways to tank deliverability on an otherwise healthy domain. If you're also running Gmail warmup, DKIM must be configured before warmup begins — unsigned warmup emails train ISPs to associate your domain with unauthenticated mail.
Before You Start
You need:
- Google Workspace admin access — a Super Admin account on your Google Workspace organization.
- DNS access — login to wherever your domain's DNS is managed (GoDaddy, Cloudflare, Namecheap, Route 53, etc.).
- Your domain verified in Google Workspace — if Google hasn't verified that you own the domain, the DKIM key won't generate.
Personal Gmail accounts (@gmail.com) don't support custom DKIM. DKIM configuration is for Google Workspace domains only — meaning you're sending from you@yourcompany.com through Google's mail servers.
Step 1: Generate Your DKIM Key
- Sign into the Google Admin console as a Super Admin.
- Navigate to Apps → Google Workspace → Gmail → Authenticate email.
- Select the domain you want to authenticate from the dropdown.
- Click Generate new record.
- Set the key length to 2048 bits. This is the recommended minimum per RFC 8301.
- Leave the selector prefix as google (default) unless you have a specific reason to change it.
- Click Generate.
Google displays two values you'll need in the next step:
- DNS Host name: google._domainkey.yourdomain.com
- TXT record value: a long string starting with v=DKIM1; k=rsa; p=...
Keep this browser tab open — you'll need to return here to activate signing after adding the DNS record.
Step 2: Add the DNS TXT Record
Log into your DNS provider and create a new TXT record with these values:
| Field | Value |
|---|---|
| Record type | TXT |
| Host / Name | google._domainkey (some providers auto-append the domain) |
| Value | The full v=DKIM1; k=rsa; p=... string from the Admin console |
| TTL | 3600 (1 hour) or your provider's default |
Critical: Copy the key value as a single unbroken string. Some DNS interfaces wrap long values across multiple lines — that's fine visually, but the underlying record must contain no extra spaces or line breaks inside the key value. Whitespace in the p= field breaks signature verification.
If your DNS provider caps TXT record length at 255 characters (some older providers do), split the key into two quoted strings in the same record:
"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA..." "...rest-of-key-here"
This is valid per RFC 4871 and most modern providers handle it automatically.
Save the record and allow DNS to propagate. Use MXToolbox DKIM Lookup or Google's Check MX tool to confirm the record is visible before proceeding.
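The record checks from this step, as an added Python example (not from the original article or from Google's tooling): it rejoins a TXT value split into 255-character quoted strings, flags whitespace inside p=, and reads the RSA key size from the decoded key. The function names are assumptions made for the illustration, and sample_record builds a constructed placeholder key, not a real one.

```python
import base64
import re

def join_txt_strings(rdata: str) -> str:
    """Concatenate the quoted strings of one TXT record, as a resolver does."""
    parts = re.findall(r'"([^"]*)"', rdata)
    return "".join(parts) if parts else rdata.strip()

def split_for_dns(value: str, limit: int = 255) -> str:
    """Render a long value as consecutive quoted strings of at most `limit` chars."""
    return " ".join(f'"{value[i:i + limit]}"' for i in range(0, len(value), limit))

def rsa_modulus_bits(spki: bytes) -> int:
    """Walk the DER SubjectPublicKeyInfo and return the RSA modulus size in bits."""
    def tlv(buf, pos):
        length, pos = buf[pos + 1], pos + 2
        if length & 0x80:  # long-form length
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        return buf[pos:pos + length], pos + length
    body, _ = tlv(spki, 0)        # outer SEQUENCE
    _, pos = tlv(body, 0)         # AlgorithmIdentifier
    bitstr, _ = tlv(body, pos)    # BIT STRING holding the key
    rsa_seq, _ = tlv(bitstr, 1)   # skip the unused-bits byte
    modulus, _ = tlv(rsa_seq, 0)  # first INTEGER is the modulus
    return int.from_bytes(modulus, "big").bit_length()

def check_dkim_record(rdata: str) -> list:
    """Return the problems found in one DKIM TXT record; an empty list means clean."""
    problems = []
    record = join_txt_strings(rdata)
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    p = tags.get("p", "")
    if p != "".join(p.split()):  # the article's rule: no spaces or line breaks in p=
        problems.append("whitespace inside p=")
    try:
        bits = rsa_modulus_bits(base64.b64decode("".join(p.split()), validate=True))
        if bits < 2048:
            problems.append(f"RSA key is {bits} bits, below 2048")
    except (ValueError, IndexError):
        problems.append("p= is not a base64-encoded RSA public key")
    return problems

def sample_record(bits: int = 2048) -> str:
    """Constructed sample: real DER layout around a placeholder modulus, not a usable key."""
    prefix = {2048: "30820122300d06092a864886f70d01010105000382010f003082010a0282010100",
              1024: "30819f300d06092a864886f70d010101050003818d0030818902818100"}[bits]
    body = bytes.fromhex(prefix) + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(body + bytes.fromhex("0203010001")).decode()
```

Feed check_dkim_record the TXT value exactly as your lookup tool prints it, quotes included, so the check sees what receiving servers see.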
Step 3: Activate DKIM Signing
Once DNS propagation is confirmed, return to Admin console → Apps → Google Workspace → Gmail → Authenticate email.
- Select your domain.
- Click Start Authentication.
- The status changes to Authenticating… while Google verifies the DNS record.
- Within minutes to a few hours, status changes to Signing email — DKIM is live.
If the status stays on Authenticating… for more than 48 hours, your DNS record likely has an issue. See the troubleshooting section below.
Step 4: Verify DKIM Is Working
Send a test email from your Google Workspace account to any external address — a personal Gmail, Outlook, or a free mail account works fine.
In the received email:
- Open the message in Gmail and click the three-dot menu → Show original.
- Look for the line: dkim=pass header.i=@yourdomain.com
- Also verify: Authentication-Results: mx.google.com; dkim=pass
If you see dkim=pass, DKIM is correctly configured and all outgoing mail is now signed.
Alternatively, forward a test email to mail-tester.com — it gives a 10-point spam score breakdown including DKIM pass/fail status.
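An added Python example (not part of the original article) that automates the Show original check: it reads the Authentication-Results header stamped by mx.google.com and confirms that a passing DKIM signature belongs to the From domain rather than to a third-party sender. The sample messages are constructed, mailer.example is a placeholder domain, and the domain comparison is a simplified exact-or-subdomain match.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def dkim_verdicts(raw_message: str, authserv_id: str = "mx.google.com") -> list:
    """Return (result, signing_domain, selector) for each dkim= entry stamped by authserv_id."""
    verdicts = []
    for header in message_from_string(raw_message).get_all("Authentication-Results", []):
        server, _, results = " ".join(header.split()).partition(";")  # unfold first
        if server.strip().lower() != authserv_id:
            continue  # skip results written by a host other than your own receiver
        for clause in results.split(";"):
            verdict = re.match(r"\s*dkim=(\w+)", clause)
            if not verdict:
                continue
            domain = re.search(r"header\.[id]=(?:[^\s@;]*@)?([\w.-]+)", clause)
            selector = re.search(r"header\.s=([\w.-]+)", clause)
            verdicts.append((verdict.group(1).lower(),
                             domain.group(1).lower() if domain else None,
                             selector.group(1) if selector else None))
    return verdicts

def signed_by_from_domain(raw_message: str) -> bool:
    """True when a dkim=pass entry was signed by the From domain or a parent of it."""
    sender = parseaddr(message_from_string(raw_message).get("From", ""))[1]
    from_domain = sender.rpartition("@")[2].lower()
    return any(result == "pass" and domain is not None
               and (from_domain == domain or from_domain.endswith("." + domain))
               for result, domain, _ in dkim_verdicts(raw_message))

# Constructed sample messages in the layout Gmail's "Show original" view displays.
SIGNED_BY_YOU = """\
Authentication-Results: mx.google.com;
       dkim=pass header.i=@yourdomain.com header.s=google header.b=AbCdEfGh;
       spf=pass smtp.mailfrom=you@yourdomain.com;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=yourdomain.com
From: You <you@yourdomain.com>
Subject: DKIM test

test body
"""
SIGNED_BY_THIRD_PARTY = SIGNED_BY_YOU.replace(
    "header.i=@yourdomain.com header.s=google", "header.i=@mailer.example header.s=s1")
```

The second sample still shows dkim=pass, but the signature belongs to another domain, so it says nothing about whether your own key is live.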
Troubleshooting DKIM Failures
These are the four most common Gmail DKIM problems and how to fix each one.
1. Status stuck on "Authenticating" for 48+ hours
Cause: DNS record not yet visible, or published under the wrong hostname.
Fix: Run a lookup with nslookup -type=TXT google._domainkey.yourdomain.com. If no record appears, check your DNS provider — the record may not have saved correctly. Confirm the host field is google._domainkey, not _domainkey or google alone.
2. dkim=fail (message has been altered)
Cause: The email body or headers were modified between sending and receiving — often by a mailing list processor, forwarding gateway, or email security appliance that rewrites headers.
Fix: This is expected behavior when mail passes through a rewriting intermediary. It's not a configuration error on your end. DMARC's "relaxed" alignment mode handles this gracefully by allowing SPF to pass even when DKIM fails due to forwarding.
3. dkim=fail (bad signature)
Cause: Extra whitespace or line breaks in the DNS key value, or the public key doesn't match the private key Google is signing with (this happens if you re-generated the key without updating DNS).
Fix: Go back to Admin console → Authenticate email, generate a new record, and re-paste the full key value into DNS as a clean single string. Delete the old TXT record first to avoid conflicts.
4. "No DKIM record found" on lookup tools
Cause: DNS provider didn't save the record, or the selector name is wrong.
Fix: Log back into DNS, confirm the TXT record exists and the host is exactly google._domainkey. Some providers (like GoDaddy) automatically append the root domain — enter google._domainkey without the domain suffix in those cases.
DKIM + SPF + DMARC: The Full Stack
DKIM is one leg of a three-part authentication stack. Each protocol covers a different attack vector:
| Protocol | What it verifies | DNS record type |
|---|---|---|
| SPF | Sending server IP is authorized for the domain | TXT at root domain |
| DKIM | Message was signed by the domain and wasn't altered | TXT at google._domainkey |
| DMARC | SPF and/or DKIM align with the From header; sets policy for failures | TXT at _dmarc |
A minimal DMARC record for a new setup looks like this:
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
Start with p=none (monitor only — no mail rejected). Once you've confirmed SPF and DKIM both pass cleanly across all your mail streams, escalate to p=quarantine, then p=reject.
This sequencing matters. Jumping to p=reject before your authentication is solid will start bouncing legitimate mail — including transactional emails from third-party senders like your CRM, marketing automation, or support tools.
For B2B teams running cold email campaigns, having all three protocols passing is table stakes. Google's bulk sender requirements explicitly mandate SPF, DKIM, and DMARC alignment for high-volume senders. If you're also monitoring deliverability across multiple sending domains, check email domain warmup best practices — authentication and warmup work together, not independently.
The state of cold email in 2026 makes clear: inbox placement is harder than ever, and unauthenticated domains get filtered before content quality even enters the equation. Getting your DKIM signed correctly is the foundation everything else sits on.
If your outreach stack touches enriched contact data — pulling verified emails before sending — tools like email enrichment platforms pair naturally with a clean authentication setup to maximize inbox rates.
Conclusion
Gmail DKIM setup takes under 30 minutes from start to finish. Generate a 2048-bit key in Google Admin, add the TXT record to DNS under google._domainkey.yourdomain.com, activate signing, and verify with a test email.
The most common mistake is whitespace in the key value — copy it as a clean, unbroken string and the setup is straightforward. Pair DKIM with SPF and a DMARC record at p=none to complete your authentication stack, then escalate DMARC enforcement once you've confirmed all mail streams pass cleanly.
Authentication is the floor, not the ceiling. Once DKIM is live, focus on list quality, sending cadence, and email personalization — the factors that move the needle on replies once you've earned inbox placement.
