DKIM fix

How to Enable DKIM for Google Workspace

Use this to enable Workspace DKIM: mint a 2048-bit key in Admin and paste the TXT — otherwise DMARC stays flaky.

Why Workspace mail fails DMARC until you publish this

Admin can mint a real key — until the TXT exists, you’re on borrowed time for alignment.

Where Admin expects the TXT

google._domainkey.yourdomain.com → TXT → "v=DKIM1; k=rsa; p=[generated-key]"

Paste exactly what Admin shows. Vocabulary: DKIM glossary.

Generate, publish, start auth

Step 1 Google Admin → AppsGmailAuthenticate email
Step 2 Select domain → Generate new record2048-bit
Step 3 Copy TXT record value
Step 4 Add to DNS at google._domainkey.yourdomain.com
Step 5 Return to Admin → Start authentication
Step 6 Verify in DNS Preflight

Verify DKIM TXT

Open DNS Preflight →
Related glossary: DKIM · SPF record · DMARC alignment

FAQ

What is the Google DKIM selector?

google — publish at google._domainkey.yourdomain.com.

What key size should I use?

2048-bit only. 1024-bit is legacy — rotate if you’re stuck on it.

How do I rotate my Google Workspace DKIM key?

Mint a new TXT in Admin, publish, wait for DNS, then cut over. Walkthrough: key rotation.

DKIM passes in DNS Preflight but Admin says pending?

Admin crawls slower — give it up to 48h. Preflight only proves DNS is live.

Can I have multiple DKIM records?

Yes — different selectors during rotation. Overlap, then delete the old TXT.

← All DKIM fix guides

Open DNS Preflight and re-check your zone →