Setting up DKIM for Google Workspace (Without Losing Your Mind)

Doing sales email outreach and using Google’s email infrastructure?

You must set up a DKIM record for your domain.

Failing to do so will result in fewer opens for your painstakingly crafted campaigns.

However, setting up DKIM is more complicated than setting up other email authentication methods.

Fortunately, at RogerRoger, we created a quick guide to setting up DKIM for Google Workspace without the headache.

What is DKIM?

DKIM (DomainKeys Identified Mail) is an email authentication method.

It makes it harder for criminals to spoof your domain (forging the sender address) and modify emails during transit.

Put bluntly, DKIM prevents cybercriminals from faking who the email is from or messing with its content.

Setting up DKIM will improve your inbox placement because email providers will consider your emails more secure.

In other words, for modern sales email outreach, you need DKIM to optimize your ROI.

How Do I Set Up DKIM for Google Workspace?

The five steps to setting up DKIM for Google Workspace are:

1. ➡️ Check for an existing Google DKIM record

2. ➡️ Generate your DKIM key in Google Admin Console

3. ➡️ Add the DKIM record to your domain’s DNS records

4. ➡️ Turn on DKIM signing

5. ➡️ Validate your DKIM record

Let’s go through these steps in more detail:

1. Check for an existing Google DKIM record

Some domain providers will automatically set up a DKIM record for your domain. Examples include:

• Google Domains

• Squarespace

• Wix

This usually happens when you set up Google Workspace with them or when they manage your DNS settings for you.

So, you want to check if your domain already has a DKIM record set up.

To check for an existing DKIM, go to your domain provider account and select your domain. Then look for the DNS page, and check if there’s a TXT record starting with: google.

Can a domain have multiple DKIM records?

Yes. However, not from the same email provider. Google DKIM records typically start with the selector *google. (*The DKIM record should look like this: google._domainkey.yourdomain.com. )

Having two records with this selector would cause DNS conflicts and DKIM authentication failure.

2. Get Your DKIM Key from Google Admin Console

DKIM uses two important keys: a private key and a public key.

Google generates the private key and keeps it safe on their servers. With the private key, outgoing emails are cryptographically signed.

The public key, on the other hand, is what you publish in your DKIM record. You add this record as a DNS TXT record to your domain’s DNS records.

Receiving mail servers use the public key to verify the email’s signature to check if it hasn’t been tampered with during transit.

You don’t have to worry about the private key. You’ll never see or handle it. Google takes care of it all.

Here’s how to generate both DKIM keys for Google Workspace:

1. ➡️ Sign in to the Google Admin console as a super administrator

2. ➡️ Navigate to: Menu → Apps → Google Workspace → Gmail → Authenticate email

3. ➡️ In the Selected domain dropdown, pick the domain you want to configure

4. ➡️ Click Generate New Record

5. ➡️ Set your options:

   • Key length: choose 2048 bits (more secure) or 1024 bits if your DNS provider has limitations

   • Prefix (selector): the default is google - If that selector already exists, pick a new one

6. ➡️ Click Generate. Google displays a message: DKIM authentication settings updated along with the new DNS TXT record details

7. ⚠️ Don’t click “Start authentication” yet. That happens later. First, add the public key to DNS.

How do I generate the correct DKIM key pair for Google Workspace?

The Admin Console generates the keys for you. You don’t have to create the private/public key pair.

🕒 Timing notes

• You must have enabled Gmail for your domain 24-72 hours before generating the key. Otherwise, you may receive an error.

• After generating, the Admin console may continue prompting you to update DNS for up to 48 hours, even if it’s already set

3. Add the DKIM record to your domain’s DNS records

Armed with your public DKIM key, here’s how to add the DKIM record to your domain:

1. ➡️ Go to your domain provider account

2. ➡️ Select your domain

3. ➡️ Look for the DNS settings

4. ➡️ Add a new TXT record

5. ➡️ In the name/host field enter: google._domainkey.yourdomain.com (modify according to your domain)

6. ➡️ Add the public key Google Admin Console gave you in the Value field

7. ➡️ Set the TTL value to 3600 or default - TTL means time to live, and it’s the time in seconds the server should cache your record

Should DKIM be TXT or CNAME?

For Google Workspace: TXT. ****Some providers use CNAME pointing to a hosted DKIM service, but Google does not.

4. Turn on DKIM signing

The next step… is to wait a bit.

DNS changes can take up to 72 hours to propagate fully. The good news is that your record will usually become active in a few hours.

You can use a tool like MXToolbox to verify if the record is functioning properly.

When it does, return to Admin Console and click Start authentication. Admin console will now check if your public DKIM key is reachable.

Once successful, all emails sent from your domain will be signed with DKIM.

5. Validate your DKIM record

Time to see if it’s all working!

Here’s how to validate that DKIM signing functions properly:

1. ➡️ Send an email from Gmail to another Gmail account you have access to

2. ➡️ Open the email, click the three dots menu in the upper right corner, and go to Show original

3. ➡️ If next to DKIM, it says Pass, you’ll be good to go

Should You Rotate DKIM Keys?

For better security, you should rotate your DKIM keys at least once a year. If your company requires high security, change your DKIM twice a year or more.

Here’s why:

If someone somehow gets a hold of your private key, they could fake sending from your domain and pass DKIM authentication. Worst part? They could keep doing that forever if you don’t rotate your DKIM keys.

But, since we love good news at RogerRoger, rotating your DKIM keys is easy.

You just follow the same steps we outlined in this post:

1. ➡️ Generate a new key with a new selector in Admin Console

2. ➡️ Add the new TXT record in DNS

3. ➡️ Enable DKIM with the new selector

4. ➡️ Wait until it’s live before deleting the old one

Beyond DKIM

Setting up DKIM is a good step towards more eyeballs on your sales emails.

However, DKIM alone is not enough.

You must also set up two other email authentication methods:

• SPF: Lets you authorize the sending servers that can send from your domain.

• DMARC: Kind of like the email authentication police. It lets you decide what to do with emails that fail SPF or DKIM authentication.

Set up these two email authentication protocols, too. Start with SPF.

These three together will give you the best chance at landing in your prospect’s inbox. The only place where your emails will convert!