Email authentication is no longer “nice to have.” Since 2024, mailbox providers like Google, Microsoft, and Yahoo require proper authentication for reliable inbox placement. Miss these basics, and delivery suffers quickly.
SPF and DKIM are two of the pillars for good email deliverability. Together they protect your brand, confirm message integrity, and support consistent inbox placement. Without it, spoofing becomes easier, and legitimate mail looks suspicious by default.
Let’s walk through the DKIM setup for Google Workspace in a way that actually sticks.
What DKIM Does, in Plain Terms
DKIM, short for DomainKeys Identified Mail, adds a cryptographic signature to every message your domain sends. Receiving servers use this signature to confirm two things: the message came from your domain, and it was not altered in transit.
Think of it as a tamper-evident seal for email. If the seal breaks, trust drops immediately. DKIM does not stop spam on its own. It enables trust, which is what inbox placement runs on.
Phase 1: Generate DKIM Keys in Google Workspace
Start in the Google Admin Console. This step creates the signing keys Google will use.
1. Sign in to the Admin Console.
2. Go to Apps, then Google Workspace, then Gmail.
3. Select Authenticate email.
4. Choose the domain you want to configure.
5. Click Generate new record.
Use these settings:
· DKIM key bit length: Select 2048. This is the current best practice.
· Selector prefix: Leave the default value, usually google.
Once generated, copy two things carefully:
· The DNS host name, also called the selector.
· The TXT value, which contains the public key.
Accuracy matters here. One typo breaks the entire setup.
Phase 2: Publish the DKIM Record in DNS
This step makes your public key visible to the world.
1. Log in to your DNS provider.
2. Create a new TXT record.
3. Paste the values provided by Google.
Typical fields look like this:
Host / Name: google._domainkey
Value: The full TXT string from Google
Save the record and allow time for DNS propagation. Most updates complete within 30 to 60 minutes, but slower providers exist.
Once DNS is live, return to the Admin Console and click Start authentication. The status should update to “Authenticating email.”
If it does not, DNS is usually the issue.
Phase 3: Validate DKIM and SPF Together
Never assume success. Always validate.
Send a test message from your Google Workspace account to: https://aboutmy.email
Review the results carefully. You want to see PASS for both DKIM and SPF.
A DKIM pass confirms the signature is valid and aligned. An SPF pass confirms the sending server is authorized.
Together, these signals reduce filtering risk and support DMARC alignment later.
Common DKIM Pitfalls to Avoid
Small mistakes cause big problems.
· Publishing the record on the wrong domain or subdomain
· Copying incomplete TXT values
· Forgetting to click Start authentication
· Rotating keys without updating DNS
DKIM also fails silently. Mail keeps sending, but trust erodes quietly. Routine checks matter more than most teams realize. DMARC Reports (We’ll cover those in another article) are instrumental in identifying issues
DKIM is foundational. It protects your domain, reinforces trust, and supports long-term deliverability. If email drives revenue, this is not optional work. It is table stakes.
When was the last time you validated DKIM across all active sending domains, and should we review that together before it becomes a problem?
