Setting up DKIM for Google Workspace: Step-by-Step Guide
An email authentication technique called DomainKeys Identified Mail (DKIM) helps safeguard email senders and recipients from spam, spoofing, and phishing. A vital safety measure in today’s digital environment, with its numerous email-based risks, DKIM allows recipients to confirm that an email claiming to be from a particular domain was, in fact, sent by the owner of that domain.
How DKIM Works
Every outgoing email is signed with a digital signature that is linked to the sender’s domain. The signature is generated with a private key that is kept securely on the sender’s server.
Upon receiving the email, the recipient’s server obtains the public key from DNS and uses it to verify the email’s signature. It also computes its own hash from the same email components that the sender’s signature was created from.
The recipient’s server then compares its result with the signed value. If they match, the sender and the email are considered authentic. If they differ even by a single character, the server reports a DKIM authentication failure, which means that the message could have been tampered with in transmission.
Benefits of Setting up DKIM in Google Workspace
The utilization of DKIM email authentication helps both senders and receivers. Because only authenticated emails from reliable domains are delivered, this verification greatly lowers the possibility of fake emails arriving in recipients’ inboxes.
For Google Workspace users, the implementation of DKIM signing for their email communications means:
- strengthened email security and spoofing prevention;
- improved sender reputation and deliverability;
- increased trust among email recipients;
- compliance with sender requirements;
- reduced risk of email-based attacks.
Requirements for Setting up DKIM in Google Workspace
To set up DKIM in Google Workspace and authenticate your messages, make sure the following conditions are met:
- Admin access to Google Workspace. To configure DKIM settings, you need to be able to log in as an administrator in your Google Workspace account.
- Domain DNS access. You’ll need to publish TXT records for DKIM in your domain’s DNS management panel, so having access to it is necessary.
- Domain ownership. You’ll need to ensure that the domain you are setting up DKIM for is yours. The authenticity of the emails you will be sending from the domain depends on this.
- Domain configuration. Your domain must be set up correctly and must be operational in your Google Workspace account.
How to Set Up DKIM in Google Workspace
To sign outbound emails with your custom domain and pass DKIM alignment, follow this detailed guide to enable DKIM in Google Workspace:
Step 1: Create a DKIM Key.
Log in as an administrator to your Google Workspace Admin console and navigate to Menu > Apps > Google Workspace > Gmail.
Click “Authenticate email.”
Select the domain for which you want to configure DKIM signing in the “Selected domain” menu.
Click “Generate New Record”.
In the “Generate new record” box, select your DKIM key settings:
- 2048 – if your domain provider supports 2048-bit keys, select this option. Longer keys are more secure than shorter keys.
- 1024 – if your domain host doesn’t support 2048-bit keys, select this option.
Choose the prefix selector. The default prefix selector is google. If your domain already uses a DKIM record with the ‘google’ prefix, enter a different prefix in this field.
Next, click “Generate.”
The message “DKIM authentication settings updated” will appear.
Copy the values in the “Authenticate email” window and update the DNS records for this domain.
Step 2: Add DKIM Key to DNS.
Log in to your hosting provider’s account.
Select the domain and go to the settings where you update TXT records for your domain. Typically it’s called “DNS settings”, “DNS management” or something similar.
Click on the “Add record” button.
Add the TXT record with this information:
- Type: TXT
- Host (Hostname, Alias): the domain name. If the Host is the same domain (not subdomain) you are adding the TXT record to, enter the @ symbol.
- Value: the generated DKIM key
Save the changes.
If you are setting up DKIM for a subdomain, refer to your domain provider’s documentation to properly add a DKIM TXT record for the subdomain.
If you are setting up DKIM for more than one domain, get a unique DKIM key from the Google Workspace Admin Console for each domain and complete these steps.
After adding a DKIM TXT record, it can take up to 48 hours for DKIM authentication to start working.
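As an added example (not part of the original guide or of Google's tooling), the Python sketch below checks the TXT value from Step 2 once it is visible in DNS: it joins the quoted 255-character chunks that DNS tools print for long values, splits the tags, and reads the RSA modulus size to tell the 2048-bit option from the 1024-bit one. The function names are assumptions, and the sample records are constructed inline around a made-up modulus, so they are correctly shaped but not usable keys.

```python
import base64
import re

def parse_dkim_txt(txt):
    """Join the quoted chunks DNS tools print for long TXT values, then split tags."""
    chunks = re.findall(r'"([^"]*)"', txt)
    tags = {}
    for item in ("".join(chunks) if chunks else txt).split(";"):
        name, sep, value = item.partition("=")
        if sep:
            tags[name.strip()] = "".join(value.split())
    return tags

def _tlv(buf, pos):  # -> (value_start, value_end) of the DER element at pos
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return pos, pos + length

def rsa_bits(p_value):
    """Modulus size of the RSA SubjectPublicKeyInfo carried in the p= tag."""
    der = base64.b64decode(p_value)
    spki, _ = _tlv(der, 0)              # outer SEQUENCE
    _, alg_end = _tlv(der, spki)        # AlgorithmIdentifier (rsaEncryption)
    bitstr, _ = _tlv(der, alg_end)      # BIT STRING wrapping RSAPublicKey
    rsakey, _ = _tlv(der, bitstr + 1)   # +1 skips the unused-bits byte
    n_start, n_end = _tlv(der, rsakey)  # INTEGER modulus
    return int.from_bytes(der[n_start:n_end], "big").bit_length()

def check_record(txt):
    tags = parse_dkim_txt(txt)
    if tags.get("v", "DKIM1") != "DKIM1" or tags.get("k", "rsa") != "rsa":
        return "unsupported: expected v=DKIM1 and k=rsa"
    if not tags.get("p"):
        return "no key: p= is empty or missing"
    bits = rsa_bits(tags["p"])
    return f"ok: {bits}-bit key" if bits >= 2048 else f"weak: {bits}-bit key"

def _der(tag, body):
    size = (len(body).bit_length() + 7) // 8
    head = bytes([len(body)]) if len(body) < 128 else bytes([0x80 | size]) + len(body).to_bytes(size, "big")
    return bytes([tag]) + head + body

def sample_record(bits):
    """Constructed input: correctly shaped DER around a made-up modulus, not a real key."""
    rsakey = _der(0x30, _der(0x02, b"\x00\xc1" + b"\x5a" * (bits // 8 - 1)) + _der(0x02, b"\x01\x00\x01"))
    alg = _der(0x30, bytes.fromhex("06092a864886f70d0101010500"))
    value = "v=DKIM1; k=rsa; p=" + base64.b64encode(_der(0x30, alg + _der(0x03, b"\x00" + rsakey))).decode()
    return " ".join(f'"{value[i:i + 255]}"' for i in range(0, len(value), 255))
```

Feed `check_record` the value returned by a TXT lookup of `<selector>._domainkey.<your domain>`, for example `google._domainkey.example.com` with the default selector.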
Step 3: Turn on DKIM Signing in Google Workspace.
Now you need to turn on DKIM signing for outbound emails in your Google Admin console.
In the Admin console, navigate to Menu > Apps > Google Workspace > Gmail.
Click “Authenticate email”.
Select the domain for which you added a DKIM key.
Click “Start authentication.”
If the DKIM setup is done correctly, the status at the top of the page changes to: Authenticating email with DKIM.
How to Verify DKIM Configuration
To verify whether your messages are properly signed with DKIM, you can use these methods:
1. Send an email to Gmail.
Send an email message from the domain where you enabled DKIM to a recipient who has a Gmail or a Google Workspace account.
Open the message, click “More” and then click “Show original.”
In the message header, look at the “DKIM” header field.
If the message was successfully signed with DKIM, the field value will show something like “PASS” or “OK.”
If the message header doesn’t include a field about DKIM, messages sent from your domain aren’t signed with DKIM.
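The same check can be scripted against the raw message saved from “Show original”. The Python sketch below is an added example, not code from the original guide: it reads the `Authentication-Results` header stamped by the receiving server, extracts each DKIM result with its signing domain, and reports whether a passing signature is aligned with the From domain. The function names, the `mx.google.com` default for the trusted server id, and the sample headers are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def is_aligned(signing, from_domain):
    # Simplified relaxed alignment: equal, or one is a subdomain of the other.
    # A full check compares organizational domains via the Public Suffix List.
    return bool(signing) and (signing == from_domain
        or signing.endswith("." + from_domain) or from_domain.endswith("." + signing))

def dkim_results(raw, authserv_id="mx.google.com"):
    """[(result, signing_domain, aligned)] from the receiver's Authentication-Results."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    found = []
    for header in msg.get_all("Authentication-Results", []):
        if header.split(";", 1)[0].strip() != authserv_id:
            continue  # ignore results stamped by servers we do not trust
        for result, ident in re.findall(r"dkim=(\w+)[^;]*?header\.[id]=([^\s;]+)", header):
            domain = ident.rpartition("@")[2].lower()
            found.append((result.lower(), domain, is_aligned(domain, from_domain)))
    return found

def verdict(raw):
    results = dkim_results(raw)
    if not results:
        return "unsigned"
    if any(r == "pass" and aligned for r, _, aligned in results):
        return "pass, aligned"
    if any(r == "pass" for r, _, _ in results):
        return "pass, not aligned"
    return "fail"

def sample(dkim_clause):
    """Constructed headers (not a real message) with one Authentication-Results field."""
    return ("Authentication-Results: mx.google.com;\n"
            f"       {dkim_clause}\n"
            "       spf=pass smtp.mailfrom=alice@example.com\n"
            "From: Alice <alice@example.com>\n"
            "Subject: test\n\nbody\n")

ALIGNED = sample("dkim=pass header.i=@example.com header.s=google header.b=AbCd1234;")
UNALIGNED = sample("dkim=pass header.i=@mailer.example.net header.s=s1 header.b=AbCd1234;")
BROKEN = sample("dkim=fail header.i=@example.com header.s=google header.b=AbCd1234;")
UNSIGNED = sample("dkim=none;")
```

A result of "pass, not aligned" means the message carried a valid signature from a domain other than the one in From, which does not count as a DKIM pass for the custom domain under DMARC.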
2. Use an email deliverability testing tool.
Run an email test with GlockApps to receive a detailed report about your email placement, sending environment, and domain configuration. Here is what GlockApps will show you:
1. Email Placement.
You receive an in-depth analysis of your sending environment such as IP reputation, domain reputation, email authentication (SPF and DKIM), and email deliverability with different ISPs across the world.
2. DKIM Authentication and Alignment.
You can get the DMARC reports for your domain processed automatically after generating and publishing a DMARC record. The reports contain valuable information about your email traffic, sending sources, and email authentication outcomes (SPF, DKIM, and DMARC). You’ll instantly see if DKIM fails and why.
3. DKIM Record Status.
Uptime monitors will automatically test the validity of your DKIM record in DNS to ensure your outgoing email campaigns are properly signed with DKIM by Google Workspace.
4. DKIM Success Rate.
Connect to your Gmail or Google Workspace account from GlockApps to see the reputation data for your domain. Go to the authentication dashboard to find out how your outbound emails pass SPF, DKIM, and DMARC authentication. Put the mouse on the chart to see the data for the appropriate date.
Setting up DKIM in Google Workspace is mandatory for complying with the sender requirements, protecting your email recipients from spam and scams, and minimizing the number of emails filtered out to Spam. Once DKIM signing is set up, Google Workspace will add a DKIM signature to any email you send from your domain in the Google account, ensuring the authenticity of the message. However, there are various scenarios in which DKIM authentication fails. Most of the failures can be fixed by the sender. Here is a good source to read about why DKIM fails and how to fix it.