How to Set Up DKIM for Gmail
Set up DKIM for Gmail accounts, including free Gmail and Google Workspace. Learn how to verify DKIM is working for your Gmail emails.
Last updated: 2026-04-27
"How do I set up DKIM (DomainKeys Identified Mail) for Gmail?" is one of the most common email authentication questions, and the answer depends entirely on which type of Gmail you use. A free @gmail.com account and a custom domain on Google Workspace handle DKIM in completely different ways. This guide covers both so you know exactly what applies to your situation.
Free Gmail (@gmail.com)
If you send email from an address like yourname@gmail.com, there is nothing for you to configure. Google handles DKIM automatically for all free Gmail accounts. You cannot change, disable, or customize it.
Every outgoing email from @gmail.com is signed with Google's own DKIM key using d=gmail.com. Recipients' mail servers verify the signature against Google's public key, and it passes without any action on your part.
Already using @gmail.com?
If you send from an @gmail.com address, DKIM is already set up and working. The rest of this guide is for people who use a custom domain (like yourname@yourdomain.com) through Google Workspace.
You cannot publish your own DKIM keys for gmail.com, and you cannot change the selector Google uses. This is entirely managed infrastructure. If you need control over DKIM signing (for example, to pass DMARC alignment with your own domain), you need Google Workspace with a custom domain.
Google Workspace (Custom Domain)
If you send email from yourname@yourdomain.com through Gmail via a Google Workspace subscription, you have full control over DKIM and you should absolutely configure it.
By default, Google Workspace may sign outgoing emails with a Google-managed key, but that key uses Google's domain rather than yours. For proper DMARC alignment, you need DKIM configured specifically for your domain so the signature's d= tag matches your From address.
Key Setup Details
- The default selector for Google Workspace DKIM is google
- Google recommends 2048-bit keys for stronger security
- You generate the key in the Google Admin Console and publish a TXT record to your DNS
We have a complete walkthrough covering every step of the process: How to Set Up DKIM in Google Workspace. That guide covers key generation, DNS record creation, enabling signing, and verification.
The short version:
- Open the Google Admin Console and navigate to Apps, then Google Workspace, then Gmail, then Authenticate email
- Select your domain and generate a new DKIM key (choose 2048-bit)
- Copy the TXT record Google provides
- Add the TXT record to your DNS at google._domainkey.yourdomain.com
- Return to the Admin Console and click Start Authentication
- Verify with a DKIM check
Checking Gmail DKIM
Whether you use free Gmail or Google Workspace, you can verify DKIM is working by looking up the record with our free DKIM test tool.
For Google Workspace, look up google._domainkey.yourdomain.com. If the record exists and contains a valid public key, your DNS side is correctly configured.
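The record check described above can also be scripted. The following is an added example, not code from this guide or from Google: it takes the strings of a DKIM TXT record, confirms that p= holds a public key, and reports RSA keys shorter than the recommended 2048 bits. The function names are hypothetical, and the sample records are constructed in code with a dummy modulus so the script runs offline.

```python
import base64

def parse_tags(record):
    """Split a DKIM tag list ("k=v; k=v"), dropping whitespace inside values."""
    pairs = (p.split("=", 1) for p in record.split(";") if "=" in p)
    return {k.strip(): "".join(v.split()) for k, v in pairs}

def read_tlv(buf, pos):
    """Read one DER tag-length-value; return (tag, value, next_pos)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long form: low 7 bits give the number of length octets
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def rsa_key_bits(p_value):
    """Modulus size of the RSA SubjectPublicKeyInfo carried in p=."""
    _, spki, _ = read_tlv(base64.b64decode(p_value), 0)  # outer SEQUENCE
    _, _, pos = read_tlv(spki, 0)                        # AlgorithmIdentifier
    _, bits, _ = read_tlv(spki, pos)                     # BIT STRING
    _, rsa, _ = read_tlv(bits, 1)                        # skip unused-bits octet
    _, modulus, _ = read_tlv(rsa, 0)                     # INTEGER n
    return int.from_bytes(modulus, "big").bit_length()

def check_record(txt_strings):
    """Return the problems found in a DKIM TXT record (empty list = OK)."""
    tags = parse_tags("".join(txt_strings))  # long records arrive as several strings
    problems = []
    if not tags.get("p"):
        problems.append("p= missing or empty: no usable public key")
    elif tags.get("k", "rsa") == "rsa" and rsa_key_bits(tags["p"]) < 2048:
        problems.append("RSA key shorter than the recommended 2048 bits")
    return problems

def _tlv(tag, body):  # DER encoder, used only to build the constructed sample
    n = len(body)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def sample_record(bits):
    """Constructed TXT strings holding a dummy modulus (not a usable key)."""
    n = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")
    alg = _tlv(0x30, bytes.fromhex("06092a864886f70d0101010500"))
    key = _tlv(0x30, _tlv(0x02, n) + _tlv(0x02, b"\x01\x00\x01"))
    spki = _tlv(0x30, alg + _tlv(0x03, b"\x00" + key))
    value = "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()
    return [value[i:i + 255] for i in range(0, len(value), 255)]
```

A 2048-bit record is longer than a single 255-byte TXT string, so DNS returns it in pieces; check_record joins the pieces before parsing.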
How to Verify DKIM in Gmail Headers
The best way to confirm DKIM is working end-to-end is to inspect actual email headers.
Send a test email
From your Gmail account, send a message to an external email address you control. Ideally use a non-Gmail address so you see the full authentication results.
Open the original message
In the receiving email client, view the message source or headers. In Gmail, click the three dots next to the reply button and select Show original.
Find the DKIM-Signature header
Search for DKIM-Signature in the raw headers. You will see something like:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
    d=yourdomain.com; s=google; t=1709251200;
    h=from:to:subject:date:message-id;
    bh=abc123...;
    b=xyz789...
Check the d= value. For Google Workspace, it should show your domain. For free Gmail, it shows gmail.com.
Check the Authentication-Results
Look for the Authentication-Results header:
Authentication-Results: mx.example.com;
    dkim=pass header.d=yourdomain.com header.s=google
A dkim=pass result confirms the signature verified successfully.
Gmail as a Sending Service
Some businesses use Gmail's SMTP servers to send email from applications, websites, or automated systems. If you configure an app to send through smtp.gmail.com using your Google Workspace credentials, those emails are signed with whatever DKIM configuration your Workspace domain has.
If DKIM is properly set up in Google Workspace, emails sent via SMTP relay will also be signed with your domain. If DKIM is not configured, they will be signed with Google's default key, which will not align with your custom domain for DMARC purposes.
For high-volume or transactional sending, consider a dedicated email service like SendGrid or Amazon SES instead of Gmail SMTP. Gmail has sending limits and is designed for person-to-person communication, not bulk or automated messages.
Troubleshooting Gmail DKIM
DKIM record not found: If a lookup for google._domainkey.yourdomain.com returns no results, the TXT record was not added to your DNS correctly. Double-check the record name and value in your DNS provider, and make sure you selected TXT as the record type.
Wrong selector: Google Workspace uses google as the default selector. If you chose a custom selector prefix during key generation, use that instead. The record will be at [prefix]._domainkey.yourdomain.com.
DKIM passes but DMARC fails: This is an alignment problem. Make sure the d= value in your DKIM signature matches your From address domain. If Gmail is signing with d=google.com rather than your domain, you have not completed the DKIM setup in the Admin Console. See our DKIM alignment guide for details.
DNS propagation delay: After adding the TXT record, it may take up to 48 hours to propagate globally, though most providers update within an hour. If verification fails, wait and try again.
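The header inspection from "How to Verify DKIM in Gmail Headers" and the alignment case from the troubleshooting list above can be combined into one check. This is an added example, not part of the original guide: it reads a raw message, keeps only the Authentication-Results header stamped by your own receiving server, and classifies the result. The function names and sample messages are constructed for illustration, and alignment is tested as an exact domain match.

```python
import email
import re
from email.utils import parseaddr

# dkim=<result> ... header.d=<domain>; some receivers report header.i=@<domain>
AR_DKIM = re.compile(r"dkim=(\w+)[^;]*?header\.(?:d=|i=[^\s;@]*@)([\w.-]+)")

def tag_list(value):
    """Parse a DKIM tag list; whitespace from header folding is dropped."""
    pairs = (p.split("=", 1) for p in value.split(";") if "=" in p)
    return {k.strip(): "".join(v.split()) for k, v in pairs}

def dkim_verdict(raw, authserv_id):
    """Classify a message as 'aligned', 'unaligned' or 'no-pass' for DKIM."""
    msg = email.message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    signed_as = [tag_list(v).get("d", "").lower()
                 for v in msg.get_all("DKIM-Signature", [])]
    passed = []
    for value in msg.get_all("Authentication-Results", []):
        # Trust only the header added by our own receiver; others can be forged.
        if value.split(";", 1)[0].strip().lower() != authserv_id:
            continue
        passed += [d.lower() for r, d in AR_DKIM.findall(value) if r == "pass"]
    # Exact match only; relaxed DMARC alignment needs organizational domains.
    if from_domain in passed:
        verdict = "aligned"
    elif passed:
        verdict = "unaligned"   # DKIM passes, but DMARC cannot use it
    else:
        verdict = "no-pass"
    return {"from": from_domain, "signed_as": signed_as, "verdict": verdict}

# Constructed sample messages, built from the header snippets shown in this guide.
ALIGNED = """\
Authentication-Results: mx.example.com;
 dkim=pass header.d=yourdomain.com header.s=google
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=yourdomain.com; s=google; t=1709251200;
 h=from:to:subject:date:message-id;
 bh=abc123...;
 b=xyz789...
From: You <yourname@yourdomain.com>

Constructed test body.
"""
UNALIGNED = ALIGNED.replace("d=yourdomain.com", "d=google.com")
UNTRUSTED = ALIGNED.replace("mx.example.com", "other.example.net")
```

Calling dkim_verdict(UNALIGNED, "mx.example.com") reproduces the "DKIM passes but DMARC fails" case: the signature verifies, but the signing domain is not the From domain.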
Free Gmail vs Google Workspace DKIM
| Feature | Free Gmail (@gmail.com) | Google Workspace (Custom Domain) |
|---|---|---|
| DKIM signing | Automatic, managed by Google | Manual setup required |
| Signing domain (d=) | gmail.com | yourdomain.com |
| Selector | Google-managed | google (default) or custom |
| Key size | Google-managed | 1024-bit or 2048-bit (recommended) |
| DMARC alignment | Aligns with gmail.com only | Aligns with your custom domain |
| User configuration | None possible | Full control via Admin Console |
Complete Your Authentication
DKIM is one part of a three-layer email authentication strategy. For the best deliverability with Gmail, also configure:
- SPF (Sender Policy Framework): Ensure Google's servers are authorized senders for your domain. Check your SPF record at spfrecordcheck.com.
- DMARC (Domain-based Message Authentication, Reporting and Conformance): Set a policy that tells receiving servers how to handle authentication failures. Check yours at dmarcrecordchecker.com.
If you use additional sending services alongside Gmail (marketing platforms, CRMs, transactional email), each needs its own DKIM setup. Generate keys for those services at dkimcreator.com.