Google Workspace DKIM Not Working? Fix It Fast (2026)
You enabled DKIM in the Google Admin console, but Gmail still shows DKIM as failing or not present. This usually means the selector record from the Google Admin setup screen was never added to DNS, was added under the wrong hostname, or does not match the selector Gmail is actually using to sign outbound mail.
If signatures fail, check the DKIM selector troubleshooting guide.
Learn the bigger picture in our Email Authentication Explained guide and compare SPF vs DKIM vs DMARC to understand how these protocols work together.
One-Minute Fix
In Google Admin, go to Apps → Google Workspace → Gmail → Authenticate email, enable DKIM for the correct domain, copy the exact TXT record shown there, and publish it at the selector._domainkey hostname in your DNS. Wait for DNS propagation, then send a new test message and re-check DKIM.
google._domainkey.example.com TXT "v=DKIM1; k=rsa; p=MIIBIjANBg..."The host name must exactly match the selector value shown in Google Admin followed by ._domainkey.yourdomain.com. If Google shows google as the selector, the TXT record must live at google._domainkey.yourdomain.com, not on the root zone or under www.
Re-checkWrong vs correct setup
Wrong setup
example.com TXT "v=DKIM1; k=rsa; p=MIIBIjANBg..."
google._domainkey.example.com TXT "v=DKIM1; k=rsa;"Here DKIM is either published on the root domain instead of under google._domainkey, or the p= value is truncated. Gmail will happily send mail, but receivers cannot fetch a valid public key, so DKIM verification fails for every message.
Correct setup
google._domainkey.example.com TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A..."This matches what Google Admin expects: DKIM is enabled for the right domain, the selector in DNS matches the selector in the Admin console, and the full public key is published without truncation.
Why this happens
With Google Workspace, DKIM is only fully active after you turn it on in the Admin console and publish the provided TXT record at your DNS provider. DKIM keeps failing when that TXT record is never added, is added under the wrong domain or zone, when the selector name is copied incorrectly, or when you test before external DNS resolvers can see the new record.
Why this is a problem
Gmail continues to send messages even when DKIM is missing or broken, but receivers treat that traffic as less trustworthy. DMARC policies that rely on DKIM alignment may fail, and over time important transactional and product emails can be pushed from the inbox into spam or promotions as providers see an incomplete authentication story.
How this affects deliverability
For Google Workspace domains, a working DKIM setup is one of the clearest signals that your mail is intentional and properly configured. When DKIM is not working, Gmail-signed mail looks the same as test or half-finished setups, which can make it harder to build and maintain inbox placement for high-value messages.
Common causes
- DKIM was never fully activated for this domain in the Google Admin console.
- The TXT record from Google Admin was not added at the selector._domainkey hostname in DNS.
- The selector name in DNS does not match the selector Gmail is using to sign messages.
- The record was added under the wrong domain or DNS zone (for example, a staging domain instead of the production sending domain).
- DNS changes were made recently and external resolvers are still seeing the old state.
- DKIM was configured in DNS but 'Start authentication' was never clicked in Google Admin.
What we checked
We queried the selector._domainkey hostname that Google Workspace uses for this domain and looked for a DKIM TXT record starting with v=DKIM1, with k=rsa and a non-empty p= public key. If no matching record exists, or the key appears truncated or published under a different hostname, Gmail-signed messages cannot be validated correctly.
Live DNS lookup. No login. No saved domains. No tracking.
FAQ
Where do I enable DKIM for Google Workspace?
In the Google Admin console, open Apps → Google Workspace → Gmail → Authenticate email. Choose the domain you send from, generate or reuse a selector, publish the TXT record in DNS at the specified host, then come back and click Start authentication.
How long does it take for Google Workspace DKIM to start working?
Once the TXT record is published correctly, DKIM usually starts passing as soon as DNS caches refresh. That can be a few minutes to a couple of hours depending on TTL and your DNS provider, but in edge cases it can take up to 24–48 hours.
Can I have multiple DKIM selectors for Google Workspace?
Yes. You can rotate keys by creating a new selector and publishing its TXT record while the old one is still in place. Just make sure the selector Gmail uses in the DKIM-Signature header always has a matching DNS record.
Why is DKIM still failing after I followed the Google guide?
Most persistent failures come from publishing the TXT record in the wrong zone, copying the selector incorrectly, or testing before DNS propagation is complete. Double-check the exact host name, use external DNS tools to confirm the record is visible, then send a fresh test from a Workspace mailbox. You can also open a real message in Gmail, click 'Show original', and check whether DKIM shows as pass or fail for your domain.
Next steps
- Confirm that DKIM is enabled for the correct domain in Google Admin.
- Copy the exact selector and TXT value from the Google DKIM setup screen.
- Publish the TXT record at selector._domainkey.yourdomain.com in your DNS provider.
- Wait for DNS propagation and send a new test message from a Google Workspace account.
- Re-run your DKIM and DMARC checks to confirm signatures now pass and align.
- Review the full troubleshooting guidance in the DKIM Hub.
- Explore sender authorization issues in the SPF Hub.
- Review alignment and policy issues in the DMARC Hub.