Enable DKIM signing in the Google Admin Console and publish the public key in your DNS to cryptographically authenticate outgoing email.
TXT
google._domainkey
v=DKIM1; k=rsa; p=YOUR_PUBLIC_KEY_FROM_ADMIN_CONSOLE
The actual public key value is generated in your Google Admin Console. The default selector is "google".
Go to admin.google.com and sign in with your administrator account.
Go to Apps > Google Workspace > Gmail > Authenticate email. Select your domain from the list.
Click "Generate new record". Choose a DKIM key bit length of 2048 (recommended). The default prefix selector is "google". Click Generate.
Copy the generated TXT record value and create a new TXT record in your DNS with the host name google._domainkey and the value provided by Google.
Host: google._domainkey
Type: TXT
Value: v=DKIM1; k=rsa; p=MIIBIjANBgkqh...(your key)Return to the Google Admin Console and click "Start authentication". Google will verify the DNS record. It may take up to 48 hours for DNS propagation, but typically works within minutes.
After adding your DNS records, use our free DKIM checker to verify everything is configured correctly. DNS changes typically propagate within minutes, but can take up to 48 hours.
The default DKIM selector for Google Workspace is "google". This means the DNS record is published at google._domainkey.yourdomain.com. You can customize the selector during key generation.
After adding the DNS record and clicking "Start authentication" in the Admin Console, DKIM signing typically activates within a few minutes. DNS propagation can take up to 48 hours in some cases.
Use 2048-bit keys for stronger security. Only use 1024-bit if your DNS provider cannot handle the longer TXT record value.