top of page
Search

🛡️ Keep Your Emails Out of Spam — How to Turn on DKIM for Your Domain [Updated October 2025]

Updated October 2025


If you send email from your business domain, turning on DKIM is a simple way to protect your reputation and keep more emails out of spam. DKIM adds a tamper-proof "signature" to each message so receiving mail servers can confirm it really came from you.


Why DKIM matters (plain-English)


  • Stops spoofing: Makes it harder for bad actors to send email pretending to be you.

  • Builds trust: Receiving servers can verify your cryptographic signature.

  • Improves deliverability: Properly signed mail is less likely to be filtered as spam.

  • Foundation for compliance: Along with SPF and DMARC, DKIM is expected for senders of all sizes (and required for high-volume senders).


Step-by-step: Turn on DKIM in Google Workspace


Step 1 — Generate a DKIM key pair

  • In Google Admin console (super admin required): Apps > Google Workspace > Gmail > Authenticate email (DKIM).

  • Choose your sending domain.

  • Generate a new DKIM record (selector usually "google") with a 2048-bit key.

  • You'll get the public key (to publish in DNS). The private key stays secure on Google's servers.


Screenshot of Google Admin console showing DKIM 'Authenticate email' screen for domain selection"

Step 2 — Publish the DKIM TXT record at your DNS

  • Sign in where your domain is hosted (e.g., GoDaddy, Cloudflare, Squarespace).

  • Add a TXT record:

    • Host/Name: google._domainkey.yourdomain.com

    • Value: The "v=DKIM1; k=rsa; p=…" public key from Admin console

    • TTL: Use your default (or 1 hour).

  • Save. DNS changes can take up to 48 hours to propagate.


Step 3 — Start authentication and verify

  • Back in Google Admin console, click Start authentication for that domain.

  • Send a test email (e.g., to a Gmail address). In Gmail, open the message > More (⋮) > Show original. Look for "DKIM: PASS."

  • If you don't see DKIM passing after propagation, double-check your DNS entry and selector.


Quick reference table

Step

What you do

Notes

1

Generate DKIM in Admin console

Domain + selector ("google"), 2048-bit key

2

Add TXT at DNS

Host: google._domainkey, Value: v=DKIM1; k=rsa; p=…

3

Start auth + test

In Gmail "Show original," expect DKIM: PASS


Tips and watch-outs


  • If you use Google Domains or Squarespace: Good news! They might already have DKIM set up for you. You might just need to click the "Start authentication" button.

  • Use the strongest key: When you set up DKIM, pick the 2048-bit key option. It's stronger and works better with email companies.

  • If you use other email tools: Make sure they don't mess up your DKIM. Ask them how to make DKIM work with their system.

  • Change your keys once a year: Just like changing passwords, it's good to make new DKIM keys every year to stay safe.

  • Don't forget SPF and DMARC: After DKIM is working, set up these other two safety tools too. They work together like a team.

  • If it's not working: Check for extra spaces or quote marks in your TXT record. Make sure the host name is right. Sometimes it takes up to 2 days for changes to work.


Simple checklist you can follow


☑️  Super admin access to Google Admin console

☑️  DKIM key generated (selector: google, 2048-bit)

☑️  TXT published at google._domainkey.yourdomain.com

☑️ Start authentication clicked in Admin console

☑️ Test email shows "DKIM: PASS"

☑️  SPF and DMARC reviewed next


FAQ

What is DKIM in one sentence?

DKIM is a cryptographic signature added to your emails so receiving servers can verify they were sent by your domain and weren't altered in transit.


Do small lists really need DKIM?

Yes. Even small senders benefit from reduced spoofing risk and better inbox trust—plus many providers expect DKIM to be present.


Does DKIM replace SPF or DMARC?

No. Use all three. SPF verifies sending servers, DKIM verifies message integrity, and DMARC tells receivers how to enforce failures and gives you reports.


How do I check if DKIM is passing?

Send a test to Gmail, open the message > More (⋮) > Show original, and look for "DKIM: PASS."


How long does setup take?

Generating and adding the record takes 5–10 minutes; DNS can take up to 48 hours to propagate before DKIM shows as PASS.


What if I use a third-party email platform?

You may need that platform to sign mail with your domain, or update DNS with their DKIM keys. Ensure only one valid DKIM signature remains on the final sent message.


Take Action

Short on time? We'll help you set up DKIM (and align SPF/DMARC) and send trust-building newsletters your customers actually read.



External citations:

 
 
 

Recent Posts

See All
The Tech Trio Every Business Must Have!

You need three foundational pieces working together before you can start sending those amazing newsletters we've been talking about. Let me walk you through each piece and why it matters...

 
 
 

Comments

The Instant Newsletter Company   |   Detroit, Michigan  |   Privacy Policy  |   ©2025 Mandie Kramer

bottom of page