Google Workspace DKIM Not Working? 6 Causes and How to Fix Them

April 18, 2026 • InboxGreenEmail Team

🚨 DKIM issues can silently kill replies.

If opens dropped, replies disappeared, or bounces increased, treat it as an incident. Run the scan and get a fix path.

No signup required. Works on any domain.

search Run a Free Domain Check notifications_active Monitor my domain

You set up Google Workspace (formerly G Suite) for your domain. You went into Gmail → Admin Console → Gmail → Authenticate email, generated a DKIM key, copied it to DNS — and it still says "not authenticated" or your emails still fail DKIM.

DKIM for Google Workspace is one of the most commonly misconfigured DNS records — and Google's error messages don't make it easy to diagnose. Here's what to check.

1. The DNS record hasn't propagated yet

DNS changes can take anywhere from 5 minutes to 48 hours to propagate globally. Google's Admin Console checks propagation periodically, but it doesn't always reflect the latest state.

Don't click "Start authentication" immediately after adding the record. Wait at least 30–60 minutes, then check with a live DNS lookup:

Use the free DKIM Checker — enter your domain and the Google selector (google)
Or run the full check at InboxGreen.email/check

If the record shows up in the DKIM Checker but Google still says "not authenticated", click "Start authentication" again.

2. The record was copied with formatting errors

Google provides a long TXT record that looks like this:

v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...

Common copy-paste mistakes:

Extra spaces inside the record (especially in the p= key value)
Missing parts of the key (the key is very long — make sure you got it all)
Wrapping the value in quotes in your DNS panel when the panel doesn't require it (some hosts need quotes, some add them automatically and get confused if you add them too)
Adding the record as type A or CNAME instead of TXT

Look up the record you have live using the TXT Lookup tool and compare it character-by-character with what Google provided.

3. The hostname is wrong

Google Workspace DKIM uses the hostname (selector): google._domainkey.yourdomain.com

When adding this in your DNS panel, you typically enter just the subdomain part — google._domainkey — as the hostname. But some DNS panels show the full domain, and some auto-append your domain.

Common mistake: entering google._domainkey.yourdomain.com as the hostname when your DNS panel is already on yourdomain.com, resulting in google._domainkey.yourdomain.com.yourdomain.com.

Check what's actually live: use the DKIM Checker with selector google and your domain. If it returns "not found", the hostname is probably wrong.

4. Your DNS host has a character limit on TXT records

Some older or simpler DNS hosts (including some domain registrars) limit TXT records to 255 characters per string. Google's DKIM key is much longer than that.

RFC 4408 allows TXT records to be split into multiple 255-character strings, which must be concatenated by DNS clients. The format looks like:

"v=DKIM1; k=rsa; p=MIIBIjANBgkq..." "hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQ..."

If your DNS host doesn't support this format, you may need to switch to a DNS provider that does (Cloudflare, AWS Route 53, and most major hosts handle this fine).

5. A previous DKIM record for the same selector is conflicting

If you previously had Google Workspace set up and rotated keys, the old TXT record may still be live at google._domainkey.yourdomain.com. Having two TXT records at the same hostname breaks DKIM validation.

Check for this with the TXT Lookup tool: look up google._domainkey.yourdomain.com and see if multiple records come back.

6. DMARC is failing even though DKIM passes

DKIM might actually be passing, but DMARC could still fail. DMARC requires alignment: the domain in the DKIM d= tag must match (or be an org-domain parent of) the From: address.

If your Google Workspace account sends from [email protected], DKIM must be signing with d=yourdomain.com — not a subdomain or different domain.

Check alignment with the free DMARC Analyzer.

Google Workspace DKIM diagnostic steps

Run InboxGreen.email/check on your domain — it checks the google selector specifically
Use the DKIM Checker to look up google._domainkey.yourdomain.com directly
Compare the live TXT record with what Google Admin Console shows under Gmail → Authenticate email
Send a test email to a personal Gmail account, open "Show original", check dkim=pass in Authentication-Results
If DKIM passes but DMARC fails, check alignment with the DMARC Analyzer

Once DKIM is passing and DMARC shows alignment, your Google Workspace emails will have proper authentication and you'll stop hitting spam filters.

For a complete setup checklist with copy-paste records for your exact domain and Google Workspace, try the InboxGreen FixKit.

Free Deliverability Scan

Check SPF, DKIM, DMARC and List-Unsubscribe for your domain in seconds.