Google Workspace DKIM Not Working? 6 Causes and How to Fix Them

Q: How do I know if Google Workspace DKIM is working?

Send a test email to Gmail, open it, and click More then Show original. Look for dkim=pass header.d=yourdomain.com in the Authentication-Results line. You can also use the DKIM Checker at inboxgreen.email/tools/dkim-checker with selector google and your domain.

Q: Why does Google say authenticating but emails still show DKIM fail?

The Admin Console status can be slow to update. Send a test email and check Show original in Gmail to verify signing. If the record is live but signing fails, check that the TXT value was copied completely and the hostname is exactly google._domainkey.

Q: What should the Google DKIM TXT record look like?

The Google DKIM record is published at google._domainkey.yourdomain.com and starts with v=DKIM1; k=rsa; p= followed by a long RSA public key. Google generates this key in the Admin Console under Apps > Google Workspace > Gmail > Authenticate email.

April 18, 2026 • InboxGreenEmail Team

Email authentication issues can hurt your inbox placement without any warning.

Run a free scan to check SPF, DKIM, DMARC, and blacklist status for your domain.

No signup required. Works on any domain.

search Run a Free Domain Check notifications_active Monitor my domain

You set up Google Workspace (formerly G Suite) for your domain. You went into Gmail → Admin Console → Gmail → Authenticate email, generated a DKIM key, copied it to DNS — and it still says "not authenticated" or your emails still fail DKIM.

DKIM for Google Workspace is one of the most commonly misconfigured DNS records — and Google's error messages don't make it easy to diagnose. Here's what to check.

1. The DNS record hasn't propagated yet

DNS changes can take anywhere from 5 minutes to 48 hours to propagate globally. Google's Admin Console checks propagation periodically, but it doesn't always reflect the latest state.

Don't click "Start authentication" immediately after adding the record. Wait at least 30–60 minutes, then check with a live DNS lookup:

Use the free DKIM Checker — enter your domain and the Google selector (google)
Or run the full check at InboxGreen.email/check

If the record shows up in the DKIM Checker but Google still says "not authenticated", click "Start authentication" again.

2. The record was copied with formatting errors

Google provides a long TXT record that looks like this:

v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...

Common copy-paste mistakes:

Extra spaces inside the record (especially in the p= key value)
Missing parts of the key (the key is very long — make sure you got it all)
Wrapping the value in quotes in your DNS panel when the panel doesn't require it (some hosts need quotes, some add them automatically and get confused if you add them too)
Adding the record as type A or CNAME instead of TXT

Look up the record you have live using the TXT Lookup tool and compare it character-by-character with what Google provided.

3. The hostname is wrong

Google Workspace DKIM uses the hostname (selector): google._domainkey.yourdomain.com

When adding this in your DNS panel, you typically enter just the subdomain part — google._domainkey — as the hostname. But some DNS panels show the full domain, and some auto-append your domain.

Common mistake: entering google._domainkey.yourdomain.com as the hostname when your DNS panel is already on yourdomain.com, resulting in google._domainkey.yourdomain.com.yourdomain.com.

Check what's actually live: use the DKIM Checker with selector google and your domain. If it returns "not found", the hostname is probably wrong.

4. Your DNS host has a character limit on TXT records

Some older or simpler DNS hosts (including some domain registrars) limit TXT records to 255 characters per string. Google's DKIM key is much longer than that.

RFC 4408 allows TXT records to be split into multiple 255-character strings, which must be concatenated by DNS clients. The format looks like:

"v=DKIM1; k=rsa; p=MIIBIjANBgkq..." "hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQ..."

If your DNS host doesn't support this format, you may need to switch to a DNS provider that does (Cloudflare, AWS Route 53, and most major hosts handle this fine).

5. A previous DKIM record for the same selector is conflicting

If you previously had Google Workspace set up and rotated keys, the old TXT record may still be live at google._domainkey.yourdomain.com. Having two TXT records at the same hostname breaks DKIM validation.

Check for this with the TXT Lookup tool: look up google._domainkey.yourdomain.com and see if multiple records come back.

6. DMARC is failing even though DKIM passes

DKIM might actually be passing, but DMARC could still fail. DMARC requires alignment: the domain in the DKIM d= tag must match (or be an org-domain parent of) the From: address.

If your Google Workspace account sends from [email protected], DKIM must be signing with d=yourdomain.com — not a subdomain or different domain.

Check alignment with the free DMARC Analyzer.

Google Workspace DKIM diagnostic steps

Run InboxGreen.email/check on your domain — it checks the google selector specifically
Use the DKIM Checker to look up google._domainkey.yourdomain.com directly
Compare the live TXT record with what Google Admin Console shows under Gmail → Authenticate email
Send a test email to a personal Gmail account, open "Show original", check dkim=pass in Authentication-Results
If DKIM passes but DMARC fails, check alignment with the DMARC Analyzer

Once DKIM is passing and DMARC shows alignment, your Google Workspace emails will have proper authentication and you'll stop hitting spam filters.

For a complete setup checklist with copy-paste records for your exact domain and Google Workspace, try the InboxGreen FixKit.

Related Guides

Google Workspace Authentication Guide

Full step-by-step SPF, DKIM, and DMARC setup for Google Workspace with exact DNS records and verification commands.

DKIM Errors and Fixes

Complete reference for all DKIM failure types: selector not found, body hash mismatch, key length, and alignment.

DMARC Errors and Fixes

When DKIM passes but DMARC still fails, the cause is almost always alignment. Here is how to fix it.

Common Questions

How do I know if Google Workspace DKIM is actually working?

Send a test email to a Gmail address, open it, and click More (three dots) then "Show original". Look for dkim=pass header.d=yourdomain.com in the Authentication-Results line. You can also use the DKIM Checker with selector google and your domain to verify the DNS record is live.

Do I need to click "Start authentication" after publishing the DNS record?

Yes. Publishing the DNS TXT record alone does not enable DKIM signing. You must return to the Google Admin Console (Apps → Google Workspace → Gmail → Authenticate email) and click "Start authentication" after the DNS record has propagated. Google verifies the record is live before enabling signing.

Why does Google say "authenticating" but emails still show DKIM fail?

The Admin Console status can be slow to update. The reliable test is to send an email and check "Show original" in Gmail. If the record is live in DNS but signing still fails, check that the TXT value was copied completely without truncation, and that the hostname is exactly google._domainkey (not the full domain).

What should the Google DKIM TXT record look like?

The Google DKIM record is published at google._domainkey.yourdomain.com and starts with v=DKIM1; k=rsa; p= followed by a long RSA public key string. Google generates this key for you in the Admin Console. Use 2048-bit when prompted for key length.

Free Deliverability Scan

Check SPF, DKIM, DMARC and List-Unsubscribe for your domain in seconds.