DKIM (DomainKeys Identified Mail) cryptographically signs every email you send so receiving servers can verify it actually came from your domain. Without it, Gmail puts your cold emails straight to spam, and DMARC (which depends on DKIM) can't function at all.

This is part of our Complete Guide to Cold Email Deliverability — the four pillars that decide inbox placement.

If you're on Google Workspace, the setup is 5 minutes of clicks plus one DNS record. Here's the complete walkthrough.

Step 1: Generate the DKIM key

Sign in to admin.google.com as a Workspace admin.
Navigate: Apps → Google Workspace → Gmail → Authenticate email.
Select your domain from the dropdown.
Click Generate new record.
Choose 2048-bit key length (recommended; 1024 is being phased out by major providers).
Leave the prefix as the default google (don't change it unless you have a specific reason, we'll explain below).
Click Generate.

You'll get two values:

DNS Host name (TXT record name): google._domainkey
TXT record value: a long string starting with v=DKIM1; k=rsa; p=MIIB...

Copy the TXT record value to a safe place. You won't be able to see it again without regenerating.

Step 2: Add the DNS record

Where you do this depends on your DNS provider. The pattern is the same:

Type: TXT
Host / Name / Subdomain: google._domainkey
- On some providers (Cloudflare, IONOS) you enter just google._domainkey
- On others (GoDaddy, Namecheap) you enter google._domainkey.yourdomain.com, they auto-strip the apex
Value: the long string from Step 1 (starts with v=DKIM1)
TTL: 3600 (1 hour) is fine

Save. DNS propagates in 15 minutes to a few hours depending on TTL caching.

Step 3: Verify and turn it on

Wait at least 30 minutes after adding the DNS record.
Back in Apps → Gmail → Authenticate email, click Start authentication.

Status changes from Not authenticating email → Authenticating email. From this moment on, every outbound email from your Workspace domain is signed.

Step 4: Test it works

Send a test email to a Gmail address and check the message source:

In Gmail, open the test email.
Click the 3-dot menu → Show original.

Look for DKIM: in the headers, you want to see:

DKIM:                 PASS with domain yourdomain.com

If it says FAIL or doesn't appear at all, your DNS hasn't propagated or the record value is mistyped. Use MXToolbox DKIM Lookup to verify the record is published correctly.

Why the prefix matters

The default DKIM selector is google, meaning the DNS record name is google._domainkey.yourdomain.com. Most receivers accept this fine.

If you want to rotate the key (best practice every 12-24 months), generate a new key with prefix google2, add the new TXT record, wait for DNS propagation, then switch the active selector in Workspace admin. Old emails signed with google continue to verify; new emails sign with google2. After a week, delete the old DNS record.

Common pitfalls

Multiple DKIM keys for the same selector, only one TXT record per host name. Adding a second google._domainkey overwrites the first.
Wrong record type, DKIM is TXT, not CNAME. Some providers show "DKIM" as a special record type; if so, use the TXT format.
Leftover quotes, Google's UI sometimes wraps the value in "...". Most DNS UIs auto-strip; some don't. If verification fails, try removing the surrounding quotes.
Long values truncated, DKIM records are >250 characters. Some DNS UIs split them automatically with quoted segments ("v=DKIM1..." "p=MIIB..."). This is correct, don't manually edit.

Next: SPF and DMARC

DKIM alone gets you 30% of the way to inbox placement. For the full authentication trio, also configure:

SPF, declares which servers can send on behalf of your domain.
DMARC, ties SPF + DKIM together with a policy receivers honor.

Both are covered in the cold email deliverability checklist.

If you're sending more than 5,000 emails/day, you also need the List-Unsubscribe header - required by Gmail and Yahoo as of 2024.

Bulk Email Boxer monitors DKIM status per sender mailbox and tells you when alignment breaks (e.g. you accidentally rotated the key without updating DNS). Start your free 14-day trial, no credit card, set up in 5 minutes.