---
title: "Learning to avoid breaking up the Google Workspace DKIM setup | DuoCircle"
description: "Enabling DKIM on Google Workspace is a two-step process but most people stop after completing the first one only."
image: "https://www.duocircle.com/images/og-default.png"
canonical: "https://www.duocircle.com/blog/email-security/learning-to-avoid-breaking-up-the-google-workspace-dkim-setup/"
---

Quick Answer

Google Workspace DKIM setup is two steps and most admins stop after step one, which silently breaks DKIM signing on custom domains. Step one: generate the DKIM key pair in the Workspace admin console and publish the TXT record at google.\_domainkey.example.com in DNS. Step two: after DNS propagates (24-48 hours), return to the Workspace admin console and click Start Authentication. Skip step two and DMARC still passes for normal mail because SPF aligns through \_spf.google.com, but apps that use a Google bounce domain in the Envelope-From (Calendar invites use calendar-server.bounces.google.com) will fail SPF alignment and, with DKIM never enabled, fail DMARC entirely. With p=reject, those messages bounce. Switch DMARC to p=quarantine while testing to avoid losing legitimate mail.

Share 

[ ](https://www.linkedin.com/sharing/share-offsite/?url=undefined%2Fblog%2Femail-security%2Flearning-to-avoid-breaking-up-the-google-workspace-dkim-setup%2F "Share on LinkedIn") [ ](https://twitter.com/intent/tweet?text=Learning%20to%20avoid%20breaking%20up%20the%20Google%20Workspace%20DKIM%20setup&url=undefined%2Fblog%2Femail-security%2Flearning-to-avoid-breaking-up-the-google-workspace-dkim-setup%2F "Share on X/Twitter") [ ](https://www.facebook.com/sharer/sharer.php?u=undefined%2Fblog%2Femail-security%2Flearning-to-avoid-breaking-up-the-google-workspace-dkim-setup%2F "Share on Facebook") [ ](https://reddit.com/submit?url=undefined%2Fblog%2Femail-security%2Flearning-to-avoid-breaking-up-the-google-workspace-dkim-setup%2F&title=Learning%20to%20avoid%20breaking%20up%20the%20Google%20Workspace%20DKIM%20setup "Share on Reddit") [ ](mailto:?subject=Learning%20to%20avoid%20breaking%20up%20the%20Google%20Workspace%20DKIM%20setup&body=Check out this article: undefined%2Fblog%2Femail-security%2Flearning-to-avoid-breaking-up-the-google-workspace-dkim-setup%2F "Share via Email") 

![Google Workspace DKIM setup](https://media.mailhop.org/duocircle/images/2024/10/dkim-validation-2.jpg) 

Enabling DKIM on Google Workspace is a **two-step process** but most people stop after completing the first one only. If that’s what you have also done, then please know that in such scenarios, DKIM and [DMARC](/resources/what-is-dmarc) will function normally, and there won’t be any impact on email delivery, failing to complete the second step will compromise your [email security](/). _However, DKIM will fail to authenticate emails using your custom domain, causing communication problems at multiple levels_. 

This blog shares the right steps so that you don’t break the [Google Workspace](https://workspace.google.com/) DKIM setup.

## The first step of Google Workspace DKIM setup

Begin by producing a pair of public and private [DKIM keys](/email-security/how-do-you-configure-dkim-keys-for-salesforce/) that are protected by cryptography. Next, use your DKIM record and configure the domain’s DNS to serve the record under google.\_domainkeys.example.com. Please be mindful of replacing example.com with your Google Workspace domain.

[![public and private DKIM keys](https://media.mailhop.org/duocircle/images/2024/10/dmarc-report-3.jpg)](https://media.mailhop.org/duocircle/images/2024/10/dmarc-report-3.jpg)

Most people stop their Google Workspace **DKIM setup process** here. _This is a wrong approach since this step alone can’t enable Google to sign emails using your domain as the signing domain. You need to perform another step to do that_. 

## The second step of the Google Workspace DKIM setup

Generate a DKIM record using an online tool and then add it to your domain’s DNS. Wait for 24 to 48 hours for the changes to propagate across the internet. After that, visit Google Workspace to turn on [DKIM](/resources/what-is-dkim) by clicking the ‘**Start Authentication’ button**. 

## Does DMARC work fine?

Many [domain owners](https://thehackernews.com/2024/02/8000-subdomains-of-trusted-brands.html) or administrators are unaware that Google is not **signing emails** with their domains, as DMARC still functions properly. Typically, a malfunction in DMARC is a sign of issues with DKIM and [SPF](/resources/what-is-spf) settings, but this is not the case with Google Workspace.

Two reasons DMARC continues to work in this situation are:

1. [SPF records](/content/spf-records) often include the \_**spf.google.com domain**, allowing emails to pass SPF authentication checks.
2. Gmail, by default, uses the sender’s address in the ‘Envelope-From’ header, ensuring that the ‘Envelope-From’ and ‘From’ domains match.

Due to these factors, SPF alignment is maintained even if DKIM isn’t aligned, and since DMARC only requires one of these **protocols to pass**, the checks succeed.

## Fixing the issue the right way

_Certain Google applications don’t use your domain in the \*\*‘\*\*Envelope-From header’ of the emails sent from your domain_. What they do instead is use your domain in the ‘From’ header and a [Google domain](https://en.wikipedia.org/wiki/Google%5FDomains) is used in the ‘**Envelope-From’ address**. 

In such scenarios, SPF alignment fails. Emails sent from these applications [fail DMARC checks](/email-services/gmail-550-5-7-26-error-for-emails-failing-dmarc-checks/) unless **DKIM is configured** and turned on in Google Workspace. 

Think of **Google Calendar invites** as an example. Even if the emails show your domain in the ‘From’ address, the ‘Envelope-From’ points to calendar-server.bounces.google.com.

[![DMARC policy](https://media.mailhop.org/duocircle/images/2024/10/spf-record-generator-6874.jpg)](https://media.mailhop.org/duocircle/images/2024/10/spf-record-generator-6874.jpg)

In this case, **SPF alignment** will always fail, so DMARC relies only on DKIM to pass. _But if DKIM isn’t used, it will also fail, causing DMARC to fail_, too. If you have a strict [DMARC policy](/resources/dmarc-policy) (like p=reject), these confirmation emails will be rejected.

## What happens when you enable DKIM authentication on an existing domain?

If you are thorough and careful in performing the **two steps mentioned above**, there will be no issues. But just to be on the safer end, switch your DMARC policy from ‘reject’ to ‘quarantine.’ We suggest this so your emails don’t [bounce back](https://mxtoolbox.com/dmarc/email/bounceback) in case of [false positives](https://www.theregister.com/2023/04/03/3cx%5Ffalse%5Fpositive%5Fsupply%5Fchain%5Fattack/).

## Topics

DKIMDMARCemail securityspfSPF record 

![Brad Slavin](https://media.mailhop.org/dmarcreport/images/team/brad-slavin.jpg) 

Brad Slavin 

General Manager

General Manager at DuoCircle. Product strategy and commercial lead across the email security portfolio.

## Secure your email infrastructure

Protect, authenticate, and deliver. Contact our team to find the right solution.

[Contact Sales](/contact/) [Explore Products](/products/) 

## Related Articles

[  Email Security 6m  Building a zero-trust security model for emails  Dec 11, 2024 ](/blog/email-security/building-a-zero-trust-security-model-for-emails/)[  Email Security 7m  How email authentication helps you prove sender identity under ISO 27001  Nov 18, 2025 ](/blog/email-security/how-email-authentication-helps-verify-sender-identity-for-iso-27001/)[  Email Security 6m  How do you achieve SPF alignment to enhance email security and deliverability?  Mar 25, 2025 ](/blog/email-security/how-spf-alignment-improves-email-security-and-deliverability/)[  Email Security 3m  How SPF, DKIM, and DMARC quietly protect every email you send?  Jun 13, 2025 ](/blog/email-security/how-spf-dkim-dmarc-protect-every-email-you-send-securely/)

```json
{"@context":"https://schema.org","@type":"Organization","name":"DuoCircle LLC","url":"https://www.duocircle.com","logo":{"@type":"ImageObject","url":"https://www.duocircle.com/images/duocircle-logo.png"},"description":"DuoCircle is a portfolio of specialized email products covering protection, authentication, delivery, and routing. We deliver about 90% of category-leader capability at roughly half the price, backed by experts who own the outcome. Trusted by 50,000+ organizations since 2014.","subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}],"sameAs":["https://www.linkedin.com/company/duocircle","https://x.com/duocirclellc","https://www.facebook.com/duocirclellc","https://www.g2.com/products/phish-protection-by-duocircle/reviews","https://github.com/duocircle","https://www.crunchbase.com/organization/duocircle-llc"],"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://support.duocircle.com"},"knowsAbout":["Email Security","Email Authentication","SPF","DKIM","DMARC","Phishing Protection","Spam Filtering","SMTP Relay","Email Deliverability","Email Forwarding"]}
```

```json
{"@context":"https://schema.org","@type":"WebSite","name":"DuoCircle LLC","url":"https://www.duocircle.com","description":"DuoCircle is a portfolio of specialized email products covering protection, authentication, delivery, and routing. We deliver about 90% of category-leader capability at roughly half the price, backed by experts who own the outcome. Trusted by 50,000+ organizations since 2014.","publisher":{"@type":"Organization","name":"DuoCircle LLC","url":"https://www.duocircle.com","logo":{"@type":"ImageObject","url":"https://www.duocircle.com/images/duocircle-logo.png"},"description":"DuoCircle is a portfolio of specialized email products covering protection, authentication, delivery, and routing. We deliver about 90% of category-leader capability at roughly half the price, backed by experts who own the outcome. Trusted by 50,000+ organizations since 2014.","subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]}}
```

```json
[{"@context":"https://schema.org","@type":"BlogPosting","headline":"Learning to avoid breaking up the Google Workspace DKIM setup","description":"Enabling DKIM on Google Workspace is a two-step process but most people stop after completing the first one only.","url":"https://www.duocircle.com/blog/email-security/learning-to-avoid-breaking-up-the-google-workspace-dkim-setup/","datePublished":"2024-10-09T19:25:39.000Z","dateModified":"2025-09-01T12:54:30.000Z","dateCreated":"2024-10-09T19:25:39.000Z","author":{"@type":"Person","@id":"https://www.duocircle.com/authors/brad-slavin/#person","name":"Brad Slavin","url":"https://www.duocircle.com/authors/brad-slavin/","jobTitle":"General Manager","description":"Brad Slavin runs DuoCircle, the company behind DMARC Report, AutoSPF, Phish Protection, and Mailhop. His focus is product strategy, customer relationships, and the commercial and compliance side of email authentication (DPAs, SLAs, enterprise procurement).","image":"https://media.mailhop.org/dmarcreport/images/team/brad-slavin.jpg","knowsAbout":["Email Security Strategy","SaaS Product Management","Enterprise Compliance","Customer Success","Email Deliverability Business"],"worksFor":{"@type":"Organization","name":"DuoCircle LLC","url":"https://www.duocircle.com"},"sameAs":["https://www.linkedin.com/in/bradslavin"]},"publisher":{"@type":"Organization","name":"DuoCircle LLC","url":"https://www.duocircle.com","logo":{"@type":"ImageObject","url":"https://www.duocircle.com/images/duocircle-logo.png"},"description":"DuoCircle is a portfolio of specialized email products covering protection, authentication, delivery, and routing. We deliver about 90% of category-leader capability at roughly half the price, backed by experts who own the outcome. Trusted by 50,000+ organizations since 2014.","subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"mainEntityOfPage":{"@type":"WebPage","@id":"https://www.duocircle.com/blog/email-security/learning-to-avoid-breaking-up-the-google-workspace-dkim-setup/"},"articleSection":"email-security","keywords":"DKIM, DMARC, email security, spf, SPF record","wordCount":604,"image":{"@type":"ImageObject","url":"https://media.mailhop.org/duocircle/images/2024/10/dkim-validation-2.jpg","caption":"Google Workspace DKIM setup","width":900,"height":600},"speakable":{"@type":"SpeakableSpecification","cssSelector":[".answer-block","h1"]}},{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Blog","item":"https://www.duocircle.com/blog/"},{"@type":"ListItem","position":2,"name":"Email Security"},{"@type":"ListItem","position":3,"name":"Learning to avoid breaking up the Google Workspace DKIM setup","item":"https://www.duocircle.com/blog/email-security/learning-to-avoid-breaking-up-the-google-workspace-dkim-setup/"}]}]
```

```json
{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://www.duocircle.com/"},{"@type":"ListItem","position":2,"name":"Blog","item":"https://www.duocircle.com/blog/"},{"@type":"ListItem","position":3,"name":"Email Security","item":"https://www.duocircle.comundefined"},{"@type":"ListItem","position":4,"name":"Learning to avoid breaking up the Google Workspace DKIM setup","item":"https://www.duocircle.com/blog/email-security/learning-to-avoid-breaking-up-the-google-workspace-dkim-setup/"}]}
```

```json
{"@context":"https://schema.org","@type":"BlogPosting","headline":"Learning to avoid breaking up the Google Workspace DKIM setup","description":"Enabling DKIM on Google Workspace is a two-step process but most people stop after completing the first one only.","url":"https://www.duocircle.com/blog/email-security/learning-to-avoid-breaking-up-the-google-workspace-dkim-setup/","datePublished":"2024-10-09T19:25:39.000Z","dateModified":"2025-09-01T12:54:30.000Z","dateCreated":"2024-10-09T19:25:39.000Z","author":{"@type":"Person","@id":"https://www.duocircle.com/authors/brad-slavin/#person","name":"Brad Slavin","url":"https://www.duocircle.com/authors/brad-slavin/","jobTitle":"General Manager","description":"Brad Slavin runs DuoCircle, the company behind DMARC Report, AutoSPF, Phish Protection, and Mailhop. His focus is product strategy, customer relationships, and the commercial and compliance side of email authentication (DPAs, SLAs, enterprise procurement).","image":"https://media.mailhop.org/dmarcreport/images/team/brad-slavin.jpg","knowsAbout":["Email Security Strategy","SaaS Product Management","Enterprise Compliance","Customer Success","Email Deliverability Business"],"worksFor":{"@type":"Organization","name":"DuoCircle LLC","url":"https://www.duocircle.com"},"sameAs":["https://www.linkedin.com/in/bradslavin"]},"publisher":{"@type":"Organization","name":"DuoCircle LLC","url":"https://www.duocircle.com","logo":{"@type":"ImageObject","url":"https://www.duocircle.com/images/duocircle-logo.png"},"description":"DuoCircle is a portfolio of specialized email products covering protection, authentication, delivery, and routing. We deliver about 90% of category-leader capability at roughly half the price, backed by experts who own the outcome. Trusted by 50,000+ organizations since 2014.","subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"mainEntityOfPage":{"@type":"WebPage","@id":"https://www.duocircle.com/blog/email-security/learning-to-avoid-breaking-up-the-google-workspace-dkim-setup/"},"articleSection":"email-security","keywords":"DKIM, DMARC, email security, spf, SPF record","wordCount":604,"image":{"@type":"ImageObject","url":"https://media.mailhop.org/duocircle/images/2024/10/dkim-validation-2.jpg","caption":"Google Workspace DKIM setup","width":900,"height":600},"speakable":{"@type":"SpeakableSpecification","cssSelector":[".answer-block","h1"]}}
```