How to Set Up DKIM for Google Workspace and Microsoft 365
If you're sending business email from Google Workspace or Microsoft 365, enabling DKIM (DomainKeys Identified Mail) is no longer optional — it's essential. With Google, Yahoo, and now Apple enforcing stricter authentication requirements for bulk senders, unauthenticated email is increasingly being filtered to spam or rejected outright.
This guide shows New Zealand businesses exactly how to configure DKIM on both platforms, with practical DNS examples you can apply to your .co.nz or .nz domain.
What Is DKIM and Why Does It Matter?
DKIM adds a cryptographic signature to every outgoing email. Receiving mail servers use a public key published in your DNS to verify that the message genuinely came from your domain and hasn't been tampered with in transit.
Combined with SPF and DMARC, DKIM helps:
- Prevent spoofing of your brand by scammers and phishers
- Improve deliverability into Gmail, Outlook, and Xtra inboxes
- Meet compliance requirements for sender reputation programs
- Unlock BIMI (your logo appearing next to emails)
Without DKIM, your DMARC policy cannot fully protect your domain — and your emails may not reach customers at all.
Part 1: Setting Up DKIM for Google Workspace
Google Workspace generates a DKIM key for you, which you then publish in your DNS. Here's how.
Step 1: Generate Your DKIM Key in the Admin Console
- Sign in to the Google Admin Console as a super administrator.
- Navigate to Apps → Google Workspace → Gmail.
- Click Authenticate email.
- Select your domain from the dropdown (e.g. yourbusiness.co.nz).
- Click Generate new record.
- Choose 2048-bit key length (recommended) and leave the prefix selector as google.
- Click Generate.
Google will now display a TXT record containing your DKIM public key.
Step 2: Add the DKIM Record to Your DNS
Log in to your DNS provider (for NZ businesses, this might be 1st Domains, Freeparking, SiteHost, Cloudflare, or your web host). Add a new TXT record:
Host/Name: google._domainkey
Type: TXT
Value: v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A...
TTL: 3600
Note: Some providers require just google._domainkey while others need the full google._domainkey.yourbusiness.co.nz. Enter only the subdomain portion unless your provider says otherwise.
Step 3: Activate DKIM Signing
- Wait 15–60 minutes for DNS to propagate.
- Return to Authenticate email in the Admin Console.
- Click Start authentication.
Once activated, Google will sign all outbound email from your domain.
Part 2: Setting Up DKIM for Microsoft 365
Microsoft 365 creates two DKIM selectors (selector1 and selector2) to allow automatic key rotation. You'll publish both as CNAME records.
Step 1: Locate Your CNAME Values
- Sign in to the Microsoft Defender Portal.
- Go to Email & collaboration → Policies & rules → Threat policies.
- Under Rules, select Email authentication settings → DKIM.
- Click on your domain (e.g. yourbusiness.co.nz).
Microsoft will show two CNAME records you need to publish.
Step 2: Add Both CNAME Records to DNS
Your records will look similar to this (the exact values depend on your tenant's initial domain):
Host: selector1._domainkey
Type: CNAME
Value: selector1-yourbusiness-co-nz._domainkey.yourtenant.onmicrosoft.com
Host: selector2._domainkey
Type: CNAME
Value: selector2-yourbusiness-co-nz._domainkey.yourtenant.onmicrosoft.com
Replace yourtenant with your Microsoft 365 initial domain (usually visible in the portal).
Step 3: Enable DKIM Signing
- Return to the DKIM panel in the Defender Portal.
- Toggle Sign messages for this domain with DKIM signatures to On.
If you see an error about missing CNAME records, wait another 30 minutes and try again — DNS propagation can be slower on some NZ registrars.
Common Mistakes to Avoid
Even experienced admins trip up on DKIM setup. Watch out for these:
1. Splitting the TXT Record Incorrectly
DKIM public keys are long. Some DNS editors split them across multiple lines, which can break validation. Ensure the full string is wrapped in quotes or pasted as one continuous value.
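The following is an added example, not part of the original guide or any provider's tooling. It splits a long DKIM value into the 255-byte strings DNS allows per TXT string, then re-joins the strings the way a resolver does and checks that the key is intact. The function names and the placeholder key are assumptions made for illustration.

```python
import base64, binascii

def split_txt(value, size=255):
    """Split a long TXT value into the <=255-byte strings DNS requires."""
    return [value[i:i + size] for i in range(0, len(value), size)]

def _tlv(buf, i=0):
    """Read one DER element at offset i; return (content, next_offset)."""
    n, i = buf[i + 1], i + 2
    if n & 0x80:                      # long form: next k bytes hold the length
        k = n & 0x7F
        n, i = int.from_bytes(buf[i:i + k], "big"), i + k
    return buf[i:i + n], i + n

def check_dkim_txt(chunks):
    """Join TXT strings as a resolver does; return (problems, rsa_bits)."""
    problems, bits = [], 0
    if any(len(c.encode()) > 255 for c in chunks):
        problems.append("a single TXT string exceeds 255 bytes")
    record = "".join(chunks)          # strings are concatenated with no separator
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    if tags.get("v") != "DKIM1":
        problems.append("missing v=DKIM1")
    try:
        der = base64.b64decode("".join(tags.get("p", "").split()), validate=True)
        spki, end = _tlv(der)         # SubjectPublicKeyInfo
        if end != len(der):
            raise ValueError("length mismatch")
        _, off = _tlv(spki)           # skip AlgorithmIdentifier
        bitstr, _ = _tlv(spki, off)
        rsa, _ = _tlv(bitstr[1:])     # skip the unused-bits byte
        modulus, _ = _tlv(rsa)
        bits = int.from_bytes(modulus, "big").bit_length()
    except (binascii.Error, IndexError, ValueError):
        problems.append("p= is not a complete base64 key (truncated or altered?)")
    if 0 < bits < 2048:
        problems.append("RSA key is shorter than 2048 bits")
    return problems, bits

# Constructed placeholder: correct DER layout with a filler modulus, not a real key.
_DER = (base64.b64decode("MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A")
        + bytes.fromhex("3082010a0282010100") + b"\xc3" * 256
        + bytes.fromhex("0203010001"))
SAMPLE = "v=DKIM1; k=rsa; p=" + base64.b64encode(_DER).decode()

if __name__ == "__main__":
    chunks = split_txt(SAMPLE)
    print(" ".join('"%s"' % c for c in chunks))   # zone-file form
    print(check_dkim_txt(chunks), check_dkim_txt(chunks[:1]))
```

The second check simulates a DNS editor that kept only the first 255-character string, which is reported as an incomplete key.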
2. Using the Wrong Selector
Google uses google._domainkey by default. Microsoft uses selector1 and selector2. If you're migrating between providers, don't delete the old selector until all legacy mail has cleared the queue.
3. Forgetting Third-Party Senders
Do you send through Xero, MailerLite, Campaign Monitor, or HubSpot? Each needs its own DKIM selector published under your domain. Check each platform's documentation for the required records.
4. Skipping DMARC
DKIM alone won't stop spoofing. You need a DMARC policy to tell receivers what to do when authentication fails. Start with:
Host: _dmarc
Type: TXT
Value: v=DMARC1; p=none; rua=mailto:dmarc@yourbusiness.co.nz
Then monitor reports before tightening to p=quarantine or p=reject.
Verifying Your DKIM Setup
After publishing your records, always verify:
- Send a test email to an external address (e.g. a personal Gmail).
- View the email headers — look for dkim=pass in the Authentication-Results line.
- Check alignment — the d= domain in the DKIM signature should match your From address.
For a quick check without digging through headers, paste your domain into a DKIM lookup tool.
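The header check described above can be scripted. This is an added example, not part of the original guide. The sample headers are constructed, and mx.example.net, mailer.example and the function names are placeholders. It compares d= to the From domain by exact match only. DMARC's default relaxed mode also accepts a shared organisational domain, which needs the Public Suffix List and is not implemented here.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers (not real mail); mx.example.net and
# mailer.example are placeholder names.
SAMPLE = """\
Authentication-Results: mx.example.net;
 dkim=pass header.i=@mailer.example header.s=k1 header.b=abc123;
 dkim=pass header.i=@yourbusiness.co.nz header.s=google header.b=def456;
 spf=pass smtp.mailfrom=yourbusiness.co.nz
From: Accounts <accounts@yourbusiness.co.nz>
Subject: DKIM test

test body
"""

def dkim_results(raw, authserv_id=None):
    """Return (from_domain, [(result, d, selector, aligned), ...]).

    Only headers stamped by authserv_id are read when it is given, because
    a sender can insert its own Authentication-Results line.
    """
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    rows = []
    for header in msg.get_all("Authentication-Results", []):
        clauses = header.split(";")
        if authserv_id and clauses[0].strip().lower() != authserv_id:
            continue
        for clause in clauses[1:]:
            m = re.match(r"\s*dkim=(\w+)", clause)
            if not m:
                continue
            # Some receivers report header.d=, others only header.i=@domain.
            d = (re.search(r"header\.d=([\w.-]+)", clause)
                 or re.search(r"header\.i=[^@\s]*@([\w.-]+)", clause))
            s = re.search(r"header\.s=([\w.-]+)", clause)
            domain = d.group(1).lower() if d else ""
            rows.append((m.group(1).lower(), domain,
                         s.group(1) if s else "", domain == from_domain))
    return from_domain, rows

def dkim_aligned_pass(raw, authserv_id=None):
    """True if at least one passing signature has d= equal to the From domain."""
    return any(r == "pass" and ok for r, _, _, ok in dkim_results(raw, authserv_id)[1])

if __name__ == "__main__":
    print(dkim_results(SAMPLE, "mx.example.net"))
```

In the sample, the third-party signature passes but is not aligned, while the google selector signature passes and matches the From domain.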
Next Steps: Lock Down Your Email Security
DKIM is one leg of the authentication tripod. To fully protect your brand and maximise inbox placement, you should also:
- Publish a strict SPF record listing all legitimate senders
- Deploy DMARC with monitoring, then move to enforcement
- Consider BIMI once DMARC is at p=quarantine or stricter
Check Your Domain for Free with xteam MailCheck
Not sure if your DKIM, SPF, and DMARC records are correctly configured? xteam MailCheck is our free tool built for New Zealand businesses. Enter your domain and instantly see:
- Whether DKIM is published and valid
- Your current SPF and DMARC status
- Specific, plain-English fixes for any issues found
Run your first check at xteam.co.nz and take the guesswork out of email authentication.