How To Set Google Workspace DKIM Records Automatically?
If your emails keep landing in spam and you're using Google Workspace… this article is written exactly for you.
Because let’s be real, setting up DKIM on Google Workspace is a nightmare.
There’s no API.
You have to log in to three different places.
You’re stuck copying TXT records and praying you did it right.
And if you mess it up?
You don’t get a warning. You just stop hitting the inbox.
I’ve been there.
So instead of guessing, I wrote this article to show you how to set up Google Workspace DKIM records automatically, with real code, actual scripts, and the exact API calls you’ll need.
You’ll get:
- A step-by-step breakdown of how DKIM works inside Google Workspace
- Code samples to automate DNS updates (Cloudflare, etc.)
- Monitoring tips to keep your authentication alive
- And a shortcut if you want to skip this mess altogether
You’ll also learn how cold email tools like Mailforge handle all of this for you, no manual setup, no broken DNS records, just premium deliverability by default.
Ready to stop hoping and start hitting inboxes?
Let’s fix your setup.
What is DKIM in Google Workspace?
DKIM (DomainKeys Identified Mail) is an email authentication method in Google Workspace that proves your emails came from your domain and weren’t tampered with in transit.
It helps inboxes like Gmail, Outlook, and Apple Mail trust your emails, so they land in Primary, not Spam.
If you’re sending cold emails and not using Google Workspace DKIM, you're doing all the work… for zero return.
Also Read: What are the 3 Best Email Service Providers (ESPs) for Cold Email?
Here’s how DKIM works in Google Workspace:
- Google holds the private key — this signs every email you send.
- You publish a public key in your DNS as a TXT record (e.g., google._domainkey.yourdomain.com)
- Receiving servers use that public key to verify the email wasn’t forged or altered.
It's a handshake between your domain and the inbox.
If the keys match? ✅ Inbox.
If they don’t? 🚫 Spam folder.
Don’t Confuse “Delivered” With “Seen.”
Just because your email shows as “delivered” doesn’t mean it hit the inbox.
Let me say that again:
Delivered ≠ Seen
You can have a 99% delivery rate and still end up in:
- Spam
- Promotions
- Or worse… filtered out completely
Without DKIM, you're invisible to the inbox.
With DKIM, you look legit—even at scale.
Setting up DKIM for Google Workspace is not optional.
It's the baseline for cold email deliverability, domain reputation, and actually getting replies.
Why DKIM Automation Matters for Cold Email Deliverability
If you’re sending cold emails without a properly configured DKIM, your emails are going straight to spam, and you’re wasting time, domains, and money.
Here’s the truth no one tells you:
Email deliverability is 80% setup, 20% copy.
Most founders and SDRs mess this up.
They launch a sequence, expect replies… and get none.
Why?
Because Gmail, Outlook, and Yahoo never even let their emails hit the inbox.
DKIM Is Non-Negotiable
If you’re using Google Workspace for cold outreach and not setting up DKIM, you’re sending unsigned emails into a battlefield of spam filters.
These providers are ruthless.
- Gmail? Filters hard.
- Outlook? Even harder.
- Apple Mail? You’ll vanish without authentication.
DKIM tells inbox providers:
“This email is legit. It came from who it says it did. Don’t flag it.”
No DKIM = No trust = No inbox.
That’s the chain.
And look—doing it once isn’t enough.
You need automation to scale, rotate keys, and keep domains healthy as you grow.
How to Set Up Domain & Mailbox for Cold Email?
Before we dive into how to automate the DKIM setup step-by-step, let’s make sure you have the basic requirements ready to go.
Prerequisites for Automating DKIM Setup
Before you start coding or connecting APIs, you need to check four boxes.
Miss even one, and the whole automation stack breaks.
✅ 1. A Verified Google Workspace Domain
Your domain must already be added and verified in Google Workspace.
If Google doesn’t trust the domain, you can’t generate or manage DKIM at all.
✅ 2. Access to the Admin Console
You’ll need Super Admin rights.
This is the only way to manually generate the DKIM key (because yes—Google still makes you do this part manually).
✅ 3. API Access to Your DNS Provider
You can’t automate DKIM without API access to your DNS zone.
This could be:
- Cloudflare
- AWS Route 53
- GoDaddy
- Namecheap (if supported)
If your DNS provider doesn’t support API-based updates, you’re stuck doing it manually or switching providers.
✅ 4. A Script-Ready Environment (Python or Node)
For most users, Python is the easiest to get up and running.
You’ll need:
- Python 3.10+
- google-api-python-client
- dns.resolver
- requests or httpx for API calls
If you’re using Mailforge, you don’t need to write or manage any scripts. Just plug in your domains, and it handles DKIM, SPF, and DMARC out of the box.
Now that you’ve got everything lined up, let’s break down how to automate your DKIM setup—step by step.
Step-by-Step: Automate Google Workspace DKIM Setup
You’re here because you don’t want to touch DNS manually every time.
Good. Let’s automate the boring stuff.
This 4-part workflow gets your Google Workspace DKIM set up with minimal manual effort.
Let’s get into it.
1. Authenticate With Google Admin SDK
The first step is getting access to your Google Workspace account programmatically.
You’ll need a service account JSON file and these scopes:
SCOPES = ['https://www.googleapis.com/auth/admin.directory.domain.readonly']
Here’s your starter script:
from google.oauth2 import service_account
from googleapiclient.discovery import build
def initialize_admin_sdk():
credentials = service_account.Credentials.from_service_account_file(
'service-account.json',
scopes=SCOPES
)
service = build('admin', 'directory_v1', credentials=credentials)
return service
✅ What you can do with this:
- Authenticate your app
- Fetch domain info
- Access DKIM settings metadata
❌ What you can’t do:
- Generate DKIM keys via API (thanks, Google…)
Now that you’re authenticated, here comes the one step you still have to do manually (for now).
2. Generate DKIM Keys (Manual but Required)
There’s no way around this.
Google forces you to generate DKIM keys manually via the Admin Console.
Why?
Because they haven’t opened this feature to their API yet. Frustrating, but real.
Here’s how to do it:
- Log in to admin.google.com
- Go to Apps > Google Workspace > Gmail > Authenticate Email
- Choose your domain and generate a 2048-bit DKIM key
- Copy the TXT record (you’ll need this in the next step)
💡 Pro Tip: Do this once per domain, then automate everything else moving forward.
Once you’ve got your DKIM key, it’s time to let the robots take over by automating your DNS update.
3. Automate DKIM DNS Record Updates Using API
Now, take that DKIM TXT record and push it to your DNS provider using their API.
Example using Cloudflare API:
import requests
def update_dkim_dns(api_key, zone_id, dkim_record):
headers = {
'Authorization': f'Bearer {api_key}',
'Content-Type': 'application/json'
}
data = {
'type': 'TXT',
'name': 'google._domainkey',
'content': dkim_record,
'ttl': 3600
}
response = requests.post(
f'https://api.cloudflare.com/client/v4/zones/{zone_id}/dns_records',
headers=headers,
json=data
)
return response.json()
👨🔧 Adapting it to other providers:
Each DNS provider has their own API docs.
You’ll need credentials, zone ID, and endpoint structure. Use similar logic with AWS Route 53, GoDaddy, or Namecheap.
💣 TTL best practices:
Set a reasonable TTL (3600 = 1 hour). Too low = instability. Too high = long propagation delays.
🚨 Error handling:
Add retry logic and log failures. If your API call fails silently, your DKIM will never go live.
With your DKIM record now live in DNS, the last piece is verifying it actually works, before you start sending.
4. DKIM Verification and Propagation Check
Just because you pushed a record doesn’t mean it’s live.
DNS takes time to propagate.
Here’s how to check it using dns.resolver:
import dns.resolver
def verify_dkim_record(domain, selector='google'):
try:
answers = dns.resolver.resolve(f'{selector}._domainkey.{domain}', 'TXT')
return any('v=DKIM1' in str(rdata) for rdata in answers)
except:
return False
⏳ Add retry logic:
Use exponential backoff and check every 5–10 minutes. Some providers take longer than others.
📬 Bonus: Send a test email to a Gmail or Outlook inbox
Open headers → Look for DKIM=pass
If it says “fail” or “neutral,” something’s broken.
So your DKIM setup is automated, but there are still places where things can break.
Let’s walk through the most common DKIM issues and how to fix them.
Common DKIM Setup Errors (And How to Fix Them)
Even if you follow every step perfectly, the DKIM setup can still go sideways.
Here’s a breakdown of the most common problems—and exactly how to fix each one.
❌ Problem 1: “DKIM Record Not Found”
Cause:
- DNS hasn’t propagated yet
- Wrong selector used
- The record never got published
Fix:
- Double-check your DNS entry (google._domainkey.yourdomain.com)
- Wait 15–60 minutes, then retry the check
- Use a tool like MXToolbox DKIM Lookup
❌ Problem 2: “Incorrect DKIM Selector”
Cause:
- You used a custom selector, but your code defaults to Google
- Typo in the selector or domain string
Fix:
- Go to Google Admin Console and confirm the selector
- Match that in your script or DNS API logic
❌ Problem 3: “Invalid Record Format”
Cause:
- You added quotes around the record
- You broke the record into multiple lines
- You pasted a malformed value
Fix:
- Ensure the entire DKIM TXT value is in a single string
- Remove unnecessary quotation marks
- Compare it to what Google gave you, character for character
❌ Problem 4: “Gmail Not Detecting DKIM”
Cause:
- DKIM is published, but still marked as fail in Gmail headers
- TTL is too high, or DNS is cached
Fix:
- Wait a few hours (especially if TTL > 3600)
- Try from a different network or flush DNS
- Use Gmail’s “Show Original” → check DKIM=pass line in header
⚠ Bonus Tip: Add Logging and Monitoring Early
Don’t wait for emails to land in spam before checking DKIM health.
Log every automation step, and set alerts for failures or missing records.
Now that you know what to watch out for, let’s walk through the best practices to keep your DKIM setup rock solid, especially if you're scaling across multiple domains.
Best Practices for DKIM Automation
Here’s how to protect your setup, reputation, and sanity.
✅ 1. Rotate DKIM Keys Annually
Why?
Because stale keys become a security risk and eventually get flagged by inbox providers.
Best practice:
- Rotate every 12 months
- Generate new DKIM keys in the Google Admin Console
- Replace old DNS records through your automation script
✅ 2. Monitor DNS Health Continuously
What gets monitored gets managed.
DKIM can break silently, especially when teams update DNS settings and forget to notify ops.
How to do it:
- Schedule DNS lookups daily using dns.resolver
- Set alerts for missing or malformed TXT records
- Bonus: Use uptime monitors to watch critical records
You can do this with your own scripts or use Mailforge, which includes automatic DNS monitoring and alerts when DKIM or SPF records break.
✅ 3. Store Credentials Securely
Your service account keys and DNS API tokens = gold.
One leak, and your domain’s a sitting duck for spoofing or takeover.
Do this:
- Use .env files + environment variables
- Lock down access via vaults like AWS Secrets Manager or HashiCorp Vault
- Never hardcode credentials—ever
✅ 4. Log Everything (and Review Weekly)
You need a paper trail. Not just for debugging, but for growth.
If a domain starts failing, you want to know when, why, and what changed.
Track:
- Each DKIM update request
- Propagation success/failure
- Selector version and key length
- Last rotation date
Now, if you're thinking, “This is a lot of moving parts,” you’re right.
Mailforge logs every change to your domain records, including DKIM propagation, key updates, and failures—no custom logging setup required.
Now, for teams managing 10+ domains or 50+ inboxes, Mailforge saves hours by automating DKIM, SPF, and DMARC with just a few clicks.
The Fastest Way? Use Mailforge for Instant DKIM Setup
Let’s be real, manual DKIM setup is a time sink.
You’re juggling:
- Google Admin Console
- DNS APIs
- Code
- TTLs
- Logs
- Verifications
- And oh yeah… not screwing it up
That’s why most people give up, or worse, skip DKIM entirely and wonder why inbox placement tanks.
But here’s the shortcut:
Mailforge Does It All for You
The second you add a domain, Mailforge:
✅ Sets up DKIM, SPF, and DMARC
✅ Handles DNS records automatically
✅ Tracks your domain health
✅ Optimizes everything for cold email deliverability
✅ Works with any sending platform
(including Agent Frank by Salesforge, Smartlead, Instantly, or even your custom system)
How Mailforge Works (In 60 Seconds)
- Add your domain
- Mailforge sets up DKIM (no copy-pasting, no scripts)
- Start sending with infrastructure optimized for inbox placement
- Rotate keys, monitor reputation, and scale—on autopilot
Pair with Warmforge for automatic inbox warm-up or Primeforge for Google/MS365-native cold email setup if you’re scaling across corporate domains.
⏱️ Setup time: under 5 minutes
💸 Cost: ~$2 per mailbox
📈 Deliverability: Premium-grade, cold outreach ready
Why It Beats Google Workspace for Cold Email
Mailforge is Perfect for:
- Founders who want to scale cold outreach fast
- Teams managing 50–200 domains
- People who’d rather focus on results, not DNS headaches
Do you still want to build your own automation flow? No problem.
Here’s a sample Python script that does 90% of it, minus the pain.
🧪 Dev-Only: Complete Sample: Python DKIM Automation Script
If you’re the type who likes building your own infrastructure, here’s your base script to automate everything after generating the DKIM key in Google Workspace.
This script will:
✅ Verify your domain
✅ Update your DNS with the DKIM record
✅ Check propagation
✅ Log the result
✅ Scale across multiple domains
Let’s go.
Full Python Class to Automate DKIM Setup
import requests, time, dns.resolver
from google.oauth2 import service_account
from googleapiclient.discovery import build
class DKIMAutomation:
def __init__(self, domain, zone_id, api_key, dkim_record):
self.domain = domain
self.zone_id = zone_id
self.api_key = api_key
self.dkim_record = dkim_record
self.admin_service = self.initialize_admin_sdk()
def initialize_admin_sdk(self):
SCOPES = ['https://www.googleapis.com/auth/admin.directory.domain.readonly']
credentials = service_account.Credentials.from_service_account_file(
'service-account.json', scopes=SCOPES
)
service = build('admin', 'directory_v1', credentials=credentials)
return service
def update_dns(self):
headers = {
'Authorization': f'Bearer {self.api_key}',
'Content-Type': 'application/json'
}
data = {
'type': 'TXT',
'name': 'google._domainkey',
'content': self.dkim_record,
'ttl': 3600
}
url = f'https://api.cloudflare.com/client/v4/zones/{self.zone_id}/dns_records'
return requests.post(url, headers=headers, json=data).json()
def verify_dkim(self, retries=6, delay=60):
for _ in range(retries):
try:
answers = dns.resolver.resolve(f'google._domainkey.{self.domain}', 'TXT')
if any('v=DKIM1' in str(rdata) for rdata in answers):
return True
except:
pass
time.sleep(delay)
return False
Where to Extend This Script:
- 🔁 Loop through multiple domains
- 🛠️ Add logging with timestamps
- 🧪 Add test email sending and header parsing
- 🔐 Store secrets securely with .env or AWS Secrets Manager
- 📈 Integrate Slack/email alerts if DKIM fails after retries
This script is a great foundation, but building for scale means constant updates, error handling, and watching for Google or DNS API changes.
If that sounds like overkill for your team… again, Mailforge handles all of this automatically.
Have questions about Google Workspace DKIM setup?
You're not alone. Let's hit the most common ones founders ask (and answer them fast).
Final Thoughts:
If you made it this far, you already know: setting up DKIM in Google Workspace is not impossible, it’s just annoyingly manual.
To recap what we covered:
- What DKIM is and how it protects your sender reputation
- Why inbox placement depends more on setup than on your subject lines
- The step-by-step automation process—from Admin SDK to DNS updates and verification
- How to catch and fix the most common DKIM errors
- The exact Python script to automate 90% of the workflow
- And finally, the smarter path—using Mailforge to skip all the pain
Here’s the truth:
If you're sending cold emails and still doing DKIM by hand, you’re burning hours and risking your inbox rate every single day.
You can either:
❌ Keep logging into the Admin Console, copying TXT records, and debugging DNS…
Or
✅ Switch to Mailforge, where DKIM, SPF, and DMARC are done for you—automatically.
With Mailforge, you’re inbox-ready in under 5 minutes. No scripts. No guessing.
Just domains that hit Primary, even at scale.
👉 Get started with Mailforge now — and never touch a DNS dashboard again.