Adding SPF, DKIM and DMARC record for Google Workspace (Gsuite) Emails
We used to receive inquiries from our customers saying their emails are getting rejected/blocked by the recipient address. Few customers go in deep and observe they are blacklisted by SPAM filters. In most cases you are not actually sending bulk emails but you are getting under blacklist. This happens because of someone misusing your DNS to spread his email. In many cases the SPAM filters blacklist the emails if they don’t find SPF, DKIM or DMARC records.
Hence this is imperative that we have proper SPF, DKIM and DMARC records added in our DNS. This is just few minutes of effort but likely a progress that we need to watch every day as some misconfiguration may lead all our emails to go under SPAM list. In this article we are dealing with Gsuite however this is a good practice that we have these standards applied for all email systems for best reputation.
We need to Add SPF and DKIM before adding DMARC record.
SPF: Sender Policy Framework
DKIM: Domain Keys Identified Mail
DMARC: Domain-based Message Authentication, Reporting, and Conformance
Setting up SPF for G Suite
The standard SPF record recommended by Google is
v=spf1 include:_spf.google.com ~all
If you are using other systems for Mass Mailings, CRM etc, then you need to get their SPF records and add them to the Google SPF; otherwise those set of emails could end up being “blocked”. For example I am using mailjet for my email campaigns so my SPF should look like,
v=spf1 include:spf.mailjet.com include:_spf.google.com ~all
Let us add the SPF to DNS Zone
- Login to your DNS/Domain management or Control panel.
- Go to your Domain and DNS management.
- Add TXT Record.
- Enter @ to host/name.
- Enter v=spf1 include:_spf.google.com ~all in the value box.
- Set TTL to the lowest.
Setting up DKIM for G Suite
We need to generate a domain key at email provider and add that as TEXT value in our DNS. That is the process. Generally Google Workspace allows us to generate Domain key after 24 hours of Gsuite account creation.
- Go to admin.google.com
- Login with your super admin account.
- Go to Apps >> Google Workspace >> Gmail
- Then click on Authenticate Email.
- You will be presented with a screen like the below one. Make sure the right domain is selected if you have multiple domains.
- Just Copy the value TXT Record Value and keep it in a notepad.
Let us add the SPF to DNS Zone
- Login to your DNS/Domain management or Control panel.
- Go to your Domain and DNS management.
- Add TXT Record.
- Enter google_domainkey to host/name.
- Copy and paste the key value from the notepadto the value box.
- Set TTL to the lowest.
Generally SPF and DKIM will stop most of your SAPM issues and getting blacklisted. However setting up DMARC as final step will add more reputation to your email deliveries. DMARC will direct what should be done to the received message based on the published SPF and DKIM and will enforce the policies you have set based on the aforementioned mechanisms. Also DMARC reports will help you analyze what is happening around your email deliveries thus your monitoring is powered.
Setting up DMARC
The DMARC record should look like this
v=DMARC1; p=none; rua=mailto:[email protected]
Where the email you add above will receive DMARC reports.
You are suggested to generate DMARC record using one of the online tools. For example, DMARC Generator.
Let us add the DMARC to DNS Zone
- Login to your DNS/Domain management or Control panel.
- Go to your Domain and DNS management.
- Add TXT Record.
- Enter _dmarc.domain.com to host/name (At some providers they add domain automatically so they only accept _dmarc in the host value. That’s fine so let’s leave that.
- Copy and paste the value generated by the DMARC generation to the Value field.
Ex: v=DMARC1; p=none; rua=mailto:[email protected] - Set TTL to the lowest.
There are many online tools that can verify your DMARC as well other SPF and DKIM records. Please do so and make sure all your records are perfect.