How to setup SPF, DKIM and DMARC in Google Workspace

It is thought that of the 319 billion emails sent every day, 90% are unwanted, unsolicited spam advertising. Little surprise then that email services and clients are keen to help their users to filter out the junk so that only genuine messages get through to the inbox.

As a reputable business owner, you know that your messages are truly valuable and that you aren’t peddling generic pharmaceuticals, non-surgical augmentation techniques or not-safe-for-work webcam sites. But the problem is that spam filters may not, and they could be canning your messages because you haven't completed your Gmail setup.

Proving your identity

Because spammers want to appear legitimate, they often “fake” the from address on their messages; spam filters usually try to verify the sender’s address matches the email encoding, and automatically dumps those messages which don’t pass the test.

However, it is up to you to ensure that your email addresses resolve correctly through the use of SPF, DKIM, and DMARC records. If you did not use the services of a Google Workspace Partner and instead set up the system yourself, there is a chance this crucial stage may have been missed. The good news is that the process is relatively straightforward. The even better news is that as a certified Google Workspace Partner, Kimbley IT can help – so you don’t even need to read through to the end of the article if you’d rather we did it for you…

Below are brief instructions for setting up SPF, DKIM, and DMARC. You should only follow them if you're confident and experienced in deploying Google Workspace. These instructions are to be used at your own risk. More detailed instructions can be found at the Google Workspace support site.

Setting up an SPF record (Sender Policy Framework)

Nothing to do with sun cream, SPF – Sender Policy Framework – is a simple system used to check email is coming from the address claimed in the message headers (the information used by computers to ensure your email gets to its intended recipient).

• Log into your admin console for your domain e.g. mybusiness.co.uk.

• Locate the advanced DNS record settings.

• Create a new TXT record and assign it the value: v=spf1 include:_spf.google.com ~all

• Click Save.

Simple huh?

Setting up a DKIM record (DomainKeys Identified Mail)

As spammers get more sophisticated, so too do the methods used to out them. To prevent being incorrectly identified as a spammer, you should also create a DKIM – DomainKeys Identified Mail – record. This is a three-stage process – first, you need to generate a DKIM domain key:

• Sign in to your Google Workspace Admin console, then select Apps -> Google Workspace -> Gmail -> Authenticate email 

• Select your domain from the drop-down list and click the Generate new record button.

• Copy the generated text.

Now you need to create an accompanying record to tie that key to your email domain:

• Log into your domain provider’s admin console.

• Locate the advanced DNS settings page.

• Create a new TXT record with the name google._domainkey and then assign it the values generated in the first step. It should look something like: v=DKIM1; k=rsa; p=ALb9a35QAA35in7qDAB (although the ‘p’ section of yours will be much longer).

• Click Save to apply the changes.

Now that the DNS records have been updated, the final step is to tell Google Apps to use DKIM to protect your email:

• Log into the Google Workspace Admin console again.

• Select Apps -> Google Workspace -> Gmail -> Authenticate email 

• Choose the correct domain from the drop-down.

• Click Start authentication.

Note that it may take be as much as 48 hours before the setting takes effect globally.

Setting up a DMARC record (Domain Message Authentication Reporting & Conformance)

The final step to proving you are not an evil spammer is the creation of a DMARC - Domain-based Message Authentication, Reporting and Conformance – record. Because DMARC is built on both SPF and DKIM technologies, you will need to ensure you have completed both stages above before continuing:

• Log into your domain providers admin console.

• Locate the advanced DNS settings page.

• Create a new TXT record with the settings you want to apply to your DMARC record.

• Click Save to apply the changes.

Has it worked?

Finally, you need to check that SPF, DKIM and DMARC have all been configured correctly for your domain. Visit the Google Workspace MX tool and type your domain name into the supplied box. When you click Run checks! you will see a report that confirms you have an SPF record, and that both DKIM and DMARC are set up. 

You should now find that even more of your email makes it into your customers’ and prospects’ mailboxes, helping to boost campaign success. You will also see a lower incidence of emails going “missing” where they have been incorrectly filtered by enthusiastic spam filters.

And don’t forget

If this all seems far too complicated, book a video call below and have a chat with us on how you can help your business get the most from Google Workspace and prevent your emails from ending up in your clients’ spam folder!