How to set up SPF, DKIM and DMARC in G Suite

It is thought that of the 244 billion emails sent every day, 90% are unwanted, unsolicited spam advertising. Little surprise then that email services and clients are keen to help their users to filter out the junk so that only genuine messages get through to the inbox.


As a reputable business owner, you know that your messages are truly valuable, and that you aren’t peddling generic pharmaceuticals, non-surgical augmentation techniques or not-safe-for-work webcam sites. But the problem is that spam filters may not, and they could be canning your messages because you haven't completed your Gmail setup.

Proving your identity

Because spammers want to appear legitimate, they often “fake” the from address on their messages; spam filters usually try to verify that the sender’s address matches the email encoding, and automatically dump messages that don’t pass the test.

However, it is up to you to ensure that your email addresses resolve correctly through the use of SPF, DMARC and DKIM records. If you did not use the services of a Google Suite partner and set up the system yourself, there is a chance this crucial stage may have been missed; and unless you link up with a specialist Google partner, staying on top of future changes will be time-consuming. The good news is that the process is relatively straightforward. The even better news is that as a certified Google Suite Partner, Kimbley IT can help – so you don’t even need to read through to the end of the article if you’d rather we did it for you…

Below are brief instructions for setting up SPF, DKIM and DMARC. You should only follow them if you're confident and experienced in deploying G Suite. These instructions are to be used at your own risk. More detailed instructions can be found at the G Suite support site.

Setting up an SPF record (Sender Policy Framework)

Nothing to do with sun cream, SPF – Sender Policy Framework – is a simple system used to check email is coming from the address claimed in the message headers (the information used by computers to ensure your email gets to its intended recipient).

  • Log into the admin console for your domain (e.g. 1and1, Go Daddy, 123Reg etc).
  • Locate the advanced DNS record settings.
  • Create a new TXT record and assign it the value: v=spf1 ~all
  • Click Save.

Simple huh?

Setting up a DKIM record (DomainKeys Identified Mail)

As spammers get more sophisticated, so too do the methods used to out them. To prevent being incorrectly identified as a spammer, you should also create a DKIM – DomainKeys Identified Mail – record. This is a three-stage process – first you need to generate a DKIM domain key:

  • Sign into your G Suite Admin console, then select Apps -> G Suite -> Gmail -> Authenticate email 
  • Select your domain from the drop-down list and click the Generate new record button.
  • Copy the generated text.

Now you need to create an accompanying record to tie that key to your email domain:

  • Log into your domain provider's admin console.
  • Locate the advanced DNS settings page.
  • Create a new TXT record with the name google._domainkey and then assign it the values generated in the first step. It should look something like: v=DKIM1; k=rsa; p=ALb9a35QAA35in7qDAB (although the ‘p’ section of yours will be much longer).
  • Click Save to apply the changes.

Now that the DNS records have been updated, the final step is to tell Google Apps to use DKIM to protect your email:

  • Log into the G Suite Admin console again.
  • Select Apps -> G Suite -> Gmail -> Authenticate email 
  • Choose the correct domain from the drop-down.
  • Click Start authentication.

Note that it may take as much as 48 hours before the setting takes effect globally.

Setting up a DMARC record (Domain-based Message Authentication, Reporting & Conformance)

The final step to proving you are not an evil spammer is the creation of a DMARC – Domain-based Message Authentication, Reporting and Conformance – record. Because DMARC is built on both SPF and DKIM technologies, you will need to ensure you have completed both stages above before continuing:

  • Log into your domain provider's admin console.
  • Locate the advanced DNS settings page.
  • Create a new TXT record with the name and then assign it the value: v=DMARC1; p=reject;
  • Click Save to apply the changes.

At the most basic level, this record checks all outgoing email to verify that it really has been sent from your domain. If not, the message is automatically rejected, so your customers never receive spam pretending to be from you. There will also be a daily report emailed to (you can change this to any address you want) with details of all messages that have been rejected so you can check nothing is being filtered incorrectly.

Has it worked?

Finally you need to check that SPF, DKIM and DMARC have all been configured correctly for your domain. Visit the G Suite MX tool and type your domain name into the supplied box. When you click Run checks! you will see a report that confirms you have an SPF record, and that both DKIM and DMARC are set up. 
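The three TXT values can also be sanity-checked offline before they are published. The script below is an added example, not part of the original article and not a Google tool. Its function names are invented for the example; `include:_spf.google.com` is Google's published SPF include and does not appear in the article as given, and the DKIM key filler and the `rua` address are constructed placeholders.

```python
import re

def parse_tags(record):
    """Split a 'k=v; k=v' DKIM/DMARC TXT value into a dict of tags."""
    pairs = (p.split("=", 1) for p in record.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def check_spf(record):
    terms = record.lower().split()
    if not terms or terms[0] != "v=spf1":
        return ["not an SPF record (must start with v=spf1)"]
    findings = []
    # Mechanisms that can authorise a sending host (RFC 7208).
    authorising = re.compile(r"\+?(include|a|mx|ip4|ip6|exists)([:/]|$)")
    if not any(authorising.match(t) or t.startswith("redirect=") for t in terms[1:]):
        findings.append("no mechanism authorises any sender")
    if terms[-1] in ("all", "+all"):
        findings.append("+all authorises every host")
    elif terms[-1] not in ("-all", "~all", "?all") and not terms[-1].startswith("redirect="):
        findings.append("no terminating all mechanism or redirect")
    return findings

def check_dkim(record):
    key = re.sub(r"\s+", "", parse_tags(record).get("p", ""))
    if not key:
        return ["missing or empty p= public key"]
    # Assumes k=rsa: even a 1024-bit RSA key is 216 base64 characters.
    if len(key) < 200 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", key):
        return ["p= is not a complete base64 key (truncated paste?)"]
    return []

def check_dmarc(record):
    if not record.strip().lower().startswith("v=dmarc1"):
        return ["not a DMARC record (must start with v=DMARC1)"]
    tags, findings = parse_tags(record), []
    if tags.get("p", "").lower() not in ("none", "quarantine", "reject"):
        findings.append("p= must be none, quarantine or reject")
    if "rua" not in tags:
        findings.append("no rua= address, so no aggregate reports are sent")
    return findings

def lint(spf, dkim, dmarc):
    return {"spf": check_spf(spf), "dkim": check_dkim(dkim), "dmarc": check_dmarc(dmarc)}

# Values exactly as they are printed in the article above.
ARTICLE = ("v=spf1 ~all", "v=DKIM1; k=rsa; p=ALb9a35QAA35in7qDAB", "v=DMARC1; p=reject;")
# Constructed passing set: filler key and placeholder report address (assumptions).
GOOD = ("v=spf1 include:_spf.google.com ~all", "v=DKIM1; k=rsa; p=MIIB" + "A" * 388,
        "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com")

if __name__ == "__main__":
    print(lint(*ARTICLE))
```

Run on the values as printed above, it reports an SPF record that authorises no sender, the deliberately shortened DKIM key, and a DMARC record with no report address.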

You should now find that even more of your email makes it into your customers’ and prospects’ mailboxes, helping to boost campaign success. You will also see a lower incidence of emails going “missing” where they have been incorrectly filtered by enthusiastic spam filters.

And don’t forget – if that all seems far too complicated, Kimbley IT can do it for you.