How to set up SPF, DKIM and DMARC in Google Workspace

In today's digital landscape, email remains a cornerstone of business communication. However, with an estimated 361.6 billion emails sent daily in 2024, and over 46.8% of email traffic being unwanted, unsolicited spam, getting your legitimate messages into your customers' inboxes is a growing challenge. Email services and clients are constantly evolving their filters to block junk, but this can inadvertently flag valuable business communications as spam.

As a reputable business owner, you understand the importance of your messages. You're not peddling generic pharmaceuticals or unsolicited offers. Yet, the critical hurdle lies in proving your legitimacy to sophisticated spam filters. If your email in Google Workspace setup isn't correctly configured, your important emails could be mistakenly quarantined.

This guide will walk you through the essential steps to enhance your email deliverability by setting up SPF, DKIM, and DMARC records – crucial components for proving your identity and ensuring your messages reach their intended recipients.

Proving Your Email Identity

Spammers often attempt to impersonate legitimate senders by "faking" sender addresses. Spam filters are designed to detect these fraudulent attempts by verifying if the sender's address aligns with the email's encoding. Emails that fail this verification are typically flagged or discarded.

To prevent your legitimate emails from suffering this fate, you must ensure your email addresses correctly resolve through the implementation of SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting & Conformance) records.

If you set up your Google Workspace yourself without the guidance of a certified Google Workspace Partner, you may have overlooked these crucial configurations. The good news? As a certified Google Workspace Partner, Kimbley IT can expertly handle this for you, ensuring your email deliverability is optimised without you needing to dive into complex technical details.

However, if you are confident and experienced in deploying Google Workspace, the brief instructions below will guide you through the setup.

Step-by-Step Guide

Setting up an SPF Record (Sender Policy Framework)

SPF, which stands for Sender Policy Framework, is a simple email authentication method designed to prevent sender address forgery. It allows recipient mail servers to verify that an email claiming to come from a specific domain is authorised by that domain's administrators.

Here's how to set it up:

1. Log in to your domain's admin console (e.g., for yourbusiness.co.uk). This is typically where you manage your website's DNS settings.

2. Locate the advanced DNS record settings. This section might be labelled "DNS Management," "Zone Editor," or similar.

3. Create a new TXT record.

4. Assign the following value to the TXT record: v=spf1 include:_spf.google.com ~all

5. Click Save to apply the changes.

It's that simple! This record tells receiving servers that Google's servers are authorised to send email on behalf of your domain.

Setting up a DKIM Record (DomainKeys Identified Mail)

As spamming techniques become more sophisticated, so do the methods to combat them. To further prevent your legitimate emails from being incorrectly identified as spam and to prevent scammers from sending emails impersonating your email domain, you should also create a DKIM record. DKIM adds a digital signature to your outgoing emails, allowing recipient servers to verify that the email hasn't been altered in transit and genuinely originated from your domain.

This is a three-stage process:

Stage 1: Generate a DKIM Domain Key in Google Workspace

1. Sign in to your Google Workspace Admin console.

2. Navigate to Apps > Google Workspace > Gmail > Authenticate email.

3. Select your domain from the drop-down list.

4. Click the Generate new record button.

5. Copy the generated text. This will be a long string of characters.

Stage 2: Create the Corresponding DNS Record

1. Log in to your domain provider’s admin console (the same place you managed your SPF record).

2. Locate the advanced DNS settings page.

3. Create a new TXT record.

4. For the "Name" or "Host" field, enter: google._domainkey

5. For the "Value" or "TXT data" field, paste the text generated in Stage 1. It will typically start with v=DKIM1; k=rsa; p= followed by a very long string of characters.

6. Click Save to apply the changes.

Stage 3: Activate DKIM in Google Workspace

1. Log back into the Google Workspace Admin console.

2. Navigate to Apps > Google Workspace > Gmail > Authenticate email.

3. Choose the correct domain from the drop-down list.

4. Click Start authentication.

Setting up a DMARC Record (Domain-based Message Authentication, Reporting & Conformance)

The final, crucial step in proving your domain's authenticity and combating email spoofing is creating a DMARC record. DMARC builds upon both SPF and DKIM technologies, providing a framework for email receivers to authenticate incoming mail. It also offers a reporting mechanism, allowing you to receive feedback on how your emails are being authenticated.

Crucially, you must ensure you have completed both the SPF and DKIM setup stages before proceeding with DMARC.

Here’s how to create your DMARC record:

1. Log in to your domain provider’s admin console.

2. Locate the advanced DNS settings page.

3. Create a new TXT record.

4. For the "Name" or "Host" field, enter: _dmarc

5. For the "Value" or "TXT data" field, add the settings you wish to apply to your DMARC record. A basic, starting point for a DMARC record that monitors your email activity without immediately blocking emails is: v=DMARC1; p=none; rua=mailto:your_email@yourdomain.com; ruf=mailto:your_email@yourdomain.com;

   • Important: Replace your_email@yourdomain.com with a valid email address where you want to receive DMARC reports. These reports provide valuable insights into your email traffic and any potential authentication failures.

6. Click Save to apply the changes.

Remember, DMARC policies can be complex. Starting with p=none is recommended as it allows you to monitor without affecting deliverability immediately. However, running with a policy set to p=none (no action) while handy for reporting, effectively nullifies the core purpose of DMARC, as it does not enforce any protections you've set up. To truly benefit from these settings and enable recipient servers to take action on unauthenticated messages, you should be running with an enforcement policy like p=quarantine (move to spam) or, ultimately, p=reject (block outright) in place. You can gradually increase the policy as you gain confidence in your SPF and DKIM configurations.

Verify Your Setup:

After completing all the steps, it's essential to verify that your domain's SPF, DKIM, and DMARC records have been configured correctly.

1. Visit the Google Workspace MX tool (you can search for "Google MX record checker").

2. Type your domain name into the supplied box.

3. Click Run checks!

The report generated will confirm the presence of your SPF record and that both DKIM and DMARC are set up for your domain.

Upon successful configuration, you should observe a noticeable improvement in your email deliverability. More of your genuine messages will reach your customers’ and prospects’ mailboxes, significantly boosting your email campaign success and reducing instances of legitimate emails going "missing" due to overzealous spam filters. However, it's crucial to understand that merely having these settings in place does not grant permission for mass mailings. Doing so will still harm your domain's reputation and could lead to blacklisting and emails being routed to spam folders. These settings are specifically designed to help legitimate business emails pass through spam filters, not to facilitate bulk or unsolicited communications.

Need Expert Assistance?

If this all seems too technical or time-consuming, remember that you don't have to navigate it alone. As a certified Google Workspace Partner, Kimbley IT specialises in helping businesses like yours leverage Google Workspace to its fullest potential, ensuring your emails consistently land where they belong – in the inbox, not the spam folder.

Book a video call with us today to discuss how we can help your business optimise its email deliverability and get the most from Google Workspace. Let us handle the technical complexities so you can focus on what you do best.