Set up SPF, DKIM, DMARC for a domain with Google Workspace mailboxes

Amplemarket Dev
Amplemarket Dev
  • Updated

SPF, DKIM and DMARC are email security protocols, that once set up, prove your emails are legitimate, thus preventing them from being marked as Spam.

 

SPF

Step 1: Find your Domain DNS management page

This is where you domain was bought and is managed (e.g. GoDaddy, Cloudflare, etc).

If you don't have access to the login credentials, share this guide with someone in your organization who does, usually the IT team, or the person that bought the domain.

You'll need access to the domain management page to set up SPF, DKIM and DMARC.

Step 2: Update or create an SPF record

Search for a TXT record starting with v=spf1:

  • If you find one: jump to the Update an SPF record section.
  • If you do not find any SPF record, go to section below.

Create an SPF record

  1. Add the new SPF record and save changes
    Type Host Value TTL
    TXT Record
    @
    v=spf1 include:_spf.google.com ~all
    5 min
  2. Make sure you Save Changes.
  3. Your record is now created, move to Step 3: Validate your SPF setup.

Update an SPF record

To update the existing SPF record, you will need to add include:_spf.google.com  to the record's Value field.

For example, your current record value may look like this:

v=spf1 ip4:1.2.3.4 include:thirdparty.com ~all

After the update, it should be this:

v=spf1 ip4:1.2.3.4 include:thirdparty.com include:_spf.google.com  ~all

Step 3: Validate your SPF setup

If the validation fails, it may be because DNS changes can take a while to propagate. Try again in a couple of minutes.

Within Amplemarket

  1. Go to the Domain Health Center
  2. Find a mailbox for the domain you just configured, and press the Authentication cell
  3. Press Run tests to run an Authentication check
  4. Once completed, the SPF should now show as pass

Outside Amplemarket

If you don't have access to Amplemarket you can verify if your SPF is correctly setup on a free tool like: https://mxtoolbox.com/spf.aspx

Common SPF Error Cases

Multiple SPF Records

You can not have multiple spf records for the same Host.

If you do, you will need to merge them into one.

For example, if you have 3 SPF records:

Type Host Value TTL
TXT Record
@
v=spf1 include:_spf.google.com  ~all
5 min
TXT Record
@
v=spf1 ip4:1.2.3.4 ~all
5 min
TXT Record
@
v=spf1 include:thirdparty.com ~all
5 min

You will need to transform them into just one, be editing one of them and deleting the others, the final result should be only record with the v=spf1 for the @ Host.

Type Host Value TTL
TXT Record
@
v=spf1 ip4:1.2.3.4 include:thirdparty.com include:_spf.google.com  ~all
5 min

Malformed SPF Record

This could be a typo or a misplaced element.

Copy and paste the record you have to this SPF syntax checker to help you find the issue: https://vamsoft.com/support/tools/spf-syntax-validator

DKIM

Step 1: Find your Domain DNS management page

This is where you domain was bought and is managed (e.g. GoDaddy, Cloudflare, etc).

If you don't have access to the login credentials, share this guide with someone in your organization who does, usually the IT team, or the person that bought the domain.

You'll need access to the domain management page to set up SPF, DKIM and DMARC.

Keep this page opened as you'll need it later

Step 2: Generate DKIM keys on Google Workspace

  1. Go to your Google Workspace Admin Panel - DKIM Authentication page
  2. Select your domain
  3. Press the GENERATE NEW RECORD button
  4. Keep this page opened as you'll need it later

Step 3: Create the DKIM DNS Records

    1. Copy record from Google Workspace to Cloudflare's DNS settings page
    2. Add them as new CNAME records in your DNS management page that you opened earlier.
    3. Go back into Google Workspace and press START AUTHENTICATION
    4. START AUTHENTICATION may fail as it can take a couple of minutes (at worst hours) for Google to recognize the new DNS records you just created. Please try again if that's the case.
    5. The setup is now complete, move to the next section to validate it.

Step 4: Validate you DKIM setup

If the validation fails, it may be because DNS changes can take a while to propagate. Try again in a couple of minutes.

Within Amplemarket

  1. Go to the Domain Health Center
  2. Find a mailbox for the domain you just configured, and press the Authentication cell
  3. Press Run tests to run an Authentication check
  4. Once completed, the DKIM should now show as pass

Outside Amplemarket

If you don't have access to Amplemarket you can verify if your DKIM is correctly setup on a free tool like: https://mxtoolbox.com/dkim.aspx

Use selector1 and selector2 as the selector values

Common DKIM Error Cases

Malformed DKIM Records

This means the DKIM record has an incorrect format, usually caused by mistakenly adding an extra character. Please double check your records, and/or copy/paste them again.

Email body altered after DKIM signature

This can happen when there's special configurations on your email servers to change outgoing emails. It's best to contact your IT department with this issue, since it will affect deliverability.

DKIM Signed from different domain

Your emails have a DKIM signature that did not originate from your domain. This means you haven't performed the DKIM setup for your domain, go to the DKIM setup section of this guide.

DKIM Signed with default Google signature

Google automatically signs all outgoing email with their default DKIM signature.

If you'd like to have an optimal setup for deliverability you can go to the DKIM setup section of this guide, to set up a DKIM signature coming from your domain.

DKIM Signature did not match

Your DKIM record is outdated and it does match the one that Google is using.

Complete the steps in the DKIM setup section of this guide.

    •  

DMARC

Step 1: Find your Domain DNS management page 

This is where you domain was bought and is managed (e.g. GoDaddy, Cloudflare, etc).

If you don't have access to the login credentials, share this guide with someone in your organization who does, usually the IT team, or the person that bought the domain.

You'll need access to the domain management page to set up SPF, DKIM and DMARC.

Step 2: Create a DMARC Record

  1. Add a new DMARC record and save changes
    Type Host Value TTL
    TXT Record
    _dmarc
    v=DMARC1; p=none;
    5 min
    You can learn more about different DMARC policies on microsoft's documentation.

Step 3: Validate your DMARC setup

If the validation fails, it may be because DNS changes can take a while to propagate. Try again in a couple of minutes.

Within Amplemarket

  1. Go to the Domain Health Center
  2. Find a mailbox for the domain you just configured, and press the Authentication cell
  3. Press Run tests to run an Authentication check
  4. Once completed, the DMARC should now show as pass

Outside Amplemarket

If you don't have access to Amplemarket you can verify if your DMARC is correctly setup on a free tool like: https://mxtoolbox.com/dmarc.aspx

Common DMARC Error Cases

Multiple DMARC Records

Keep only one of records, delete the others.

DMARC records are TXT type records, with _dmarc on the Host option.

Malformed DMARC Record

This could be a typo or a misplaced element.

Copy and paste the record you have to this DMARC syntax checker to help you find the issue: https://vamsoft.com/support/tools/dmarc-policy-validator

Malformed Email on the rua and/or ruf option

Your DMARC record has a rua and/or ruf option with a malformed email address.

Please check the syntax of the email address.

Copy and paste the record you have to this DMARC syntax checker to help you find the issue: https://vamsoft.com/support/tools/dmarc-policy-validator

 

Was this article helpful?

0 out of 0 found this helpful

Have more questions? Submit a request