Set up DKIM, DMARC, SPF for Google Workspace will help your emails be sent to the main mailbox more, reducing the rate of spam, especially sending mass mail. But most current users do not know this even though they have been using Google Workspace for a long time. This article Lucid Gen will guide you to set up DKIM for Google Workspace properly and use the standard DKIM, DMARC, SPF configuration check tool. Come on, let’s get started now!
What are DKIM, DMARC, SPF and why are they needed
I know some of you who are just starting out wondering what these 3 are. So I also have to learn to explain it back to you in a language that “ordinary people” understand. But if you are not a technology person, reading some documents will also twist your brain.
- DKIM: To verify that the message you send is fake or authoritative from the domain owner.
- DMARC: A mail authentication protocol that helps protect domain names from unauthorized use, or email spoofing.
- SPF: To prevent spam, detect if the sender’s address is real or fake.
We need them so that outgoing mail is limited to spam. That’s the truth, but we don’t care about the details of the 3 above. The picture below is a chat of me with the Google Workspace support team, they confirm that when we set up it correctly and authenticate DKIM successfully, the outgoing mail will not be tagged as spam.
How to check if DKIM, DMARC, SPF are set up correctly?
To check if your DKIM, DMARC, and SPF settings are set up correctly, go to Google’s Check MX page. Paste your domain name into the Domain name box and then click the Run Checks! button.
For example, lucidgen.com now has a yellow warning in the DKIM and DMARC sections, then we know that lucidgen.com has set up DKIM and DMARC incorrectly. Try with your domain name and see how it goes, I guess you will also have some warning.
After I corrected the DKIM and DMARC configuration, the warnings were gone. Now lucidgen.com’s MX is green as soup. I will guide you to set up to get the same results as me!
Set up DKIM, DMARC, SPF for Google Workspace
How to set up DKIM Google Workspace
To set up DKIM for Google Workspace you need to use the most authorized account in your (or company’s) Google Workspace.
Step 1: Go to admin.google.com > search for DKIM in the search bar > click DKIM authentication.
Method 2: Click Apps > Google Workspace > Gmail > Authenticate email.
Method 3: Click admin.google.com/ac/apps/gmail/authenticateemail if you are logged in with the account with the highest permissions in Google Workspace.
Step 2: Click the Generate new record button > select the DKIM key length > click the Generate button.
I will explain a bit about the numbers 2048 and 1024 so you don’t have to wonder. In a simple easy to understand way.
- 1024: Compatible with many older email systems. Suitable for any DNS that only allows 255 characters to be filled in. Most used, temporarily Lucid Gen suggests you choose this option.
- 2048: More secure, compatible with popular mail systems such as Gmail, Outlook. Suitable for any DNS that allows the field to be filled with more than 255 characters. Will be the trend of the future.
Step 3: Copy google._domainkey and DKIM value to add to your DNS.
Step 4: Go to domain management > DNS configuration > add DKIM record as follows.
|google._domainkey||TXT||1h||Khóa DKIM của bạn|
If you don’t know how to get to the DNS configuration page, ask your domain registrar.
After you set up DKIM to DNS, it takes 48 hours for the record to take effect (according to Google). Depends on your domain registrar. Lucid Gen is using Google Domains and finds that it takes about 30 minutes to take effect.
Step 5: After you have waited 30 minutes (or more up to 48 hours), then go back to the DKIM authentication page > click the Start Authentication button to verify your domain name already has Google Workspace DKIM.
When you see the status has changed to Authencating email, you have successfully authenticated.
But if you fail to authenticate and receive a message like the one below, wait another 30 minutes to 48 hours and then click the Start Authentication button again.
Email authentication was not verified. Please allow 48 hours for DNS to update and make sure you entered the correct TXT record into your domain provider’s DNS settings page.
How to set up DMARC Google Workspace
DMARC configuration has 3 popular types introduced by Google as follows, you only choose 1 of these 3 types to add to DNS.
|_dmarc||TXT||1h||v=DMARC1; p=none; rua=mailto:email@example.com||When the outgoing mail fails to authenticate successfully > Do nothing, just send it to the recipient, and then it’s bad luck in any box. Everything is logged in the log and sent you notifications.|
|_dmarc||TXT||1h||v=DMARC1; p=reject; rua=mailto:firstname.lastname@example.org||When the outgoing mail fails to authenticate successfully > Do not send the message but return it to the sender. There is a notice for you.|
|_dmarc||TXT||1h||v=DMARC1; p=quarantine; rua=mailto:email@example.com||When the outgoing mail fails to authenticate successfully > Mark it as spam and send it to the recipient’s spam mailbox. There is a notice for you.|
According to the above explanation, the second option is the most reasonable to control unauthenticated messages. I also recommend that you choose this option. As for the decision, it’s up to each person’s preference, like me, I’m too lazy to look at the notification emails and it keeps telling me so I don’t even receive them anymore.
How to set up SPF Google Workspace
Configuring the SPF of Google Workspace is quite simple and there are no options. You just need to add both these records to DNS and you’re done.
|@||TXT||1h||v=spf1 include:_spf.google.com ~all|
|@||SPF||1h||v=spf1 include:_spf.google.com ~all|
After set up DKIM, DMARC, and SPF, go back to Google’s Check MX page to check if the status has turned completely green like Lucid Gen. If you find this article can help you to do something then please leave your comment on the article and give me a review star, your feedback will help me know that the article was good. not yet and support you if possible. Thank you!