This guide explains how to set up the SPF, DKIM and DMARC DNS records when using Google as your email service provider.
When you send emails, mailbox providers (such as Gmail, Outlook, AOL and Yahoo) need to identify whether the message is a legitimate email sent from the owner of the domain name or email address, or a forged email sent by a spammer or phisher.
There are three established methods used to verify a sender's identity. These are SPF, DKIM, and DMARC. We recommend setting up these email authentication methods for several reasons.
The most common reasons are:
Improve your deliverability by authenticating your emails properly. Email providers are much less likely to send emails to spam if they are properly authenticated.
Build a reputation as an email sender on your own domain name. DKIM authentication in particular helps build your reputation as an email sender.
Enforce stricter security on your domain name. Authentication standards such as DMARC help protect your domain name from fraudulent use by spammers and phishers who want to hurt your reputation or scam your customers.
SPF - Sender Policy Framework
SPF (Sender Policy Framework) records are TXT records on your domain that authorize certain servers to send mail using your domain name.
Sign into your domain management account on your domain host's site.
This can be GoDaddy, Cloudflare, Namecheap, etc., or whichever provider you purchased your domain from.
Navigate to the page for updating your domain’s DNS records
It should be called DNS Management, Name Server Management, or Advanced Settings
Create a new TXT record with these values:
Name/Host/Alias - Enter @ or leave blank
Other DNS records for your domain might indicate the correct entry.
Time to Live (TTL) - Enter 3600 or leave the default.
Value/Answer/Destination - Enter: v=spf1 include:_spf.google.com ~all
The new record can take up to 48 hours to take effect.
DKIM - DomainKeys Identified Mail
DKIM (DomainKeys Identified Mail) is essentially a signature that a sender applies to their email messages. The signature lets the receiver confirm that the purported sender of the message is actually the sender of the message. Any domain can be used as the signing domain. For example, at mailivery we sign our messages with the mailivery.io domain to confirm that the message was actually sent by mailivery.
Log into your Google Admin dashboard at admin.google.com
In the navigation menu on the left-hand side: Menu > Apps > GSuite > Gmail > Authenticate email
Generate a DKIM Key
Create a DNS TXT Record with the DKIM Key generated in the previous step.
Again, go to your domain provider (GoDaddy, Cloudflare, Namecheap, etc.)
After creating the DNS TXT Record in your domain with the DKIM key, you can start authenticating.
DMARC - Domain-based Message Authentication, Reporting, and Conformance
DMARC (Domain-based Message Authentication, Reporting & Conformance) is a standard that builds on top of SPF and DKIM. It allows the domain owner to create a policy that tells email service providers (such as Google or Microsoft) what to do if email fails SPF and DKIM checks.
Go to your domain manager. Find DNS Management or Settings.
Add this TXT Record to your DNS:
Host Name: _dmarc
VALUE (with email): v=DMARC1; p=quarantine; rua=mailto:{email}; pct=90; sp=none
With the email version, reports are sent to the email address you entered in place of {email}.
You can also create a record without the email for reports:
VALUE (no email): v=DMARC1; p=quarantine; pct=90; sp=none
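The SPF and DMARC values above can be checked before they are published. The following is an added example, not part of the original guide: it parses the record strings shown in the SPF and DMARC sections and lists what each setting means in practice. The function names and the address reports@example.com are assumptions made for illustration.

```python
# Added example, not from the original guide: offline checks of the TXT
# values shown above. reports@example.com is a constructed placeholder.
SPF = "v=spf1 include:_spf.google.com ~all"
DMARC = "v=DMARC1; p=quarantine; rua=mailto:reports@example.com; pct=90; sp=none"
DMARC_NO_RUA = "v=DMARC1; p=quarantine; pct=90; sp=none"

def audit_spf(txt_values):
    """Check all TXT values at the domain root; return a list of findings."""
    spf = [v for v in txt_values if v.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        # More than one v=spf1 record makes receivers return permerror.
        return [f"expected exactly 1 SPF record, found {len(spf)}"]
    findings = []
    last = spf[0].split()[-1].lower()
    if last.lstrip("+-~?") != "all":
        findings.append("record does not end with an 'all' mechanism")
    elif last[0] == "~":
        findings.append("~all: unlisted senders get softfail, not fail")
    elif last[0] in "+a":  # a bare "all" defaults to the + qualifier
        findings.append("+all: every server passes SPF")
    return findings

def audit_dmarc(record):
    """Parse one _dmarc TXT value; return (tags, findings)."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if not record.strip().startswith("v=DMARC1"):
        return tags, ["not a DMARC record: v=DMARC1 must be the first tag"]
    findings = []
    policy = tags.get("p", "")
    if policy not in ("none", "quarantine", "reject"):
        findings.append("p= is missing or invalid")
    # When sp= is absent, subdomains inherit p= (RFC 7489).
    if tags.get("sp", policy) == "none" and policy in ("quarantine", "reject"):
        findings.append(f"sp=none: subdomains are exempt from p={policy}")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua=: no aggregate reports will be sent")
    return tags, findings

if __name__ == "__main__":
    print(audit_spf([SPF]))
    for rec in (DMARC, DMARC_NO_RUA):
        print(audit_dmarc(rec)[1])
```

Pass audit_spf every TXT value found at the domain root, since an existing SPF record from another mail service is the usual cause of the duplicate-record finding.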