Configure SPF DKIM and DMARC record for gmail

Setting up SPF, DKIM, and DMARC for Google Workspace ensures your emails are authenticated, prevents spam, and improves deliverability.

What Are SPF, DKIM, and DMARC?

• SPF (Sender Policy Framework): It specifies which mail servers are allowed to send emails on behalf of your domain. Why? Prevents unauthorized servers from sending emails, reducing spam and phishing.

• DKIM (DomainKeys Identified Mail): Adds a digital signature to your emails, ensuring they aren't tampered with during transit. Why? Ensures the integrity of the message and verifies that it originated from your domain.

• DMARC (Domain-based Message Authentication, Reporting, and Conformance): Sets policies for how recipient servers should handle SPF/DKIM failures and provides reports. Why? Protects your domain from misuse and provides visibility into unauthorized email usage.
  
  

Learn More in Advance

What Happens If an MX (Mail Exchange) record is Not Added or Incorrect? a) if the MX record is missing or incorrect, emails sent to your domain (e.g., yourname@yourdomain.com) will fail or bounce back with an error of "530 5.7.0 Authentication Required." b) Emails Might Go to the Wrong Server – If the MX record points to the wrong mail server, emails may be misrouted or undelivered. What Happens If SPF is Not Added or Incorrect? a) Emails May Go to Spam – Without SPF, email providers may not trust your emails and send them to the spam folder. b) Emails Might Be Rejected – Some mail servers may block or reject emails from your domain. c) Hackers Can Fake Your Emails – Without SPF, anyone can send fake emails pretending to be from your domain (email spoofing). What Happens If DKIM is Not Added or Incorrect? A DKIM record is a DNS record that adds a digital signature to your emails. It helps email providers verify that the email was not tampered with during delivery and actually comes from your domain. a) Emails May Go to Spam – Email providers may not trust your emails and move them to the spam folder. b) Emails Might Be Rejected – Some mail servers may block or reject unsigned emails. c) Hackers Can Modify Your Emails – Without DKIM, attackers could alter email content during transmission without detection. What Happens If DMARC is Not Added or Incorrect? (Domain-based Message Authentication, Reporting, and Conformance) a) Higher Risk of Spoofing – Without DMARC, it's easier for attackers to send fake emails that appear to come from your domain. b) Emails May Be Treated as Less Trustworthy – Without DMARC, your emails may have a lower chance of passing security checks, leading to delivery issues or them being marked as spam. c) No Visibility into Email Failures – Without DMARC, you won’t receive reports to see if someone is attempting to use your domain for fraudulent purposes.


Before Going to Diagnose lets know the email status by following.

• EMail Tester : https://app.mailgenius.com/
• DNS Lookup   : dig domain.com ANY
• Mxtoolbox    :

Step 1: Add SPF Record

Log in to your domain registrar's DNS settings.
Add a new TXT record:

• Name/Host: @ or leave blank
• Type: TXT
• Value: v=spf1 include:_spf.google.com ~all

Step 2: Set Up DKIM

Go to the Admin Console in Google Workspace:

Navigate to Apps > Google Workspace > Gmail > Approve mail "Configure a mail authentication (DKIM)"

• Generate DKIM Key:

Select your domain and click Generate New Record.
Choose 2048-bit for better security.

• Add the DKIM Key to DNS:

Copy the generated TXT record details.

In your domain's DNS settings:

• Name/Host: google._domainkey
• Type: TXT
• Value: Paste the DKIM key provided by Google.

Return to the Admin Console and click Start Authentication.

• Verify DKIM: https://dkimcore.org/

Step 3: Set Up DMARC

 
Create a DMARC Policy:
Add a TXT record in your DNS settings:

• Name/Host: _dmarc
• Type: TXT
• Value: v=DMARC1; p=none; rua=mailto:subhash@tech2towards.com