Gmail: Configure DKIM, SPF, and DMARC

Before using Gmail with Mojo Helpdesk, configure DKIM, SPF, and DMARC records for your domain. These DNS-based settings authenticate outgoing emails and prevent them from being flagged as spam or spoofed.

To make things practical and relatable, we’ll use the email address mojomailbox@metadot.com as an example.

Set up DKIM

DKIM adds a digital signature to outgoing emails so receiving servers can verify they were sent from your domain.

Log in to Your DNS Provider's Management Console:

This is where DNS settings for your domain are managed (e.g., AWS Route 53, GoDaddy, Cloudflare).

Generate a DKIM Key in Google Admin Console:

  1. Sign in to the Google Admin Console.
  2. Go to Apps > Google Workspace > Gmail > Authenticate email.
  3. Select your domain if you manage multiple domains.
  4. Click Generate new record. Google provides a DKIM key in this format:
    1. Name: google._domainkey
    2. Type: TXT
    3. Value: v=DKIM1; k=rsa; p=YOUR_PUBLIC_KEY
  5. Add this TXT record in your DNS provider's management console.
  6. Return to the Admin Console and click Start authentication to enable DKIM signing.

DNS changes can take up to 48 hours to propagate before DKIM signing becomes active.

Enable DKIM Signing:

  1. After saving the record in your DNS and waiting for propagation, return to the Admin Console.
  2. Click Start Authentication or Turn On to enable DKIM signing for your domain.

Check SPF

Verify Your SPF Record:

  • SPF ensures authorized servers can send emails on behalf of your domain.
  • Check your existing DNS records for an SPF TXT record. It might look like:

v=spf1 include:_spf.google.com ~all

Update the SPF Record if Missing or Incorrect:

If no SPF record exists, create a new TXT record with the following:

  • Name: @ (or leave it blank, depending on your DNS provider).
  • Type: TXT.
  • Value: v=spf1 include:_spf.google.com ~all.

If an SPF record exists but doesn't include Google's servers, update the value to ensure it contains include:_spf.google.com.

Verify Propagation:

  • Use a tool like dig or MXToolbox SPF Checker to confirm the SPF record is correctly configured.

Configure DMARC

Add a DMARC Record:

  • DMARC ensures that SPF and DKIM align and specifies how to handle unauthorized emails.
  • Add a TXT record with the following:
    • Name: _dmarc (or _dmarc.metadot.com if your provider requires the full domain).
    • Type: TXT.
    • Value:v=DMARC1; p=quarantine; rua=mailto:postmaster@metadot.com

Customize Policy and Reporting:

  • Replace postmaster@metadot.com with your desired email address for DMARC reports.
  • You can adjust the p= policy:
    • none: Monitor emails without enforcement.
    • quarantine: Flag unauthorized emails as spam.
    • reject: Block unauthorized emails.

Test the DMARC Record:

  • Use a tool like DMARC Analyzer to confirm correct setup.

Verify the configuration

Use the following tools to confirm DKIM, SPF, and DMARC are configured correctly:

For mail server configuration options, see Bring Your Own Mail Server to Mojo Helpdesk.