5 Steps to Set Up Email Authentication: SPF, DKIM & DMARC
If your business emails are going to spam, you should set up email authentication.
It’s free and takes just a few minutes. Here are the steps to do it.
Correctly authenticating your email (and the domain it is sent from) is an important step for your business. Otherwise, the benefits from your conversion optimizations, new site design, and increased organic traffic can be lost. This guide will ensure your messages to new clients get delivered.
The Problem: Emails sent from my domain-based email address weren’t being delivered.
Right or wrong, I use my work email for some volunteer work. This involves emailing notices and schedules to large groups of people. And while everyone wants to receive them, most emails don’t require a response. So to a server, it appears that I’m spamming large groups of people with unwanted emails, most with attachments and links.
As a result, my overall deliverability has gotten worse. Just a couple of weeks ago, I emailed a new client the results of two technical site audits. But they never received the email. It seems that the attachments and links to the Google Sheets file caused it to be sent to spam. This is embarrassing and it wastes time.
The Solution: Authenticate My Email. This establishes the correct trust signals so mail servers will deliver the message.
Here’s how to do it.
5 Steps to Set Up Email Authentication
This guide shows the steps with Google Workspace (email service) and GoDaddy (domain registrar). While the interface will look a little different if you use another company, the steps are the same.
Step 1: Add Your Domain
To begin, you’ll need to add your domain name to your Google Workspace account.
- Go to the Google Workspace Admin Console. https://admin.google.com/
- Go to Account > Domains > Manage Domains.
- Click Add a Domain
- Follow the instructions to Verify your domain and Activate Gmail. This includes adding entries to your DNS via your domain registrar. Mine is GoDaddy, but they are almost all the same.
This is the furthest I went. And my domain-based email addresses have worked fine for the past 15+ years.
That is, until recently, when I started to have problems with messages going to spam/junk folders.
I fixed the problem by authenticating my email. Here’s how to do it.
Curious if your domain has already been authenticated? Go to the Check MX section of your Google Admin Toolbox.
If it hasn’t been authenticated, continue to step 2.
Step 2: Set Up Your SPF Record
An SPF record defines (limits) the mail servers that are allowed to send mail for your domain.
SPF stands for Sender Policy Framework.
This TXT record is entered in your DNS for your domain name.
If you only use Google Workspace to send email for your domain, use this line:
v=spf1 include:_spf.google.com ~all
If you want to allow other mail servers, you’ll have to enter a custom SPF record. Here’s how to set that up.
Step 3: Set Up DKIM For Your Domain
While most email providers will have a default DKIM, it is recommended to set up your own for your domain.
DKIM stands for DomainKeys Identified Mail.
Your DKIM key will be used on all outgoing messages.
- Go to the Google Workspace Admin Console. https://admin.google.com/
- Go to Apps > Google Workspace > Gmail.
- On the Gmail settings page, go to Authenticate email.
- Select the domain where you’ll be using the DKIM key. Then click Generate New Record.
- Copy your new DKIM key and paste it as a new TXT record in your domain DNS settings. Now go back to the Gmail settings page in Google Workspace Admin Console and click Start Authentication.
You’ll wait for 48 hours for the DNS to fully propagate. Then, you can move to the next step and set up DMARC for your domain.
Step 4: Set Up DMARC
This final step isn’t required but is recommended.
Using DMARC allows you to manage messages that are checked by SPF and DKIM authentication.
If there is a problem with a message (like not passing these authentications), you get notified, and you can decide how to handle it. You can choose to deliver, reject, or send to spam.
In its most basic form, here’s what your DMARC entry will look like.
DNS TXT Entry
Name: _dmarc
Content: v=DMARC1; p=none;
Here’s the guide to setting up DMARC.
DMARC stands for Domain-based Message Authentication, Reporting & Conformance.
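To sanity-check the record values from Steps 2 and 4 before or after publishing them, this Python sketch lints SPF and DMARC TXT strings offline. It is an added example, not part of the original guide or any Google tool. The function names and sample constants are made up for illustration, and the rules follow RFC 7208 and RFC 7489: one SPF record per domain, at most 10 DNS-lookup terms, and the meaning of the `all` qualifier and the `p` and `rua` tags.

```python
import re

# Terms that cost a DNS lookup; RFC 7208 caps them at 10 per SPF check.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def term_name(term):  # '~all' -> 'all', 'include:_spf.google.com' -> 'include'
    return re.split(r"[:/=]", term.lstrip("+-~?").lower(), maxsplit=1)[0]

def check_spf(apex_txt):
    """Findings for the TXT values published at the domain itself."""
    spf = [r for r in apex_txt if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:  # none: no policy; several: receivers return permerror
        return [f"expected exactly 1 SPF record, found {len(spf)}"]
    terms = spf[0].split()[1:]
    names = [term_name(t) for t in terms]
    findings = []
    if sum(n in LOOKUP_TERMS for n in names) > 10:
        findings.append("more than 10 DNS-lookup terms: receivers return permerror")
    if "all" not in names and "redirect" not in names:
        findings.append("no 'all' term: unlisted senders get a neutral result")
    for t in terms:
        if term_name(t) == "all" and t[0].lower() in "+a":
            findings.append("+all: every server is authorized to send")
        elif term_name(t) == "all" and t[0] == "~":
            findings.append("~all: softfail, unlisted senders are flagged, not rejected")
    return findings

def check_dmarc(dmarc_txt):
    """Findings for the TXT values published at _dmarc.<domain>."""
    recs = [r for r in dmarc_txt if r.lower().startswith("v=dmarc1")]
    if len(recs) != 1:
        return [f"expected exactly 1 DMARC record, found {len(recs)}"]
    parts = (p.partition("=") for p in recs[0].split(";"))
    tags = {k.strip().lower(): v.strip() for k, sep, v in parts if sep}
    policy, findings = tags.get("p", "").lower(), []
    if policy not in ("none", "quarantine", "reject"):
        findings.append(f"missing or invalid p= tag: {policy!r}")
    elif policy == "none":
        findings.append("p=none: monitor only, receivers are asked to take no action")
    if "rua" not in tags:
        findings.append("no rua= tag: no aggregate reports will be sent")
    return findings

# Constructed input: the two record values shown in Steps 2 and 4 of this guide.
PAGE_SPF = ["v=spf1 include:_spf.google.com ~all"]
PAGE_DMARC = ["v=DMARC1; p=none;"]

if __name__ == "__main__":
    print(*check_spf(PAGE_SPF), *check_dmarc(PAGE_DMARC), sep="\n")
```

Run against this page's values, it reports that `~all` only softfails and that `v=DMARC1; p=none;` carries no `rua=` address, so no aggregate reports arrive until one is added.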
Here is a visual guide to these steps.
Step 5: Consider Setting Up BIMI
BIMI stands for Brand Indicators for Message Identification. BIMI is pronounced bih-mee.
BIMI is a relatively new email security feature. And it works alongside your DMARC record. This is best for larger brands and organizations. Many well-known brands use BIMI, including CNN, Target, and Ikea.
To implement BIMI, you’ll need a Verified Mark Certificate (VMC) – a digital certificate proving your ownership of your trademark. And this costs USD$1299+. And you’ll need a separate VMC for each logo variation you want to use in your email.
How to Implement BIMI: Once you have your VMC issued, you can implement your BIMI by adding a TXT record in your DNS.
More about BIMI.
Do You Need BIMI? Probably not, especially if you are a small business. But it’s worth considering if you have the budget and want that extra reputation boost for email deliverability.
Monitor Your Spam Rate and Domain Reputation
Now that your email is authenticated, you can monitor it with Google Postmaster Tools.
Target Spam Rate: Below 0.1% to avoid having your messages filtered as spam. And you’ll start having trouble if your spam rate goes above 0.3%.
For more help, try these five free tools to check IP reputation and domain health.