Setup a new Business on Google Workspace

Marco BettioloMarco Bettiolo
3 min read

Table of contents

Full guide coming soon ...

Reduce the likelihood of Gmail getting into spam

First of all, go and check with the Google MX Toolbox what is the situation with your domain. You will get a report like the below:

The output will help you identify what is needed for an optimal setup.

Setup SPF records

An SPF (Sender Policy Framework) record identifies the mail servers and domains that are allowed to send emails on behalf of your domain.

  • Go to your DNS provider and setup a TXT record with the name of your domain followed by a "dot", ie example.com. and the value of:

  •     v=spf1 include:_spf.google.com ~all

  • Your DNS provider should end up being configured like this:

A detailed guide on configuring SPF records is available from Google.

Setup DKIM records

DKIM, or DomainKeys Identified Mail, is an email authentication method that uses a digital signature to let the receiver of an email know that the message was sent and authorized by the owner of a domain.

  • Go to https://admin.google.com and click on Apps -> Google Workspace -> Gmail

  • On the list of options select Authenticate email

  • Click on GENERATE NEW RECORD and you will get the below:

  • Now go to your DNS provider and create a new TXT record with the value in the box. Should look something like this:

  • Click the START AUTHENTICATION button. When DKIM setup is complete and working correctly, the status at the top of the page changes to Authenticating email with DKIM.

  • Well done for making your emails safer, remember to check on Google MX Toolbox that everything is OK

A detailed guide on configuring DKIM records is available from Google.

Setup DMARC records

Domain-based Message Authentication Reporting & Conformance (DMARC) is an email security protocol. DMARC verifies email senders by building on the Domain Name System (DNS), DomainKeys Identified Mail (DKIM), and Sender Policy Framework (SPF) protocols.

A recommended value to begin with is:

v=DMARC1; p=none; rua=mailto:dmarc@example.com

This means that when emails fail the DMARC validation, they will still be delivered to the recipient and a report will be sent to dmarc@example.com. This will let you review the reports and decide if you want to send the emails that fail the validation to the spam folder or reject them.

  • Go to your DNS provider and setup a TXT record with the name of _dmarc.example.com with the value above. Of course, instead of example.com, you should configure your domain name.

  • The configuration of the DMARC TXT record on your DNS provider should be:

To improve the handling of rejections follow this tutorial by Google. To see all the possible parameters read this article on Google.

A detailed guide on configuring DMARC records is available from Google.

Setup MTA-STS records

Mail Transport Agent Strict Transport Security (MTA-STS) is a new internet standard that allows you to enable strict force-TLS for email sent between supported email providers. It is similar to HTTP Strict Transport Security (HSTS), where a force-TLS policy is set and then cached for a specified amount of time, reducing the risk of man-in-the-middle or downgrade attacks.

Follow this detailed guide from Google.

Conclusion

If all goes well, Google MX toolbox should do a nice and green report like this:

0
Subscribe to my newsletter

Read articles from Marco Bettiolo directly inside your inbox. Subscribe to the newsletter, and don't miss out.

googleworkspacespamDKIMspfDMARC

Written by

Marco Bettiolo
Marco Bettiolo