DKIM, DMARC, SPF Setup for Google Workspace and Squarespace
This article has been updated - see the updates.
Just a heads up: This article has some affiliate links (marked with a *). If you click on one of these and buy something, I get a little bit of money, but it doesn't cost you anything extra.
Did you know that nearly 1 in every 5 emails never makes it to the intended inbox? By 'intended inbox,' I mean the primary inbox where it's most likely to be seen.
Instead, these emails might end up in secondary tabs like Promotions or Social, or worse, in the dreaded spam folder.
To steer your emails back on track, think of setting up DKIM, DMARC, and SPF as creating a '2-factor authentication' for your emails. It's a double-check system to make sure your emails are not only delivered but trusted.
In this blog, we're diving into the world of DKIM, DMARC, and SPF setup, but this time we're focusing on Google Workspace and Squarespace. Last time we tackled ActiveCampaign and Squarespace.
Whether you're a Google Workspace guru or just starting out, I've got you covered with easy-peasy steps. So, let’s roll up our sleeves and get those emails shining in the inbox spotlight!
DKIM, DMARC, and SPF and Their Significance
DKIM (DomainKeys Identified Mail): This is like a digital signature for your emails, ensuring they're genuinely from you.
DMARC (Domain-based Message Authentication, Reporting, and Conformance): Think of DMARC as the manager overseeing your email's security policies. It decides what happens to emails that don't pass the authenticity check:
reject it (emails get sent back to the sender)
quarantine it (emails get sent to the spam or junk folder)
or let it slide through with a warning (no action monitor).
Then it sends you an email reports on who's trying to use your domain to send emails.
SPF (Sender Policy Framework): SPF is like the guest list at the door of your email's party. It lists which mail servers are allowed to send emails on behalf of your domain (ex: email marketing platform like ActiveCampaign*, email service providers like Google Workspace, or other tools used in your biz for sending emails (like Dubasado).
When managing your email authentication, it's important to note that each email service you use requires its own unique DKIM key. For instance, if you're using Google Workspace for client communications and ActiveCampaign for sending out newsletters, each will need a distinct DKIM key. This is crucial because it ensures that emails sent from each platform are independently verified, enhancing security and authenticity.
If you're using other platforms like ThriveCart, Honeybook, or Dubsado for sending emails, they've probably got your back with DKIM setup.
Why? Because those emails don’t usually come directly from your domain. But hey, just to be super sure everything's on point, a quick message to their support team can give you that sweet peace of mind.
And here’s some chill news: when it comes to SPF and DMARC records, it's a one-time deal. No matter how many email services you're juggling, you just need one SPF and one DMARC record for your entire domain.
How to add DKIM, DMARC, SPF
This is for my Google Workspace users with their domain hosted with Squarespace (or Google - now owned by Squarespace 🙃).
DKIM
You’re going to be bouncing back and forth from Google Workspace to Squarespace, then back to Google Workspace. So don’t close any tabs or windows yet.
In Google Workspace:
Log in to your Google Admin Console ↗.
At the left panel, click on “Apps” > “Google Workspace” > “Gmail” > “Authenticate Email”
3. Select your domain > click on “Generate new record”
4. A blue screen will pop up. Click “Generate” at the bottom right.
5. Now we’re going to copy this data over to your Squarespace DNS records.
In Squarespace:
Before you make any changes to your record, be sure to take a screenshot of what's already there, just in case you need to go back to your old settings.
1. Open the Squarespace Domains Panel ↗.
2. Click on “Domains managed by Squarespace”.
3. At the top right, click on “Edit DNS”.
4. Scroll down to “Custom Records” and click on “Add Record”.
5. Then update the record as below:
You can copy the Host (Name) and Data (Value) from the “In Squarespace” section above at Step 3.
Data:
Copy and paste from Google Workspace
Host:
google._domainkey
6. Then head back to Google Admin Console ↗ and press “Start Authentication”.
7. If you see this red message below, come back within 48 hours to see if the message goes away by clicking on “Start Authentication” again by following “In Google Workspace (after waiting 48 hours)”.
In Google Workspace (after waiting 48 hours) :
Log in to your Google Admin Console ↗.
At the left panel, click on “Apps” > “Google Workspace” > “Gmail” > “Authenticate Email”
3. Click on “Start Authentication”.
4. It should update to say “Stop Authentication”. Then, you’re all set! Now time to set up your DMARC record.
Seeing red messages?
If you see a red message like the above, try again the next day. It may need more time to update or troubleshoot by using Google’s guide.
If you see this red message “DKIM authentication settings update failed” and you don’t see any red message, you probably just need to refresh your browser.
Once you do so, click on the “Start Authentication” button again and it should update to “Stop Authentication”.
If you need more support, check out this detailed DKIM guide from Google.
DMARC
We only need to set this up once. So check to see if you have _dmarc listed already in your DNS records. If you do, you can skip this setup.
In Squarespace:
Click on “Domains managed by Squarespace”.
At the top right, click on “Edit DNS”.
Scroll all the way down to “Custom Records” and click on “Add Record”.
Then update the record as below:
Data:
Email Reports: v=DMARC1; p=none; pct=100; rua=mailto:youremail@example.com
No Email Reports: v=DMARC1; p=none;
Host:
_dmarc
DMARC Policy Settings
Remember how early we talked about the benefits of setting up your DMARC record? Where you can set the policy settings to:
- None: Let emails slide through with a warning
- Quarantine: Send emails to the spam or junk folder
- Reject: Send emails back to the sender
For this setup, we're going to play it cool and start with the 'none' policy – that's what 'p=none' is all about in our data column. Think of it as training wheels while you're getting the hang of your DKIM setup. We don't want any oopsies messing with your email's journey to the inbox.
Once you start getting those DMARC reports, you can think about setting up a stricter policy – using 'quarantine' or 'reject'. For recommendations on how to set up a stricter policy, swing by dmarc.org for the deets.
Make DMARC Reports Easy to Read
And let's be real, DMARC reports in XML format aren't exactly a breeze to read. Pro tip? Pair up with a DMARC Monitoring tool like DMARC Digests.
SPF
We only need one record of this. So check to see if you have v=spf1 listed already in your DNS records (under the “Data” column). If you do, you can add 'include:_spf.google.com' in the syntax.
Click on “Domains managed by Squarespace”.
At the top right, click on “Edit DNS”.
Scroll all the way down to “Custom Records” and click on “Add Record”.
Then update the record as below:
Data:
v=spf1 include:_spf.google.com ~all
Host:
@
If you set up DKIM records for other mail servers, you’ll want to include that’s sender’s domain in the existing record (you can get that from searching their help documentation).
For example, for just Google Workspace, it will look like this: v=spf1 include:_spf.google.com ~all
If you’re setting up for two senders, (ActiveCampaign and Google Workspace), it would look like this: v=spf1 include:emsd1.com include:_spf.google.com ~all
However, be careful about including too much of this syntax 'include' in your SPF setup. There is typically a limit of 10. Any more than that can cause delays in email processing and do the opposite of what we want it to do – sending the emails to the spam folder.
So for the ActiveCampaign and Google Workspace example, you don’t need to include ActiveCampaign’s domain (include:emsd1.com) since they handle it already.
If you need more support, check out this detailed SPF guide from the ActiveCampaign Postmark Team or this detailed SPF guide from Google.
Verifying Your Setup
Alright…so let’s see how you did, shall we?
Send an email message to your personal Gmail account.
Open the message and click on the three-dotted icon > Show original
3. In the message header, look for SPF, DKIM, and DMARC. They should all say “Pass”
After you've got your DKIM, DMARC, and SPF all set up, the next step is making sure everything's running smoothly. And for this, let me introduce you to another FREE tool – Google Postmaster Tools. It's like having a health checkup for your emails, specifically for Gmail.
Using this tool will give you:
Inbox Insights: Get the scoop on where your emails are landing in Gmail users' inboxes. Are they hitting the inbox or getting lost in spam?
Check Your Rep: These tools give you a lowdown on how Gmail views your domain. Are you the email equivalent of a trusted friend or that unknown caller at midnight?
Spam Stats: Ever wonder if your emails are being marked as spam? This tool spills the beans.
Authentication Check: This is where you see if all your hard work on setting up DKIM, DMARC, and SPF is paying off.
Just sign up for Google Postmaster Tools with your domain and update your DNS records with your unique data (this will be given to you when you sign up):
Key Takeaways
✓ About 1 in every 5 emails ends up somewhere it shouldn't. To fix this, we use special tools (DKIM, DMARC, and SPF) that act like a security check, making sure your emails go where they're supposed to.
✓ DKIM
- It's like a secret seal on your email that proves it's really from you.
- Each email service you use needs its own DKIM.
✓ DMARC
- This one's like a manager. It checks your emails and decides what to do with them if they don't have the seal. It also tells you who's trying to send emails pretending to be you.
- One DMARC record is enough, no matter how many email services you use.
- Start with a 'soft' setting on your DMARC (p=none) to avoid messing up your email delivery. Later, you can make it stricter based on the reports you get.
- DMARC reports can be tough to understand. Use tools like DMARC Digests to make sense of them.
✓ SPF:
- This is your guest list. It tells email services which mail carriers are allowed to deliver emails for you.
- One SPF record is enough, no matter how many email services you use. Be sure to update your SPF record whenever you add a new email service.
- Don’t go overboard with too many 'include' entries. Too many can cause your emails hitting the spam folder.
✓ Use a site called dmarcian.com to make sure everything is set up right. It's like a final check to make sure your email security is good to go.
✓ Use Google Postmaster Tools to gain valuable insights into your email's performance in Gmail, including inbox placement, domain reputation, spam rates, and the effectiveness of your DKIM, DMARC, and SPF setups.
FAQ
Do I really need DKIM, DMARC, and SPF for my emails?
If you're sending business emails, newsletters, or communicating with anyone for business, you need them. Without this update, your emails will hit the spam folder.
How often should I check or update these email security settings?
It's a good idea to check them periodically, especially if there are changes in your email service providers or if you start using new tools that send emails. Generally, reviewing them once or twice a year should be sufficient.
Can I use the same DKIM, DMARC, and SPF settings for different email platforms?
For DKIM, each platform needs its setup — so list out all the platforms that are sending emails on your behalf, including transactional emails (think Squarespace, Shopify, ThriveCart, Acuity, Honeybook, Dubsado, et).
But SPF and DMARC? One per domain, no matter how many email platforms you're using. Just be sure to update your SPF record whenever you add a new email service.
How can I check if my emails are DMARC, DKIM, and SPF compliant?
You can use various online tools to check your settings.
For email service providers such as Google Workspace, Microsoft 365, Zoho Mail, etc, you can use this tool to check.
Email marketing platforms such as ActiveCampaign, Mailchimp, MailerLite, etc. may have their own tool to check. If you’re using ActiveCampaign, use this tool to check. Just be sure that you enter your domain as “websitename.com” and not one of these variations: “www.websitename.com” or “https://www.websitename.com”.
If you want to go the extra mile, this video with Rache from Squarestylist provides a comprehensive checklist in her description to manually check your setup.
Download the Checklist
Inside the checklist you’ll get:
✓ What you need to do to stay compliant with the email changes.
✓ An organizer to save you time in figuring out what you need to get set up.
✓ A list of experts that you can connect with to help you set up your DNS records.
Conclusion
There you have it – the essentials of securing your emails with DKIM, DMARC, and SPF.
Now's the time to put this knowledge into action. Head over to your DNS settings, get these email safeguards in place, and see the difference it makes in your email delivery.
If you get stuck or prefer for me to take over your setup, check my availability and get on my calendar.
-
February 5, 2024 - Updated “Verifying Your Setup” walkthrough
February 2, 2024 - Updated with checklist resource, links to sources, and images for walkthrough.
Related Posts
Hey, I’m Helen. I’m an SEO and web design strategist. My goal is to help you get found and look good in the digital space 🫶🏻
Let’s get social