How to set up a DNS record, SPF, DKIM and DMARC for Google Email Addresses

It's incredibly important to make sure you have the right DNS records set up for your domain before you start doing any sending (even warm-up)! Starting to send without proper DNS records can result in getting flagged for spam or even worse, blacklisted.

Hold up! ✋ You might already have these DNS records set up. Before you add the records below, look at your DNS settings first to see whether you already have an SPF, DKIM and DMARC record. If you already have one, two or all of them in your DNS records, then you don't need to add the ones below. None of these are specific to Mailshake; they are just needed on your domain.

You can verify that all DNS settings were set up correctly here.

Now that you've checked your domain's DNS settings, follow the steps below for the records you need to add:

  • SPF
  • DKIM
  • DMARC

In our examples, we bought our domain using Google Domains, so we're logged into domains.google.com (not Google Admin Console).

SPF 🕵️

SPF, short for Sender Policy Framework, is an email authentication method designed to detect forged sender addresses during email delivery. Basically, it helps prevent spoofing so others can't pretend to send from your email address and mail providers know that you are you.

Reminder: If you already have an SPF record that includes "v=spf1 include:_spf.google.com ~all" you don't need to set it up again.

Set up your SPF record

  1. Sign into your domain account on your domain host's site (not your Google Admin Console).
    • This might be GoDaddy, Squarespace, Namecheap, Google Domains, etc.
  2. Go to the page for updating your domain’s DNS records.
    • This might be called DNS Management, Name Server Management, Advanced Settings, or simply DNS

  3. Find your TXT records and check if your domain has an existing SPF record.
    • The SPF record starts with “v=spf1…”
  4. If your domain already has an SPF record, you may not need to change anything
    • First, if you have a TXT record that has "v=spf1 include:_spf.google.com ~all" then your SPF record is already set up and you can skip the next SPF steps
    • If the SPF record is different, delete the SPF record, then move on to step 5
  5. Create a TXT record with these values:
    • Name/Host/Alias: @ or leave blank
      • Other DNS records for your domain might indicate the correct entry
    • Type: TXT
    • Time to Live (TTL): 3600 or leave the default
    • Value/Data/Destination: v=spf1 include:_spf.google.com ~all

  6. Click Save

Note: SPF Records can take 48-72 hours to propagate. We recommend waiting to start sending until your SPF has been propagated. You can use a tool like MX Toolbox to check this.
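The check in steps 3 and 4 can also be done in code once you have copied the TXT values out of your DNS page. The following is an added example, not Mailshake's own tooling: it classifies the TXT strings at the domain root, including the case where two SPF records exist at once, which receivers treat as an error. The function name, status labels and sample values are assumptions made for the illustration.

```python
# Added example: sample TXT values below are constructed, not real DNS data.
GOOGLE_INCLUDE = "include:_spf.google.com"      # mechanism from the page's record
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def audit_spf(txt_records):
    """Classify the TXT strings found at the domain root (Name/Host '@').

    Returns (status, detail); status is one of:
    missing, permerror, incomplete, weak, differs, ok.
    """
    spf = [r.strip() for r in txt_records
           if r.strip().lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return "missing", "no SPF record; create one (step 5)"
    if len(spf) > 1:
        # RFC 7208 section 4.5: more than one SPF record yields permerror
        return "permerror", f"{len(spf)} SPF records; publish exactly one"
    terms = spf[0].lower().split()[1:]
    all_terms = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not all_terms:
        return "incomplete", "record has no 'all' mechanism"
    # A bare 'all' carries the implicit '+' qualifier
    qualifier = all_terms[0][0] if all_terms[0][0] in QUALIFIERS else "+"
    if qualifier == "+":
        return "weak", "'+all' authorizes every sender, which defeats SPF"
    if GOOGLE_INCLUDE not in terms:
        return "differs", "Google's servers are not authorized; step 4 applies"
    others = [t for t in terms if t not in (GOOGLE_INCLUDE, all_terms[0])]
    detail = f"Google authorized, other mail gets {QUALIFIERS[qualifier]}"
    if others:
        detail += f"; also authorizes {' '.join(others)}"
    return "ok", detail


SAMPLE_ROOT_TXT = [                      # constructed sample
    "google-site-verification=EXAMPLE-PLACEHOLDER",
    "v=spf1 include:_spf.google.com ~all",
]

if __name__ == "__main__":
    print(audit_spf(SAMPLE_ROOT_TXT))
```

A record that comes back "ok" with extra mechanisms listed already covers Google while authorizing other senders too.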

DKIM 🔐

DomainKeys Identified Mail, also known as DKIM, is a protocol that enables organizations to take accountability for message transmission. This is achieved through a signing process that allows mailbox providers to authenticate the message.

Now for DKIM, you'll need access to both your Google Admin and your Domain's DNS records.

Reminder: If you already have a DKIM record in your DNS records, you do not need to create a new DKIM record.

Setting up your DKIM record

  1. Log into your Google Admin: admin.google.com
  2. Click Menu, then Apps, then Google Workspace, and finally Gmail

  3. On the Gmail page, click Authenticate Email

  4. Check the Status
    • If you see Authenticating Email with DKIM then you don't need to set up a new DKIM

    • If you see a different status, click Generate a DKIM Key and move on to Step 5
  5. Now, head to your domain host's site (not your Google Admin Console).
    • This might be GoDaddy, Squarespace, Namecheap, Google Domains, etc.
  6. Create a DNS TXT Record with the DKIM Key generated in step 4
    • Name/Host/Alias: google._domainkey
    • Type: TXT
    • Time to Live (TTL): Leave the default
    • Value/Data/Destination: The special DKIM key in your Google Admin settings
  7. After creating the DNS TXT Record in your domain with the DKIM Key, go back to Google Admin
  8. Click Start Authenticating.
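A DKIM value pasted in step 6 can be checked before you click Start Authenticating. The following is an added example, not Mailshake's or Google's code: it checks the strings stored at google._domainkey for the two usual paste problems, a single string longer than the 255 characters a TXT string can hold and a truncated key. It assumes an RSA key, and the function name and the placeholder key are constructed for the illustration.

```python
import base64

MAX_TXT_STRING = 255   # DNS limit for one quoted string inside a TXT record


def check_dkim_txt(chunks):
    """Check the quoted strings published at google._domainkey.

    Returns a list of problems; an empty list means the record looks usable.
    """
    problems = [f"string {i} is {len(c)} chars (max {MAX_TXT_STRING})"
                for i, c in enumerate(chunks) if len(c) > MAX_TXT_STRING]
    record = "".join(chunks)     # receivers join the strings with no separator
    tags = {}
    for part in filter(str.strip, record.split(";")):
        name, _, value = part.partition("=")
        tags[name.strip().lower()] = "".join(value.split())  # drop whitespace
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1")
    key = tags.get("p")
    if key is None:
        problems.append("no p= tag; paste the whole value from Google Admin")
    elif key == "":
        problems.append("p= is empty, which marks the key as revoked")
    else:
        try:
            der = base64.b64decode(key, validate=True)
        except ValueError:       # binascii.Error is a ValueError subclass
            problems.append("p= is not valid base64 (truncated or altered paste)")
        else:
            if der[:1] != b"\x30":   # DER SEQUENCE tag that opens an RSA public key
                problems.append("p= does not decode to a DER-encoded key")
    return problems


# Constructed placeholder with the length of a 2048-bit RSA key; not a real key.
_FAKE_P = base64.b64encode(b"\x30" + bytes(293)).decode()
SAMPLE_VALUE = "v=DKIM1; k=rsa; p=" + _FAKE_P
SAMPLE_CHUNKS = [SAMPLE_VALUE[i:i + MAX_TXT_STRING]
                 for i in range(0, len(SAMPLE_VALUE), MAX_TXT_STRING)]

if __name__ == "__main__":
    print(check_dkim_txt(SAMPLE_CHUNKS) or "record looks usable")
```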

DMARC 👮

DMARC is an acronym for a reason. The full name is Domain-based Message Authentication, Reporting, and Conformance. Basically, this record tells receiving mail servers what to do with messages that don't align or authenticate with SPF and DKIM.

In the past, if you had SPF and DKIM, there was no need for this. But now, it's required! Without it, expect damage to your domain's reputation and your emails to eventually start landing in spam.

Reminder: If you already have a DMARC record in your DNS records, you do not need to create a new DMARC record.

Set up your DMARC record

  1. Sign into your domain account on your domain host's site (not your Google Admin Console).
    • This might be GoDaddy, Squarespace, Namecheap, Google Domains, etc.
  2. Go to the page for updating your domain’s DNS records.
    • This might be called DNS Management, Name Server Management, Advanced Settings, or simply DNS
  3. Add this TXT Record to your DNS:
    • Host Name: _dmarc
    • Type: TXT
    • VALUE (with email): v=DMARC1; p=none; rua=mailto:email@yourdomain.com

      The email version will send reports to whatever email you put in there. 

  4. Click Save

If you need help with formatting the DMARC Record, we like this DMARC record generator.

Note: We suggest starting with a "none" policy in your DMARC record to gather data and observe how your emails are processed without impacting their delivery. This lets you identify any legitimate emails that might fail DMARC checks.

After about 2-4 weeks of monitoring and ensuring that legitimate emails are passing DMARC checks, you can switch to the "quarantine" policy. This will direct emails that fail DMARC checks to the spam or junk folder, allowing you to see what's being affected.

If, after another 2-4 weeks, the quarantine policy isn't causing any major issues and things seem stable, you can then move to the "reject" policy. This will ensure that emails failing DMARC checks are outright rejected and not delivered.
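The staged rollout above can be tracked by parsing the record you published. The following is an added example, not Mailshake's own code: it validates a _dmarc TXT value, reports whether a reporting address is present, and names the next policy in the none, quarantine, reject sequence. The function names and result fields are assumptions made for the illustration.

```python
# Added example: the records passed in by the usage line are constructed.
POLICY_STAGES = ["none", "quarantine", "reject"]   # rollout order from the page


def parse_dmarc(record):
    """Parse a _dmarc TXT value into {tag: value}; raise ValueError if unusable."""
    tags = {}
    for part in (p.strip() for p in record.split(";") if p.strip()):
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"tag without '=': {part!r}")
        tags[name.strip().lower()] = value.strip()
    # RFC 7489: the version tag comes first and its value is exactly DMARC1
    if next(iter(tags.items()), None) != ("v", "DMARC1"):
        raise ValueError("record must start with v=DMARC1")
    tags["p"] = tags.get("p", "").lower()
    if tags["p"] not in POLICY_STAGES:
        raise ValueError("p= must be none, quarantine or reject")
    return tags


def review_dmarc(record):
    """Summarize a record against the none -> quarantine -> reject plan."""
    tags = parse_dmarc(record)
    rua = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    findings = [f"rua entry is not a mailto: address: {u}" for u in rua
                if not u.lower().startswith("mailto:") or "@" not in u]
    if not rua:
        findings.append("no rua= address, so no aggregate reports will arrive")
    stage = POLICY_STAGES.index(tags["p"])
    return {
        "policy": tags["p"],
        "report_to": rua,
        "enforcing": stage > 0,          # p=none only monitors
        "next_policy": POLICY_STAGES[stage + 1] if stage < 2 else None,
        "findings": findings,
    }


if __name__ == "__main__":
    print(review_dmarc("v=DMARC1; p=none; rua=mailto:email@yourdomain.com"))
```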
