Google has announced recently that they will show an alert if they can’t authenticate the identity of the sender, in both the Gmail website, Android, and Apple iPhone, instead of showing your contact photo. Read on to see how to do something about this by setting up DKIM and SPF on your domain.
Setting up DKIM and SPF
How you set this up varies depending on your email provider. For standard cpanel hosting the easiest option is to set up an SPF record. For FastMail, our email provider, has instructions for DKIM here and SPF here.
To set up DKIM for Google apps you login to the admin console and choose “apps” (which may be under “more controls” at the bottom of the screen), choose Google Apps, Gmail, then Authenticate Email. You need to enable DKIM for your domain, then copy the TXT record value. You then need to go into your DNS provider, which can be your domain registrar, your web host, or a third party like CloudFlare and enter this information, as shown below. They key points are:
- The record type is TXT
- The record name is google._domainkey
- You need to copy and paste the value that Google generates for you
SPF is relatively simple to set up. You simply create another TXT record with the name set as your domain (without the WWW), and the value as below. If you don’t need
v=spf1 a mx include:_spf.google.com ~all
Or if you have another IP that needs to be able to send on your behalf (eg a shopping cart or your website) use the format below
v=spf1 ip4:ANOTHERIP a mx include:_spf.google.com ~all
One thing to note is with some domain registrars you need to enter a dot (ie full stop) at the end of your domain name in the name field. So the name of the DNS record might be “photographerstechsupport.com.”. You’ll need to consult documentation or technical support to determine this, or simply follow the format of existing records.
How to Check If DKIM and SPF are Working
Of course you’ll want to check if DKIM and SPF are working. You should give it 24 hours to work from when you set this up. The easiest way is to send a message from the email account you set this up for to another email service, preferably a reliable service that checks these records. With the received email you’ll need to “view source”, “view headers”, or “view raw message”. This will show you a lot of confusing looking text, but you’re looking for something like this.
Authentication-Results: mx3.messagingengine.com; dkim=pass (2048-bit rsa key) header.d=(removed).com [email protected](removed).com header.b=TIw/94Hh; dmarc=none (p=none) header.from=(removed); spf=pass smtp.mailfrom=(removed) smtp.helo=mail-it0-f67.google.com; x-google-dkim=pass (2048-bit rsa key) header.d=1e100.net [email protected] header.b=Kax/fJce Received-SPF: pass ((removed): Sender is authorized to use '(removed)' in 'mfrom' identity (mechanism 'include:_spf.google.com' matched)) receiver=mx3.messagingengine.com; identity=mailfrom; envelope-from="(removed)"; helo=mail-it0-f67.google.com; client-ip=184.108.40.206
If you see any failures you’ll need to do some problem solving. MXToolbox is an excellent site to help diagnose email issues, for example checking if records exist, but at this point you may need to engage the services of a professional who really understands this area.