Google has announced recently that they will show an alert if they can’t authenticate the identity of the sender, in both the Gmail website, Android, and Apple iPhone, instead of showing your contact photo. Read on to see how to do something about this by setting up DKIM and SPF on your domain.

Setting up DKIM and SPF

The key to this is enabling sender authentication using DKIM or SPF, technologies designed to authenticate that email is from someone authorized to send from that domain.

How you set this up varies depending on your email provider. For standard cpanel hosting the easiest option is to set up an SPF record. For FastMail, our email provider, has instructions for DKIM here and SPF here.

To set up DKIM for Google apps you login to the admin console and choose “apps” (which may be under “more controls” at the bottom of the screen), choose Google Apps, Gmail, then Authenticate Email. You need to enable DKIM for your domain, then copy the TXT record value. You then need to go into your DNS provider, which can be your domain registrar, your web host, or a third party like CloudFlare and enter this information, as shown below. They key points are:

• The record type is TXT
• The record name is google._domainkey
• You need to copy and paste the value that Google generates for you

 

 

 

SPF is relatively simple to set up. You simply create another TXT record with the name set as your domain (without the WWW), and the value as below. If you don’t need

v=spf1 a mx include:_spf.google.com ~all

Or if you have another IP that needs to be able to send on your behalf (eg a shopping cart or your website) use the format below

v=spf1 ip4:ANOTHERIP a mx include:_spf.google.com ~all

 

One thing to note is with some domain registrars you need to enter a dot (ie full stop) at the end of your domain name in the name field. So the name of the DNS record might be “photographerstechsupport.com.”. You’ll need to consult documentation or technical support to determine this, or simply follow the format of existing records.

How to Check If DKIM and SPF are Working

Of course you’ll want to check if DKIM and SPF are working. You should give it 24 hours to work from when you set this up. The easiest way is to send a message from the email account you set this up for to another email service, preferably a reliable service that checks these records. With the received email you’ll need to “view source”, “view headers”, or “view raw message”. This will show you a lot of confusing looking text, but you’re looking for something like this.

Authentication-Results: mx3.messagingengine.com;
 dkim=pass (2048-bit rsa key) header.d=(removed).com header.i=@(removed).com header.b=TIw/94Hh;
 dmarc=none (p=none) header.from=(removed);
 spf=pass smtp.mailfrom=(removed) smtp.helo=mail-it0-f67.google.com;
 x-google-dkim=pass (2048-bit rsa key) header.d=1e100.net [email protected] header.b=Kax/fJce
Received-SPF: pass
 ((removed): Sender is authorized to use '(removed)' in 'mfrom' identity (mechanism 'include:_spf.google.com' matched))
 receiver=mx3.messagingengine.com;
 identity=mailfrom;
 envelope-from="(removed)";
 helo=mail-it0-f67.google.com;
 client-ip=209.85.214.67

If you see any failures you’ll need to do some problem solving. MXToolbox is an excellent site to help diagnose email issues, for example checking if records exist, but at this point you may need to engage the services of a professional who really understands this area.