Email authentication

Email authentication is what keeps your messages out of spam and stops others spoofing your domain. Four records work together. Set them up once, in your DNS, after your domain is live (see Domain & DNS).

The four records

  • MX routes incoming mail to your provider (for example Google). Without it, mail sent to you never arrives.
  • SPF lists which servers may send mail as your domain. Receivers use it to spot forgeries.
  • DKIM adds a signature to outgoing mail so receivers can confirm it wasn't tampered with.
  • DMARC tells receivers what to do with mail that fails SPF or DKIM, and sends you reports.

Step 1: MX records (incoming mail)

Google gives you 5 MX records in the Admin Console setup wizard. Add all 5 to your DNS:
Priority
Server
1
5
5
10
10
Remove any old MX records from a previous provider.

Step 2: SPF (who can send)

Add one TXT record at the domain root (@):
v=spf1 include:_spf.google.com ~all
Only one SPF record per domain. If you also send through a newsletter or CRM tool, add it to the same record. Don't create a second one:
  • Google + Brevo: v=spf1 include:_spf.google.com include:spf.brevo.com ~all
  • Google + Sendgrid: v=spf1 include:_spf.google.com include:sendgrid.net ~all

Step 3: DKIM (signing)

  1. Admin Console → Apps → Google Workspace → Gmail → Authenticate email.
  2. Generate new record for your domain.
  3. Add the TXT record Google gives you (name like google._domainkey, a long value starting v=DKIM1...).
  4. Wait up to 24-48 hours, then return and click Start authentication.
Each sending tool (Brevo, Sendgrid, Mailchimp) needs its own DKIM, set up in that tool and added to DNS.

Step 4: DMARC (the policy)

Add a TXT record named _dmarc:
v=DMARC1; p=none; rua=mailto:dmarc@yourorg.org; pct=100
Start with p=none (monitor only). Moving to a stricter policy before every sender is set up will send your own mail to spam.
Progression: start at p=none, set up all senders with SPF and DKIM, watch reports for 2-4 weeks, move to p=quarantine, then eventually p=reject.

Step 5: Test

Send test mail to a Gmail, an Outlook/Hotmail, and a work address. Check it lands in the inbox and that SPF and DKIM pass (view the headers). Useful tools:
  • mail-tester.com, a deliverability score out of 10.
  • mxtoolbox.com, checks your DNS records.

Common senders (SPF includes)

Service             SPF include
Google Workspace    include:_spf.google.com
Brevo               include:spf.brevo.com
Sendgrid            include:sendgrid.net
Mailchimp           include:servers.mcsv.net

Common issues

Mail goes to spam. Check SPF has no typos, DKIM is active (green in Admin Console), and DMARC exists (even p=none). Confirm your newsletter tool is in SPF and has DKIM.
DKIM not working. Propagation can take 48 hours. Check the record name matches Google's exactly and the long value wasn't truncated.
SPF failures. Only one SPF record may exist. Merge all senders into it.
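
The checks above can be run over a copy of your TXT records before you publish a change. The following is an added example, not part of the original guide: the function names are hypothetical, the record values are constructed samples, and it reads the TXT values you pass in rather than querying DNS.

```python
# Added example: offline audit of TXT records against this page's SPF/DMARC rules.
# All record values below are constructed samples, not real DNS answers.
def is_spf(record):
    return record.lower().split()[:1] == ["v=spf1"]

def merge_spf(records):
    """Combine several SPF records into one, de-duplicated, with a single 'all' last."""
    terms, all_term = [], "~all"
    for record in records:
        for term in record.split()[1:]:
            if term.lstrip("+-~?").lower() == "all":
                if term.startswith("-"):  # keep a hard fail if any record had one
                    all_term = "-all"
            elif term not in terms:
                terms.append(term)
    return " ".join(["v=spf1", *terms, all_term])

def parse_dmarc(record):
    """Return the tag=value pairs of a DMARC record as a dict."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def audit(root_txt, dmarc_txt, senders):
    """root_txt: TXT values at '@'; dmarc_txt: TXT values at '_dmarc'; senders: SPF hosts in use."""
    findings = []
    spf = [r for r in root_txt if is_spf(r)]
    if not spf:
        findings.append("SPF: no record at the domain root")
    elif len(spf) > 1:
        findings.append("SPF: %d records found, replace with: %s" % (len(spf), merge_spf(spf)))
    for host in senders:
        if not any("include:" + host in r.split() for r in spf):
            findings.append("SPF: sender %s is not included" % host)
    dmarc = [parse_dmarc(r) for r in dmarc_txt if r.upper().startswith("V=DMARC1")]
    if len(dmarc) != 1:
        findings.append("DMARC: expected exactly one record, found %d" % len(dmarc))
    elif dmarc[0].get("p") == "none":
        findings.append("DMARC: p=none is monitor only, nothing is enforced yet")
    if dmarc and "rua" not in dmarc[0]:
        findings.append("DMARC: no rua= address, so no aggregate reports")
    return findings

# Constructed sample: a domain where a second SPF record was added for Brevo.
ROOT_TXT = ["v=spf1 include:_spf.google.com ~all",
            "v=spf1 include:spf.brevo.com ~all", "site-verification=constructed-sample"]
DMARC_TXT = ["v=DMARC1; p=none; rua=mailto:dmarc@yourorg.org; pct=100"]

print("\n".join(audit(ROOT_TXT, DMARC_TXT, ["_spf.google.com", "spf.brevo.com"])))
```

For the sample it reports the duplicate SPF record with the merged replacement, and notes that the DMARC policy is still monitor only.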


A Moral Fabric pattern, free for any nonprofit to use and adapt.