How to add Google Apps DKIM (DomainKeys) and SPF records to DNS

(Note: As of 12/7/2012, Google Apps is no longer offering free accounts… dang it!!)

While I lease server space and host my own sites, I’ve had a lot of issues over the years with the mail server. Sometimes I don’t get emails that I should or some emails get massively delayed. So the solution I went with was to use an external mail server. Google has a free service that allows you to use their mail servers, called Google Apps.

Google Apps offers more than just free email services, but that’s all I’ll focus on here. If you go to the Google Apps site, they’ll try to get you to sign-up for a demo of their premium services (not free). However, there is a free option if you click on Pricing. There, you’ll see a FREE option that allows you to have up to 10 users (plenty for a small website). Go ahead, sign up.

Once you get all signed-up and squared away, you’ll need to update your MX records to show Google’s servers. This page will show you the correct values: Google’s MX record values

The MX changes will take some time to propagate and take effect, but once they do, you’re all set to send/receive mail! BUT… there are a couple more steps you should take to ensure that the mail you’re sending/receiving is properly authenticated. That’s where Sender Policy Framework(SPF) and DomainKeys Identified Mail(DKIM) comes into play.

  • Sender Policy Framework (SPF) is an email validation system designed to prevent email spam by detecting email spoofing, a common vulnerability, by verifying sender IP addresses.
  • DomainKeys Identified Mail (DKIM) is a method for associating a domain name to an email message, thereby allowing a person, role, or organization to claim some responsibility for the message.

 

SPF

To setup SPF, you’ll need to add a TXT entry to your DNS record. If you use CPanel, you can do it from the “Advanced DNS Zone Editor”. The entries should be similar to this:

    Name: yourdomain.com.
    TTL: 300
    Type: TXT
    TXT Data: v=spf1 include:_spf.google.com ~all

And yes, that period(.) should be there at the end of your domain name. For additional information, see Google’s page about creating SPF records.

 

DKIM

Setting up DKIM is fairly easy to do as well. First, login to your Google Apps account and head to the “Domain Management” section. Next, click on “Advanced tools”. Scroll down to the very bottom, click “Set up email authentication (DKIM)”.

Next, click “generate new record”. Leave the default “google” selector there, click “Generate”. You’ll need both of the values that were generated (text record name and value). Keep that page open, and go add another TXT entry to your DNS record as follows:

    Name: google._domainkey
    TTL: 300
    Type: TXT
    TXT Data:v=DKIM1; k=rsa; p=MIGfMA0GCS………………..AB

That’s it! It may take a day or so for all your changes to fully propagate through the ‘net, but that’s all you have to do. Next… you’ll want to run some tests.

 

Testing Tools

Now that you have SPF and DKIM setup, you’ll want to run some quick tests to ensure everything is working. There are four sites that I’ve found very useful for this.

1) www.Mail-Tester.com – This site is just awesome! Upon visiting, you’ll be presented with a randomly-generated email address. Copy this address and send a blank email to it. Next, click “Then Check Your Score”. It will retrieve your email and run a quick analysis on it. You’ll see the results clearly displayed, with explanations. Don’t worry if you don’t get a 10/10 right away. I’ve found it takes about a full day before your DNS fully propagates. Once that happens, you can expect a 10/10 (unless you have other issues, or typed something wrong in your DNS).

2) DKIM Key Checker – A simple tool for checking to see if your DKIM key is configured correctly and working. Simply enter “google” as your selector (unless you used something else) along with your domain and click “Check Key”.

3) SPF Query Tool – Another simple tool to check your SPF record. Just type in your domain name and click “Get SPF Record”. If all is well, you’ll get a message that says, “SPF record passed validation test with pySPF (Python SPF library)!“.

4) DNSsy – DNS Test and Check – This is an additional tool that I found very helpful, not just for SPF and DKIM. It will analyze everything about your domain’s DNS records and display the results in an easy-to-read table format.

Lastly…

If you use a mail client to send/receive mail (such as Thunderbird, Outlook, etc.), make sure to update your account settings! Since you are now sending/receiving mail through Google’s servers, you need to make sure your mail client’s settings reflects that. Here are the settings I use:

INCOMING MAIL SETTINGS:
Mail Server: pop.gmail.com
Username: you@yourdomain.com (your actual email address)
Port: 995
Connection Security: SSL/TLS
Authentication Method: Normal password

OUTGOING MAIL SETTINGS:
Server Name: smtp.googlemail.com
Port: 465
Username: you@yourdomain.com (your actual email address)
Authentication Method: Normal password
Connection Security: SSL/TLS