
How do we set up InSided DKIM for use with our Google Workspace email domain?

Hey there @rrodrigues !

I happen to have G Suite for Nonprofits myself, so I can offer some advice here. What I’d need to ask though, is whether your domain was purchased and managed via Google Domains, or with some other Domain Registrar instead, such as your web hosting provider? The exact steps will vary slightly depending on this, so it would help to make sure I know which one applies.

It’s also worth noting that setting this stuff up requires more than just DKIM. You also need to make sure that SPF, DMARC and DKIM are ALL fully and correctly configured, otherwise you will break email delivery!

I can’t make changes for you and can’t easily suggest appropriate records, but I can definitely give you advice and tips on where to look. :)


Hi @Blastoise186 thanks for replying. The domain we use for our Google Workspace account was not registered with Google domains.


Perfecto, thanks @rrodrigues .

In that case, I can definitely give you the details you need based on how I’ve got my setup. These steps assume that you’ve got your nameservers configured to a web host that uses a cPanel/WHM setup. While the exact steps may differ slightly if you’ve got something else like Plesk or DirectAdmin instead, the basic flow should be fairly similar for the most part.

This is going to be a long one, but I’ll do my best to explain things without being too complicated.

Most importantly, these steps are based on cPanel 92. Things do change between versions, so I can’t promise these exact steps will work if your web host has a newer or older version installed.

I might consider writing this up later on as a more proper guide as well.

For anyone else reading this, may I please draw your attention to the fact that these instructions involve some advanced technical steps. If you’re at all unsure about what to do at any time, please DO NOT proceed and instead seek assistance from inSided and your web host/domain registrar.

:warning: CAUTION: Misconfiguration of DNS and Email Deliverability related records such as SPF, DMARC and DKIM can result in disruption to your email systems/services and will almost certainly break your ability to send emails out or allow spammers to spoof your domain. Please make sure to note down what your existing settings were before making any changes, so that you can revert back if you need to. Ideally, take a backup of everything first as well. If automated backups are enabled and have run recently, you may be able to recover simply by restoring from backup if needed.

Remember, you should NOT remove any existing SPF record when you add something new such as inSided to it (please edit the existing record instead!). The only time you should remove something from SPF is if you no longer need it to be in there, such as if you’ve stopped using a particular service (in which case you should also remove the related DKIM record for that service).

The first thing you’ll want to do, is double check that your existing SPF, DMARC and DKIM Records are already configured correctly. Google Workspace will have helped you out with this during the onboarding flow from their end, and your web host can help as well.

My recommended setup order is DKIM > SPF > DMARC. I like to recommend this exact order because it makes sure all the right settings are in place before you start enforcing them. You can do them all in one go of course and the DNS records will propagate out to all the DNS servers around the world anyway within 72 hours. But it never hurts to do it in this order anyway. :)

Most importantly, if you’re using cPanel then I definitely recommend firing up the Email Deliverability tool to make your life a lot easier! You can use that to double check everything looks good. Please don’t add inSided unless it is. If you’re still stumped, Google has a pretty sweet tool over at https://toolbox.googleapps.com/apps/checkmx/ which can also be a lifesaver. Make sure it reports everything as good!

Once you’re happy with all of that so far, you’ll want to grab the DKIM Public Key for your community from inSided. I’m not sure if you can find it in Control, so you may need to contact support to request it. When you’ve got that handy, head into cPanel > Zone Editor > Manage > Add TXT Record. You can then fill the details in from there, using the info from inSided (don’t forget to save!). If done correctly, you should have something like this example.

I know some providers prefer to use CNAME records for DKIM instead of giving you a DKIM key directly. If that’s the case, inSided will let you know. But 99% of places don’t do it that way anyway.

Once that’s added, you’ll need to set up (or update) the SPF and DMARC Records. Fortunately, that’s also fairly simple. I strongly recommend setting up SPF just before DMARC, so that other email servers don’t get confused.

Default SPF Records are sometimes automatically generated for you and you probably also have one already if Google Workspace is set up. So if you’re on cPanel, head into Email Deliverability > Manage. Then under SPF, click Customize and you can then add the appropriate details from inSided. As with DKIM, you might need to ask inSided support for the details. While you can do this from Zone Manager, I recommend going via Email Deliverability because it can help you get the syntax right.

And finally, there’s DMARC. This one’s probably one of the easiest out of the three to set up. :)

Based on the cPanel setup as mentioned, here’s an example of what you’ll need. You may want to start with Quarantine 5% first and then slowly ramp up to Quarantine 100% before switching to Reject 100%. You’ll need to go into Zone Editor > Manage > Add DMARC Record for this one!

Remember, DMARC needs to be set up under your primary domain! Subdomains are automatically included.

The reason I recommend starting out with just Quarantine 5% is so that you can make sure things are working. As you get more confident, slowly crank it up by say, 5% per week until you’re at Quarantine 100%, then you’ll want to start to switch to Reject 100% only once you’re completely happy (please run at Quarantine 100% for at least a few weeks before going to Reject!). The main warning signs to look for are legitimate emails that don’t get delivered properly (or hit spam!). If this happens, you’ll want to double check SPF, DMARC and DKIM are correct and fix any mistakes, then resume testing.

You may also want to set up reporting alerts in DMARC as well during this time, so that you can be informed about any issues.

I hope this helps. While the exact steps may vary in some setups, the basic concepts will be the same no matter what you’ve got and the resulting records would be the same anyway (the main differences would be more about how you add them).


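The checks described in the post above (one edited SPF record rather than a second one, a published DKIM key, a single DMARC record with a staged `pct` and a reporting address) can be run against the TXT records before and after each change. This is an added example, not part of the original post and not inSided's or cPanel's own tooling; the domain `example.org`, the selector `community`, the host `spf.vendor.example` and the key value are constructed placeholders.

```python
# Constructed sample zone: example.org, selector "community" and the host
# spf.vendor.example are placeholders, not inSided's real values.
ZONE = {
    "example.org": ["v=spf1 include:_spf.google.com include:spf.vendor.example ~all"],
    "community._domainkey.example.org": ["v=DKIM1; k=rsa; p=QUJDRA=="],  # dummy key
    "_dmarc.example.org": ["v=DMARC1; p=quarantine; pct=5; rua=mailto:dmarc@example.org"],
}

def parse_tags(record):
    """Split a 'tag=value; tag=value' DKIM/DMARC record into a dict."""
    parts = (p.partition("=") for p in record.split(";"))
    return {k.strip().lower(): v.strip() for k, _, v in parts if k.strip()}

def check_spf(txts, required_includes):
    spf = [t for t in txts if t.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:  # two SPF records make receivers return permerror
        return [f"expected exactly one SPF record, found {len(spf)}"]
    terms = spf[0].split()
    problems = [f"missing include:{h}" for h in required_includes
                if f"include:{h}" not in terms]
    if terms[-1] not in ("~all", "-all"):
        problems.append("record should end in ~all or -all")
    return problems

def check_dkim(txts):
    tags = parse_tags(txts[0]) if txts else {}
    if tags.get("v", "DKIM1") != "DKIM1" or not tags.get("p"):
        return ["no usable DKIM key (missing record or empty p=)"]
    return []

def check_dmarc(txts):
    recs = [parse_tags(t) for t in txts if t.strip().lower().startswith("v=dmarc1")]
    if len(recs) != 1:
        return [f"expected exactly one DMARC record, found {len(recs)}"]
    tags, problems = recs[0], []
    if tags.get("p") not in ("none", "quarantine", "reject"):
        problems.append("p= must be none, quarantine or reject")
    pct = tags.get("pct", "100")  # pct defaults to 100 when absent
    if not pct.isdigit() or int(pct) > 100:
        problems.append(f"pct={pct} is not in 0..100")
    if "rua" not in tags:
        problems.append("no rua= address, so no aggregate reports")
    return problems

def audit(zone, domain, selector, includes):
    return {
        "spf": check_spf(zone.get(domain, []), includes),
        "dkim": check_dkim(zone.get(f"{selector}._domainkey.{domain}", [])),
        "dmarc": check_dmarc(zone.get(f"_dmarc.{domain}", [])),
    }

if __name__ == "__main__":
    print(audit(ZONE, "example.org", "community",
                ["_spf.google.com", "spf.vendor.example"]))
```

To use it on a live domain, fill the dictionary with the TXT values your DNS lookup tool returns for the three names; an empty list under each key means that record passed these checks.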