Issues setting up SPF, DKIM and DMARC - using only Google Workspace + Mailerlite

Hi everyone, just trying to set up SPF and DKIM (and DMARC?) for our small company switching to the new domain: future-matters.org. I have all three in my Cloudflare DNS records, but there are some issues. We’re only going to be sending emails via our Google Workspace associated with the email, with Gmail activated - and soon, MailerLite for our newsletter.

Somehow, whatever I do, Gmail doesn’t confirm the DKIM authentication. At Apps > Google Workspace > Settings for Gmail > Authenticate email, it just keeps saying in red “Email authentication was not verified. Please allow 48 hours for DNS to update and make sure you entered the correct TXT record into your domain provider’s DNS settings page.”

On SPF, mail-tester.com says it is working - with the record below:

v=spf1 a mx include:_spf.google.com include:_spf.mlsend.com ?all

https://www.mail-tester.com/test-yl8hfvpgi&reloaded=1

But Cloudflare says “SPF policy: N/A” at the top. Plus, a bunch of emails apparently sent by Google and Amazon (why Amazon?) on our behalf all failed - some were bounced calendar invites etc, where it seems legitimate (and as our website was noindexed so far, with just a few people on the team step by step getting their emails switched over to the new domain already for testing, I wouldn’t see how this would be spammers imitating us).

All I want to do is set this up well but it’s looking complex to really understand. I would greatly appreciate any advice on how to proceed and whether I have a problem here.

Update: To me, using various tools it appears that my SPF and DKIM are actually fine (Google just doesn’t turn green or anything, the only “confirmation” I got now was that it says “Authenticating” and the button has switched to saying “Stop authenticating”).

But the question still remains of whether to take all those Google and Amazon (no idea how/why Amazon) IPs into our SPF so they don’t fail DMARC anymore (right? So that I can someday turn the DMARC to “reject” instead of “None” like now?).

There is another topic from today with exactly the same problem. DKIM record seems to be set up correctly, but Google is stuck on “Authenticating”:

Your SPF record could probably be changed to v=spf1 include:_spf.google.com include:_spf.mlsend.com -all
Having A and MX in there doesn’t make much sense as your A record is proxied anyway.

That’s because of the question mark operator at the end. Change that to a -.

Definitely not. Find out if someone in your organization is using methods of sending email other than via workspace. If not, that’s most likely spam.

Doesn’t matter. Your domain has a certificate, so the domain appears on lists of issued certificates. The domain is public knowledge for all practical purposes.

A lot of the spam mails I receive are calendar invites.

4 Likes
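What the suggested change does to the record, as an added example (not code from this thread, Cloudflare, Google or MailerLite): a small offline parser that reads the two SPF records quoted above, reports the verdict the `all` term gives to senders not listed, and counts top-level terms that cost a DNS lookup (RFC 7208 allows 10 per evaluation). The function names are hypothetical, and no DNS queries are made, so lookups inside nested includes are not counted.

```python
import re

# Qualifier prefix -> SPF result when the term matches (RFC 7208).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Terms that each cost one DNS lookup; RFC 7208 allows at most 10 per check.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
TERM = re.compile(r"^([A-Za-z][A-Za-z0-9_.-]*)([:=/].*)?$")

# The two records quoted in the thread.
ORIGINAL = "v=spf1 a mx include:_spf.google.com include:_spf.mlsend.com ?all"
SUGGESTED = "v=spf1 include:_spf.google.com include:_spf.mlsend.com -all"


def parse_spf(record):
    """Return a list of (result, name, value) for each term after v=spf1."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("SPF record must start with v=spf1")
    terms = []
    for raw in parts[1:]:
        qualifier = "+"  # an omitted qualifier means pass
        if raw[0] in QUALIFIERS:
            qualifier, raw = raw[0], raw[1:]
        match = TERM.match(raw)
        if not match:
            raise ValueError(f"malformed term: {raw!r}")
        value = (match.group(2) or "").lstrip(":=")
        terms.append((QUALIFIERS[qualifier], match.group(1).lower(), value))
    return terms


def audit_spf(record):
    """Summarise what the record tells receivers about unlisted senders."""
    terms = parse_spf(record)
    default = next((res for res, name, _ in terms if name == "all"), None)
    lookups = sum(1 for _, name, _ in terms if name in LOOKUP_TERMS)
    findings = []
    if default in (None, "neutral", "pass"):
        findings.append("this record gives no fail verdict for unlisted senders")
    if lookups > 10:
        findings.append("more than 10 DNS-lookup terms: result is permerror")
    return {"default": default, "lookups": lookups, "findings": findings}


if __name__ == "__main__":
    for label, rec in (("original", ORIGINAL), ("suggested", SUGGESTED)):
        print(label, audit_spf(rec))
```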

@Laudian, thank you so much. All that is very, very helpful orientation.

I’ll change the SPF record, that makes sense. Ugh, thanks for the clarity on that.

Wild that the Google and Amazon DMARC fails might all be spam attempts to spoof our domain, done by someone completely different. Good to know. I don’t understand the calendar invites thing, is it to make it look legitimate to webmasters like me so they greenlight that IP? Or is it just how spammers try to reach people, sending a calendar invite?

1 Like

No idea about other systems, but my iPhone will automatically search mails for calendar events and ask me if I want to add them to the actual calendar app.

So spammers make sure I actually look at what they want me to see, even if I never open their email. But this only happens for email that is not sent to the spam folder.

2 Likes

Ha, wow. I see.

Want to say: Thank you for taking the time today and giving me some orientation and confidence in doing our move! MVP '24 indeed.
