Hi everyone, just trying to set up SPF and DKIM (and DMARC?) for our small company switching to the new domain: future-matters.org. I have all three in my Cloudflare DNS records, but there are some issues. We’re only going to be sending emails via our Google Workspace associated with the email, with Gmail activated - and soon, MailerLite for our newsletter.
Somehow, whatever I do, Gmail doesn’t confirm the DKIM authentication. At Apps > Google Workspace > Settings for Gmail > Authenticate email, it just keeps saying in red “Email authentication was not verified. Please allow 48 hours for DNS to update and make sure you entered the correct TXT record into your domain provider’s DNS settings page.”
On SPF, mail-tester.com says it is working - with the record below:
v=spf1 a mx include:_spf.google.com include:_spf.mlsend.com ?all
But Cloudflare says “SPF policy: N/A” at the top. Plus, a bunch of emails apparently sent by Google and Amazon (why Amazon?) on our behalf all failed - some were bounced calendar invites etc, where it seems legitimate (and as our website was noindexed so far, with just a few people on the team step by step getting their emails switched over to the new domain already for testing, I wouldn’t see how this would be spammers imitating us).
All I want to do is set this up well but it’s looking complex to really understand. I would greatly appreciate any advice on how to proceed and whether I have a problem here.
Update: To me, using various tools it appears that my SPF and DKIM are actually fine (Google just doesn’t turn green or anything, the only “confirmation” I got now was that it says “Authenticating” and the button has switched to saying “Stop authenticating”).
But the question still remains of whether to take all those Google and Amazon (no idea how/why Amazon) IPs into our SPF so they don’t fail DMARC anymore (right? So that I can someday turn the DMARC to “reject” instead of “None” like now?).
@Laudian, thank you so much. All that is very, very helpful orientation.
I’ll change the SPF record, that makes sense. Ugh, thanks for the clarity on that.
Wild that the Google and Amazon DMARC fails might all be spam attempts to spoof our domain, done by someone completely different. Good to know. I don’t understand the calendar invites thing, is it to make it look legitimate to webmasters like me so they greenlight that IP? Or is it just how spammers try to reach people, sending a calendar invite?
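Added example, not part of the thread: a small Python reader for SPF records that reports what the record quoted above tells receivers, using the qualifier meanings and the DNS lookup limit from RFC 7208. The function names `parse_spf` and `summarize` are made up for this illustration, and the second record in the demo is a constructed variant, not one taken from the posts.

```python
import re

# RFC 7208 qualifiers: the result returned when the mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Terms that each cost a DNS query against the limit of 10 (RFC 7208, 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
TERM = re.compile(r"^([+\-~?]?)([A-Za-z][A-Za-z0-9_.-]*)(?:([:=/])(.*))?$")

def parse_spf(record):
    """Split an SPF TXT value into (qualifier_result, name, argument) tuples."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: must start with v=spf1")
    terms = []
    for raw in parts[1:]:
        m = TERM.match(raw)
        if not m:
            raise ValueError(f"unparseable term: {raw!r}")
        sign, name, delim, arg = m.groups()
        is_modifier = delim == "="  # e.g. redirect=, exp=; modifiers have no result
        result = None if is_modifier else QUALIFIERS[sign or "+"]
        terms.append((result, name.lower(), arg or ""))
    return terms

def summarize(record):
    terms = parse_spf(record)
    names = [name for _, name, _ in terms]
    mechanisms = [name for res, name, _ in terms if res is not None]
    # Without "all": the redirect target decides, otherwise the result is neutral.
    fallback = "redirect" if "redirect" in names else "neutral"
    default = next((res for res, name, _ in terms if res and name == "all"), fallback)
    notes = []
    if "all" in mechanisms and mechanisms[-1] != "all":
        notes.append("mechanisms after 'all' are never evaluated")
    if default in ("neutral", "pass"):
        notes.append("unlisted senders are not marked as failing SPF")
    return {
        "default_result": default,
        "includes": [arg for _, name, arg in terms if name == "include"],
        # Top-level count only; lookups inside each include add to the total.
        "dns_lookup_terms": sum(name in LOOKUP_TERMS for name in names),
        "notes": notes,
    }

if __name__ == "__main__":
    # The record quoted in the post, followed by a constructed variant.
    for rec in ("v=spf1 a mx include:_spf.google.com include:_spf.mlsend.com ?all",
                "v=spf1 include:_spf.google.com -all"):
        print(rec, "->", summarize(rec))
```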