Inbox or Spam? How Google’s 2024 Rules Could Redefine Your Email Reach.
Is your email important? Do I ask rhetorical questions?
In today's digital era, where business interactions often begin and flourish through emails, ensuring your message lands in the intended inbox is crucial. A missed email doesn't just represent lost communication; it could mean lost opportunities, clients, and revenue. Now, imagine a scenario where many of your emails don't even see the light of day. Well, that's the imminent reality many businesses are facing.
Google recently announced that they will be tightening the rules on what will and will not make it into a Gmail or Google Workspace inbox. Microsoft recently warned that if you want to ensure deliverability of your company’s custom email domain, you need to comply with Gmail’s “Email Sender Guidelines.”
Can you imagine the possibility of your emails not being delivered to Gmail or Google Workspace inboxes? That’s the world that Google is describing starting on February 1st, 2024. Google isn’t making this change to spite you, but to prevent spammers from getting through to inboxes. In this blog post, Be Co wants to help you differentiate your company’s legitimate email from spam email.
But Randall, my email is set up and working.
Is it? Let’s find out. You can go to Dmarcian, enter your email’s domain (web address) and find out. If any of the indicators on this page are red, your email does not fit the criteria for delivery to a Gmail inbox.
When you land on Dmarcian's page and enter your website’s domain, there are three main indicators that need to be checked: SPF, DKIM, and DMARC. If DMARC is yellow or green, it is acceptable according to Google. The rest (SPF and DKIM) need to be green.
How does Be Co know this problem likely affects your company’s email?
Two words: market research. When I’m looking at a prospective client, one of the first things I do is check their domain’s mail records for issues. These issues tell me whether or not a company might have a competent IT person who has taken care of their email and systems. If a company is in good standing, I can roughly assume that they have someone looking after their IT and move on to the next prospect. That said, approximately 95% of companies that I look at don’t have correctly configured email. The other day, I noticed a marketing email from my gym, Equinox, came through that didn’t meet the requirements Google is imposing. It’s not just the little guys who are messing this up either! Companies with dedicated professional IT teams are also getting this wrong.
What the heck are SPF, DKIM, and DMARC?
If you don’t like technical stuff, but Dmarcian is throwing up some red flags, let your IT person know that you’d like to fix it. You’re also welcome to book a free session with me to talk about it. If you’re curious about what all this means on a technical level, and how to fix it, keep reading.
Let’s start by defining DNS
DNS, or Domain Name System, is like the internet’s phone book. If you look up “google.com,” DNS sends back the IP address “142.261.50.232” to your computer, so it knows where to go on the internet. Email also uses DNS to route email across the internet, as well as find out if you are who you say you are.
SPF
SPF, or Sender Policy Framework, is a DNS record that lists the email servers (such as Microsoft’s Outlook or Google’s Gmail) that are allowed to send on behalf of your company (or personal) email domain.
DKIM
DKIM, or DomainKeys Identified Mail, enables your email server to cryptographically sign an email, so that the recipient email server can be certain that the email is really coming from you, and not a spammer or spoofer (someone who fraudulently sends email using your email domain).
DMARC
DMARC, or Domain-based Message Authentication, Reporting, and Conformance, tells the receiving email server how to handle the email after it checks DKIM and SPF. The options are nothing, send to spam, or reject the email entirely. With this option, you can let everyone on the internet know that unless your message is the real deal, signed, sealed, and delivered, you don’t want the recipient to get a fraudulent mail sent falsely on your behalf.
Okay, enough with the technical mumbo jumbo. How do I fix this?
It depends on your email provider, and I think this is a job for a professional systems administrator. When you are altering DNS records, you can potentially take your email or website offline. Please take EXTRA special care if you do this yourself. If you really are a DIY person, let me point you in the right direction, but don’t say I didn’t warn you.
Correcting this issue if you use Google Workspace.
If your email provider is Google Workspace, head over to Google’s really great tool called Check MX. With this tool, you can very easily check the status of your domain’s DNS records and if you’re compliant. When there is an error, the tool will link you to a Google support article which explains how to correct the issue. You’ll need to interface with your domain’s registrar (such as GoDaddy, Cloudflare, or Network Solutions) and alter or add the DNS records to fix any errors.
Configuring SPF and DKIM with Microsoft 365.
With Microsoft 365, it can be a little more complicated, as they don’t give such clear guidance on how to correct the issue, so you have to go digging in the backend to find SPF and DKIM. Make these changes with a Microsoft 365 admin account. (And as a bonus tip, make sure the admin account is a separate account from your normal email account to help prevent security breaches from spreading into your whole organization.)
When you start using Microsoft 365, it usually walks you through how to set up SPF, so this is usually done already. If SPF is not configured, head to Microsoft 365’s Domain Settings page, click the domain you’re trying to set up with SPF, and follow the instructions.
The system administrator that runs The Lazy Admin website has a good article on how to set up DKIM for Microsoft Office. If you want more details on SPF for Microsoft 365, you can read this article.
Configuring SPF for multiple email services.
If, for example, you use Microsoft 365 (Outlook) for your business email, HubSpot for your marketing email, and Shopify for your e-commerce platform that sends customer notifications, your SPF record would need to be altered to look something like this:
v=spf1 include:spf.protection.outlook.com include:5815747.spf36.hubspotemail.net include:shops.shopify.com mx -all
If we break the record down, you can see these parts:
v=spf1 – This indicates that it’s an SPF record.
include:spf.protection.outlook.com – This means we are allowlisting Microsoft 365.
include:5815747.spf36.hubspotemail.net – That’s the record that allows HubSpot to send mail on your behalf.
include:shops.shopify.com – Lastly, this part is for Shopify’s email servers.
mx – Indicates that the mail servers listed in your domain’s MX records are allowed to send.
-all – This means that you are sure you have listed all email servers that can send on your behalf. If you are unsure that you have included all your email services, use ~all instead, which is a soft fail, meaning that your email may still be delivered depending on the recipient’s policies, even though it will technically fail SPF.
You can see that Microsoft 365, HubSpot, and Shopify are all listed as acceptable senders of email on behalf of your domain. Email coming from any other email server will be rejected! And that’s a good thing, because you’ve defined who is, and who is not allowed to send email on your behalf.
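The breakdown above can be checked mechanically. The following is an added example, not code from this article or from any of the services it names: a small offline linter that splits an SPF record into its terms, counts the terms that cost a DNS lookup (SPF allows at most 10 per check), and flags a missing or permissive "all". The function names and the second, deliberately weak record are assumptions made for illustration.

```python
import re

# Terms that each cost one DNS lookup; SPF allows at most 10 per check (RFC 7208).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

PAGE_RECORD = ("v=spf1 include:spf.protection.outlook.com "
               "include:5815747.spf36.hubspotemail.net "
               "include:shops.shopify.com mx -all")   # record from the article
WEAK_RECORD = "v=spf1 mx +all ip4:192.0.2.10"         # constructed bad example

def parse_spf(record):
    """Return a list of (qualifier, name, value) terms from an SPF TXT record."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("SPF record must start with v=spf1")
    terms = []
    for part in parts[1:]:
        qualifier = "+"                  # default qualifier when none is written
        if part[0] in QUALIFIERS:
            qualifier, part = part[0], part[1:]
        m = re.match(r"([A-Za-z][A-Za-z0-9_.-]*)([:=/].*)?$", part)
        if not m:
            raise ValueError(f"unparseable term: {part!r}")
        terms.append((qualifier, m.group(1).lower(), (m.group(2) or "")[1:]))
    return terms

def lint_spf(record):
    """Check one record offline; nested includes are not resolved or counted."""
    terms = parse_spf(record)
    names = [name for _, name, _ in terms]
    findings = []
    lookups = sum(1 for name in names if name in LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10")
    if "all" not in names:
        if "redirect" not in names:
            findings.append("no 'all' term: unlisted senders get a neutral result")
        return {"lookups": lookups, "all": None, "findings": findings}
    pos = names.index("all")
    result = QUALIFIERS[terms[pos][0]]
    if result in ("pass", "neutral"):
        findings.append(f"'all' yields {result}: unlisted senders are not failed")
    if any(name != "exp" for name in names[pos + 1:]):
        findings.append("terms after 'all' are never evaluated")
    return {"lookups": lookups, "all": result, "findings": findings}

if __name__ == "__main__":
    print(lint_spf(PAGE_RECORD), lint_spf(WEAK_RECORD), sep="\n")
```

The lookup count covers only the record you paste in; each included record's own lookups also count toward the limit of 10, which matters as you add more sending services.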
Setting up DKIM for each sender.
As stated above, DKIM helps the world know that you are who you say you are by using something called public/private key cryptography. While I could go on and on about how amazing public/private key cryptography is, we’re here to fix your email.
You need a set of DKIM records for every email service you use! Since we are using Microsoft 365, HubSpot, and Shopify for email, each of the services can generate DKIM keys for you, which you can then add to your DNS records. I would recommend searching for “<your email service> + setup DKIM” to find a guide.
How to define and build your DMARC policy.
There are three options when it comes to DMARC policy: none, quarantine, and reject. In order to combat spam, Google requires you to have a minimum policy of quarantine set for your domain. Before committing to a quarantine policy, you need to make sure you have SPF and DKIM in place for all email servers authorized to send on your behalf!
To easily build a DMARC record, you can go to Dmarcian’s DMARC Record Wizard. It will ask you a series of questions.
Enter your email’s domain.
Select “Quarantine it for further analysis.”
Leave “Aggregate Report” blank (unless you have a DMARC analyzer, which is not something you likely have in place if you’re reading this article).
“No” on “individual failure reports.”
Select “Relaxed” for both mechanisms.
Select “No” for subdomains.
Select “100%.”
Once you are done, plug the results into your domain registrar’s DNS records (a service such as GoDaddy, Cloudflare, Network Solutions, etc).
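To see what those answers turn into, here is an added example (not output from Dmarcian's wizard and not code from this article) that builds a DMARC record equivalent to the choices above and checks any DMARC record against a minimum policy. DMARC records are published as a TXT record at _dmarc.<your domain>; the function names and the weak sample record are assumptions made for illustration.

```python
POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}   # weakest to strictest
WEAK_DMARC = "v=DMARC1; p=quarantine; sp=none; pct=25"    # constructed bad example

def build_dmarc(policy="quarantine", pct=100, adkim="r", aspf="r", sp=None, rua=None):
    """Build a DMARC TXT value; the defaults mirror the wizard answers above."""
    tags = [("v", "DMARC1"), ("p", policy)]
    if sp:                              # separate subdomain policy ("No" = omit)
        tags.append(("sp", sp))
    if rua:                             # aggregate report mailbox (blank = omit)
        tags.append(("rua", f"mailto:{rua}"))
    tags += [("pct", str(pct)), ("adkim", adkim), ("aspf", aspf)]
    return "; ".join(f"{key}={value}" for key, value in tags)

def parse_dmarc(record):
    """Parse 'tag=value; tag=value' into an ordered list of (tag, value) pairs."""
    pairs = []
    for item in filter(str.strip, record.split(";")):
        key, sep, value = item.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {item.strip()!r}")
        pairs.append((key.strip().lower(), value.strip()))
    if not pairs or pairs[0] != ("v", "DMARC1"):
        raise ValueError("record must begin with v=DMARC1")
    return pairs

def check_dmarc(record, minimum="quarantine"):
    """Return findings for a record measured against a minimum policy."""
    tags = dict(parse_dmarc(record))
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in POLICY_RANK:
        return [f"missing or invalid p= tag: {policy!r}"]
    if POLICY_RANK[policy] < POLICY_RANK[minimum]:
        findings.append(f"p={policy} is weaker than {minimum}")
    sp = tags.get("sp", policy).lower()  # subdomains inherit p= when sp= is absent
    if POLICY_RANK.get(sp, -1) < POLICY_RANK[policy]:
        findings.append(f"subdomain policy sp={sp} is weaker than p={policy}")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"pct={tags['pct']}: policy covers only part of failing mail")
    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r").lower() not in ("r", "s"):
            findings.append(f"{tag} must be r (relaxed) or s (strict)")
    return findings

if __name__ == "__main__":
    print(build_dmarc(), check_dmarc(build_dmarc()), check_dmarc(WEAK_DMARC), sep="\n")
```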
Once you finish, let the DNS records propagate, and check the status again.
These changes will take a little bit of time to reach all corners of the internet. DNS records can take as long as 48 hours to update everywhere, but usually you can see the change in as little as 10 minutes.
To wrap up:
Gmail is cracking down on email from misconfigured domains, which make up a majority of custom domains, and sending it to spam.
You can check if your domain is compliant by going to Dmarcian.
If your email’s domain does not have the correct SPF, DKIM, and DMARC records in place, you’ll need to add or correct them.
February 1st, 2024, is the deadline to have this done by, so that your email continues to get delivered to Gmail or Google Workspace (Gmail for business) inboxes.
SPF, DKIM and DMARC also help keep your organization safe by disallowing spammers from spoofing (imitating) your domain.
How we can help.
If configuring DNS records isn’t your passion, we’re happy to work with you to get tuned up. We know how incredibly important email is to your business, and want your tech systems to reflect that. Call us at 646-970-7720 or email us at hello [@] beco.technology.