While Google has been a long-time supporter of DMARC, there are still a few Google apps that aren't fully equipped to send DMARC-compliant emails using SPF.
If you're using Google Workspace with your own domain, emails send from Google apps (like Docs, Sheets, Slides, Gmail API, and Calendar) will still use a domain that points back to Google, not your own domain. This means SPF can't align with your domain. If your DMARC policy is set to either p=quarantine or p=reject and DKIM isn't properly set up, your emails will fail DMARC checks, and your Google Calendar invites could be blocked.
To make sure your Google Calendar invites reach their intended recipients, please review my article, "Google Workspace (G suite) - Enabling DKIM" with step-by-step instructions on enabling DKIM for Google.
Steps to enable DKIM:
/msdyn_blobfile/$value)
The image above shows our DMARC Director, which has been set up with DKIM signatures with Google Workspace. These signatures are correctly attached and aligned, ensuring the email meets DMARC standards.
We understand that achieving full DMARC compliance using both SPF and DKIM. However, due to the way Google sends Calendar invites and emails from other apps, this isn't possible. At this point, DKIM is the only solution.
If you're using Google Workspace with your own domain, emails send from Google apps (like Docs, Sheets, Slides, Gmail API, and Calendar) will still use a domain that points back to Google, not your own domain. This means SPF can't align with your domain. If your DMARC policy is set to either p=quarantine or p=reject and DKIM isn't properly set up, your emails will fail DMARC checks, and your Google Calendar invites could be blocked.
To make sure your Google Calendar invites reach their intended recipients, please review my article, "Google Workspace (G suite) - Enabling DKIM" with step-by-step instructions on enabling DKIM for Google.
Steps to enable DKIM:
- Sign in to your Google Admin console. (Sign in using an administrator account)
- In the Admin Console, go to Menu > Apps > Google Workspace > Gmail.
- Click Authenticate email.
- In the Selected domain menu, select the domain you want to set up DKIM.
- Click the Generate New Record button. In the Generate New Record box, select your DKIM key settings. During this process, you'll be asked to select the bit strength for the DKIM key. We suggest opting for a bit strength of 2048, as longer keys offer enhanced security. However, keep in mind that not all domain DNS providers can accommodate this key size. It's a good idea to check your domain DNS provider or administrator to see if this DKIM bit size is supported. You'll also be asked to select a DKIM prefix selector. The default option is "google", and we advise keep it as is.
- Copy the DKIM record value provided by Google and publish it with your domain's DNS provider.
The image above shows our DMARC Director, which has been set up with DKIM signatures with Google Workspace. These signatures are correctly attached and aligned, ensuring the email meets DMARC standards.
We understand that achieving full DMARC compliance using both SPF and DKIM. However, due to the way Google sends Calendar invites and emails from other apps, this isn't possible. At this point, DKIM is the only solution.