Gmail Spam Issue - How to properly setup DKIM & DMARC


I've created an automated script that generates a custom HTML email using PHPMailer within PHP and sends it, from my custom domain email account, to whatever recipient.

The emails are all litmus tested and render perfectly in all clients, hold no comments whatsoever, no strings that seem to be spammy, all good. My domain is also not on any blacklist, etc.

The e-mails first pretty much dropped into the spam for every recipient.

I went back to my hosting service then, and they recommended me to create an SPF - record in the DNS zone of the domain of my e-mail.

This drastically improved the non-spam delivery rate of my emails.

Still, some clients still receive the emails of our company in their junk folder. I ran a spam test using Email on Acid, and all tests were passed, including SPF record verifications, etc. The only warnings that showed up were, guess what, that for outlook.com and gmail.com, the emails eventually drop into the spam folder (without telling why), which is obviously a big problem.

And indeed, the only clients still complaining about the spam troubles are indeed gmail users, mainly.

I then came across this very interesting post, and learned that Google recommends the setup of all of SPF, DKIM and DMARC.

I first of all included the include:_spf.google.com part in my SPF record, but when it comes to DKIM, I'm stuck.

I'm confused if, to have a working DKIM record within the DNS of your domain, you actually need to have a Google Workspace account? Because apparently you can only create a DKIM key within that Workspace account, and I'm worried that this may expire after my 14-trial period of the Workspace account, and rather further damage my email domain reputation instead of actually improving it.

Or am I misunderstanding things, and there's a different solution to set up DKIM (and then also DMARC) for a given mail client like Gmail for a domain? I'm asking because I have no experience whatsoever in setting up DKIM.

2

There are 2 answers

5
Fernando Lara On BEST ANSWER

In order to set up DKIM from the Admin console you definitely need to have a Google Workspace account. Using a Cloud Identity free subscription would not work as you are not going to have access to services like Gmail.

To simply generate the key from the Admin console you need the right subscription with access to Gmail, which is only available in Google Workspace subscriptions.

It will most likely stop working after your subscription expires since it is linked to the Admin console from the Google Workspace account where it was generated and once the subscription gets suspended everything stops working.

0
Peter Smulders On

The principle of DKIM is that you publish (via DNS) one half of a cryptographic key and you use another (secret, private) half to create and provide a signature in the headers of the mail you send out. This is not a static string; it is a hash of some of the other headers of that message.

Receiving mail servers do a cryptographic check to see if the two halves match. (note: this is a greatly simplified view of the process).

Setting up DKIM with Google Workspace means that you place a specific key in your DNS and Workspace knows how to create the corresponding signatures.

Therefore, even having a Workspace account and setting up DKIM will not solve your problem, because your PHPMailer script will not generate DKIM signatures and even if it did, it would not use the secret private key.

You should have PHPMailer do the DKIM bit.

Google and Microsoft have been getting a lot more strict on compliance; first SPF and now DKIM to sort the spam from the legitimate mail.

An alternative route might be to set up a mail server (not Google's), implement DKIM and use that as an SMTP gateway.

A note on SPF: if you have mail properly set up and you have scripts send email from another domain and/or IP address, you will still get failures. You need to include (either as IP address or domain name) all the sources of your outgoing mail. SPF records can hold multiple sources for this reason.

Last pointer: set up DMARC to have mail servers send you reports of success and failure of delivery at their doorstep.
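
One way to "have PHPMailer do the DKIM bit", as an added example that is not part of either answer above: the script creates its own key pair once, prints the DNS TXT record to publish, and afterwards signs every message with the private half. The domain, selector, key path and addresses are placeholders, and PHPMailer is assumed to be installed through Composer.

```php
<?php
// Added example, not code from the original thread.
require 'vendor/autoload.php';

use PHPMailer\PHPMailer\PHPMailer;

$domain   = 'example.com';                 // placeholder: must be the domain used in From:
$selector = 'mailer1';                     // placeholder label; lives at <selector>._domainkey.<domain>
$keyFile  = __DIR__ . '/dkim_private.pem'; // placeholder path; keep it outside the web root

// One-time step: generate the key pair and print the record to add to DNS.
if (!file_exists($keyFile)) {
    $pk = openssl_pkey_new([
        'private_key_bits' => 2048,
        'private_key_type' => OPENSSL_KEYTYPE_RSA,
    ]);
    if ($pk === false || !openssl_pkey_export_to_file($pk, $keyFile)) {
        throw new RuntimeException('DKIM key generation failed: ' . openssl_error_string());
    }
    chmod($keyFile, 0600); // the private half never leaves this host

    // Public half: strip the PEM armour and whitespace to get the bare base64 value.
    $pem = openssl_pkey_get_details($pk)['key'];
    $p   = preg_replace('/-----(BEGIN|END) PUBLIC KEY-----|\s+/', '', $pem);

    // A single TXT string is limited to 255 bytes and a 2048-bit key is longer,
    // so the value is emitted as several quoted chunks that DNS concatenates.
    $chunks = str_split("v=DKIM1; k=rsa; p={$p}", 250);
    echo "{$selector}._domainkey.{$domain}. IN TXT \"" . implode('" "', $chunks) . "\"\n";
    exit("Publish the record above, wait for DNS to propagate, then run the script again.\n");
}

// Every later run: PHPMailer hashes the headers and body and adds the DKIM-Signature header.
$mail = new PHPMailer(true);               // true = throw exceptions on failure
$mail->setFrom("noreply@{$domain}", 'Example Sender');
$mail->addAddress('recipient@example.net'); // placeholder recipient
$mail->Subject = 'DKIM signing test';
$mail->Body    = 'This message is signed by the sending script itself.';

$mail->DKIM_domain     = $domain;          // d= tag; must align with the From: domain for DMARC
$mail->DKIM_selector   = $selector;        // s= tag; tells receivers which DNS record to fetch
$mail->DKIM_private    = $keyFile;         // path to the private key generated above
$mail->DKIM_passphrase = '';               // the key above is stored without a passphrase
$mail->DKIM_identity   = $mail->From;      // i= tag

$mail->send();
```

After sending a test message to a Gmail address, "Show original" lists the DKIM result, which should read PASS with the domain set here once the TXT record has propagated.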