Is DKIM configuration sufficient for Google Workspace and O365 email authentication?

6Marketer opinions 5Expert opinions 4Technical articles 5Resources

Summary

The consensus from experts, marketers, and documentation suggests that while DKIM configuration is a vital part of email authentication for Google Workspace and O365, it's not entirely sufficient on its own. For non-bulk mail, any DKIM might suffice, but alignment is preferable, while bulk mail necessitates alignment. Custom DKIM records specific to your domain are crucial for improved deliverability and proper authentication, overcoming limitations of default configurations. Integration with SPF and DMARC is essential for a robust defense against spoofing and phishing, with DMARC providing the policy framework for handling authentication failures. Proper DKIM setup involves generating keys, adding DNS records, and enabling signing, with Microsoft recommending two keys for redundancy. Failing to configure DKIM correctly can lead to emails being marked as spam.

Key findings

DKIM Necessity: DKIM is a critical component of email authentication, verifying that the email was sent and authorized by the domain owner.
Alignment Matters: For bulk mail, DKIM alignment is crucial; for non-bulk, it is a good idea. DMARC alignment is also important, and a default Microsoft setup may cause issues.
Custom Records: Creating custom DKIM records specific to your domain is essential for improved deliverability in Google Workspace and O365.
Combined Approach: DKIM is most effective when combined with SPF and DMARC for comprehensive protection against spoofing and phishing.
Configuration Steps: Setting up DKIM involves generating keys, adding DNS records, and enabling signing.
The importance of DMARC: DMARC is very important as this tells the recieving mail server what to do with messages that fail authentication checks.

Key considerations

Google Workspace Configuration: Generate a DKIM record specifically for Google Workspace and add it to DNS, even if other DKIM records exist.
O365 Configuration: Enable DKIM for O365 and ensure alignment with your domain, avoiding default Microsoft setups that may cause DMARC issues. Use PowerShell for key creation, and consider two keys for redundancy.
SPF and DMARC Integration: Implement SPF and DMARC in addition to DKIM for a complete email authentication strategy.
Failure Consequences: Failure to implement or incorrectly configure DKIM may result in emails being marked as spam.
Holistic Security: Understand that DKIM alone is not sufficient to fully protect against spoofing and phishing; SPF and DMARC are needed.
Bulk Email Considerations: Be particularly attentive to DKIM and SPF configuration when sending bulk email.

What email marketers say
6Marketer opinions

The responses indicate that while DKIM configuration is crucial for email authentication in both Google Workspace and O365, it may not be sufficient on its own. Proper DKIM setup, especially with custom records specific to your domain, improves deliverability and sender reputation. It's also essential to align DKIM with SPF and DMARC for comprehensive email security. Default configurations provided by Microsoft may not be sufficient and can cause DMARC alignment issues. Failing to implement or incorrectly configure DKIM might result in emails being marked as spam by some providers.

Key opinions

DKIM Importance: DKIM is a critical component of email authentication that helps to prove the email was sent and authorized by the owner of the domain.
Custom DKIM records: Creating custom DKIM records specific to your domain is essential for improving deliverability in Google Workspace and O365.
DMARC alignment: It’s crucial to ensure DKIM aligns with your domain, particularly for O365, where default DKIM setups may cause issues with DMARC.
SPF integration: DKIM and SPF are essential email authentication methods and should be used in conjunction.
Deliverability Improvement: Properly configured DKIM improves email deliverability and sender reputation.

Key considerations

Google Workspace Setup: Generate a DKIM record specifically for Google Workspace and add it to the DNS records.
O365 Configuration: Enable DKIM for O365 and ensure it aligns with your domain; avoid using the default Microsoft domain for DKIM.
Comprehensive Authentication: Integrate DKIM with SPF and DMARC for comprehensive email security and to tell the receiving mail server what to do with messages that fail authentication.
Potential Spam Marking: Failure to implement or incorrectly configure DKIM may result in emails being marked as spam.
High Deliverability: DKIM is very important for a high deliverability rate and is highly recommended for all customers and domains.

Marketer view

Email marketer from Mailjet shares that DKIM and SPF are two essential email authentication methods and the two should be used in conjunction. They add digital signatures to emails, which recipients can then verify, and prevent malicious actors from sending emails as someone else.

November 2022 - Mailjet

Marketer view

Email marketer from StackExchange answers that for O365, it’s crucial to enable DKIM and ensure it aligns with your domain. Microsoft’s default DKIM setup might use a Microsoft domain, which can cause issues with DMARC alignment. Custom DKIM configuration is highly recommended.

August 2021 - StackExchange

Marketer view

Email marketer from MXToolbox explains that while Google Workspace provides a default DKIM signature, creating a custom DKIM record specific to your domain is important. This helps to improve deliverability and ensures that your emails are properly authenticated.

December 2023 - MXToolbox

Marketer view

Email marketer from SendGrid Blog explains that DKIM is a critical component of email authentication. It helps to prove that an email was sent and authorized by the owner of the domain. Properly configured DKIM improves email deliverability and sender reputation.

June 2024 - SendGrid Blog

Marketer view

Email marketer from AuthSMTP explains that DKIM is very important for a high deliverability rate and is highly recommended for all customers and domains. It also highlights that some providers mark all messages as spam without correct configuration.

September 2024 - AuthSMTP

Marketer view

Email marketer from Reddit shares that they had issues with Google Workspace until they properly configured DKIM. They recommend generating a DKIM record specifically for Google Workspace and adding it to the DNS records, even if other DKIM records are already in place.

February 2024 - Reddit

What the experts say
5Expert opinions

The provided answers suggest that while DKIM configuration is an important aspect of email authentication for Google Workspace and O365, it is not entirely sufficient on its own. For non-bulk mail, any DKIM might be enough, but alignment is recommended. When sending bulk mail, alignment becomes necessary. Real-world scenarios highlight uncertainties about the adequacy of generic Microsoft DKIM signatures. Experts recommend combining DKIM with SPF and DMARC for a robust email authentication strategy, with DMARC providing the policy layer that dictates how receiving mail servers should handle messages failing authentication checks.

Key opinions

DKIM Sufficiency: DKIM alone might be sufficient for non-bulk email, but alignment is preferable.
Bulk Mail: For bulk mail, DKIM alignment is crucial.
Generic Signatures: The adequacy of generic Microsoft DKIM signatures in O365 for SMBs is uncertain.
Authentication Pillars: DKIM is one of the essential pillars of modern email authentication, alongside SPF and DMARC.
DMARC's Role: DMARC provides the policy layer for handling messages that fail DKIM and SPF checks.

Key considerations

Alignment Importance: Ensure DKIM alignment, especially when sending bulk email.
Signature Assessment: Assess the adequacy of generic DKIM signatures, especially in SMB environments using O365.
Holistic Approach: Implement DKIM in conjunction with SPF and DMARC for comprehensive email authentication.
Policy Implementation: Understand and implement DMARC policies to instruct receiving mail servers on handling authentication failures.
Real-World Testing: Monitor and test DKIM, SPF and DMARC setups in the real world to ensure effectiveness.

Expert view

Expert from Word to the Wise explains that while DKIM is important, it's DMARC that tells the receiving mail server what to do with messages that fail authentication checks. It's a crucial policy layer on top of DKIM and SPF.

September 2022 - Word to the Wise

Expert view

Expert from Email Geeks explains that for non bulk mail any DKIM is sufficient, but alignment is a good idea.

May 2023 - Email Geeks

Expert view

Expert from SpamResource shares that DKIM is one of the pillars of modern email authentication along with SPF and DMARC. They are complementary technologies and not just one should be used, they should all be used together.

June 2023 - SpamResource

Expert view

Expert from Email Geeks shares that if sending any bulk mail then all mail needs to align.

March 2025 - Email Geeks

Expert view

Expert from Email Geeks shares they are dealing with a similar situation on O365, where DKIM is configured for Constant Contact but not O365, resulting in a generic Microsoft DKIM signature and uncertainty about its adequacy for an SMB.

March 2022 - Email Geeks

What the documentation says
4Technical articles

The provided documentation outlines the steps to configure DKIM for Google Workspace and O365, highlighting its role in verifying email authenticity through digital signatures. Google Workspace requires generating a DKIM key, adding it to DNS, and enabling DKIM signing. O365 involves PowerShell commands to create and publish DKIM keys, emphasizing the use of two keys for redundancy. While DKIM is essential, it is most effective when combined with SPF and DMARC to protect against spoofing and phishing attacks. DKIM alone establishes a domain-level authentication framework by associating a domain name with an email message.

Key findings

DKIM Setup Steps: Setting up DKIM involves generating keys, adding DNS records, and enabling signing.
Redundancy: Microsoft recommends using two DKIM keys for redundancy and rotation.
Comprehensive Security: DKIM is most effective when used with SPF and DMARC for comprehensive protection.
Authentication Framework: DKIM defines a domain-level authentication framework using digital signatures.

Key considerations

Google Workspace Configuration: Follow the steps in the Google Workspace admin console to generate the DKIM key and enable signing.
O365 PowerShell: Use PowerShell to create and publish DKIM keys in O365, and ensure two keys are configured.
SPF and DMARC Integration: Plan to implement SPF and DMARC in addition to DKIM for a complete email authentication strategy.
Protect Against Attacks: Understand that DKIM alone is not sufficient to fully protect against spoofing and phishing; SPF and DMARC are needed to complete this objective.

Technical article

Documentation from Microsoft Support details that to configure DKIM for O365, you need to use PowerShell to create DKIM signing keys, publish them to DNS, and then enable DKIM signing. It emphasizes the importance of using two DKIM keys for redundancy and rotation purposes.

April 2024 - Microsoft Support

Technical article

Documentation from RFC explains that DKIM defines a domain-level authentication framework for email using digital signatures. DKIM permits signing email senders to associate a domain name with an email message, thereby attesting to its authenticity.

September 2022 - RFC

Technical article

Documentation from dmarcian explains that while DKIM is essential for email authentication, it's most effective when combined with SPF and DMARC. DKIM alone might not be sufficient to fully protect your domain from spoofing and phishing attacks.

November 2021 - dmarcian

Technical article

Documentation from Google Workspace Admin Help explains that DKIM setup involves generating a DKIM key in the Google Workspace admin console, adding the DKIM record to your domain's DNS settings, and then enabling DKIM signing for your domain. This helps verify that messages sent from your domain are authenticated.

May 2023 - Google Workspace Admin Help

DKIM, DMARC, SPF Setup for Google Workspace and Squarespace ...

A step-by-step guide to have you compliant for the 2024 email changes.

Squarespace Designer | Helen Olivia

[SOLVED] Why Is Contact Form 7 Not Sending Emails

Contact Form 7 not sending emails or going to spam? This is a common problem if your site isn't using SMTP. Follow these steps to fix Contact Form 7 email issues.

WP Mail SMTP

Join GoDMARC As a Knowledge Partner

Discover DMARC, SPF, DKIM, BIMI, TLS-RPT, & MTA STS on our concise knowledge page. Contact us for more information!

GoDMARC Reporting

How to Fix Google Workspace Emails Going to Spam — Hello Inbox ...

Tired of Google Workspace emails going to spam? Follow these steps to fix Google Workspace deliverability problems and avoid going to spam.

Hello Inbox Blog

Mail relay for ancient Ricoh MFU - Collaboration - Spiceworks ...

I recently moved an old Ricoh MFU from an internal network with an on prem mail server to a stand alone small office. I’m trying to figure out how to relay mail to somewhere else to be able to scan. Tried using Gmail but I don’t think it supports the cypher version to allow me to connect to smtp even with legacy connections enabled. I tried using relay.appriver.com, that sort of works, but spam filtering has proven difficult. Wondering if there is something local I could setup to take the unauth...

Spiceworks Community

How do SPF, DKIM, and DMARC email authentication standards work?

How do I troubleshoot and fix SPF and DMARC settings for email deliverability issues?

How can I ensure email compliance with Yahoo/Google rules including DMARC, SPF, and FcrDNS?

How do I properly set up SPF and DKIM records for email marketing, including handling multiple SPF records, IP ranges, bounce capturing, and Google Postmaster Tools verification?

Do SPF and DKIM records need to be aligned for all email service providers?

What are SPF, DKIM, and DMARC, and when are they needed?