Summary
Google Workspace allows adding multiple domains, requiring independent DKIM configuration for each. A domain alias can inherit or have separate DKIM settings, requiring manual key setup. SPF records should include all sending sources or `include:_spf.google.com`. DMARC should be set up and monitored for each domain. Common issues include DKIM misconfiguration, incorrect SPF records, and failing DMARC alignment. Regular DMARC report reviews and DNS record verification are crucial. User configurations like 'send as' can cause DKIM mismatch. Legacy Google for Work editions may have unstable authentication. Domain aliases might default to authenticating with only the main domain.
Key findings
- Individual DKIM Config: Each domain requires independent DKIM configuration in the Google Workspace admin panel.
- SPF Inclusion: SPF records should include all sending domains and IPs, or use 'include:_spf.google.com'.
- DMARC Monitoring: DMARC policies must be set up for each domain, with regular monitoring.
- Common Issues: Misconfigured DKIM keys, incorrect SPF records, and DMARC alignment failures are frequent problems.
- Multiple Domains: You can add multiple domains including aliases and seperate domains.
Key considerations
- User Configuration: User configurations using 'send as' can lead to DKIM mismatches.
- Legacy Accounts: Older Google for Work accounts may have unreliable authentication processes.
- DNS Verification: Verify SPF, DKIM, and DMARC records for each domain using online tools to ensure function.
- Key Rotation: Regular rotation of DKIM keys (every 3-6 months) is recommended to improve authentication practices.
- Alternative Accounts: Rather than aliases use individual accounts.
What email marketers say
12 marketer opinions
Google Workspace handles outbound authentication with multiple domains by requiring individual DKIM configuration for each domain within the admin panel. Domain aliases can inherit settings or be configured separately. Proper SPF records, including all sending domains, and individual DMARC policies per domain are crucial. Common issues involve misconfigured DKIM keys, incorrect SPF records, and alignment failures. Regularly reviewing DMARC reports and using online tools for verification are essential for maintaining authentication.
Key opinions
- DKIM Configuration: Each domain in Google Workspace must have DKIM configured independently.
- Domain Aliases: Domain aliases can either inherit authentication settings from the primary domain or have separate configurations.
- SPF Records: SPF records should include all sending domains and IPs, or use `include:_spf.google.com`, adhering to DNS lookup limits.
- DMARC Policies: DMARC policies should be set up independently for each domain, with regular monitoring of DMARC reports.
- Troubleshooting: Common authentication issues include misconfigured DKIM keys, incorrect SPF records, and failure to align From addresses.
Key considerations
- User Configuration: Incorrect user configurations, such as using aliases and send-as features, can cause authentication issues.
- Legacy Accounts: Legacy 'free' Google for Work accounts may have unreliable authentication.
- DNS Consistency: Ensuring consistent and correct DNS records across all domains is critical.
- DMARC Reporting: Regularly review DMARC reports to identify and address authentication discrepancies.
- Verification Tools: Use online tools to verify the correct setup of SPF, DKIM, and DMARC records.
Marketer view
Marketer from Email Geeks says if the client is on the ancient legacy "free" edition of Google for Work then authentication is wobbly in general.
25 Sep 2024 - Email Geeks
Marketer view
Email marketer from StackExchange shares that each domain needs to have DKIM configured independently in the Google Workspace admin panel.
26 Feb 2023 - StackExchange
What the experts say
3 expert opinions
Managing outbound authentication with multiple domains in Google Workspace can present challenges. One expert encountered an issue where Google refused to sign with the proper DKIM key despite multiple resets. Regular DKIM key rotation (every 3-6 months) is important for security. A workaround for authentication problems involved creating multiple user accounts instead of using domain aliases and 'send as' functionality.
Key opinions
- DKIM Key Issues: Google Workspace may sometimes fail to sign emails with the correct DKIM key, even after resetting.
- DKIM Rotation: Regular DKIM key rotation is essential for maintaining security when using multiple domains.
- Authentication Problems: GSuite might default to authenticating using only one domain, causing issues with multiple domain setups.
Key considerations
- Key Rotation Schedule: Implement a schedule for rotating DKIM keys every 3-6 months.
- User Account Strategy: Consider using multiple user accounts instead of aliases to ensure proper authentication for each domain.
- Troubleshooting Steps: Be prepared to troubleshoot DKIM signing issues and explore alternative configurations.
Expert view
Expert from Word to the Wise shared that, for them, a huge problem was that GSuite was authenticating using one domain, when there were multiple domains set up. She got around this by creating multiple user accounts instead of aliases and sending as separate accounts.
2 Apr 2022 - Word to the Wise
Expert view
Expert from Spam Resource explains that when using multiple domains in Google Workspace, it's important to rotate DKIM keys regularly for each domain to maintain security. Dave recommends rotating every 3-6 months.
26 May 2023 - Spam Resource
What the documentation says
5 technical articles
Google Workspace allows the addition of multiple domains, including separate domains, domain aliases, and subdomain aliases, to a single account. Each domain requires individual DKIM setup, involving key generation and TXT record configuration in DNS. Google recommends including `include:_spf.google.com` in SPF records. DMARC is supported, enabling policy creation and reporting for handling emails failing SPF or DKIM. Troubleshooting steps involve verifying DNS records, DKIM configuration, and DMARC settings for each domain.
Key findings
- Multiple Domains: Google Workspace supports separate domains, domain aliases, and subdomain aliases.
- DKIM Setup: Each domain requires individual DKIM key generation and TXT record addition.
- SPF Recommendation: Use `include:_spf.google.com` in SPF records.
- DMARC Support: DMARC is supported with policy creation and reporting features.
- Troubleshooting: Troubleshooting involves verifying DNS records, DKIM, and DMARC settings.
Key considerations
- Individual Configuration: Remember that each domain needs its own specific authentication configuration.
- Regular Monitoring: Continuously monitor DMARC reports to ensure proper authentication.
- DNS Record Accuracy: Double-check the accuracy of all DNS records, including SPF, DKIM, and DMARC.
Technical article
Documentation from Google Workspace Admin Help explains how DMARC works with Google Workspace, how to create DMARC policy to tell recipient servers what to do with messages from your domain that don’t pass SPF or DKIM. Also how to set up DMARC reporting to help you monitor the email sent from your domain.
22 Jan 2023 - Google Workspace Admin Help
Technical article
Documentation from Google Workspace Admin Help details the steps for setting up DKIM for each domain, including generating DKIM keys and adding the TXT record to each domain's DNS settings.
26 Mar 2024 - Google Workspace Admin Help
Can a domain with poor reputation negatively affect other domains in Google Workspace?
How can I implement a strict DMARC policy without blocking Google Workspace emails?
How do I fix DKIM failing body hash verification?
How do SPF records and DKIM keys work with multiple email services like Klaviyo and Shopify?
How does Google Workspace handle DMARC alignment for multiple domains?
What SPF, DKIM, and DMARC settings are needed for Klaviyo and BigCommerce transactional emails?
