Email authentication using SPF and DKIM, and enforced with a DMARC policy, has been a best practice for years. However, there's been a lot of buzz lately about SPF, DKIM, and DMARC, due to the announcements by Google and Yahoo about stricter requirements for emails.
There are a number of guides to setting up SPF, DKIM, and DMARC (including mine), but no tutorial can cover every nuance. And while most major email services provide their own guides for what is needed for their particular setup, it can get confusing for those who haven't been exposed to the innards of how email works.
I've seen and answered several questions in social media groups, and also run across a few oddities while setting up email authentication for clients. I decided to collect some of these questions and "gotchas" and tips into one place, in case this helps anyone working through their own email authentication setup.
Google Workspace requires an extra step for DKIM authentication
With Google Workspace, you have to actually go in and "enable" DKIM after you set up the DKIM record. Even if you configure DNS with the DKIM record using google._domainkeys.example.com (for example), Google will not use DKIM to sign emails using your domain as the signing domain.
After the DKIM record is added and has propagated, you need to go back in and click “Start Authentication”.
DMARC may still pass using SPF if you don't do this, but DKIM will not pass - and some Google applications don't use your domain as the "envelope-from" or return path. An example - Google Calendar invitations use a return path of calendar-server.bounces.google.com, which will not align with your domain.
One does not simply jump to p=reject
Be careful when setting up DMARC reporting tool - you may not want to use the _dmarc TXT they provide as default.
Some DMARC tools provide an example _dmarc record using p=reject. Yes, that is the most "secure", and you eventually want to get there, but don't start there. Start with p=none and monitor until you're sure you aren't going to be blocking any legitimate emails.
Suggested method is to start with p=none, then move to quarantine, and before moving to a full reject policy, start with a small percentage, e.g. pct=10 and gradually ramp up to pct=100.
I use Mailchimp, and their directions tell me to create a CNAME record for DKIM, not a TXT record. Is this correct?
For Mailchimp, using a CNAME record is correct. You're pointing to Mailchimp's DKIM. A benefit of this is that if/when they rotate keys, you don't have to redo the DKIM record.