I have been busy trying to get the MX Check tool from the GSuite toolbox to all green for my domains. This was not so easy.

I am using GSuite and Google Cloud DNS.

Most things were green to start with but the following topics needed some attention.

Sender Policy Framework (SPF)

In order to set up SPF, a TXT DNS-record needed to be added with a specific value.

This was easy to do and is well documented on the support page.

As I am using GSuite, I needed to add a TXT-record for the domain root. For my rigel.dev domain this became:

Name

rigel.dev.

Value

"v=spf1 include:_spf.google.com ~all"

DomainKeys Identified Mail (DKIM)

In order to set up DKIM, another TXT DNS-record needed to be added with a specific value. The name of the record

This was rather hard as the documentation lacked some crucial information.

The problem was mainly due to the fact that the value for the TXT-record is really long and that a single value entry for a TXT-record can only be 255 characters.

Adding to this, there can't be any white space in the value, otherwise it gets quoted, which causes the value to be wrong for DKIM.

After some trial and error I found the correct way to enter the value in the Google console.

The actual value that you need to use can be retrieved from your GSuite admin console in Apps > G Suite > Settings for Gmail > Email verification. You can generate a value for each domain you control.

For my rigel.dev domain this generated the following value.

v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuOKucKIUk8OJLe99/ug4pJQM0/sMGDLet9qBo/Ok18aWVHGdzX1SmXyuCZGG+t/MYxc0TXsLTH5yREiJUPofbXSalcNP5sydl4rUOM9/BRwbCoSmUJ0OtQ1FxwdJ+0KuPv95QA9w45H1VPCidw5UiMHCSIBsPc9J6KVTsps+eGVUYnJZtmQ1CMz2g8ropty3RYdM8o8Pz+Q4uGXZh1czZzeAplnMI+9dGWAUwXVLHNHwYdAWSZ0NZke8zfj7wXw/Pu+FSCIqZZ6cudcixF1jn+k8XvDUwLVaZFy//EF8vM21HpCGM4uSsplw5HAwaW4jHDdEwswkILJfQqPDR83EowIDAQAB

The trick is to put double quotes only around the first 255 characters, which contain the spaces.

So the full TXT-record needs to be

Name

google._domainkey.rigel.dev.

Value 1

"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuOKucKIUk8OJLe99/ug4pJQM0/sMGDLet9qBo/Ok18aWVHGdzX1SmXyuCZGG+t/MYxc0TXsLTH5yREiJUPofbXSalcNP5sydl4rUOM9/BRwbCoSmUJ0OtQ1FxwdJ+0KuPv95QA9w45H1VPCidw5UiMHCSIBsPc9J6KVTsps+eGVUYnJZtmQ1CMz2g8ropt"

Value 2

y3RYdM8o8Pz+Q4uGXZh1czZzeAplnMI+9dGWAUwXVLHNHwYdAWSZ0NZke8zfj7wXw/Pu+FSCIqZZ6cudcixF1jn+k8XvDUwLVaZFy//EF8vM21HpCGM4uSsplw5HAwaW4jHDdEwswkILJfQqPDR83EowIDAQAB

After using these values the DKIM check passed.
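The split described above can be generated and checked before anything is typed into the DNS console. The following is an added example, not part of the original post: the function names are hypothetical, the sample value is constructed rather than the key shown above, and the check joins the entries the way a DKIM verifier does.

```python
import base64
import binascii

MAX_LEN = 255  # RFC 1035: one TXT character-string holds at most 255 bytes

# Constructed sample: 294 placeholder bytes, the size of a 2048-bit RSA
# public key in DER form. Not a real key and not the key from the post.
SAMPLE_VALUE = "v=DKIM1; k=rsa; p=" + base64.b64encode(bytes(range(256)) + bytes(38)).decode()


def split_txt(value, limit=MAX_LEN):
    """Cut the value into chunks of at most `limit` characters and quote
    only the chunks that contain white space, as the post describes."""
    chunks = [value[i:i + limit] for i in range(0, len(value), limit)]
    return [f'"{c}"' if any(ch.isspace() for ch in c) else c for c in chunks]


def unquote(entry):
    """Return (text, was_quoted) for one entry as typed into the console."""
    quoted = len(entry) >= 2 and entry[0] == entry[-1] == '"'
    return (entry[1:-1], True) if quoted else (entry, False)


def check_entries(entries, expected):
    """Return a list of problems with the entries; an empty list means OK."""
    problems, parts = [], []
    for n, entry in enumerate(entries, 1):
        body, quoted = unquote(entry)
        parts.append(body)
        if len(body) > MAX_LEN:
            problems.append(f"value {n} is {len(body)} characters, limit is {MAX_LEN}")
        if not quoted and any(ch.isspace() for ch in body):
            problems.append(f"value {n} has white space but no quotes")
    # Verifiers join the strings with nothing in between (RFC 6376, 3.6.2.2).
    record = "".join(parts)
    if record != expected:
        problems.append("joined value differs from the generated one")
    # Parse the tag=value list and make sure the key still decodes.
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    try:
        base64.b64decode(tags.get("p", ""), validate=True)
    except binascii.Error:
        problems.append("p= is not valid base64 (key cut short?)")
    return problems
```

Calling `check_entries(split_txt(value), value)` with the value generated in the admin console returns an empty list when the entries are safe to paste as Value 1 and Value 2.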

Domain-based Message Authentication, Reporting, and Conformance (DMARC)

Reading up in the documentation, I decided to go for a gradual approach and start with reporting only, as I really don't have a clue what this will bring to light.

For passing the DMARC check another TXT-record needs to be added.

Name

_dmarc.rigel.dev.

Value

"v=DMARC1; p=none; rua=mailto:dmarc@rigel.dev; pct=100; sp=none"

What can be configured with the value is really well documented here.

Wrap up

Finally, the MX check is green.

Now I need to wait 48 hours before I can finish everything up with a push on the "Start Authentication" button for DKIM in my GSuite admin console. Hope that final step works out. If not, there is another post coming your way.