How does Google Workspace manage outbound authentication with multiple domains?
Summary
What email marketers say (12 marketer opinions)
Marketer from Email Geeks says if the client is on the ancient legacy "free" edition of Google for Work then authentication is wobbly in general.
Email marketer from StackExchange shares that each domain needs to have DKIM configured independently in the Google Workspace admin panel.
Email marketer from Mailhardener Blog suggests using online tools to verify SPF, DKIM, and DMARC records for each domain to ensure proper setup and function.
Email marketer from Superuser notes that domain aliases inherit the primary domain's authentication settings unless specifically configured otherwise.
Email marketer from EmailDiscussions.com stresses that ensuring DNS records are correctly and consistently set up across all domains within the Google Workspace organization is crucial for proper outbound authentication.
Marketer from Email Geeks shares that if two domains are set up independently in Google Workspace, a DKIM signing domain mismatch occurs when a user at Domain A configures their address at Domain B as an alias/send-as within their Gmail on Domain A.
Email marketer from EmailGeeks Forum explains how to set up DMARC policies for each domain independently and monitor DMARC reports to identify and address any authentication issues.
Marketer from Email Geeks explains that if a second domain is set up as an alias, it can have its own DKIM signing domain, but the 5321.From domain is that of the main domain. The marketer adds that key generation is not automatic for a second domain; it has to be set up in the admin panel.
Email marketer from Reddit advises including all sending domains and IPs in your SPF record or using include:_spf.google.com, and ensuring there are no more than 10 DNS lookups.
Email marketer from MXToolbox Forum points out that common issues include misconfigured DKIM keys, incorrect SPF records, and failing to align the From address with DKIM and SPF.
Email marketer from Email Security Blog highlights the need for regularly analyzing DMARC reports to identify any discrepancies or failures in outbound email authentication across the managed domains.
Marketer from Email Geeks guesses that if the authentication issue isn't universal, then one or more users have configured their Gmails to send on behalf of the other domain.
What the experts say (3 expert opinions)
Expert from Word to the Wise shared that, for them, a huge problem was that GSuite was authenticating using one domain, when there were multiple domains set up. She got around this by creating multiple user accounts instead of aliases and sending as separate accounts.
Expert from Spam Resource explains that when using multiple domains in Google Workspace, it's important to rotate DKIM keys regularly for each domain to maintain security. Dave recommends rotating every 3-6 months.
Expert from Email Geeks has the same issue with one domain, where Google refuses to sign with the proper key even after multiple attempts to reset it, and has not found any solution after searching for some time.
What the documentation says (5 technical articles)
Documentation from Google Workspace Admin Help explains how DMARC works with Google Workspace and how to create a DMARC policy that tells recipient servers what to do with messages from your domain that don’t pass SPF or DKIM. It also covers how to set up DMARC reporting to help you monitor the email sent from your domain.
Documentation from Google Workspace Admin Help details the steps for setting up DKIM for each domain, including generating DKIM keys and adding the TXT record to each domain's DNS settings.
Documentation from Google Workspace Admin Help explains that you can add multiple domains to your Google Workspace account. This allows you to add user aliases and more domains that your company owns. These can be separate domains, domain aliases, or subdomain aliases.
Documentation from Google Workspace Admin Help recommends using `include:_spf.google.com` in your SPF record to authorize Google Workspace to send emails on behalf of your domain. They also recommend including all your sending sources in the SPF.
Documentation from Google Workspace Admin Help provides steps for troubleshooting common email authentication issues, including verifying DNS records, checking DKIM key configuration, and reviewing DMARC settings for each domain.
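The send-as mismatch the marketers describe can be spotted in a received message's headers. The following is an added example, not taken from any of the quoted sources: it compares the From domain with the DKIM `d=` and Return-Path domains, checking alignment only and not whether SPF or DKIM verification passed. The sample message, the `domain-a.example` and `domain-b.example` names, and the two-label organizational-domain shortcut are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a user in domain-a.example sends as an address at
# domain-b.example; the message is signed and bounced under domain A.
SAMPLE = """\
Return-Path: <alice@domain-a.example>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=domain-a.example;
 s=google; h=from:to:subject; bh=constructed; b=constructed
From: Alice <alice@domain-b.example>
To: bob@recipient.example
Subject: constructed test message

body
"""

def org_domain(domain):
    # Assumption: organizational domain = last two labels. A real check
    # needs the Public Suffix List (for suffixes such as co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def domain_of(addr_header):
    return parseaddr(addr_header or "")[1].rpartition("@")[2].lower()

def dkim_domains(msg):
    # Collect d= from every DKIM-Signature header (a message can carry several).
    out = []
    for value in msg.get_all("DKIM-Signature", []):
        m = re.search(r"(?:^|;)\s*d\s*=\s*([^;\s]+)", value)
        if m:
            out.append(m.group(1).lower())
    return out

def alignment_report(raw):
    # Relaxed DMARC alignment: the From domain must share an organizational
    # domain with the envelope sender (SPF) or with a DKIM signer.
    msg = message_from_string(raw)
    from_dom = domain_of(msg["From"])
    env_dom = domain_of(msg["Return-Path"])
    signers = dkim_domains(msg)
    return {
        "from": from_dom,
        "envelope": env_dom,
        "dkim_d": signers,
        "spf_aligned": bool(env_dom) and org_domain(env_dom) == org_domain(from_dom),
        "dkim_aligned": any(org_domain(d) == org_domain(from_dom) for d in signers),
    }
```

When both `spf_aligned` and `dkim_aligned` are false, as in the sample, the message cannot pass DMARC for the From domain even if the SPF and DKIM checks themselves succeed.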