Source Configuration (SPF & DKIM)
      Back to home
      1. Help Center
      2. Source Configuration (SPF & DKIM)

      SPF alignment for Secondary and Alias domains in Google Workspace

      To ensure DMARC compliance, a full pass is required for either SPF, DKIM, or both protocols. Achieving a final pass involves verifying both Authentication and Alignment.

      For domains used with Google Workspace, meeting these requirements is straightforward. By adding or modifying the domain’s SPF record to include Google’s sending sources, compliance can be achieved with the following mechanism:

      include:_spf.google.com

      *Refer to Google Workspace’s detailed configuration instructions for more guidance.

      Google Workspace also allows additional domains to be added as either "alias" domains or "secondary" domains. Here’s what each option entails:

      Understanding Secondary vs. User Alias Domains


      1. User Alias Domain: To provide all users with an alternative email address at another domain, you can add it as a user alias domain. For example, if you add solarmora.com as an alias to example.com, then bob@example.com would automatically have an additional email address, bob@solarmora.com.
      2. Secondary Domain: If the new domain requires its own set of users and accounts, add it as a secondary domain. This allows users to have unique email addresses and accounts under that domain.

      Regardless of the domain’s role (alias or secondary), each domain needs its own SPF record that includes all authorized sending sources. It’s important to note here that SPF alignment can only be achieved when the domain is added as a secondary domain. If the domain is added as an alias, the SPF authentication domain (return-path address) will differ from the "From" domain, leading to misalignment and potential DMARC compliance issues. It is worth noting that DKIM will come to the rescue in the DMARC compliance process if properly configured.

       

      We can compare the results of an alias (above screenshot) and primary domain results:

       

       

      As you can see, the “From” domain and SPF Authentication domain are the same, resulting in SPF alignment.

      Properly configuring DMARC, SPF, and DKIM is essential for email security and deliverability. By understanding the role of user aliases and secondary domains in Google Workspace, and ensuring each domain has a valid SPF record, organizations can achieve DMARC compliance and improve email authenticity. Remember, secondary domains are crucial for SPF alignment, while alias domains may lead to alignment issues. Following these best practices helps protect your domain’s reputation, reduces the risk of phishing, and ensures trusted communication with recipients.