Setup | G Suite + Sendgrid for transactional email

I'm currently trying to get my head around an issue with our Shop's email setup. So far we were using G Suite for all our emails related to our domain abc.com.

# The History: #

Our WooCommerce Shop was utilising the wp_mail() PHP-Mail functionality to send transactional emails (e.g. Order received, Account created, ..) by our Webhoster. As we were facing more and more emails being sent to our customers' spam folders, we decided to move to an SMTP provider.

# The new Setup: #

We installed the WP SMTP Mail Plugin for WordPress and chose Sendgrid as SMTP provider. We followed the instructions and were able to connect all three: Our WooCommerce Shop, WP Mail SMTP and Sendgrid.

# The problem: #

Now that we have the new setup running, things seem to be somehow messed up. I read that it is not allowed / not good practice to mix the MX-record setting for abc.com. But this is exactly what I did - what I had to do - to make both, Sendgrid and G Suite function.

Despite the fact that Sendgrid lists outbound emails from [email protected] in its activity dashboard, the actual email is signed by Gmail's default DKIM domain key: d=*.gappssmtp.com, which shouldn't be the case, right?

# The objective: #

enter image description here

# Open Questions: #

  • Which MX-record shall I set for my top-level domain "abc.com" to make the setup work?
  • What should the SPF/DKIM/DMARC setup look like for this use case?
  • Should [email protected] still be an active G Suite group / Mailing list or must this be removed?
  • Bonus: Is it possible to send outbound emails from "[email protected]" from both Sendgrid and G Suite?
  • Bonus: Is it correct to perform a Single Sender Verification with Sendgrid for [email protected]?

# Additional information: #

DNS/MX-records required by G Suite:

enter image description here

Spheroid answered 12/6, 2020 at 19:18 Comment(0)

Which DNS-record shall I set for my top-level domain "abc.com" to make the setup work?

I assume you are talking about MX records here. MX records tell the outside world which server incoming email should be delivered to, so you probably want the G-Suite settings here. Note that if you have more than one server listed (in the screenshot you have 5) delivery will be attempted first to the server with the lowest priority value and will stop whenever a delivery is successful. If 2 records have the same priority, which one gets tried first is up to the sender.

What should the SPF/DKIM/DMARC setup look like for this use case?

  • DMARC: This is a TXT record at _dmarc.yourdomain.com. It tells the recipient whether all, some, or none of the outgoing emails should be SPF/DKIM authenticated, what should happen to unauthenticated email (p=reject or p=quarantine), and optionally who to tell about authentication failures. In your case I would just use the one from Sendgrid, since both the one from Sendgrid and the one from G-Suite probably specify that all emails should be authenticated, and Sendgrid is the only one that really needs to get notifications for failures.
    • You can ask for reports to be sent to multiple addresses, but everyone on that list will get reports about all failed deliveries (G-Suite will get notifications about Sendgrid and Sendgrid will get notifications about G-Suite) and the spec says the people you are emailing don't have to send responses to anyone beyond the first 2.
  • SPF: This is an anti-spam tool that tells email recipients which email servers are the real email servers for your domain. You can only have one SPF record, but you can merge them. Understanding the syntax will make merging SPF records a lot easier, but essentially do this:
    • Remove v=spf1 from the beginning of both records
    • Remove -all or ~all from both records
    • Put both records together (separated by a space)
    • Remove duplicate entries (for example both records are likely to contain a and mx)
      • consider +foo and foo to be duplicates
    • Put v=spf1 on the beginning of your new combined record (there should be a space between it and the rest of the record)
    • Put ~all on the end of your new combined record (there should be a space between it and the rest of the record) (you can use -all if you want to be more aggressive in not allowing emails through from servers impersonating your domain rather than just sending them to spam)
  • DKIM: These records are cryptographic keys that can be used to sign emails. You can have more than one of these, and each one has a unique name. When G-suite sends an email it includes a signature using its key and also specifies that the signature should be checked against the key named google. If your domain is example.com this key should be at google._domainkey.example.com. Sendgrid's key will be named something else. Include both keys as separate records.

Should [email protected] still be an active G Suite group / Mailing list or must this be removed?

I would keep it. You will still be able to send mail from it if you want, but more importantly it will catch any replies customers send to your automated emails.

Is it possible to send outbound emails from "[email protected]" from both Sendgrid and G Suite?

Yes

Is it correct to perform a Single Sender Verification with Sendgrid for [email protected]?

Sorry, I can't help you there. Everything up to this point has been generic advice about using 2 email providers, but that seems to be a Sendgrid specific thing.

Armstrong answered 12/6, 2020 at 20:28 Comment(6)
This is a great answer (to a great question). I'm going through a similar scenario and it clarifies the steps to set it up. Still confused about Sendgrid's "Automated Security" flow and how a bunch of CNAMEs it suggests adding plays with existing SPF and DKIM TXT records. Deserves its own SO post though. - Nel
@MaxIvanov Seriously, I wonder the same. How does their auto security actually work? - Balmung
@Balmung I got some understanding since then. For DKIM, Sendgrid will provide 2 CNAMEs with unique keys, ex. s1._domainkey.example.com and s2._domainkey.example.com so they do not conflict with existing records. For SPF, there will be a CNAME for a subdomain, ex. sg-generated-rnd.example.com which resolves to Sendgrid servers. SPF TXT record will be hosted under that subdomain, by Sendgrid. Again doesn't conflict with your root domain's SPF record. - Nel
@MaxIvanov I see. I've already made a SO question #66281066 - Balmung
@Armstrong You said it's possible to send outbound from both G Suite and Sendgrid for [email protected] ... but is it a reasonable/safe decision? I'm having some difficulty in finding a concrete answer on if it impacts deliverability negatively. What do you think? - Photomural
@Photomural From a technical perspective there should be no issues. Generally you should not send different types of email from the same address though. Ex: marketing, transactional, and support email should come from separate addresses. You don't want an email provider gray-listing your password reset email because of a marketing newsletter. - Armstrong
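
The SPF merge steps listed in the answer above, as an added Python example that is not part of the original thread. The two input records are constructed samples, and the lookup counter only covers terms written in the merged record itself (nested includes are not resolved); it is there because RFC 7208 caps SPF evaluation at 10 DNS lookups, which a merged record can exceed.

```python
# Added example: merge two SPF TXT records following the steps in the answer.
# The record values at the bottom are constructed samples, not from the page.

# Mechanisms/modifiers that cost one DNS lookup each (RFC 7208, section 4.6.4).
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")
MAX_LOOKUPS = 10

def _terms(record):
    """Split a record into terms, dropping 'v=spf1' and any 'all' mechanism."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError(f"not an SPF record: {record!r}")
    return [p for p in parts[1:] if p.lstrip("+-~?").lower() != "all"]

def _key(term):
    """Dedup key: '+foo' and 'foo' are the same term; names are case-insensitive."""
    return term[1:].lower() if term.startswith("+") else term.lower()

def merge_spf(record_a, record_b, final="~all"):
    """Return one SPF record that authorises the senders of both inputs."""
    if final not in ("~all", "-all"):
        raise ValueError("final must be '~all' or '-all'")
    merged, seen = [], set()
    for term in _terms(record_a) + _terms(record_b):
        if _key(term) not in seen:
            seen.add(_key(term))
            merged.append(term)
    return " ".join(["v=spf1", *merged, final])

def direct_lookups(record):
    """Count lookup-costing terms in this record (nested includes not resolved)."""
    count = 0
    for term in record.split()[1:]:
        name = term.lstrip("+-~?").lower()
        for sep in ":=/":  # isolate the mechanism name from its argument
            name = name.split(sep, 1)[0]
        count += name in LOOKUP_TERMS
    return count

GOOGLE = "v=spf1 include:_spf.google.com a mx ~all"    # constructed sample
SENDGRID = "v=spf1 +a include:sendgrid.net mx -all"    # constructed sample

if __name__ == "__main__":
    combined = merge_spf(GOOGLE, SENDGRID)
    print(combined)
    print("direct lookups:", direct_lookups(combined), "of", MAX_LOOKUPS)
```

Publish the result as the single TXT record at the domain apex; two separate `v=spf1` records on the same name make SPF evaluation return an error.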
