Reduce the likelihood of Gmail getting into spam

First of all, go and check with the Google MX Toolbox what is the situation with your domain. You will get a report like the below:

The output will help you identify what is needed for an optimal setup.

Setup SPF records

An SPF (Sender Policy Framework) record identifies the mail servers and domains that are allowed to send emails on behalf of your domain.

• Go to your DNS provider and setup a TXT record with the name of your domain followed by a "dot", ie example.com. and the value of:

•     v=spf1 include:_spf.google.com ~all
  

• Your DNS provider should end up being configured like this:

A detailed guide on configuring SPF records is available from Google.

Setup DKIM records

DKIM, or DomainKeys Identified Mail, is an email authentication method that uses a digital signature to let the receiver of an email know that the message was sent and authorized by the owner of a domain.

• Go to https://admin.google.com and click on Apps -> Google Workspace -> Gmail

• On the list of options select Authenticate email

• Click on GENERATE NEW RECORD and you will get the below:

• 

  Now go to your DNS provider and create a new TXT record with the value in the box. Should look something like this:

  

• Click the START AUTHENTICATION button. When DKIM setup is complete and working correctly, the status at the top of the page changes to Authenticating email with DKIM.

• Well done for making your emails safer, remember to check on Google MX Toolbox that everything is OK

A detailed guide on configuring DKIM records is available from Google.

Setup DMARC records

Domain-based Message Authentication Reporting & Conformance (DMARC) is an email security protocol. DMARC verifies email senders by building on the Domain Name System (DNS), DomainKeys Identified Mail (DKIM), and Sender Policy Framework (SPF) protocols.

A recommended value to begin with is:

v=DMARC1; p=none; rua=mailto:dmarc@example.com

This means that when emails fail the DMARC validation, they will still be delivered to the recipient and a report will be sent to dmarc@example.com. This will let you review the reports and decide if you want to send the emails that fail the validation to the spam folder or reject them.

• Go to your DNS provider and setup a TXT record with the name of _dmarc.example.com with the value above. Of course, instead of example.com, you should configure your domain name.

• The configuration of the DMARC TXT record on your DNS provider should be:

  

To improve the handling of rejections follow this tutorial by Google. To see all the possible parameters read this article on Google.

A detailed guide on configuring DMARC records is available from Google.

Setup MTA-STS records

Mail Transport Agent Strict Transport Security (MTA-STS) is a new internet standard that allows you to enable strict force-TLS for email sent between supported email providers. It is similar to HTTP Strict Transport Security (HSTS), where a force-TLS policy is set and then cached for a specified amount of time, reducing the risk of man-in-the-middle or downgrade attacks.

Follow this detailed guide from Google.

Conclusion

If all goes well, Google MX toolbox should do a nice and green report like this:

• Register your domain, ie Google Domains or Gandi.net

• Go to admin.microsoft.com -> Settings -> Domains

• Click Add Domain

• Insert your domain name and click Use this domain

The next page lets you pick how can you confirm that you are the owner of the domain. My favourite way is to add a TXT record to confirm ownership.

Microsoft will give you a step-by-step guide on how to configure it on your DNS hosting provider.

Go ahead and do that and then click verify. Usually, it takes a while before the changes to the records are propagated and you can continue to the next step.

DNS Configuration

Once you can verify the step you need to decide how to configure all the Microsoft services related to the domain. I would advise a small business to just let Microsoft manage the DNS parameters to have less risk of misconfiguring the services.

Click on "Setup my online services for me".

In the next step you need to select which services to enable on the domain, please review and click continue to go ahead with the next step.

Make sure you review the Advanced options and make sure you keep only the services you need on the domain.

In this step, you can manually add DNS records that you want Microsoft to have on file or you can automatically import what is already configured on your existing DNS server. Generally on the initial setup I click "Import DNS records" and I will adjust later as needed.

This is now the critical step, you have to tell the world that we want Microsoft to manage the domain DNS records. If you are transferring the email server to Microsoft, this is the step that will enable you to have them process emails.

You will need to add those new name servers to your domain registry provider.

I went ahead and told my registrar that I want to use a different name server and configured the parameters that Microsoft told me.

This might be disruptive if you had services running on the old domain, like websites, email and so on, especially if the parameters weren't migrated correctly to Microsoft.

Once you specified Microsoft as the new nameserver you will have to click continue. You might get a scary error as above. This is Microsoft telling you that the changes aren't yet propagated across the world and it is still recording the old name server. It might take hours or up to one day or two for this to be completed. You might need to come back to the above screen if your browser session expires in the meantime.

Once a few hours to a day pass, you should be able to click continue and the domain setup should be completed successfully.

The domain's state will go from "Incomplete setup" to "Healthy".

Congratulations, now you can send emails from your new domain!

Create your fist email address on Exchange

Guide coming soon ...

Shared mailbox

This is great if you want to have multiple users able to manage the same email inbox.

Go to https://admin.microsoft.com and click Teams & groups -> Shared mailboxes. Click Add a shared mailbox

Insert a descriptive name for it and add the email username and click Save changes

Click on the shared email address to edit its settings.

To give users permission to read and "send emails as" to that shared email address click Read and manage permissions.

Click on Add permissions to select the users that should be able to have access to the shared mailbox. Once you do that, you want to do the same for Send as permissions and Send on behalf permissions. This will enable users to send a new email as if they were the shared mailbox.

WARNING: Once you do this, you need to wait 30 minutes and tell the users to reboot their laptops and phones otherwise they will not see the shared mailbox in Outlook.

Multiple domain aliases for a user

If you have multiple domain names that you want to be managed by the shared mailbox, you can add them as aliases. To do this click on the shared mailbox to open its settings and click Edit under Aliases.

You will have to pick a username and a domain and click Add.

Next steps

Congratulations on getting set up with Office 365 and a custom domain for your business.

Guide coming soon: Set up SPF and DKIM to reduce the likelihood of outgoing being blocked by spam filters.