
Setup | G Suite + Sendgrid for transactional email

I'm currently trying to get my head around an issue with our Shop's email setup. So far we were using G Suite for all our emails related to our domain abc.com.

# The History: #

Our WooCommerce Shop was utilising the wp_mail() PHP-Mail functionality to send transactional emails (e.g. Order received, Account created, ..) by our Webhoster. As we were facing more and more emails being sent to our customers' SPAM folders, we decided to move to an SMTP provider.

# The new Setup: #

We installed the WP SMTP Mail Plugin for WordPress and chose Sendgrid as SMTP provider. We followed the instructions and were able to connect all three: Our WooCommerce Shop, WP Mail SMTP and Sendgrid.

# The problem: #

Now that we have the new setup running, things seem to be somehow messed up. I read that it is not allowed / not good practice to mix the MX-record setting for abc.com. But this is exactly what I did - what I had to do - to make both Sendgrid and G Suite function.

Despite the fact that Sendgrid lists outbound emails from [email protected] in its activity dashboard, the actual email is signed by Gmail's default DKIM domain key: d=*.gappssmtp.com, which shouldn't be the case, right?

# The objective: #

[Image not preserved]

# Open Questions: #

  • Which MX-record shall I set for my top-level domain "abc.com" to make the setup work?
  • How should the SPF/DKIM/DMARC setup look like for this use case?
  • Should [email protected] still be an active G Suite group / Mailing list or must this be removed?
  • Bonus: Is it possible to send outbound emails from "[email protected]" from both Sendgrid and G Suite?
  • Bonus: Is it correct to perform a Single Sender Verification with Sendgrid for [email protected]?

# Additional information: #

DNS/MX-records required by G Suite:

[Image not preserved]

Kevin Katzke asked Jun 12 '20 19:06


1 Answer

Which DNS-record shall I set for my top-level domain "abc.com" to make the setup work?

I assume you are talking about MX records here. MX records tell the outside world which server incoming email should be delivered to, so you probably want the G-Suite settings here. Note that if you have more than one server listed (in the screenshot you have 5) delivery will be attempted first to the server with the lowest priority value and will stop whenever a delivery is successful. If 2 records have the same priority, which one gets tried first is up to the sender.

How should the SPF/DKIM/DMARC setup look like for this use case?

  • DMARC: This one is the simplest. This is an address where you will get reports of failed email deliveries. You can ask for reports to be sent to multiple addresses, but the spec says the people you are emailing don't have to send responses to anyone beyond the first 2, and many don't, so try to limit yourself to 2 addresses. One thing to keep in mind is that both addresses will get notifications for all failed deliveries (G-Suite will get notifications about Sendgrid and Sendgrid will get notifications about G-Suite). G-Suite can use these failed-email-delivery notifications to generate reports, but since you probably don't really need that feature of G-Suite, I would just use the record provided by Sendgrid.
  • SPF: This is an anti-spam tool that tells email recipients which email servers are the real email servers for your domain. You can only have one SPF record, but you can merge them. Understanding the syntax will make merging SPF records a lot easier, but essentially do this:
    • Remove v=spf1 from the beginning of both records
    • Remove -all or ~all from both records
    • Put both records together (separated by a space)
    • Remove duplicate entries (for example both records are likely to contain a and mx)
      • consider +foo and foo to be duplicates
    • Put v=spf1 on the beginning of your new combined record (there should be a space between it and the rest of the record)
    • Put ~all on the end of your new combined record (there should be a space between it and the rest of the record) (you can use -all if you want to be more aggressive in not allowing emails through from servers impersonating your domain rather than just sending them to spam)
  • DKIM: This is an anti-spam tool that tells email recipients that they can expect some or all emails from your domain to be signed with a particular cryptographic key. It consists of 2 types of records. (If you want to learn more, I recommend this)
    • The first one just tells the recipient whether all, some, or none of the outgoing emails should be signed, and optionally who to tell if some part of this process fails. For the domain example.com, this would be a TXT record at _domainkey.example.com. In your case I would just use the one from Sendgrid, since both the one from Sendgrid and the one from G-Suite probably specify that all emails should be signed, and Sendgrid is the only one that really needs to get notifications for failures.
    • The other type of record is a cryptographic key. You can have more than one of these, and each one has a unique name. When G-Suite sends an email it includes a signature using its key and also specifies that the signature should be checked against the key named google. If your domain is example.com this key should be at google._domainkey.example.com. Sendgrid's key will be named something else. Include both keys as separate records.

Should [email protected] still be an active G Suite group / Mailing list or must this be removed?

I would keep it. You will still be able to send mail from it if you want, but more importantly it will catch any replies customers send to your automated emails.

Is it possible to send outbound emails from "[email protected]" from both Sendgrid and G Suite?

Yes

Is it correct to perform a Single Sender Verification with Sendgrid for [email protected]?

Sorry, I can't help you there. Everything up to this point has been generic advice about using 2 email providers, but that seems to be a Sendgrid specific thing.

9072997 answered Sep 24 '22 22:09
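
The SPF merge steps from the answer above, as an added Python example that is not part of the original answer. The two sample records are constructed, and the DNS-lookup count (RFC 7208 allows at most 10 lookup-causing terms per SPF evaluation) goes beyond the answer's steps.

```python
# Added example: merge several SPF records into one, step by step.
# Terms that trigger a DNS lookup when a receiver evaluates the record.
LOOKUP_MECHANISMS = ("include", "a", "mx", "ptr", "exists", "redirect")

# Constructed sample inputs, one per provider (not taken from the page).
SAMPLE_A = "v=spf1 a mx include:_spf.google.com ~all"
SAMPLE_B = "v=spf1 +a mx include:sendgrid.net -all"


def spf_terms(record):
    """Drop the leading v=spf1 and any trailing 'all' term."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError(f"not an SPF record: {record!r}")
    return [t for t in parts[1:] if t.lstrip("+-~?").lower() != "all"]


def dedupe_key(term):
    """'+foo' and 'foo' mean the same thing, so they share one key."""
    return term[1:].lower() if term.startswith("+") else term.lower()


def merge_spf(records, strict=False):
    """Combine records, drop duplicates, re-add v=spf1 and the final 'all'."""
    seen, merged = set(), []
    for record in records:
        for term in spf_terms(record):
            key = dedupe_key(term)
            if key not in seen:
                seen.add(key)
                merged.append(term)
    # ~all sends failures to spam; -all asks receivers to reject them.
    return " ".join(["v=spf1", *merged, "-all" if strict else "~all"])


def dns_lookup_terms(record):
    """Count top-level terms that cost a DNS lookup (nested includes add more)."""
    count = 0
    for term in record.split()[1:]:
        name = term.lstrip("+-~?").lower()
        mechanism = name.split(":")[0].split("/")[0].split("=")[0]
        if mechanism in LOOKUP_MECHANISMS:
            count += 1
    return count


if __name__ == "__main__":
    combined = merge_spf([SAMPLE_A, SAMPLE_B])
    print(combined, "| lookup terms:", dns_lookup_terms(combined))
```

Publish the merged string as the domain's single SPF TXT record; each `include:` target can add further lookups of its own, so the top-level count is a lower bound.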