Hi all, I'm going recount a personal experience here. I have my own domain (BaloneyGeek.com) and I use Google Apps for Business for my E-Mail.
A couple of months ago I shifted DNS providers and took the opportunity to properly set up E-Mail verification and signing. Using Google's documentation, I enabled SPF, and then tested. Then I enabled DKIM and tested. So far, everything was fine. Then I enabled DMARC and all hell broke loose. Even though Google's configuration checker gave me a green tick on DMARC configuration, I couldn't send mail to any non Google-handled e-mail ID, without it being sent to spam. I know this because I tested with one Windows Live Mail (or whatever they call it these days) account and one Yahoo account. Both of them had a history of receiving e-mails from me. I would also get an XML file delivered to my inbox from every single e-mail server that handled my mail, with stats of how many mails they handled, how many passed auth, how many failed and how many were sent to spam. Apart from the annoyance of receiving tens of these mails per day, I noted that every single provider (other than Google) was failing auth on all my mails and sending them to spam. I dug around multiple docs (including RFC 7489, Google's docs, etc) and couldn't find any configuration errors I'd made. In they end I had to roll back DMARC (which took two days to propagate across all DNS caches, btw), while keeping SPF and DKIM enabled. Everything has been fine since then. So here's my two cents - SPF **should** always be enabled, that's the bare minimum you can do. DKIM enforces SPF using signing, so if you guys can implement that well, awesome. But be very careful when dealing with DMARC. From what I saw when I tried to set it up, no e-mail provider other than Google knows what to do with it. -- Boudhayan
