DNS Email Authentication

SPF · DKIM · DMARC — One.com + Google Workspace setup guide

0/6 complete
Why this is urgent: Without SPF, DKIM, and DMARC, booking confirmation emails and pilot magic links sent from [email protected] are likely landing in spam for clients using Gmail, Outlook, or corporate email filters. These records prove to receiving mail servers that your emails are legitimate.

What you need to do

One.com DNS panel
Add 3 TXT records for SPF and DMARC on both domains
Google Workspace Admin
Generate and publish your DKIM key for Gmail sending
Verify with MXToolbox
Confirm all records are live and correct
1

SPF Record — airaviationacademy.com

Action required

SPF tells receiving mail servers which services are authorised to send email from your domain. You send via Google Workspace, so you need both Google's and One.com's SPF includes.

Log in to one.com Control Panel → Advanced settings → DNS settings → DNS records → Create new record → TXT
Name / Host
@

The @ symbol means the record applies to the root domain (airaviationacademy.com)

Value
v=spf1 include:_spf.google.com include:_custspf.one.com ~all

This authorises both Google Workspace (Gmail SMTP) and One.com to send on behalf of your domain. The ~all at the end means 'soft fail' — emails from other sources are marked suspicious but not rejected.

TTL
3600

1 hour — standard for DNS records

2

SPF Record — tvmbreathwork.com

Action required

Repeat the same process for your second domain. This protects [email protected] and all aliases from being spoofed.

Same process: One.com DNS panel → DNS records → Create new record → TXT — but this time for tvmbreathwork.com
Name / Host
@
Value
v=spf1 include:_spf.google.com include:_custspf.one.com ~all
TTL
3600
3

DKIM — Google Workspace Admin Console

Action required

DKIM adds a cryptographic signature to every email you send, proving it genuinely came from your Google Workspace account. This is the most important record for inbox placement.

DKIM must be generated from inside Google Workspace Admin — One.com cannot generate this for you. Follow these steps exactly.
  1. Go to admin.google.com and sign in as [email protected]
  2. Navigate to Apps → Google Workspace → Gmail
  3. Click Authenticate email
  4. Select domain: airaviationacademy.com
  5. Click Generate new record — leave the prefix selector as google and key length as 2048
  6. Copy the TXT record name (looks like: google._domainkey) and the TXT record value (a long string starting with v=DKIM1; k=rsa; p=...)
  7. Go to One.com DNS panel for airaviationacademy.com → Create new record → TXT → paste the name and value exactly as shown
  8. Return to Google Workspace Admin → Gmail → Authenticate email → click Start authentication
  9. Repeat for tvmbreathwork.com if you want DKIM on that domain too
DKIM propagation can take up to 4 hours. Google Workspace will show a green checkmark once it detects the record.
4

DMARC Record — airaviationacademy.com

Action required

DMARC tells receiving servers what to do when an email fails SPF or DKIM checks. Start with p=none (monitoring only) — this gives you reports without risking any legitimate emails being blocked. You can tighten to p=quarantine or p=reject later once you've verified everything is working.

One.com DNS panel for airaviationacademy.com → Create new record → TXT
Name / Host
_dmarc

This must be exactly _dmarc (with the underscore) — do not add the domain name after it

Value
v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1

p=none = monitoring mode (no emails blocked). rua = aggregate reports sent to your Proton admin inbox. ruf = forensic reports. fo=1 = report on any failure. Upgrade to p=quarantine after 2 weeks of clean reports.

TTL
3600
5

DMARC Record — tvmbreathwork.com

Action required

Same record for your second domain.

One.com DNS panel for tvmbreathwork.com → Create new record → TXT
Name / Host
_dmarc
Value
v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1
TTL
3600
6

Verify — MXToolbox

Pending

After DNS propagation (allow 1–4 hours), verify all records are live and correct using MXToolbox's free tools.

All three checks should show green. If SPF shows "Too many DNS lookups" — that means you have duplicate or conflicting SPF records. Delete any old ones and keep only the one from Step 1.

After 2 weeks — tighten your policy

Once you've been running with p=none for 2 weeks and your DMARC reports (sent to [email protected]) show no unexpected sources, upgrade to:

Upgraded DMARC value
v=DMARC1; p=quarantine; pct=100; rua=mailto:[email protected]; fo=1

p=quarantine sends suspicious emails to spam instead of the inbox. Once you're confident, upgrade to p=reject for maximum protection.