Certify'em and Google Workspace (G Suite)
Read this entire article if you are using, or plan to use, Certify'em in a Google Workspace (formerly G Suite) environment. And if you are having issues with email quota, or bounced certificates, be especially sure to carefully review the last two topics.
Topics Covered Below:
Common questions and answers about using Certify'em with Google Workspace.
Important setup information, especially for brand new Google Workspace domains.
Important things to know about obtaining a higher email quota (1500 / day) with Google Workspace.
Why certificate emails may initially bounce with Workspace, and what to do about it.
What is Google Workspace (formerly G Suite)?
Google Workspace is Google's cloud-based productivity suite, comparable to Microsoft's O365. If you're accustomed to using Gmail, Google Calendar, or Google Drive, think of Workspace as the paid equivalents that offer additional controls and capabilities to business, schools and other organizations. Most importantly, you can create and manage a set of users (i.e. employees, teachers, club members) and manage how they share their data. And that data is under the control of your Workspace domain, rather than a disparate set of Gmail accounts owned by different people.
Do I need Google Workspace to use Certify'em?
No. Certify'em can be used with a simple, free Gmail account. However, Google Workspace users have a much higher limit of 1,500 email recipients / day when combined with Certify'em Platinum.
How do I know if I already have Workspace?
You may already be using Google Workspace if:
Your school, business, or organization already routinely uses tools like Gmail, Calendar, and/or Google Drive & Docs to conduct business.
You and your fellow colleagues have email addresses that end in the same domain name (i.e. email@example.com and firstname.lastname@example.org).
If you're still not sure, ask the I.T. Admin or Help Desk at your organization if your user account is a Google Workspace account.
How do I get Google Workspace?
You can sign-up for Google Workspace online at workspace.google.com. As part of this process you will also need to purchase a domain name (i.e. mycoolclub.com), or specify one you already own. A domain name is necessary so that Certify'em can send emails.
There are many online videos and guides for setting up a new account you can follow. Be prepared to spend several hours or more obtaining and setting up your Google Workspace account.
My organization uses Workspace, but why am I unable to install/use Certify'em?
It's possible your organization's Google Workspace admin has blocked access to Add-ons, or blocked access to certain APIs (like the Google Drive APIs). Inquire with your I.T. admin if they can help enable Certify'em for you. See "Grant Access" below.
Will Workspace's higher email limits apply right away?
No. According to Google, the higher quota of 1500 emails / day won't take effect until (1) your new Workspace domain has cumulatively paid Google at least USD $100 (or equivalent), and (2) at least 60 days have passed since reaching that payment threshold. They also don't apply while your Workspace domain is in its free trial. So plan ahead to purchase and setup your Workspace domain at least two months before you need it. Also note that you can pay the $100 USD (or equivalent) early, to minimize the time until your quota raises. See this article for more on paying early.
Does Workspace require any special setup to work with Certify'em?
While Certify'em should work with any Google Workspace domain without additional configuration, it's highly recommended that you read and follow the instructions outlined below to ensure proper behavior (i.e. avoid rejected/bounced emails), especially for a recently created Google Workspace domain.
Account in Good Standing
Ensure your account is no longer in its trial period and is fully paid-up by accessing the Billing section of your Google Workspace Admin console. Once in the Billing section, next to Google Workspace, click the "Actions" drop-down menu, and select "Access billing account". Under Your balance, click Pay Early or Make a Payment. Make sure that the payment details are correct, then click Confirm.
Note: If you are interested in obtaining your higher email quota as soon as possible, you may wish to pay $100 USD (or equivalent) when you pay early. See prior section on this page entitled "Will Workspace's higher email limits apply right away?" for more details.
Setup SPF Records (avoid bounced/rejected emails)
Next, setup a common DNS mail record called an "SPF" record to avoid your domain being confused for delivering email spam when sending automated certificate emails. If your domain is thought to be sending spam (vs just large numbers of certificates), it can result in many emails sent by Certify'em getting bounced/rejected.
To see if you already have an SPF record setup for Google Workspace, visit https://mxtoolbox.com/spf.aspx, type in your domain name (i.e. mycoolclub.com) and click "SPF Record Lookup".
If you see the message "SPF Record Found", and includes something like "v=spf1 include:_spf.google.com ~all", then you're all set!
If you see the message "No SPF Record Found", or the record listed doesn't include something like "v=spf1 include:_spf.google.com ~all", then you'll need to setup an SPF record for Workspace. See below.
To setup an SPF record for Google Workspace, you will need the ability to modify your domain's DNS records. This requires a login/password to the registry from which you purchased your domain name (i.e. GoDaddy, Google Domains, etc). If you're not the one who purchased the domain, you'll need to ask that person to do this for you (i.e. your organization's I.T. admin). See this documentation from Google to learn more about SPF records and how to configure them for your domain: https://support.google.com/a/answer/33786.
Passage of Time
Note that even once the above setup steps are met, it may take some time before automated emails (such as those sent by Certify'em) can be delivered outside of your domain. Google does this to discourage bad actors who would otherwise sign-up for Google Workspace for the purpose of sending out large quantities SPAM emails via automated methods. This period of time can vary, but is typically several weeks or more.
In the interim, you may still be able to share certificates using the "Share via: Google Drive" option in the "Advanced Settings" of Certify'em. Note that recipients will need a Google account (i.e. Google Workspace or @gmail.com) to be able to print or download the certificate. Else they will only be able to view the file and will have to take a screenshot of it.
Google Workspace gives your organization the option to restrict the access of 3rd-party applications (i.e. Certify'em) to its services (i.e. Google Drive). Follow the steps below if you are having trouble getting Certify'em to install or run, and think that your organization's Workspace administrator may have restricted access to it:
Step 1: Ask your Workspace admin if they have blocked users from installing apps from the Google Workspace Marketplace, or restricted installs to only selected "allowed" apps. This setting can be found in the "Settings for Google Workspace Marketplace apps" section of the Workspace Admin Console.
If so, ask if they could change this to the "allowed applications" setting (if not already selected), and add Certify'em to the allowlist.
Step 2: Ask your Workspace admin if they have restricted access to the Google Drive service under the "API Controls" in the "Security" section of the Workspace Admin Console. If they have, ask if they can add or configure Certify'em as a 3rd-party app with "Trusted" or "Limited" access.
Note: This step may require entering Certifyem's "OAuth 2 Client ID", which is: 295230426839-v1os3n9ffmt8diinjnb81u7adpd24ud6.apps.googleusercontent.com.
Step 3: Ask your Workspace admin to ensure they haven't turned OFF access to the Drive SDK, or the ability to install Add-ons, for the user account(s) that Certify'em will be installed and run with. These settings can be found in the "Settings for Drive and Docs" section of the Workspace Admin Console.
Note: Even if your Workspace admin doesn't want to turn ON these settings for all users in your organization, they can still enable it for a subset of users (via a group or OU) such that you can have access.