
How to secure your Google Workspace email environment with SPF, DKIM and DMARC

Spammers, phishers and other attackers can forge the From address on an email so that a message appears to come from someone inside your domain. Google Workspace supports SPF, DKIM and DMARC, which together let receiving mail servers detect such forgeries, but none of them does anything until you publish the right DNS records for your domain. This post walks through configuring all three.

Check SPF, DKIM and DMARC settings.

First, check the current status of your SPF, DKIM and DMARC records. Google provides a set of online tools for this at https://toolbox.googleapps.com/apps/checkmx/

Sender Policy Framework (SPF)

Documented under RFC-7208 from the Internet Engineering Task Force (IETF).

“Email on the Internet can be forged in a number of ways. In particular, existing protocols place no restriction on what a sending host can use as the “MAIL FROM” of a message or the domain given on the SMTP HELO/EHLO commands. This document describes version 1 of the Sender Policy Framework (SPF) protocol, whereby Administrative Management Domains (ADMDs) can explicitly authorize the hosts that are allowed to use their domain names, and a receiving host can check such authorization.”

In practice, SPF lets a receiving server check that the host delivering a message is one your domain has authorised, which stops a lot of crude spoofing. Note what SPF actually checks: the domain in the envelope sender (MAIL FROM, shown to users as Return-Path) and the HELO name, not the From header that users see. A message with a forged From header and an envelope domain the attacker controls passes SPF; closing that gap is DMARC's job, covered below. Without an SPF record, legitimate mail from your domain is also more likely to be rejected or filed as spam.

Setting up SPF

An SPF record is a TXT record in your DNS that lists the mail servers that are allowed to send email from your domain.

For Google Workspace create a TXT record with the following values:

  • Name/Host/Alias: Enter @ or leave it blank. Your other DNS records might indicate which entry is correct.
  • Time to Live (TTL): Enter 3600 or leave the default.
  • Value/Answer/Destination: Enter v=spf1 include:_spf.google.com ~all

We’re using GoDaddy for our DNS. This is what we’ve entered to configure SPF on the patronum.io domain.

[Screenshot: the SPF TXT record as entered in GoDaddy DNS management]

If other services send email on your behalf, such as Salesforce, HubSpot or Mailchimp, add their include: terms to the same record (a domain must have only one SPF record). Keep an eye on the count: RFC 7208 limits an SPF evaluation to 10 DNS lookups across the include, a, mx, ptr, exists and redirect terms, nested includes counted, and a record that exceeds the limit returns permerror, which does not count as a pass for DMARC. Keep ~all (soft fail) or -all (fail) as the last term, and never publish +all, which authorises every host on the Internet.

For further information on setting up SPF, see the Google support article Authorize email senders with SPF.
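The checks above can be automated. The following linter is an added example for this post, not Google's or Patronum's code: it parses the text of an SPF record, counts the terms that cost a DNS lookup and flags the settings a receiver would punish. It works on a record string you paste in (normally fetched with `dig TXT yourdomain`), so the lookup count covers the terms in that record only; includes that themselves contain includes add to the real total, which needs DNS to resolve.

```python
"""Offline SPF record linter.

Added example for this post; it is not Google's or Patronum's code. It parses
the text of a v=spf1 TXT record, lists its terms, counts the terms that cost a
DNS lookup (RFC 7208 section 4.6.4 allows at most 10 per evaluation) and flags
weak or dangerous settings. Only the terms in the record passed in are counted;
nested includes add to the real total and need DNS to resolve.
"""
import re

LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10


def parse_spf(record: str) -> list:
    """Split an SPF record into terms: [{"qualifier", "name", "value"}, ...]."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: it must start with v=spf1")
    parsed = []
    for term in terms[1:]:
        # optional qualifier, mechanism/modifier name, optional ":arg"/"=arg", optional CIDR
        m = re.fullmatch(r"([+\-~?]?)([A-Za-z0-9]+)(?:[:=](\S+))?(?:/\d+)?", term)
        if not m:
            raise ValueError(f"malformed SPF term: {term!r}")
        parsed.append({
            "qualifier": m.group(1) or "+",   # no qualifier means pass
            "name": m.group(2).lower(),
            "value": m.group(3),
        })
    return parsed


def lint_spf(record: str) -> dict:
    """Summarise the record and return findings a mail admin should act on."""
    terms = parse_spf(record)
    findings = []
    lookups = sum(1 for t in terms if t["name"] in LOOKUP_TERMS)
    all_terms = [t for t in terms if t["name"] == "all"]

    if not all_terms:
        findings.append("no 'all' term: hosts not listed get a neutral result instead of failing")
    else:
        q = all_terms[0]["qualifier"]
        if q == "+":
            findings.append("'+all' authorises every host on the Internet; use ~all or -all")
        elif q == "?":
            findings.append("'?all' is neutral, which receivers treat much like no SPF at all")
        if terms.index(all_terms[0]) != len(terms) - 1:
            findings.append("terms after 'all' are never evaluated")
    if any(t["name"] == "ptr" for t in terms):
        findings.append("'ptr' is deprecated (RFC 7208 section 5.5) and slow; remove it")
    if lookups > MAX_LOOKUPS:
        findings.append(f"{lookups} lookup terms exceed the limit of {MAX_LOOKUPS}; "
                        "receivers return permerror, which DMARC does not count as a pass")
    return {
        "lookups": lookups,
        "all": all_terms[0]["qualifier"] if all_terms else None,
        "includes": [t["value"] for t in terms if t["name"] == "include"],
        "findings": findings,
    }


if __name__ == "__main__":
    # the record this post publishes for Google Workspace
    print(lint_spf("v=spf1 include:_spf.google.com ~all"))
```

Run it against each record you publish after adding a new sending service; a clean result is an empty findings list, and anything about permerror or +all should be fixed before the record goes live.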

DomainKeys Identified Mail (DKIM)

RFC-6376 states…

“DomainKeys Identified Mail (DKIM) permits a person, role, or organization that owns the signing domain to claim some responsibility for a message by associating the domain with the message. This can be an author’s organization, an operational relay, or one of their agents. DKIM separates the question of the identity of the Signer of the message from the purported author of the message. The assertion of responsibility is validated through a cryptographic signature and by querying the Signer’s domain directly to retrieve the appropriate public key. Message transit from author to recipient is through relays that typically make no substantive change to the message content and thus preserve the DKIM signature.”

DKIM lets a receiver verify that a message was sent by a server holding your domain's signing key and that the signed parts of it were not altered in transit. The sending server adds a DKIM-Signature header containing a digital signature (not encryption; the message stays readable) over selected headers and a hash of the body, made with a private key that only your mail servers hold. The matching public key is published as a DNS TXT record at <selector>._domainkey.<your domain>, so any receiver can fetch it and check the signature. DKIM increases email security and helps prevent email spoofing, a common method of phishing.
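To make the "not altered in transit" part concrete, here is the body-hash half of DKIM verification in working code. This is an added example for this post, not Google's or Patronum's code: it canonicalises a message body the way RFC 6376 specifies, recomputes the bh= tag from a DKIM-Signature header and shows that the check fails as soon as the body is edited. The message is constructed for the example, and its b= tag is a placeholder: checking the RSA signature over the headers needs the public key from <selector>._domainkey.<domain> and a crypto library, which is left out here.

```python
"""How DKIM makes "the body has not been changed" checkable.

Added example for this post; it is not Google's or Patronum's code. The signer
canonicalises the body, hashes it and puts the base64 digest in the bh= tag of
the DKIM-Signature header; the signature in b= then covers that header and the
listed headers. A verifier recomputes bh= first, which is what this block does.
The message below is constructed for the example and its b= tag is a
placeholder (the RSA check needs the public key from DNS and is left out).
"""
import base64
import hashlib
import re


def canonicalize_body(body: bytes, method: str = "relaxed") -> bytes:
    """Body canonicalisation per RFC 6376 sections 3.4.3 (simple) and 3.4.4 (relaxed)."""
    lines = body.split(b"\r\n")
    if method == "relaxed":
        # drop trailing whitespace on each line, squeeze runs of WSP to one space
        lines = [re.sub(rb"[ \t]+", b" ", ln.rstrip(b" \t")) for ln in lines]
    while lines and lines[-1] == b"":     # both methods ignore trailing empty lines
        lines.pop()
    if not lines:
        return b"\r\n" if method == "simple" else b""   # empty body: one CRLF vs nothing
    return b"\r\n".join(lines) + b"\r\n"


def body_hash(body: bytes, method: str = "relaxed", algo: str = "sha256") -> str:
    """The bh= value: base64 of the hash over the canonicalised body."""
    digest = hashlib.new(algo, canonicalize_body(body, method)).digest()
    return base64.b64encode(digest).decode()


def parse_tags(value: str) -> dict:
    """Parse a tag=value list (a DKIM-Signature header or the DNS key record)."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)   # whitespace inside values is insignificant
    return tags


def verify_body_hash(raw_message: bytes) -> tuple:
    """Return (ok, bh_from_header, bh_recomputed) for the message's DKIM-Signature."""
    head, _, body = raw_message.partition(b"\r\n\r\n")
    unfolded = re.sub(r"\r\n[ \t]+", " ", head.decode())   # join folded header lines
    sig = next(h for h in unfolded.split("\r\n") if h.lower().startswith("dkim-signature:"))
    tags = parse_tags(sig.split(":", 1)[1])
    _, _, body_method = tags.get("c", "simple/simple").partition("/")
    body_method = body_method or "simple"           # "c=relaxed" alone means relaxed/simple
    algo = tags["a"].split("-", 1)[1]               # "rsa-sha256" -> "sha256"
    computed = body_hash(body, body_method, algo)
    return computed == tags["bh"], tags["bh"], computed


# Constructed sample message; bh= is filled in the way a signer would.
SAMPLE_BODY = b"Hello from patronum.io\r\n\r\n"
SAMPLE_MESSAGE = (
    b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=patronum.io;\r\n"
    b" s=google; h=from:to:subject; bh=" + body_hash(SAMPLE_BODY).encode() + b";\r\n"
    b" b=PLACEHOLDER\r\n"
    b"From: Alice <alice@patronum.io>\r\n"
    b"To: bob@example.com\r\n"
    b"Subject: DKIM body hash demo\r\n"
    b"\r\n" + SAMPLE_BODY
)


def demo() -> dict:
    """Verify the sample, then the same message with its body altered in transit."""
    ok, _, _ = verify_body_hash(SAMPLE_MESSAGE)
    tampered_ok, _, _ = verify_body_hash(SAMPLE_MESSAGE.replace(b"Hello from", b"Invoice from"))
    return {"original_ok": ok, "tampered_ok": tampered_ok}


if __name__ == "__main__":
    print(demo())
```

Two details worth noticing: relaxed canonicalisation is why a relay that re-wraps whitespace does not break the signature, and an empty body still hashes to a fixed, well-known value (sha256 of a single CRLF for simple, of nothing for relaxed), which is why a mail filter cannot strip a body and leave the signature valid.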

Setting up DKIM

This setup is more involved than the SPF record, so we include a few screenshots to help.

In the Google Admin console (admin.google.com), go to Apps > Google Workspace > Gmail, then select Authenticate email.

From the Authenticate email section, select “Generate new record“.

Copy the TXT record name and value and add them in your DNS settings. Google's default selector is google, so the record host is google._domainkey (GoDaddy appends your domain automatically). The value is long because it carries a 2048-bit RSA public key; if your DNS provider rejects it, split it into quoted strings of at most 255 characters, which DNS joins back into one value. Again using GoDaddy DNS management, the entry should look like this.

[Screenshot: the DKIM TXT record as entered in GoDaddy DNS management]

Wait for the DNS update to propagate; this can take up to 48 hours, though ours took only a few minutes. Then go back to the Google Admin console and select START AUTHENTICATION. If the record has propagated correctly, the status in the Authenticate email section changes to Authenticating email. If it does not, confirm the record is visible with the toolbox linked above before retrying.

Further information on configuring DKIM for Google Workspace can be found in the Google support article About DKIM.

Domain-based Message Authentication, Reporting, and Conformance (DMARC)

RFC-7489 states…

“Domain-based Message Authentication, Reporting, and Conformance (DMARC) is a scalable mechanism by which a mail-originating organization can express domain-level policies and preferences for message validation, disposition, and reporting, that a mail-receiving organization can use to improve mail handling.

Originators of Internet Mail need to be able to associate reliable and authenticated domain identifiers with messages, communicate policies about messages that use those identifiers, and report about mail using those identifiers. These abilities have several benefits: Receivers can provide feedback to Domain Owners about the use of their domains; this feedback can provide valuable insight about the management of internal operations and the presence of external domain name abuse.

DMARC does not produce or encourage elevated delivery privilege of authenticated email. DMARC is a mechanism for policy distribution that enables increasingly strict handling of messages that fail authentication checks, ranging from no action, through altered delivery, up to message rejection.”

DMARC builds on SPF and DKIM. It checks that the domain that passed SPF or DKIM aligns with the domain in the From header that users see, which is exactly the gap each of them leaves on its own; it lets you tell receivers what to do with messages that fail (nothing, quarantine or reject); and it asks them to send you reports of what they saw. That combination is what makes it effective against spoofing of your domain.

Setting up DMARC

A DMARC record is a TXT record in your DNS that defines the policy you want receivers to apply to your domain. Start with DMARC in monitoring mode (p=none, “no action taken”): you receive the reports without affecting delivery. Moving straight to p=quarantine or p=reject before every legitimate sender is covered by SPF or DKIM will cause real mail from your domain to be quarantined or rejected.

For your Google Workspace system create a DNS TXT record with the following values:

  • Name/Host/Alias: Enter _dmarc
  • Time to Live (TTL): Enter 3600 or leave the default.
  • Value/Answer/Destination: Enter v=DMARC1; p=none; rua=mailto:postmaster@your_domain.com

Again, these settings are for monitoring only. Once the record is live you will start receiving aggregate reports, usually daily, as emails with compressed XML files attached. Use them to see which systems are sending email on behalf of your domain, confirm each is legitimate and fix the ones that fail SPF or DKIM before tightening the policy. Reading raw XML gets tedious quickly, so most people move to a DMARC reporting service. There are plenty of choices; for this tutorial we use the free service at http://dmarc.postmarkapp.com/. Setup is simple: provide your email address and the domain you want to monitor, and Postmark gives you the record value to publish, which directs the reports to them.
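Before you hand reports to a service, it helps to know what is in them. The following parser is an added example for this post, not Postmark's, Google's or Patronum's code: it reads one aggregate report in the RFC 7489 Appendix C format, lists each sending source with whether it passed DMARC, and points out the classic trap of a third-party mailer whose SPF passes for its own bounce domain but does not align with your From domain. The report and its IP addresses are constructed for the example.

```python
"""Summarise a DMARC aggregate (rua) report offline.

Added example for this post; it is not Postmark's, Google's or Patronum's code.
Receivers send the XML defined in RFC 7489 Appendix C (gzipped or zipped) to
the rua= address. SAMPLE_REPORT is constructed for the example, using
documentation IP ranges. <policy_evaluated> already reflects alignment, so its
dkim/spf values are the DMARC verdict; the raw <auth_results> explain why.
"""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086399</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>patronum.io</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>patronum.io</header_from></identifiers>
    <auth_results>
      <dkim><domain>patronum.io</domain><selector>google</selector><result>pass</result></dkim>
      <spf><domain>patronum.io</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>8</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>patronum.io</header_from></identifiers>
    <auth_results>
      <spf><domain>bounce.mailer.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def aligned(auth_domain: str, header_from: str, mode: str = "r") -> bool:
    """DMARC identifier alignment (RFC 7489 section 3.1). Strict ("s") needs an
    exact match; relaxed ("r") compares organizational domains. The last-two-
    labels rule below stands in for the Public Suffix List, so it is only an
    approximation for domains such as example.co.uk."""
    a, h = auth_domain.lower().rstrip("."), header_from.lower().rstrip(".")
    if mode == "s":
        return a == h
    return ".".join(a.split(".")[-2:]) == ".".join(h.split(".")[-2:])


def parse_report(xml_text: str) -> dict:
    """Reduce one aggregate report to a per-source list with pass/fail and hints."""
    root = ET.fromstring(xml_text)
    policy = root.find("policy_published")
    aspf = policy.findtext("aspf") or "r"
    summary = {
        "reporter": root.findtext("report_metadata/org_name"),
        "domain": policy.findtext("domain"),
        "policy": policy.findtext("p"),
        "sources": [],
    }
    for rec in root.findall("record"):
        row, evaluated = rec.find("row"), rec.find("row/policy_evaluated")
        header_from = rec.findtext("identifiers/header_from")
        dmarc_pass = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        notes = []
        spf_domain = rec.findtext("auth_results/spf/domain")
        if rec.findtext("auth_results/spf/result") == "pass" and spf_domain \
                and not aligned(spf_domain, header_from, aspf):
            notes.append(f"SPF passed for {spf_domain}, which is not aligned with From: {header_from}")
        if rec.find("auth_results/dkim") is None:
            notes.append("no DKIM signature seen: this sender is not signing with your key")
        summary["sources"].append({
            "ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "header_from": header_from,
            "dmarc_pass": dmarc_pass,
            "disposition": evaluated.findtext("disposition"),
            "notes": notes,
        })
    return summary


def failing_sources(summary: dict) -> list:
    """Sources to investigate before tightening p=; each is either a spoofer or a
    legitimate service that still needs SPF/DKIM set up for your domain."""
    return [s for s in summary["sources"] if not s["dmarc_pass"]]


if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    print(f"{report['reporter']} report for {report['domain']} (p={report['policy']})")
    for src in failing_sources(report):
        print(f"  {src['ip']}: {src['count']} messages failed; " + "; ".join(src["notes"]))
```

Real reports arrive as .xml.gz or .zip attachments, so decompress them (for example with `gzip.decompress`) before calling parse_report. The second source in the sample is the case to look for while you are on p=none: a mailer that passes SPF for its own bounce domain still fails DMARC for yours, and needs either DKIM signing with your key or a return-path on your domain before you move to quarantine or reject.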

This is what we’ve entered to configure DMARC on the patronum.io domain.

[Screenshot: the DMARC TXT record as entered in GoDaddy DNS management]
