Securing your Google G Suite email environment with SPF, DKIM and DMARC

As experts in the field of email, we wanted to share our knowledge and experience on how to secure your Google G Suite (Gmail) service by implementing SPF, DKIM and DMARC.

Wow, one sentence in and I’ve already thrown three acronyms at you, so as we go through this tutorial I’ll try to explain what SPF, DKIM and DMARC are.

Check SPF, DKIM and DMARC settings

First, let’s check the status of your SPF, DKIM and DMARC settings. Google has created a set of online tools to help with this at https://toolbox.googleapps.com/apps/checkmx/

As we can see our SPF, DKIM and DMARC have not been configured. So let’s begin.

Sender Policy Framework (SPF)

Documented under RFC-7208 from the Internet Engineering Task Force (IETF).

“Email on the Internet can be forged in a number of ways. In particular, existing protocols place no restriction on what a sending host can use as the “MAIL FROM” of a message or the domain given on the SMTP HELO/EHLO commands. This document describes version 1 of the Sender Policy Framework (SPF) protocol, whereby ADministrative Management Domains (ADMDs) can explicitly authorize the hosts that are allowed to use their domain names, and a receiving host can check such authorization.”

Basically, SPF prevents spammers from sending unauthorized emails from your domain. Also, if you don’t have SPF configured for your domain, messages you send could bounce or be marked as spam.

Setting up SPF

An SPF record is a TXT record in your DNS that lists the mail servers that are allowed to send email from your domain.

For Google G Suite create a TXT record with the following values:

  • Name/Host/Alias: Enter @ or leave it blank. Your other DNS records might indicate which entry is correct.
  • Time to Live (TTL): Enter 3600 or leave the default.
  • Value/Answer/Destination: Enter v=spf1 include:_spf.google.com ~all

We’re using GoDaddy for our DNS. This is what we’ve entered to configure SPF on the emailsigntureguru.com domain.

If you have other services sending email on your behalf, such as Hubspot, Mailchimp etc you’ll also need to include them in the SPF record.

For further information on setting up SPF please see the Google support article Authorize email senders with SPF.
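To see what a receiving server actually does with the record above, here is an added Python example, written for this tutorial and not Google's or GoDaddy's code, that evaluates an SPF record for a sending IP. It uses a constructed in-memory table in place of DNS, with documentation-range addresses, so the simplified `_spf.google.com` entries are assumptions and not the real Google records. It also counts the DNS-querying terms a record needs, which matters once you add vendors such as Hubspot or Mailchimp, because RFC 7208 caps them at 10 per check and a record over the limit fails with a permanent error.

```python
"""Evaluate an SPF record for a sending IP, offline (RFC 7208 subset).

Added example for this tutorial; not Google's or GoDaddy's code. FAKE_DNS
stands in for DNS TXT lookups so the script runs without network access;
its google.com entries are simplified assumptions, not the real records.
"""
import ipaddress

# Constructed TXT records, using documentation address ranges only.
FAKE_DNS = {
    "example.com": "v=spf1 include:_spf.google.com include:_spf.mailvendor.example ~all",
    "_spf.google.com": "v=spf1 include:_netblocks.google.com ~all",
    "_netblocks.google.com": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8:1::/48 ~all",
    "_spf.mailvendor.example": "v=spf1 ip4:198.51.100.10 -all",
}

MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4 limit on DNS-querying terms
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the SPF TXT record for a domain, or None (constructed table)."""
    return FAKE_DNS.get(domain)


def check_host(ip, domain, lookups=None):
    """Return (result, lookups_used) for `ip` sending mail as `domain`.

    Handles ip4, ip6, include, all and redirect=. The a, mx, ptr and exists
    mechanisms need a live resolver and are treated as non-matching here.
    """
    lookups = [0] if lookups is None else lookups
    record = lookup_spf(domain)
    if record is None or record.split()[0].lower() != "v=spf1":
        return "none", lookups[0]
    addr = ipaddress.ip_address(ip)
    redirect = None
    for term in record.split()[1:]:
        if term.lower().startswith("redirect="):
            redirect = term.split("=", 1)[1]
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier], lookups[0]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror", lookups[0]
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier], lookups[0]
        elif name == "include":
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror", lookups[0]
            inner, _ = check_host(ip, arg, lookups)
            if inner == "pass":
                return QUALIFIERS[qualifier], lookups[0]
            if inner in ("none", "permerror"):
                return "permerror", lookups[0]
    if redirect:
        lookups[0] += 1
        if lookups[0] > MAX_LOOKUPS:
            return "permerror", lookups[0]
        return check_host(ip, redirect, lookups)
    return "neutral", lookups[0]


def count_lookups(domain, seen=None):
    """Count DNS-querying terms reachable from a record (the limit is 10)."""
    seen = set() if seen is None else seen
    if domain in seen:
        return 0
    seen.add(domain)
    total = 0
    for term in (lookup_spf(domain) or "").split()[1:]:
        t = term.lstrip("+-~?").lower()
        if t.startswith("include:"):
            total += 1 + count_lookups(t.split(":", 1)[1], seen)
        elif t.startswith("redirect="):
            total += 1 + count_lookups(t.split("=", 1)[1], seen)
        elif t.split(":")[0].split("/")[0] in ("a", "mx", "ptr", "exists"):
            total += 1
    return total


if __name__ == "__main__":
    for ip in ("203.0.113.7", "198.51.100.10", "192.0.2.1"):
        print(ip, check_host(ip, "example.com"))
    print("lookups needed:", count_lookups("example.com"))
```

The `~all` at the end of the Google-recommended record is what makes an unlisted sender come back as `softfail` rather than `fail`; receivers usually treat softfail as a spam signal rather than a hard reject, which is why DMARC (below) is needed to turn these results into an enforced policy.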

DomainKeys Identified Mail (DKIM)

RFC-6376 states…

“DomainKeys Identified Mail (DKIM) permits a person, role, or organization that owns the signing domain to claim some responsibility for a message by associating the domain with the message. This can be an author’s organization, an operational relay, or one of their agents. DKIM separates the question of the identity of the Signer of the message from the purported author of the message. Assertion of responsibility is validated through a cryptographic signature and by querying the Signer’s domain directly to retrieve the appropriate public key. Message transit from author to recipient is through relays that typically make no substantive change to the message content and thus preserve the DKIM signature.”

DKIM verifies that message content is authentic and has not been changed in transit. It does this by adding a cryptographic signature to the headers of your outgoing emails, so that receivers can verify the message was sent from your domain and arrived unchanged. DKIM increases email security and helps prevent email spoofing, a common method of phishing.

Setting up DKIM

This is a more complex setup than the SPF record, so we’ll include a few screenshots to assist you.

In your Google Admin console (at admin.google.com), go to Apps > G Suite > Gmail. From Gmail, go to Authenticate email.

From the Authenticate email section, select “Generate new record”.

From the Generate new record box create your key. You should end up with something that looks like the entry below.

Copy the TXT record value and paste it into your DNS settings. Again using GoDaddy DNS management, the entry should look like this.

Let the DNS update propagate; this can take up to 48 hours, though ours only took a few minutes. Once it has updated, go back to the Google Admin console and select START AUTHENTICATION. If everything has updated and propagated correctly, you’ll see the status in the Authenticate email section change to Authenticating email.

Further information on configuring DKIM on Google G Suite can be found in the Google support article About DKIM.
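The record you paste into DNS and the DKIM-Signature header Google adds to each message share one tag=value syntax. As an added example (mine, not Google's code), the Python below checks a DKIM TXT record for the usual mistakes, joins a key that the zone editor shows as several quoted strings (long 2048-bit keys exceed the 255-byte TXT string limit and get split that way), and recomputes the bh= body hash from RFC 6376 using simple body canonicalisation, which is what lets a receiver detect that the body was altered after signing. The p= value in the constructed record is a placeholder, not a real key, and no RSA signature is verified here, so this covers the integrity half of the check only.

```python
"""DKIM DNS record checks and the bh= body hash from RFC 6376, offline.

Added example for this tutorial, not Google's code. DKIM_TXT is a
constructed record whose p= value is a placeholder, not a real key, and
no RSA signature is verified here: only the tag syntax and body hash.
"""
import base64
import hashlib
import re

# Constructed: how a zone editor shows a long record as two quoted strings.
DKIM_TXT = ('"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEF" '
            '"AAOCAQ8AMIIBCgKCAQEAcGxhY2Vob2xkZXI="')


def parse_tags(text):
    """Parse 'tag=value; tag=value' (RFC 6376 section 3.2); whitespace,
    including folded-header line breaks, is not significant."""
    tags = {}
    for part in text.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def join_txt_strings(txt):
    """Concatenate the quoted pieces of a TXT record (255-byte string limit)."""
    return "".join(re.findall(r'"([^"]*)"', txt)) if '"' in txt else txt


def check_dkim_record(txt):
    """Return the problems found in a DKIM TXT record; an empty list is OK."""
    tags = parse_tags(join_txt_strings(txt))
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1 when present")
    if tags.get("k", "rsa") != "rsa":
        problems.append("unsupported key type " + tags["k"])
    p = tags.get("p")
    if p is None:
        problems.append("missing p= tag")
    elif p == "":
        problems.append("p= is empty (key revoked)")
    else:
        try:
            base64.b64decode(p, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            problems.append("p= is not valid base64")
    return problems


def simple_body_canon(body):
    """Simple body canonicalisation (RFC 6376 section 3.4.3): CRLF line
    endings, trailing empty lines removed; an empty body becomes one CRLF."""
    body = body.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    if not body.endswith(b"\r\n"):
        body += b"\r\n"
    return body


def body_hash(body, algorithm="sha256"):
    """Base64 digest of the canonicalised body, as carried in the bh= tag."""
    digest = hashlib.new(algorithm, simple_body_canon(body)).digest()
    return base64.b64encode(digest).decode()


def verify_body_hash(dkim_signature, body):
    """True when the bh= tag of a DKIM-Signature header matches the body.

    Only simple body canonicalisation is implemented; a c=relaxed/relaxed
    signature would need the relaxed algorithm from section 3.4.4.
    """
    tags = parse_tags(dkim_signature)
    canon = tags.get("c", "simple/simple")
    body_canon = canon.split("/")[1] if "/" in canon else "simple"
    if body_canon != "simple":
        raise NotImplementedError("relaxed body canonicalisation not shown")
    algorithm = tags.get("a", "rsa-sha256").split("-", 1)[1]
    return tags.get("bh") == body_hash(body, algorithm)


if __name__ == "__main__":
    print("record problems:", check_dkim_record(DKIM_TXT))
    print("empty-body bh=", body_hash(b""))
```

Two checks worth keeping from this: an empty `p=` tag is how a DKIM key is revoked, so a record that shows as “valid” but empty means nothing you send will verify; and a `bh=` mismatch on a message that was only forwarded usually points at a relay that rewrote the body (footers, disclaimers), which is the case the RFC quote above warns about.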

Domain-based Message Authentication, Reporting, and Conformance (DMARC)

RFC-7489 states…

“Domain-based Message Authentication, Reporting, and Conformance (DMARC) is a scalable mechanism by which a mail-originating organization can express domain-level policies and preferences for message validation, disposition, and reporting, that a mail-receiving organization can use to improve mail handling.

Originators of Internet Mail need to be able to associate reliable and authenticated domain identifiers with messages, communicate policies about messages that use those identifiers, and report about mail using those identifiers. These abilities have several benefits: Receivers can provide feedback to Domain Owners about the use of their domains; this feedback can provide valuable insight about the management of internal operations and the presence of external domain name abuse.

DMARC does not produce or encourage elevated delivery privilege of authenticated email. DMARC is a mechanism for policy distribution that enables increasingly strict handling of messages that fail authentication checks, ranging from no action, through altered delivery, up to message rejection.”

DMARC verifies messages and defines the action receivers should take on suspicious incoming messages. This prevents email spoofing and complements SPF and DKIM.

Setting up DMARC

A DMARC record is a TXT record in your DNS that defines the policies you want to use for your domain. It’s a good idea to start slowly with DMARC and configure the system in “monitoring” or “No action taken” mode. A stricter setting may prevent email from your domain being delivered.

For your Google G Suite system create a DNS TXT record with the following values:

  • Name/Host/Alias: Enter _dmarc
  • Time to Live (TTL): Enter 3600 or leave the default.
  • Value/Answer/Destination: Enter v=DMARC1; p=none; rua=mailto:postmaster@your_domain.com

Again, the above settings are for monitoring only. Once configured you’ll start receiving daily emails with XML files attached. You can use these reports to check which systems are sending emails on behalf of your domain and make sure they are legitimate. After a while, however, I’m sure you’ll be looking to subscribe to a DMARC service in order to get better insight into your reports. There are plenty of choices available; for this tutorial we’re going to use the free service from http://dmarc.postmarkapp.com/. The setup is simple: just provide your email address and the domain you want to monitor. Postmark will provide you with the Value you need to add to your DNS server.

This is what we’ve entered to configure DMARC on the emailsigntureguru.com domain.

We recommend that when you first configure DMARC you use the “No action taken” setting initially as setting the DMARC policy too strict may block email being delivered from some of your services. A good rule of thumb is to review the reports and tighten the settings over time.
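Before paying for a reporting service, it helps to know what is inside the daily XML attachments, since that is what you review before tightening `p=none`. The Python below is an added example for this tutorial, not Google's or Postmark's code: it parses a DMARC record like the one above and summarises an aggregate (rua) report in the RFC 7489 Appendix C format, grouping message counts by source IP and listing the sources that never passed DMARC. The report is constructed, with documentation-range IPs; real reports arrive as compressed XML attachments that you would decompress first.

```python
"""Summarise a DMARC aggregate (rua) report, offline.

Added example for this tutorial, not Google's or Postmark's code. The XML
below is a constructed report in the RFC 7489 Appendix C format, using
documentation-range IPs; real reports arrive as zipped XML attachments.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>12345</report_id>
    <date_range><begin>1600000000</begin><end>1600086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain>
    <adkim>r</adkim><aspf>r</aspf>
    <p>none</p><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>203.0.113.7</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.10</source_ip><count>12</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>192.0.2.55</source_ip><count>3</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>other.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def parse_dmarc_record(txt):
    """Parse 'v=DMARC1; p=none; rua=mailto:...' into a dict of tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def summarise(report_xml):
    """Return (published policy, {source_ip: {"pass": n, "fail": n}}).

    A message passes DMARC when aligned SPF or aligned DKIM passes; the
    policy_evaluated values are the receiver's already-aligned results.
    """
    root = ET.fromstring(report_xml)
    policy = root.findtext("policy_published/p")
    by_ip = defaultdict(lambda: {"pass": 0, "fail": 0})
    for rec in root.findall("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        dkim = rec.findtext("row/policy_evaluated/dkim")
        spf = rec.findtext("row/policy_evaluated/spf")
        by_ip[ip]["pass" if "pass" in (dkim, spf) else "fail"] += count
    return policy, dict(by_ip)


def unauthorised_sources(report_xml):
    """Source IPs whose mail never passed DMARC: check whether they are yours."""
    _, by_ip = summarise(report_xml)
    return sorted(ip for ip, c in by_ip.items() if c["pass"] == 0 and c["fail"] > 0)


if __name__ == "__main__":
    print(parse_dmarc_record("v=DMARC1; p=none; rua=mailto:postmaster@your_domain.com"))
    print(summarise(SAMPLE_REPORT))
    print("never passed:", unauthorised_sources(SAMPLE_REPORT))
```

In the constructed report the second source passes on SPF alone, which is typical of a vendor you added to the SPF record but did not set up DKIM for; the third source fails both and is SPF-authorised only for an unrelated domain, so it is either a forwarder or someone spoofing your domain. With `p=none` all of this is still delivered, which is why the reports are reviewed before moving to `p=quarantine` or `p=reject`.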

Check everything is working

Now that we have configured SPF, DKIM and DMARC for our domain we can go back to the Google G Suite toolbox and verify that everything is working.

Our email system is now much more secure than it was. Hope this tutorial was useful.
