Let's begin by explaining these functions.
What are they ?
DMARC, SPF, and DKIM are all security standards followed in GSuite Apps. Google now follows DMARC which allows you to tell how Gmail handles unauthenticated emails coming from within your domain. SPF, or Sender Policy Framework records will allow you to easily identify spam messages for your domain. It is also a type of DNS record that will identify which mail servers are allowed to send an email for your domain. DKIM attaches a new domain name identifier and encrypts the message to validate authorization for the message.
DMARC is an acronym which stands for "Domain-based Authentication, Reporting and Conformance." It is designed to work assist an organization's inbound email authentication process. It helps email receivers determine if the message fits what the receiver knows about the sender.
DMARC's intended use is to follow these standards:
- Minimize any false positives.
- Work at Internet scale.
- Reduce phishing delivery.
- Reinforce sender policy to receivers.
- Reduce complexity.
- Provide authentication reporting.
How to use DMARC
Setting DMARC up is an easy, five step process.
- Before you begin this process, you need to make sure you have DKIM and SPF set up. We will explain the process of setting those up later in the article.
- Make sure your mailers are correctly aligning the proper identifiers!
- Create a DMARC record with the "none" flag set for the policies. It will request data reports.
- Review the information and edit your mail streams as required.
- When you become more accustomed to DMARC settings, you should change your policy flags from "none" to "quarantine" to "reject.
SPF Records for Google Cloud customers.
SPF records help identify spammers that send messages using forged envelope senders from your domain. Your users can refer to an SPF record to tell if a message claiming to be sent from your domain is from an authorized mail server.
Setting SPF Records up for Gmail :
- Sign into your administrative console for your domain. Locate the page where you can update the DNS records and create a TXT containing this text: v=spf1 include:_spf.google.com ~all
- If your registrar requires a host setting, such as "@", you may want to check this link for more information.
- Save your changes when you are finished. Keep in mind that it may take up to 48 hours for your DNS records to properly save.
DKIM in G Suite Apps
DKIM allows you to digitally sign your outgoing message headers to prevent spoofing. This practice uses a private domain key to encrypt outgoing mail headers from your domain and adding a public version of the key to the domain's DNS records. This allows receiving servers to verify and decrypt your incoming headers and will be able to tell if the incoming message is really from you and hasn't been been altered along the way.
Deploying DKIM in GSuite Apps
- Generate the public domain key for your domain.
- When you have finished generating the public domain key, add the key to your domain's DNS records so your reipients can use it for reading the DKIM header.
- When that is finished, turn on email signing to begin adding the DKIM header for all outgoing email messages.If you've purchased your domain from one of Google's host partners while signing up for GSuite Apps, skip the first two steps! The domain key and DNS record is already automatically generated when you turn on authentication.
Keeping your domain and account safe is top priority. When you are finished configuring your DNS settings with SPF, DKIM and DMARC, be sure to monitor your settings on a quarterly basis. If you have any other queries or concerns, feel free to check our blog at Coolhead Tech. We're always available to provide professional help concerning securing Gmail admin settings.