Protecting Users With SPF, DMARC, and DKIM


Gmail has long been a cornerstone of Google Workspace, providing essential communication channels for staff notifications, Classroom updates, and student interactions. However, as Email has evolved, so have the methods malicious actors use to exploit its openness. This article walks you through the essential security protocols, SPF, DKIM, and DMARC, that protect your users' Emails from spoofing, phishing, and other threats.

What You Will Learn

In this article, you will learn how to configure and implement the key Email security protocols SPF, DKIM, and DMARC to safeguard your organization's communications.

These protocols work together to authenticate Emails, protect against spoofing, and ensure encrypted transmission, keeping your organization’s Emails secure.

Gmail Security Support Stack

If you need help securing Email, we have a support stack for Gmail Security.

If you currently have hours on a support subscription, you are one step closer to Support Stacks and you can connect with the support team by Emailing support@amplifiedit.cdw.com. To purchase a support contract, please complete this form, and an account manager will contact you.

SPF: The First Line of Defense

Sender Policy Framework (SPF) is an essential Email authentication protocol that helps prevent unauthorized sources from sending Emails on behalf of your domain. By configuring SPF, you can specify which IP addresses are allowed to send Emails from your domain, thus reducing the risk of phishing attacks and Email spoofing.

To configure SPF:

  1. Add a DNS TXT record that includes the external IPs authorized to send Emails on behalf of your organization. This may include your SIS, bulk mail systems, or other third-party services.
  2. The SPF record should ideally end in -all, which instructs receiving servers to reject any Emails not from an authorized source. Alternatively, ~all can be used to allow delivery but mark unverified Emails as potential spam.

Remember, SPF is just the first step and should be part of a comprehensive Email security strategy.
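As an added example (not code from the original article), here is an offline SPF evaluator in Python. It parses a record of the form described above, follows include: references, and returns the result a receiving server would reach for a given sending IP, so you can see the difference the -all versus ~all ending makes before you publish. The zone data is constructed for the example; the contents shown for _spf.google.com are invented stand-ins, not Google's actual record.

```python
"""Offline SPF evaluator covering the RFC 7208 mechanisms most records use:
ip4, ip6, include and all. Example code, not part of the original article."""
import ipaddress

# Constructed zone data standing in for DNS TXT lookups so the example runs
# offline. The _spf.google.com contents here are invented, not Google's record.
SAMPLE_TXT = {
    "example.org": "v=spf1 ip4:203.0.113.0/24 include:_spf.google.com "
                   "include:sis.example.net -all",
    "_spf.google.com": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 ~all",
    "sis.example.net": "v=spf1 ip4:192.0.2.10 -all",
}

# Qualifier prefix -> SPF result when the mechanism matches (RFC 7208 s4.6.2)
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10  # RFC 7208 s4.6.4: more than 10 lookup terms is a permerror


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, argument) tuples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: must start with v=spf1")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"                      # a bare mechanism means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        parsed.append((qualifier, mechanism.lower(), argument))
    return parsed


def check_spf(domain, sender_ip, txt=SAMPLE_TXT, lookups=None):
    """Return the SPF result for sender_ip claiming to send as domain."""
    if lookups is None:
        lookups = [0]                        # counter shared across include: recursion
    record = txt.get(domain)
    if record is None:
        return "none"                        # domain publishes no SPF record
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mechanism, argument in parse_spf(record):
        if mechanism in ("ip4", "ip6"):
            # An IPv4 address never matches an ip6 network and vice versa
            if ip in ipaddress.ip_network(argument, strict=False):
                return QUALIFIERS[qualifier]
        elif mechanism == "include":
            lookups[0] += 1
            if lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror"
            # include: matches only if the referenced record evaluates to pass
            if check_spf(argument, sender_ip, txt, lookups) == "pass":
                return QUALIFIERS[qualifier]
        elif mechanism == "all":
            return QUALIFIERS[qualifier]
        else:
            # a, mx, exists, ptr need live DNS; counted but never matched here
            lookups[0] += 1
    return "neutral"                         # nothing matched and no "all" term


def all_qualifier(domain, txt=SAMPLE_TXT):
    """Report how a record ends: -all (fail), ~all (softfail), or no all term."""
    for qualifier, mechanism, _ in parse_spf(txt[domain]):
        if mechanism == "all":
            return QUALIFIERS[qualifier]
    return None
```

With the constructed zone, a message from 192.0.2.99 claiming example.org ends in "fail" because the record closes with -all, while the same address evaluated against the ~all record yields "softfail". The lookup counter matters in practice: every include: you add for a third-party sender consumes one of the ten permitted DNS lookups.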

DKIM: Adding a Signature to Your Emails

DomainKeys Identified Mail (DKIM) adds a digital signature to your Emails, providing a second layer of authentication. DKIM uses a pair of cryptographic keys—one private and one public—to verify that the Email was indeed sent by your domain and has not been altered in transit.

To set up DKIM:

  1. Navigate to the Google Admin console and go to Apps > Google Workspace > Gmail > Authenticate Email.
  2. For each domain, generate a new DKIM record and publish it as a DNS TXT record. This public key will be used by receiving servers to verify the authenticity of your Emails.

    Use the Selected domain drop-down to select a different domain.

By implementing DKIM, you ensure your Emails carry a unique signature, making it harder for malicious actors to tamper with or forge Emails from your domain.
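As an added example (not code from the original article or from Google), the Python below shows the part of DKIM verification that detects tampering in transit: relaxed body canonicalization per RFC 6376, the bh= body-hash comparison, and the DNS name a receiving server queries for the public key you published in step 2. The RSA signature over the headers (the b= tag) is out of scope here. The message body, the domain example.org and the selector named google are constructed for the example.

```python
"""DKIM body-hash verification (RFC 6376 subset): relaxed body
canonicalization, the bh= check, and the DNS name a receiver queries for the
public key. Example code, not part of the original article; the RSA signature
over the headers (the b= tag) is out of scope here."""
import base64
import hashlib
import re


def canonicalize_body_relaxed(body):
    """RFC 6376 s3.4.4 relaxed body canonicalization (body uses CRLF line ends)."""
    lines = []
    for line in body.split("\r\n"):
        line = re.sub(r"[ \t]+", " ", line)   # collapse runs of whitespace to one SP
        lines.append(line.rstrip(" \t"))      # drop whitespace at end of line
    while lines and lines[-1] == "":          # ignore empty lines at end of body
        lines.pop()
    if not lines:
        return ""                             # an empty body stays empty
    return "\r\n".join(lines) + "\r\n"        # non-empty body must end with CRLF


def body_hash(body, hash_name="sha256"):
    """The bh= value: base64 of the digest over the canonicalized body."""
    canonical = canonicalize_body_relaxed(body).encode("utf-8")
    return base64.b64encode(hashlib.new(hash_name, canonical).digest()).decode("ascii")


def parse_dkim_tags(signature_value):
    """Parse the tag=value list of a DKIM-Signature header value."""
    tags = {}
    for part in signature_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)  # strip folding whitespace
    return tags


def public_key_dns_name(tags):
    """Where the receiver looks for the public key published as a DNS TXT record."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def unsigned_signature_header(domain, selector, body):
    """Build a DKIM-Signature value with bh= filled in and b= left empty.
    Constructed for this example; a real signer also fills b= with the RSA signature."""
    return (f"v=1; a=rsa-sha256; c=relaxed/relaxed; d={domain}; s={selector}; "
            f"h=from:to:subject; bh={body_hash(body)}; b=")


def body_unaltered(signature_value, body):
    """True if the body still matches the bh= the signer committed to."""
    tags = parse_dkim_tags(signature_value)
    hash_name = tags.get("a", "rsa-sha256").split("-")[-1]   # rsa-sha256 -> sha256
    return body_hash(body, hash_name) == tags["bh"]


# Constructed sample message body and a tampered copy of it.
ORIGINAL_BODY = "Classroom update:\r\nAssignment 3 is due Friday.  \r\n\r\n"
TAMPERED_BODY = "Classroom update:\r\nAssignment 3 is due Monday.\r\n"
SIGNATURE = unsigned_signature_header("example.org", "google", ORIGINAL_BODY)
```

Relaxed canonicalization is why a mail relay that trims trailing spaces does not break the signature, while a change to the words of the message does: the tampered body fails the bh= comparison and the receiver treats the DKIM check as failed.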

DMARC: Governing Email Authentication

Domain-based Message Authentication, Reporting, and Conformance (DMARC) builds on SPF and DKIM by providing a way to define how your organization handles Emails that fail authentication. DMARC policies can instruct receiving servers to quarantine, reject, or allow such messages based on your specified criteria.

To implement DMARC:

  1. Start with a monitor-only policy to gather data on how your Emails are being processed; this data helps you fine-tune your SPF and DKIM settings.
  2. Publish a DMARC record in your DNS, specifying your policy and the Email address to receive failure reports.
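As an added example (not code from the original article), the Python below shows what a receiving server does with the record you publish in step 2: it parses the DMARC tags, checks whether the SPF or DKIM pass is aligned with the From: domain, and derives the disposition (none, quarantine or reject). It goes slightly beyond the two steps above by also handling the pct= sampling and sp= subdomain tags. The records and domains are constructed, and the organizational-domain logic is simplified to the last two labels (real verifiers use the Public Suffix List).

```python
"""DMARC evaluation (RFC 7489 subset): parse the published record, check
identifier alignment against the SPF and DKIM results, and derive the
disposition a receiver applies. Example code, not part of the original article."""


def parse_dmarc_record(txt):
    """Parse 'v=DMARC1; p=...; ...' into a dict with RFC defaults filled in."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: needs v=DMARC1 and p=")
    tags.setdefault("adkim", "r")   # relaxed DKIM alignment unless stated
    tags.setdefault("aspf", "r")    # relaxed SPF alignment unless stated
    tags.setdefault("pct", "100")   # apply the policy to all failing mail
    return tags


def organizational_domain(domain):
    """Simplification: the last two labels. Real verifiers consult the Public Suffix List."""
    return ".".join(domain.lower().rsplit(".", 2)[-2:])


def aligned(from_domain, authenticated_domain, mode):
    """Identifier alignment: strict needs an exact match, relaxed the same org domain."""
    if not authenticated_domain:
        return False
    if mode == "s":
        return from_domain.lower() == authenticated_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(authenticated_domain)


def evaluate_dmarc(record_txt, from_domain, spf_result, spf_domain,
                   dkim_result, dkim_domain, sample=100):
    """Return (dmarc_pass, disposition). `sample` is a deterministic stand-in (1-100)
    for the random draw a receiver uses to honour pct=."""
    policy = parse_dmarc_record(record_txt)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return True, "none"           # one aligned pass is enough
    disposition = policy["p"]
    if organizational_domain(from_domain) != from_domain.lower() and "sp" in policy:
        disposition = policy["sp"]    # subdomain policy overrides p= for subdomains
    if sample > int(policy["pct"]):
        # RFC 7489 s6.6.4: mail outside the pct sample gets the next weaker action
        disposition = {"reject": "quarantine", "quarantine": "none"}.get(disposition, "none")
    return False, disposition


# Constructed records: the monitor-only policy of step 1 and a later enforcing one.
MONITOR_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.org"
ENFORCE_RECORD = "v=DMARC1; p=reject; adkim=s; pct=100; rua=mailto:dmarc-reports@example.org"
```

Two points the evaluation makes visible: a bare SPF pass is not enough, because the domain SPF authenticated must align with the From: header the user sees, and under the monitor-only record a failing message is still delivered (disposition none) while the failure is counted in the reports sent to the rua= address.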

DMARC gives you visibility into your Email ecosystem and ensures that only authenticated Emails are delivered to your users. Google has documented DMARC setup thoroughly; that guide can be found here.

Raw DMARC reports can be hard to read; a service like dmarcian renders them in a more readable form for those who want something easier on the eyes.
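As an added example (not code from the original article or from dmarcian), the Python below reads an aggregate report in the XML format of RFC 7489 Appendix C and reduces it to the questions an admin actually asks: how much mail passed, which sources failed, and whether a failing source is a legitimate sender missing from SPF/DKIM or something with no valid authentication at all. The report is constructed for the example; no real reporter, address or IP is used.

```python
"""Summarize a DMARC aggregate (rua) report, the XML format of RFC 7489
Appendix C. Example code, not part of the original article; the report below
is constructed, not a real report from any provider."""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata>
    <org_name>reporting-org.example</org_name>
    <email>dmarc-reports@reporting-org.example</email>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1712102400</begin><end>1712188800</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.org</domain>
    <adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>203.0.113.5</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.org</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.org</domain><selector>google</selector><result>pass</result></dkim>
      <spf><domain>example.org</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>8</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.org</header_from></identifiers>
    <auth_results><spf><domain>sis.example.net</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.200</source_ip><count>3</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.org</header_from></identifiers>
    <auth_results><spf><domain>example.org</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""


def parse_aggregate_report(xml_text):
    """Flatten the report into the published policy plus one dict per source row."""
    root = ET.fromstring(xml_text)
    published = root.find("policy_published")
    summary = {
        "domain": published.findtext("domain"),
        "policy": published.findtext("p"),
        "reporter": root.findtext("report_metadata/org_name"),
        "rows": [],
    }
    for record in root.findall("record"):
        row = record.find("row")
        evaluated = row.find("policy_evaluated")
        summary["rows"].append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "disposition": evaluated.findtext("disposition"),
            # dkim/spf under policy_evaluated already include the alignment check
            "dkim_aligned": evaluated.findtext("dkim") == "pass",
            "spf_aligned": evaluated.findtext("spf") == "pass",
            "header_from": record.findtext("identifiers/header_from"),
            # raw results show which domain actually authenticated, if any
            "spf_domain": record.findtext("auth_results/spf/domain"),
            "spf_raw": record.findtext("auth_results/spf/result"),
            "dkim_domain": record.findtext("auth_results/dkim/domain"),
        })
    return summary


def totals(summary):
    """(messages that passed DMARC, messages that failed) across all rows."""
    passed = sum(r["count"] for r in summary["rows"] if r["dkim_aligned"] or r["spf_aligned"])
    return passed, sum(r["count"] for r in summary["rows"]) - passed


def failing_sources(summary):
    """Rows that failed DMARC and therefore need a decision from the admin."""
    return [r for r in summary["rows"] if not (r["dkim_aligned"] or r["spf_aligned"])]


def explain(row):
    """One-line reading of a failing row: misconfigured legitimate sender vs. no auth at all."""
    if row["spf_raw"] == "pass" and not row["spf_aligned"]:
        return (f"{row['source_ip']}: SPF passed for {row['spf_domain']} "
                f"but is not aligned with {row['header_from']}")
    return f"{row['source_ip']}: no aligned SPF or DKIM pass for {row['header_from']}"
```

In the constructed report the second row is the typical finding during the monitor-only phase: a student information system sends on the domain's behalf, passes SPF for its own domain, but is not aligned with the From: domain, so it needs an include: in the SPF record or a DKIM signature for example.org before the policy moves to quarantine or reject. The third row has no passing result at all and is the kind of source the reports exist to surface.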

Conclusion

While the array of security protocols might seem complex, implementing SPF, DKIM, and DMARC is crucial for maintaining a secure Email environment within Google Workspace. By configuring these protocols, you can significantly reduce the risk of Email-based attacks, ensuring your organization’s communications remain private and secure. 

Resource:

Email Sender Guidelines - Google Workspace Admin Help


Document Version | Date      | Description of Change
1.0              | 3/18/2024 | Removed link to learn more on legacy AIT site
1.1              | 7/31/2024 | Updated Email address
1.2              | 8/20/2024 | Rewrote - blog from 2019, removed MTA per T.Groff, reverify
