Learning to Setup SPF, DKIM, and DMARC in Google Workspace

In November 2022, the Google Workspace team saw a spike in phishing and spoofing emails targeted toward Gmail users. As a result, Google blocked almost 231 billion emails in just two weeks.

That’s why experts suggest configuring SPF, DKIM, and DMARC records in Google Workspace, and this guide explains the steps for that. 

Setting Up SPF For Google Workspace

An SPF record contains a list of allowlisted IP addresses and mail servers that send emails on your behalf. Here are steps to add SPF for your domain in Google Workspace:

  • Create an SPF record and incorporate the ‘include:_spf.google.com’ mechanism.
  • Copy your newly generated SPF record.
  • Add the newly generated SPF record to your DNS provider.

That’s it, and you are done. 

Please ensure you don’t have multiple SPF records corresponding to a single domain. This will trigger the ‘Multiple SPF Records’ SPF Permerror

Also, if multiple IP ranges, ESPs, or third parties are involved in your email infrastructure, include them in the same record to avoid errors. 

Setting Up DKIM For Google Workspace

Visit the Google Admin Console and follow these steps:

  • Select ‘Apps.’
  • Select ‘G Suite.’
  • Select ‘Gmail.’
  • Go to ‘Authenticate email (set up email authentication (DKIM)).
  • Select the domain for which you want to set up DKIM
  • Next, select ‘Generate New Record,’ and you will get the GSuite DKIM Public key. Copy the key value. Please ensure that you choose a DKIM key length of 1024-bit or higher. Shorter keys are more prone to exploitation.
  • Publish the provided TXT Record into your DNS
  • Lastly, navigate to the administrator console and select ‘Start Authentication.’

Setting Up DMARC For Google Workspace

After successfully integrating SPF and DKIM into your Google Workspace, the next step in enhancing your email security involves setting up Gmail DMARC. Configuring the Gmail DMARC record is a crucial procedure in this process.

To begin with, use an online DMARC record generator to produce a DMARC record and publish it in your DNS. You can start with the ‘none’ or ‘quarantine’ policy and aim to move to the ‘reject’ policy to receive the maximum benefits of email security through SPF, DKIM, and DMARC.

Image sourced from spamresource.com

A domain protected with a ‘DMARC reject policy’ is safe from email spoofing and has a good email deliverability rate, which means legitimate emails from your domain are more likely to reach the inbox instead of getting marked as rejected or spam. 

Final Thoughts

Visit the Google Admin Toolbox Check MX to see a report confirming the existence of your SPF record and setups of DKIM and DMARC.

Although using ‘ruf’ and ‘rua’ tags in your DMARC record to receive forensic and aggregate reports isn’t mandatory, we highly encourage this practice. DMARC reports tell you if an illegitimate entity is exploiting your domain or if some of your legitimate emails are experiencing false positives. 

We at DMARCReport offer reporting solutions for MSPs, service providers, and businesses to support their fight against phishing and spoofing.

Book a demo with us and get started. One of our security consultants will get in touch with you via email in one business day. Till then, feel free to read our reviews.

Similar Posts