Prevent people from sending email as you on Gmail


How to set up SPF, DKIM, and DMARC on G-Suite/Google

Is that email really from your CEO? Do your customers and your bank have a way to tell whether an email really came from you?

Email servers normally accept email from anyone regardless of who they claim to be. Anyone can send email that appears to be From [email protected]. The security features shown below let your recipients know if email is genuinely from you.

Create a list of your official email servers

The first step is to publish a list of which servers are authorized to send email on your behalf (that is, from yourcompanydomain.com). This list is called a Sender Policy Framework (SPF) record and is stored in your domain’s Domain Name System (DNS) zone as a TXT record:

  1. Check your SPF record—it may already be set up, at least partly.
    1. If you do have an SPF record, confirm it includes all servers you send email from, as shown in step 4 below.
      1. If your list of email servers is not complete and you enforce it (using ‘-all’ or DMARC), some of your legitimate emails could go into Spam/Junk or get rejected.
  2. Go to your DNS records.
    1. If you don’t recall which company your domain name was registered with, you can look that up here.
    2. Once you know who your domain registrar is, here are specific instructions for creating DNS records on popular domain registrars.
  3. Create a New DNS Record of type TXT
    1. If there is a ‘Host’ or ‘subdomain’ box, type  @  in it.
  4. In the Value or Text box, enter: v=spf1 include:_spf.google.com -all
    1. Having two or more SPF records for the same domain is an error: recipients treat it as a permanent SPF failure, as if you had no record. You must list all servers allowed to send email on your behalf in your one SPF record.
    2. If you also use MailChimp, Salesforce, or any other external company to send email from yourcompanydomain.com, you need to add their servers to your SPF record, just before ‘-all’.
      1. For MailChimp: include:servers.mcsv.net
      2. For SalesForce: include:_spf.salesforce.com
      3. If you use any other email sending services, look up the SPF ‘include:…’ statement for them, and add that to your SPF record, or else their email will be seen as fake.
    3. An SPF record may cause at most ten DNS lookups. Each include:, a, mx, ptr, exists and redirect= term costs one lookup, and any include: inside a record you include counts as well; ip4: and ip6: entries cost nothing.
      1. Google’s include:_spf.google.com alone uses four lookups, because that record in turn includes three further records. If you use several email services, eg Google, MailChimp and Salesforce, you can exceed the limit. A record over the limit is a permanent error, so SPF fails for all of your mail, not just the overflow.
        1. If you genuinely need more than ten lookups, move some services to their own subdomain, each with its own SPF, DKIM and DMARC records, eg marketing.yourcompany.com, sales.yourcompany.com, etc.
    4. If you have scanners, phone systems, etc at your office that can only send email directly and can’t send via Google, you can add your office’s IP address, at the end of the line before the ‘-all’, for example: ip4:123.123.123.123
      1. Where you would replace 123.123.123.123, with your office’s external IP address.
      2. If you have multiple offices, each with devices that send email directly, you would add each of their IP addresses this way, one after the other.
      3. Entries added by IP address like this don’t count against SPF’s ten-lookup limit, because no DNS query is needed to evaluate them.
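Counting the lookups by hand is error-prone once includes nest, so here is an added example (not code from the original page or from Google) that walks an SPF record the way a receiver does: it follows include: and redirect= recursively, counts only the lookup-costing terms, ignores ip4:/ip6:, and flags the two mistakes named above, a domain with two SPF records and an include chain that loops. It runs offline against a constructed stub zone; the record names mirror the ones discussed above, but the IP ranges are placeholders, not the providers’ real netblocks, and the .example domains are hypothetical.

```python
import re

# Terms that cost a DNS lookup under RFC 7208 section 4.6.4; ip4/ip6/all cost nothing.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10

# Constructed stub zone standing in for live DNS so the check runs offline.
# Names follow the records discussed in the text; IP ranges are placeholders.
STUB_TXT = {
    "yourcompanydomain.com": [
        "v=spf1 include:_spf.google.com include:servers.mcsv.net ip4:123.123.123.123 -all"],
    "_spf.google.com": [
        "v=spf1 include:_netblocks.google.com include:_netblocks2.google.com "
        "include:_netblocks3.google.com ~all"],
    "_netblocks.google.com": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_netblocks2.google.com": ["v=spf1 ip6:2001:db8::/32 ~all"],
    "_netblocks3.google.com": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "servers.mcsv.net": ["v=spf1 ip4:203.0.113.0/24 ~all"],
    # Hypothetical provider laid out like Google's record (one include plus three nested ones).
    "provider-b.example": [
        "v=spf1 include:_netblocks.google.com include:_netblocks2.google.com "
        "include:_netblocks3.google.com ~all"],
    # Hypothetical domain using three services plus a and mx: 4 + 4 + 1 + 1 + 1 = 11 lookups.
    "many.example": [
        "v=spf1 include:_spf.google.com include:provider-b.example include:servers.mcsv.net a mx -all"],
    # Hypothetical domain that published two SPF records: a permanent error.
    "two-records.example": ["v=spf1 include:_spf.google.com -all", "v=spf1 ip4:192.0.2.1 -all"],
    # Hypothetical include chain that loops back on itself.
    "loop.example": ["v=spf1 include:loop.example -all"],
}

# name, then an optional ':' '=' or '/' separator and argument (include:x, redirect=x, a/24, ip4:x/24)
TERM_RE = re.compile(r"^([a-z0-9]+)(?:[:=/](.*))?$", re.I)


def get_spf(domain, txt=STUB_TXT):
    """Return the one v=spf1 record for domain; zero or several is a permanent error."""
    records = [r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]
    if len(records) != 1:
        raise ValueError(f"{domain}: expected exactly one v=spf1 record, found {len(records)}")
    return records[0]


def count_lookups(domain, txt=STUB_TXT, _chain=()):
    """Count lookup-costing terms reachable from domain's SPF record, following include: and redirect=."""
    if domain in _chain:
        raise ValueError("include loop: " + " -> ".join(_chain + (domain,)))
    total = 0
    for term in get_spf(domain, txt).split()[1:]:
        m = TERM_RE.match(term.lstrip("+-~?"))   # drop the qualifier (+ - ~ ?)
        if not m:
            continue
        name, arg = m.group(1).lower(), m.group(2) or domain
        if name not in LOOKUP_TERMS:
            continue                              # ip4:, ip6:, all, exp= are free
        total += 1
        if name in ("include", "redirect"):
            total += count_lookups(arg, txt, _chain + (domain,))   # nested lookups count too
    return total


def check_spf(domain, txt=STUB_TXT):
    """Return (lookups, ok). ok is False when the record is missing, duplicated, loops, or exceeds the limit."""
    try:
        n = count_lookups(domain, txt)
        return n, n <= MAX_LOOKUPS
    except ValueError as exc:
        print(f"{domain}: {exc}")
        return None, False


if __name__ == "__main__":
    for d in ("yourcompanydomain.com", "many.example", "two-records.example", "loop.example"):
        print(d, check_spf(d))
```

To run this against real DNS, replace the `txt` dictionary with a function that fetches TXT records (for example with dnspython’s `dns.resolver.resolve(name, "TXT")`) and pass the result in; the counting logic does not change.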

Digitally Sign your email

Having a list of official servers is a good first step, but it is not foolproof. Someone else using Google email might still be able to pretend to be you, because their mail leaves from the same Google servers your SPF record lists. You can sign your email electronically, so recipients can check whether email claiming to be from you carries your company’s signature. This signature is part of the DomainKeys Identified Mail (DKIM) standard: Google signs each outgoing message with a private key it holds, and you publish the matching public key in DNS so recipients can verify the signature.

Generate the domain key used to sign mail:

  1. Sign in to admin.google.com.
  2. Click the menu icon in top left corner of the screen, then click Apps > G Suite
  3. On the next page, click Gmail > Authenticate email.
  4. The name of your primary domain appears by default. To generate a domain key for a different domain, select it from the drop-down list.
  5. Click Generate new record then click Generate.
  6. Copy your public key, shown under ‘TXT Record Value’. It should be similar to the example below, but yours will be different:
    1. v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA09STHoLKuuIOffcqr1e6sD4ebuAP/zsSObFRjBryvtwSWVr9zF0XdOhuk0ichuXr1Q3bsA7GEfjiLxzeKhe95/cg3M86ctawD62UZxK+gHhSERSWPgKfIyceo6BmcfP9sFWuRGbw8+cFRWoPudbyIIv5MSM5RU3WX6WUH15Iw42frrIncE+0idFm15dndIbaFvl2R5BmwwwHIaUVU4aYSQTBtMLMMnoMu/MQ1jyaLiyZu2XlfeIlrlhiknqfuureYAXUiYNptUXniZecjlvF8elyfIGok+tL6NPQhvR7NJilQRD8NdHpP5zZKR/z1mjSo1eI2iytjQn1Kv5jvqWZuwIDAQAB
  7. Open a new browser tab, and Go to your DNS records.
  8. Create a New DNS Record of type TXT
    • In the ‘Host’ or ‘Domain Name’ box, type:
      • google._domainkey
      • Some registrars expect the full name, google._domainkey.yourcompanydomain.com, instead. Either way the record must end up at google._domainkey under your domain, which is where recipients look for the key.
  9. In the Value or Text box:
      • Paste in your public key, which you copied from the ‘TXT Record Value’ above, then click Save or OK.
      • A 2048-bit key is longer than the 255 characters one TXT string can hold. Most registrars split it into two strings for you; if yours refuses the value, generate a 1024-bit key in the Google Admin console instead.
  10. Go back to the browser tab with Google Admin, where you copied your DKIM public key.
    1. Click Start Authentication. Google checks DNS for the new record; DNS changes can take up to 48 hours to become visible, so if Google reports that it can’t find the key, wait and try again.
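Before clicking Start Authentication it is worth confirming that what actually landed in DNS is a usable key: a pasted value can be truncated, split into strings that a verifier then joins, or left empty (an empty p= means the key is revoked). The following is an added example, not code from the page or from Google, that joins the TXT strings, parses the DKIM tags, base64-decodes p= and reads the RSA modulus size out of the DER with a minimal reader, so no third-party library is needed. It uses the sample key shown in step 6 above; the split point of 200 characters is arbitrary and only stands in for how a registrar stores a long record.

```python
import base64

# The sample public key from step 6 above (an example Google-generated record).
SAMPLE_KEY = (
    "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA09STHoLKuuIOffcqr1e6sD4ebuAP/zsSObFRjBryvtwSWVr9zF0XdOhuk0ichuXr1Q3bsA7GEfjiLxzeKhe9"
    "5/cg3M86ctawD62UZxK+gHhSERSWPgKfIyceo6BmcfP9sFWuRGbw8+cFRWoPudbyIIv5MSM5RU3WX6WUH15Iw42frrIncE+0idFm15dndIbaFvl2R5BmwwwHIaUVU4aY"
    "SQTBtMLMMnoMu/MQ1jyaLiyZu2XlfeIlrlhiknqfuureYAXUiYNptUXniZecjlvF8elyfIGok+tL6NPQhvR7NJilQRD8NdHpP5zZKR/z1mjSo1eI2iytjQn1Kv5jvqWZuwIDAQAB"
)
# A TXT record is one or more strings of at most 255 bytes; DKIM verifiers join them with no
# separator. The split at 200 characters is arbitrary, chosen only to exercise the joining step.
SAMPLE_RECORD_STRINGS = ["v=DKIM1; k=rsa; p=" + SAMPLE_KEY[:200], SAMPLE_KEY[200:]]


def parse_dkim_tags(record):
    """Split 'k=v; k=v' into a dict. Whitespace inside a value (a line-folded p=) is dropped, as RFC 6376 allows."""
    tags = {}
    for field in record.split(";"):
        if field.strip():
            key, _, value = field.partition("=")
            tags[key.strip()] = "".join(value.split())
    return tags


def _der(buf, pos=0):
    """Minimal DER reader: returns (tag, contents, position after this element); rejects truncated data."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki):
    """Modulus size of a DER SubjectPublicKeyInfo, which is what a DKIM p= tag carries (base64-encoded)."""
    tag, seq, _ = _der(spki)                # SubjectPublicKeyInfo ::= SEQUENCE { algorithm, subjectPublicKey }
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    _, _, pos = _der(seq)                   # skip AlgorithmIdentifier
    tag, bits, _ = _der(seq, pos)           # BIT STRING; first content byte is the unused-bit count
    if tag != 0x03 or bits[:1] != b"\x00":
        raise ValueError("expected BIT STRING")
    _, rsakey, _ = _der(bits, 1)            # RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }
    tag, modulus, _ = _der(rsakey)
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(modulus, "big").bit_length()


def check_dkim_record(strings, min_bits=1024):
    """Join the TXT strings, validate the DKIM tags, and return (modulus bits or None, list of problems)."""
    tags = parse_dkim_tags("".join(strings))
    problems, bits = [], None
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1 if present")
    if tags.get("k", "rsa") != "rsa":
        problems.append(f"unsupported key type k={tags['k']}")
    if "p" not in tags:
        problems.append("missing p= tag")
    elif tags["p"] == "":
        problems.append("p= is empty, which means the key has been revoked")
    else:
        try:
            bits = rsa_modulus_bits(base64.b64decode(tags["p"], validate=True))
            if bits < min_bits:
                problems.append(f"{bits}-bit key is below the {min_bits}-bit minimum")
        except Exception as exc:            # bad base64, truncated paste, or non-RSA DER
            problems.append(f"p= does not decode to an RSA public key ({exc})")
    return bits, problems


if __name__ == "__main__":
    print(check_dkim_record(SAMPLE_RECORD_STRINGS))        # the full record
    print(check_dkim_record(SAMPLE_RECORD_STRINGS[:1]))    # a paste that lost the second string
```

To check a live record, fetch the TXT strings for google._domainkey.yourcompanydomain.com (for example with `dig +short TXT google._domainkey.yourcompanydomain.com`), strip the surrounding quotes, and pass them in as the list.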

Add more security and control, and see which emails are blocked

Once you’ve set up SPF and DKIM records – consider configuring Domain-based Message Authentication, Reporting, and Conformance (DMARC). This will let you control how messages flagged as fake are handled. You will also be able to see reports when fakes are detected.

SPF checks the domain in the hidden envelope sender (the Return-Path), and DKIM checks the domain named in the signature (its d= tag). Neither checks the From address the recipient actually sees, so without DMARC a sender can pass SPF and DKIM for some other domain while showing your address in the From line. DMARC requires that the domain that passed SPF or DKIM match (“align with”) the visible From domain, and lets you tell recipients what to do with email that fails: quarantine it in Spam/Junk, reject it outright, or p=none, which accepts everything but still sends you reports and is the usual starting point while you confirm that all of your legitimate mail passes.
DMARC settings are also stored in a TXT record, at the name _dmarc under your domain:

  1. Open a new browser tab, and Go to your DNS records.
  2. Create a New DNS Record of type TXT
    • In the ‘Host’ box, type  _dmarc  (not @; recipients look for the policy at _dmarc.yourcompanydomain.com).
  3. In the Value or Text box, enter: v=DMARC1; p=quarantine; pct=5; rua=mailto:postmaster@your_domain.com
    • where:
      • p=quarantine tells recipients’ email servers to put into Spam/Junk any email whose From address uses your domain but which passes neither an SPF check nor a DKIM check for that same domain: in practice, mail from an unlisted server that is also not signed with your key.
        • This can also be: p=reject; if you want any emails that fail checks to be completely rejected by recipients’ email servers, and not even go to their Spam/Junk folder.
          • You should only set this to reject after the reports confirm that no legitimate email is failing the checks.
      • pct=5 means recipients apply the quarantine (or reject) policy to only 5% of the messages that fail the DMARC check; the rest are treated one step more leniently (reject becomes quarantine, quarantine becomes none).
        • This is a good starting percentage when first trying out DMARC, to find out whether you have legitimate email being sent from servers you haven’t yet listed in SPF, or which isn’t getting signed by DKIM.
        • Once you confirm no valid messages are being rejected or quarantined, edit this TXT record to raise the percentage, up to pct=100. pct=100 is the default if you leave the tag out; pct=all is not a valid value and recipients will ignore it.
      • postmaster@your_domain.com must be changed to a real mailbox at your company. Recipients’ mail servers send daily aggregate reports (XML attachments) to this address summarizing which sending servers passed and failed SPF, DKIM and alignment for mail using your domain; without them you won’t know whether legitimate email is getting blocked or quarantined. If the address is on a different domain from the one publishing the DMARC record, that other domain must publish a TXT record authorizing the reports, or receivers will not send them. Expect many reports once you have any volume of mail, so plan to feed them into a DMARC report tool rather than reading the XML by hand.
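The alignment rule and the pct sampling are the two parts of DMARC that are easiest to misjudge, so here is an added example (not code from the page or from Google) that parses a _dmarc record with the RFC 7489 defaults filled in and then evaluates a message the way a receiver does: it takes the visible From domain, the SPF result for the envelope sender, and the DKIM signatures with their d= domains, applies relaxed or strict alignment, and returns the DMARC result and the disposition. The organizational-domain check is simplified to the last two labels (real receivers use the Public Suffix List), the attacker.example and forwarder.example domains are hypothetical, and the `sample` argument stands in for the receiver’s random roll against pct.

```python
VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record):
    """Parse a _dmarc TXT record into a dict with RFC 7489 defaults filled in; raise on invalid values."""
    tags = {}
    for field in record.split(";"):
        if field.strip():
            key, _, value = field.partition("=")
            tags[key.strip().lower()] = value.strip()
    if not tags or next(iter(tags)) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    if tags.get("p") not in VALID_POLICIES:
        raise ValueError(f"p= must be one of {VALID_POLICIES}, got {tags.get('p')!r}")
    pct = tags.get("pct", "100")
    if not (pct.isdigit() and 0 <= int(pct) <= 100):
        raise ValueError(f"pct= must be an integer 0-100, got {pct!r}")
    tags["pct"] = int(pct)
    tags.setdefault("sp", tags["p"])        # subdomain policy defaults to p
    tags.setdefault("adkim", "r")           # relaxed alignment unless set to s
    tags.setdefault("aspf", "r")
    tags["rua"] = [u for u in tags.get("rua", "").split(",") if u]
    return tags


def org_domain(domain):
    """Organizational domain, approximated here as the last two labels (real receivers use the Public Suffix List)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Relaxed (r): same organizational domain. Strict (s): identical domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_evaluate(policy, from_domain, spf_domain, spf_passed, dkim_sigs, sample=0):
    """Return (result, disposition) for one message.

    from_domain: domain of the visible From: header.
    spf_domain / spf_passed: the envelope sender (Return-Path) domain SPF checked, and whether it passed.
    dkim_sigs: list of (d= domain, passed) for each DKIM signature on the message.
    sample: the receiver's 0-99 roll for pct; failing mail outside the sampled share gets the next
    weaker disposition (RFC 7489 section 6.6.4), which is why pct=5 only catches 5% of spoofs.
    """
    spf_ok = spf_passed and aligned(from_domain, spf_domain, policy["aspf"])
    dkim_ok = any(ok and aligned(from_domain, d, policy["adkim"]) for d, ok in dkim_sigs)
    if spf_ok or dkim_ok:
        return "pass", "none"
    disposition = policy["p"]
    if sample >= policy["pct"]:
        disposition = {"reject": "quarantine", "quarantine": "none", "none": "none"}[disposition]
    return "fail", disposition


if __name__ == "__main__":
    policy = parse_dmarc("v=DMARC1; p=quarantine; pct=5; rua=mailto:postmaster@your_domain.com")
    spoof = ("yourcompanydomain.com", "attacker.example", True, [("attacker.example", True)])
    print("spoof, sampled:    ", dmarc_evaluate(policy, *spoof, sample=3))
    print("spoof, not sampled:", dmarc_evaluate(policy, *spoof, sample=50))
    print("legit via Google:  ", dmarc_evaluate(policy, "yourcompanydomain.com",
                                                "yourcompanydomain.com", True,
                                                [("yourcompanydomain.com", True)]))
```

The spoof case is the one the section above describes: the attacker’s own domain passes SPF and DKIM, but neither domain aligns with the From domain, so DMARC fails. The third case shows why forwarding rarely breaks DMARC for Google mail: even when SPF fails on the forwarder’s envelope, the aligned DKIM signature survives.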