Setting up email security/authentication can be a bit of a daunting task. Here are some instructions on how to set up SPF, DKIM and DMARC so that spammers cannot easily send mail that appears to come from your domain.
Email authentication exists to stop spammers and other malicious senders from sending mail that claims to come from your address. Without it, anyone can put email@example.com in the From field of a message, and the recipient has no reliable way of telling that it isn't from you.
By publishing SPF, DKIM and DMARC records in your domain's DNS you can reduce this kind of abuse (known as email spoofing), and also reduce the chance of your own mail landing in spam, because receiving servers can verify that it was sent with your domain's authorisation.
If you're using G Suite as your email provider there are quite clear instructions on how to set up all three on your domain, although you will need to know how to edit your domain's DNS records, usually through your registrar's or hosting provider's control panel.
Which Records Do I Need?
Using all three together is best, as each one checks your messages in a different way.
Google's overview of the three (https://support.google.com/a/answer/33786) summarises them roughly as follows:
SPF specifies which mail servers are allowed to send messages for your domain.
DKIM adds a signature so that receivers can verify the message content is authentic and has not been changed in transit.
DMARC specifies what receivers should do with messages that use your domain in the From address but fail the SPF and DKIM alignment checks, and where to send reports about them.
Basic Email Security
The first thing to find out is whether you already have any of these records. You can check your domain with Google's own Check MX tool in the G Suite Toolbox.
The tool reports whether email authentication is in place for your domain and links to instructions on how to fix any problems it finds.
Information on how to add an SPF record to your domain can be found here.
One rule matters here: a domain must have exactly one SPF record, because receivers treat two or more as a permanent error and the check then fails for all of your mail. So first check whether an SPF record already exists; if it does, either replace it with Google's or merge its entries into a single record together with Google's include, rather than adding a second TXT record alongside it.
You add a TXT record on the domain name that looks like this (the include: pulls in Google's sending servers, and ~all asks receivers to treat any other sender as a soft fail; -all is the stricter hard-fail version):
v=spf1 include:_spf.google.com ~all
Sometimes you'll also want to add your web host to this SPF record so that mail sent from your website (contact forms, order notifications and so on) isn't rejected. Keep in mind that every include: counts against SPF's limit of 10 DNS lookups, and that an include pulls in whatever the host's own record lists, so only add senders you actually use. So for instance on my domains I have the SPF:
v=spf1 include:spf.cloudcity.fi include:_spf.google.com ~all
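To see what a receiving server actually does with a record like the one above, here is an added example (not code from this post, and not Google's tool) that evaluates a sending IP against an SPF record the way RFC 7208's check_host does for the ip4, ip6, include and all mechanisms, counts DNS-querying mechanisms against the 10-lookup limit, and refuses a name that publishes two SPF records. The DNS answers are a constructed in-memory table: example.com carries the record shown in the post, while the contents given for spf.cloudcity.fi, _spf.google.com and _netblocks.google.com are invented for the demo and are not those hosts' real records.

```python
"""Simplified SPF evaluation (RFC 7208) against a constructed DNS table.

Added example, not code from the post or from Google. The TXT contents for
spf.cloudcity.fi and the Google names are invented for the demo.
"""
import ipaddress

# Constructed stand-in for DNS TXT answers (a real checker queries DNS).
FAKE_TXT = {
    "example.com": ["v=spf1 include:spf.cloudcity.fi include:_spf.google.com ~all"],
    "spf.cloudcity.fi": ["v=spf1 ip4:203.0.113.0/24 -all"],
    "_spf.google.com": ["v=spf1 include:_netblocks.google.com ~all"],
    "_netblocks.google.com": ["v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 ~all"],
    # Two SPF records on one name: RFC 7208 section 4.5 makes this a permerror.
    "broken.example": ["v=spf1 include:_spf.google.com ~all", "v=spf1 ip4:192.0.2.1 -all"],
}

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}  # each costs one of the 10 lookups
MAX_LOOKUPS = 10


def spf_record(domain, txt=FAKE_TXT):
    """Return the single SPF record for domain, None if absent, permerror if more than one."""
    recs = [r for r in txt.get(domain.lower(), []) if r.split()[:1] == ["v=spf1"]]
    if not recs:
        return None
    if len(recs) > 1:
        raise ValueError("permerror: %s publishes %d SPF records" % (domain, len(recs)))
    return recs[0]


def check_host(ip, domain, txt=FAKE_TXT, _budget=None):
    """SPF result for ip sending as domain: pass / fail / softfail / neutral / none.

    Handles ip4, ip6, include and all. Other mechanisms (a, mx, redirect=...)
    are out of scope for the demo and raise, so a gap is never mistaken for a pass.
    """
    budget = _budget if _budget is not None else [0]
    record = spf_record(domain, txt)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in LOOKUP_MECHS:
            budget[0] += 1
            if budget[0] > MAX_LOOKUPS:
                raise ValueError("permerror: more than %d DNS lookups" % MAX_LOOKUPS)
        if name in ("ip4", "ip6"):
            # An IPv4 address is never inside an IPv6 network and vice versa.
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIER[qual]
        elif name == "include":
            # include matches only on an inner "pass"; an inner fail/softfail just
            # means "keep going", which is why ~all inside an include is harmless.
            if check_host(ip, arg, txt, budget) == "pass":
                return QUALIFIER[qual]
        elif name == "all":
            return QUALIFIER[qual]
        else:
            raise ValueError("mechanism not supported by this demo: " + name)
    return "neutral"


def count_lookups(domain, txt=FAKE_TXT):
    """DNS-querying mechanisms reachable from domain's record (the 10-lookup budget)."""
    record = spf_record(domain, txt)
    total = 0
    for term in (record or "").split()[1:]:
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name.lower() in LOOKUP_MECHS:
            total += 1
            if name.lower() == "include":
                total += count_lookups(arg, txt)
    return total


if __name__ == "__main__":
    print(check_host("198.51.100.7", "example.com"))   # pass: inside the constructed Google range
    print(check_host("192.0.2.9", "example.com"))      # softfail: matched nothing, ~all applies
    print(count_lookups("example.com"))                # 3 of the 10 allowed
```

Two things the demo makes visible: a softfail from ~all is not a pass, so a DMARC check relying on SPF alone would still fail for that message, and the lookup budget is spent by every include in the chain, not just the ones you typed yourself.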
The next thing to do is set up DKIM on the domain.
This is done by generating a DKIM key from the G Suite admin console (admin.google.com) and adding the public key it gives you as a TXT record in your domain's DNS (in the same place you set up the SPF record). Google's default record name is google._domainkey under your domain; choose a 2048-bit key if your DNS host accepts the longer record value.
Once the record has been saved and DNS has had time to update, go back to the admin console and start authentication: Google checks the record and then begins signing outgoing mail with the key. Good instructions for setting up DKIM can be found here.
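What the receiver does with that DKIM key is verify a signature over selected headers plus a hash of the body. The following is an added example (not code from this post, and not Google's implementation) showing the body-hash half of that check: it canonicalises a message body with the "relaxed" rules from RFC 6376 and compares its SHA-256 against the bh= tag of a DKIM-Signature header. The message body and signature header are constructed for the demo (d=, s= and b= are placeholders, since signing needs the private key and an RSA library), and it assumes a=rsa-sha256 with relaxed body canonicalisation, which is what typical signers use.

```python
"""DKIM body-hash (bh=) verification with relaxed canonicalisation (RFC 6376).

Added example, not code from the post or from Google. Checking the b= tag
additionally needs the public key from <selector>._domainkey.<domain> and an
RSA library; the body hash alone is enough to show how a changed body is caught.
"""
import base64
import hashlib
import re


def relaxed_body(body: bytes) -> bytes:
    """Relaxed body canonicalisation (RFC 6376 section 3.4.4): whitespace at the
    end of each line removed, runs of spaces/tabs collapsed to one space, empty
    trailing lines dropped, CRLF line endings, and a final CRLF on a non-empty body."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"\r\n".join(lines) + b"\r\n" if lines else b""


def body_hash(body: bytes) -> str:
    """Base64 SHA-256 of the canonicalised body, exactly as it appears in bh=."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()


def parse_tags(header_value: str) -> dict:
    """tag=value list parser; folding whitespace inside a value is ignored."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def body_hash_matches(dkim_signature: str, body: bytes) -> bool:
    """True if the bh= tag of a DKIM-Signature value matches the given body."""
    tags = parse_tags(dkim_signature)
    canon = tags.get("c", "simple/simple").split("/")
    body_canon = canon[1] if len(canon) == 2 else "simple"
    if tags.get("a") != "rsa-sha256" or body_canon != "relaxed":
        raise ValueError("demo handles only a=rsa-sha256 with relaxed body canonicalisation")
    return tags.get("bh") == body_hash(body)


# Constructed message body and a constructed DKIM-Signature value whose bh= is
# computed from it; d= and s= are placeholders and b= is a dummy since we do not sign.
ORIGINAL_BODY = b"Hi,\r\n\r\nPlease pay invoice 1234 to account  555-1.\r\n\r\n\r\n"
SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=google;\r\n"
    " h=from:to:subject:date; bh=" + body_hash(ORIGINAL_BODY) + ";\r\n b=dummy"
)
TAMPERED_BODY = ORIGINAL_BODY.replace(b"555-1", b"999-9")


if __name__ == "__main__":
    print(body_hash_matches(SIGNATURE, ORIGINAL_BODY))   # True
    print(body_hash_matches(SIGNATURE, TAMPERED_BODY))   # False: account number changed
```

Note the flip side of relaxed canonicalisation: a change that only adds or removes whitespace inside a line still verifies, which is deliberate (mail relays do reflow whitespace) but means the signature guarantees the text, not the exact bytes.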
DMARC is a third TXT record, published at _dmarc.yourdomain, that tells receiving servers what to do with messages that use your domain in the From address but fail the SPF and DKIM checks, and asks them to send you aggregate reports (by default once a day) of what they have seen.
There are good instructions on setting it up here. I am still getting to grips with DMARC so I have set my policy as:
v=DMARC1; rua=mailto:firstname.lastname@example.org; p=quarantine; pct=90; sp=none
I will receive reports, and if someone receives a spoofed email from me it will be sent to quarantine (the Gmail spam folder).
In that record, p=quarantine is the action for failing messages from the domain itself, pct=90 applies it to 90% of them (the rest are treated as p=none), sp=none leaves mail from subdomains unpoliced, and rua= is where the aggregate reports go. The usual progression is p=none while you read the reports, then quarantine, then reject once everything legitimate passes.
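To make the effect of those tags concrete, here is an added example (not code from this post, and not how Gmail implements it) that works out the DMARC disposition of a single message the way a receiver does under RFC 7489: it parses the record, applies relaxed or strict identifier alignment between the From domain and the domains SPF and DKIM actually vouched for, picks p= or sp= depending on whether the From domain is the policy domain itself, and samples with pct=. The record is the one shown above; the messages are constructed, and the organisational-domain rule is simplified to "last two labels" (real implementations use the Public Suffix List).

```python
"""DMARC disposition for one message (RFC 7489), added example.

Not code from the post or from Google. Inputs are what a receiving server
already has: the SPF result and the domain it was evaluated for (MAIL FROM),
the DKIM result and the d= domain of the verified signature, and the domain
in the From header.
"""
import random

POST_RECORD = "v=DMARC1; rua=mailto:firstname.lastname@example.org; p=quarantine; pct=90; sp=none"


def parse_dmarc(txt):
    """tag=value parser with the RFC 7489 defaults filled in."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: needs v=DMARC1 and a p= tag")
    tags.setdefault("adkim", "r")       # relaxed DKIM alignment
    tags.setdefault("aspf", "r")        # relaxed SPF alignment
    tags.setdefault("pct", "100")
    tags.setdefault("sp", tags["p"])    # subdomain policy defaults to p=
    return tags


def org_domain(domain):
    # Assumption for the demo: organisational domain = last two labels.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict needs an exact match, relaxed the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def disposition(record, policy_domain, from_domain, spf_result, spf_domain,
                dkim_result, dkim_domain, rand=random.random):
    """Return pass, none, quarantine or reject for one message."""
    p = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, p["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, p["adkim"])
    if spf_ok or dkim_ok:
        return "pass"                      # one aligned pass is enough
    # The record at _dmarc.<policy_domain> applies; sp= covers its subdomains.
    policy = p["p"] if from_domain.lower() == policy_domain.lower() else p["sp"]
    # pct= samples: the remaining failing mail gets the next milder action.
    if rand() * 100 >= int(p["pct"]):
        policy = {"reject": "quarantine", "quarantine": "none", "none": "none"}[policy]
    return policy


if __name__ == "__main__":
    # A spoof: From is example.org but SPF only passed for an unrelated bulk-sender domain.
    print(disposition(POST_RECORD, "example.org", "example.org",
                      "pass", "bulk-sender.net", "none", "", rand=lambda: 0.0))   # quarantine
    # The same spoof sent from a subdomain is untouched because of sp=none.
    print(disposition(POST_RECORD, "example.org", "news.example.org",
                      "fail", "news.example.org", "none", "", rand=lambda: 0.0))  # none
```

The subdomain case is the one to watch with this record: sp=none means a message from anything.example.org that fails both checks is delivered as if no policy existed, so once the reports look clean it is worth dropping sp= (it then inherits p=) as well as raising p= itself.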
Once you have saved all three TXT records, check your domain again with the Check MX tool, which should highlight any remaining issues.
DNS changes can take up to 48 hours to propagate, so if the tool still reports a problem, wait a while and try again before changing anything else.
I hope you find this article useful for setting up email security in G Suite. As always, feel free to get in touch if you need help getting any of this set up.