Google: Securing Your Domain: A Step-by-Step Guide to DKIM, SPF, and DMARC
When it comes to email security, setting up DKIM, SPF, and DMARC records is essential to protect your domain from unauthorized use and ensure reliable email delivery. In this guide, we'll walk you through the step-by-step process of configuring these records. To make things practical and relatable, we'll use the email address mojomailbox@metadot.com as an example. By the end of this guide, you'll have a clear understanding of how to secure your domain and authenticate your emails effectively. Let's get started!
1. Set Up a Proper DKIM Record
Log in to Your DNS Provider's Management Console:
- This is where you manage DNS settings for your domain (e.g., AWS Route 53, GoDaddy, Cloudflare).
Generate a DKIM Key in Google Admin Console:
- Go to Google Admin Console > Apps > Google Workspace > Gmail > Authenticate Email.
- Select your domain (`metadot.com`) if you have multiple domains.
- Click Generate New Record (if a record doesn't already exist).
- Google will provide the DKIM record information, typically formatted like this:
  - Record Name: `google._domainkey` (this goes in the name field of your DNS).
  - Record Type: `TXT`.
  - Record Value: `v=DKIM1; k=rsa; p=LONG_PUBLIC_KEY` (replace `LONG_PUBLIC_KEY` with the key provided by Google).
Add the DKIM Record to Your DNS Settings:
- Navigate to your DNS provider.
- Create a new `TXT` record with the following details:
  - Name: `google._domainkey` (or `google._domainkey.metadot.com`, depending on your provider's input requirements).
  - Type: `TXT`.
  - Value: `v=DKIM1; k=rsa; p=LONG_PUBLIC_KEY` (provided by Google).
Enable DKIM Signing:
- After saving the record in your DNS and waiting for propagation, return to the Admin Console.
- Click Start Authentication or Turn On to enable DKIM signing for your domain.
2. Check SPF Record
Verify Your SPF Record:
- SPF lists the servers that are authorized to send email on behalf of your domain, so receivers can reject mail from anywhere else.
- Check your existing DNS records for an SPF `TXT` record. It might look like: `v=spf1 include:_spf.google.com ~all`
Update the SPF Record if Missing or Incorrect:
If no SPF record exists, create a new `TXT` record with the following:
- Name: `@` (or leave it blank, depending on your DNS provider).
- Type: `TXT`.
- Value: `v=spf1 include:_spf.google.com ~all`.

If an SPF record exists but doesn't include Google's servers, update the existing value so it contains `include:_spf.google.com`; do not add a second SPF record, because a domain with more than one SPF record fails SPF evaluation entirely.
Verify Propagation:
- Use a tool like `dig` or MXToolbox SPF Checker to confirm the SPF record is correctly configured.
3. Ensure DMARC Is Properly Configured
Add a DMARC Record:
- DMARC requires that SPF or DKIM pass and that the authenticated domain align with the From: address, and it tells receivers how to handle unauthorized emails.
- Add a `TXT` record with the following:
  - Name: `_dmarc` (or `_dmarc.metadot.com` if your provider requires the full domain).
  - Type: `TXT`.
  - Value: `v=DMARC1; p=quarantine; rua=mailto:postmaster@metadot.com`
Customize Policy and Reporting:
- Replace `postmaster@metadot.com` with your desired email address for DMARC reports.
- You can adjust the `p=` policy:
  - `none`: Monitor emails without enforcement.
  - `quarantine`: Flag unauthorized emails as spam.
  - `reject`: Block unauthorized emails.
Test the DMARC Record:
- Use a tool like DMARC Analyzer to confirm correct setup.
Verification
Check DKIM, SPF, and DMARC:
- Use tools like:
  - Google Admin Toolbox
  - Mail Tester
These tools will confirm if DKIM, SPF, and DMARC are working correctly.
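As an added offline check (example code written for this guide, not a tool from Google or from the page), the Python script below validates the three TXT values described above before you paste them into DNS or after you read them back. It parses the `tag=value` syntax and reports the mistakes most often made when records are typed by hand: leaving the `LONG_PUBLIC_KEY` placeholder in the DKIM record, omitting `include:_spf.google.com`, ending SPF with `+all` or no `all` term, exceeding the 10-lookup SPF limit, or using a `p=` value DMARC does not define. The sample records are constructed for the example; in practice you would feed in the values returned by `dig TXT google._domainkey.metadot.com` and the matching queries for the SPF and `_dmarc` records.

```python
"""Offline sanity checks for DKIM, SPF and DMARC TXT record values.

Example code for this guide; the sample records below are constructed
and the public key in the DKIM sample is not a real key.
"""
import re

GOOGLE_SPF_INCLUDE = "_spf.google.com"
DMARC_POLICIES = ("none", "quarantine", "reject")
# SPF terms that each cost one of the 10 DNS lookups allowed by RFC 7208.
LOOKUP_MECHANISMS = ("include", "a", "mx", "ptr", "exists")

# Constructed sample records matching the values the guide tells you to set.
SAMPLE_RECORDS = {
    "dkim": "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC7CONSTRUCTEDKEY",
    "spf": "v=spf1 include:_spf.google.com ~all",
    "dmarc": "v=DMARC1; p=quarantine; rua=mailto:postmaster@metadot.com",
}


def parse_tags(record):
    """Split a 'tag=value; tag=value' TXT value into a dict (tag names lower-cased)."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dkim(record):
    """Return a list of problems in a DKIM TXT value; an empty list means it looks OK."""
    problems = []
    tags = parse_tags(record)
    if tags.get("v") != "DKIM1":
        problems.append("missing or wrong version tag (expected v=DKIM1)")
    key = tags.get("p", "")
    if not key:
        problems.append("empty p= tag (an empty key revokes the selector)")
    elif key == "LONG_PUBLIC_KEY":
        problems.append("placeholder LONG_PUBLIC_KEY was not replaced with the key from Google")
    elif not re.fullmatch(r"[A-Za-z0-9+/=]+", key):
        problems.append("p= value is not base64")
    return problems


def spf_lookup_terms(terms):
    """Count the SPF terms that trigger a DNS lookup (direct terms only, includes not expanded)."""
    count = 0
    for term in terms:
        name = term.lstrip("+-~?").split(":", 1)[0].split("/", 1)[0].lower()
        if name in LOOKUP_MECHANISMS or term.lower().startswith("redirect="):
            count += 1
    return count


def check_spf(record):
    """Return a list of problems in an SPF TXT value for a Google Workspace domain."""
    problems = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record must start with v=spf1"]
    if f"include:{GOOGLE_SPF_INCLUDE}" not in terms:
        problems.append(f"include:{GOOGLE_SPF_INCLUDE} is missing, so mail sent via Google fails SPF")
    if terms[-1].lower() not in ("~all", "-all"):
        problems.append("record should end with ~all or -all; +all or a missing all term authorizes everyone")
    lookups = spf_lookup_terms(terms[1:])
    if lookups > 10:
        problems.append(f"{lookups} lookup terms exceed the 10-lookup limit (permerror)")
    return problems


def check_dmarc(record):
    """Return a list of problems in a DMARC TXT value."""
    problems = []
    if not record.strip().lower().startswith("v=dmarc1"):
        problems.append("record must start with v=DMARC1 (the v tag has to come first)")
    tags = parse_tags(record)
    if tags.get("p") not in DMARC_POLICIES:
        problems.append("p= must be one of none, quarantine or reject")
    if not tags.get("rua", "").startswith("mailto:"):
        problems.append("rua= should be a mailto: address so aggregate reports reach you")
    return problems


def check_all(records):
    """Run every checker over a {'dkim': ..., 'spf': ..., 'dmarc': ...} dict."""
    checkers = {"dkim": check_dkim, "spf": check_spf, "dmarc": check_dmarc}
    return {name: checkers[name](value) for name, value in records.items()}


if __name__ == "__main__":
    for name, problems in check_all(SAMPLE_RECORDS).items():
        print(name, "OK" if not problems else problems)
```

The lookup counter only counts the terms in the record you pass in; `include:` targets are not fetched and expanded, so a record that passes this check can still exceed the limit once the included records are resolved, which is what MXToolbox's checker does for you.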