Google: Securing Your Domain: A Step-by-Step Guide to DKIM, SPF, and DMARC

When it comes to email security, setting up DKIM, SPF, and DMARC records is essential to protect your domain from unauthorized use and ensure reliable email delivery. In this guide, we’ll walk you through the step-by-step process of configuring these records. To make things practical and relatable, we’ll use the email address mojomailbox@metadot.com as an example. By the end of this guide, you’ll have a clear understanding of how to secure your domain and authenticate your emails effectively. Let’s get started!

1. Set Up a Proper DKIM Record

Log in to Your DNS Provider's Management Console:

  • This is where you manage DNS settings for your domain (e.g., AWS Route 53, GoDaddy, Cloudflare).

Generate a DKIM Key in Google Admin Console:

  • Go to Google Admin Console > Apps > Google Workspace > Gmail > Authenticate Email.
  • Select your domain (metadot.com) if you have multiple domains.
  • Click Generate New Record (if a record doesn’t already exist).
  • Google will provide the DKIM record information, typically formatted like this:
    • Record Name: google._domainkey (this goes in the name field of your DNS).
    • Record Type: TXT.
    • Record Value: v=DKIM1; k=rsa; p=LONG_PUBLIC_KEY (replace LONG_PUBLIC_KEY with the key provided by Google).

Add the DKIM Record to Your DNS Settings:

  • Navigate to your DNS provider.
  • Create a new TXT record with the following details:
    • Name: google._domainkey (or google._domainkey.metadot.com, depending on your provider's input requirements).
    • Type: TXT.
    • Value: v=DKIM1; k=rsa; p=LONG_PUBLIC_KEY (provided by Google).

Enable DKIM Signing:

  • After saving the record in your DNS and waiting for propagation, return to the Admin Console.
  • Click Start Authentication or Turn On to enable DKIM signing for your domain.

2. Check SPF Record

Verify Your SPF Record:

  • SPF lists the mail servers authorized to send email on behalf of your domain; receiving servers check the connecting server's IP address against it.
  • Check your existing DNS records for an SPF TXT record. It might look like:

v=spf1 include:_spf.google.com ~all

Update the SPF Record if Missing or Incorrect:

If no SPF record exists, create a new TXT record with the following:

  • Name: @ (or leave it blank, depending on your DNS provider).
  • Type: TXT.
  • Value: v=spf1 include:_spf.google.com ~all

If an SPF record exists but doesn't include Google's servers, edit the existing value so it contains include:_spf.google.com (a domain should publish a single SPF record rather than adding a second one).

Verify Propagation:

  • Use a tool like dig or MXToolbox SPF Checker to confirm the SPF record is correctly configured.

3. Ensure DMARC Is Properly Configured

Add a DMARC Record:

  • DMARC checks that the domain in the From: header aligns with the domain that passed SPF or DKIM, and tells receiving servers how to handle messages that fail.
  • Add a TXT record with the following:
    • Name: _dmarc (or _dmarc.metadot.com if your provider requires the full domain).
    • Type: TXT.
    • Value:

v=DMARC1; p=quarantine; rua=mailto:postmaster@metadot.com

Customize Policy and Reporting:

  • Replace postmaster@metadot.com with your desired email address for DMARC reports.
  • You can adjust the p= policy:
    • none: Monitor emails without enforcement.
    • quarantine: Flag unauthorized emails as spam.
    • reject: Block unauthorized emails.

Test the DMARC Record:

  • Use a tool like DMARC Analyzer to confirm correct setup.

Verification

Check DKIM, SPF, and DMARC:

  • Use tools like:
    • Google Admin Toolbox
    • Mail Tester

These tools will confirm if DKIM, SPF, and DMARC are working correctly.
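As an added example (not part of the original guide), the following Python checks the three TXT record values you publish above before you rely on an online tool: it parses DKIM and DMARC tag=value records, checks that the SPF record authorizes Google's servers and ends with a safe all mechanism, and catches the common mistake of leaving the LONG_PUBLIC_KEY placeholder in the DKIM record. Record strings passed to it are constructed samples; the functions are hypothetical helpers, not Google tooling.

```python
# Added example (not from the guide): offline sanity checks for the records above.
import re

def parse_tags(record):
    """Split a 'tag=value; tag=value' record (DKIM, DMARC) into a dict."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def check_dkim(record):
    """Return a list of problems with a DKIM TXT record (empty list means OK)."""
    t, problems = parse_tags(record), []
    if t.get("v") != "DKIM1":
        problems.append("v= must be DKIM1")
    if not t.get("p"):
        problems.append("p= is missing or empty (an empty p= revokes the key)")
    elif not re.fullmatch(r"[A-Za-z0-9+/=]+", t["p"]):
        problems.append("p= is not base64; check for stray quotes or whitespace")
    return problems

def check_spf(record):
    """Check an SPF record against what the guide expects for Google Workspace."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record must start with v=spf1"]
    lowered = [x.lower() for x in terms]
    problems = []
    if "include:_spf.google.com" not in lowered:
        problems.append("Google's servers are not authorized; add include:_spf.google.com")
    last = lowered[-1]
    if last in ("all", "+all"):  # bare 'all' defaults to the '+' qualifier
        problems.append("+all authorizes every sender and makes SPF meaningless")
    elif last not in ("~all", "-all", "?all"):
        problems.append("record should end with an 'all' mechanism (~all or -all)")
    return problems

def check_dmarc(record):
    """Check a DMARC record for the tags the guide sets (v=, p=, rua=)."""
    t, problems = parse_tags(record), []
    if t.get("v") != "DMARC1":
        problems.append("v= must be DMARC1")
    if t.get("p") not in ("none", "quarantine", "reject"):
        problems.append("p= must be none, quarantine or reject")
    if not t.get("rua", "").startswith("mailto:"):
        problems.append("rua= missing; aggregate reports will not be delivered")
    return problems
```

Paste the exact value from your DNS console into the matching function; an empty list means the record matches what this guide configures.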