2022-02-15-email-security-checklist.md

File metadata and controls

47 lines (31 loc) · 1.77 KB
title: The Google Workspace Email Security Checklist: SPF, DKIM, and DMARC
description: A list of all DNS records to set on new Google Workspace email subdomains, and why.
tags: Security

Improperly set DNS records can let unauthorized parties send email that masquerades as your domain. In this post, I show all of the DNS records that must be added.

Overview

  • SPF
    • TXT @: v=spf1 include:_spf.google.com -all
    • TXT *: v=spf1 -all
  • DMARC
    • TXT @: v=DMARC1; p=quarantine; sp=reject; rua=mailto:youremail@yourdomain.com
  • DKIM

Breakdown

SPF HARDFAIL for unauthenticated email being sent from your root domain

  • TXT @: v=spf1 include:_spf.google.com -all

This record tells receiving servers that only Google Workspace is authorized to send email for your root domain; email from any other source hard-fails SPF (-all).

SPF HARDFAIL for all email being sent from your subdomains

  • TXT *: v=spf1 -all

The wildcard record covers subdomains that do not exist: any email claiming to come from one of them fails SPF and is flagged and/or rejected.

DMARC

  • TXT @: v=DMARC1; p=quarantine; sp=reject; rua=mailto:youremail@yourdomain.com

This rule tells recipients to mark unauthenticated email from your root domain as spam (p=quarantine) and to reject unauthenticated email from your subdomains (sp=reject).

DKIM

With DKIM, Google cryptographically signs your outgoing emails, so recipients can verify that the contents haven't been tampered with.
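
To audit published records against the SPF and DMARC entries in this checklist, the following added example (not part of the original post) parses TXT values and reports deviations. The function names and sample records are constructed for illustration, and the record strings are supplied directly rather than fetched from DNS.

```python
# Added example: audit SPF and DMARC TXT values against the checklist (offline, no DNS).

def audit_spf(txt_records, require_include=None):
    """Return findings for the SPF policy published at one DNS name."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no SPF record"]
    if len(spf) > 1:
        return ["multiple SPF records (receivers return permerror)"]
    terms = spf[0].lower().split()[1:]
    findings = []
    all_terms = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism")
    elif all_terms[0] != "-all":
        findings.append(f"'{all_terms[0]}' is not a hard fail; use -all")
    if require_include and f"include:{require_include}" not in terms:
        findings.append(f"missing include:{require_include}")
    return findings

def audit_dmarc(record):
    """Return findings for one DMARC record ('tag=value; tag=value')."""
    parts = (part.partition("=") for part in record.split(";"))
    tags = {k.strip().lower(): v.strip() for k, _, v in parts if v}
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (must start with v=DMARC1)"]
    findings = []
    p = tags.get("p", "").lower()
    if p not in ("quarantine", "reject"):
        findings.append(f"p={p or 'missing'} does not act on unauthenticated mail")
    sp = tags.get("sp", p).lower()  # sp falls back to p when absent
    if sp != "reject":
        findings.append(f"subdomain policy is {sp or 'missing'}; checklist uses sp=reject")
    if not tags.get("rua", "").startswith("mailto:"):
        findings.append("no rua=mailto: address, so no aggregate reports")
    return findings

# Constructed sample records (example.com is a placeholder domain).
GOOD_SPF = ["v=spf1 include:_spf.google.com -all"]
WEAK_SPF = ["v=spf1 include:_spf.google.com ~all"]
GOOD_DMARC = "v=DMARC1; p=quarantine; sp=reject; rua=mailto:postmaster@example.com"
WEAK_DMARC = "v=DMARC1; p=none"

if __name__ == "__main__":
    print("weak SPF:", audit_spf(WEAK_SPF, "_spf.google.com"))
    print("weak DMARC:", audit_dmarc(WEAK_DMARC))
```

An empty list means the record matches the checklist; the wildcard record `v=spf1 -all` can be checked with `audit_spf` by omitting `require_include`.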