The Google Workspace Email Security Checklist: SPF, DKIM, and DMARC

A list of all DNS records to set on new Google Workspace email subdomains, and why.

Improperly set DNS records can allow unauthorized parties to masquerade as your email domain. In this post, I show all of the DNS records that must be added.

- SPF
  - TXT `@`: `v=spf1 include:_spf.google.com -all`
  - TXT `*`: `v=spf1 -all`
- DMARC
  - TXT `@`: `v=DMARC1; p=quarantine; sp=reject; rua=mailto:youremail@yourdomain.com`
- DKIM
  - For Google Workspace, follow this guide.

- TXT `@`: `v=spf1 include:_spf.google.com -all`

  This record tells receiving mail servers that only Google Workspace is authorized to send email for your root domain; `-all` makes mail from any other source fail SPF.

- TXT `*`: `v=spf1 -all`

  If a subdomain does not exist, this rule ensures that all email being sent from the subdomain is flagged and/or rejected.

- TXT `@`: `v=DMARC1; p=quarantine; sp=reject; rua=mailto:youremail@yourdomain.com`

  This rule marks all unauthenticated email from your root domain as spam (`quarantine`) and instructs recipients to reject unauthenticated email from your subdomains (`reject`).

- For Google Workspace, follow this guide.

  With DKIM, Google cryptographically signs the contents of your emails, so recipients can detect whether the contents were tampered with in transit.
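
An added example (not from the original post) that audits TXT record values against the checklist above: it flags SPF policies that do not end in `-all`, missing or duplicate SPF records, and DMARC policies weaker than `p=quarantine; sp=reject`. The function names and the weakened sample records are constructed for illustration, and the values are passed in as strings with no DNS lookup.

```python
# Added example: audit TXT record values (given as strings) against the checklist.

def audit_spf(txt_values, required_include=None):
    """Findings for the TXT values published at one name (root or wildcard)."""
    spf = [v for v in txt_values if v.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        # Zero records means no policy; more than one is a permerror (RFC 7208).
        return [f"expected exactly one SPF record, found {len(spf)}"]
    terms = spf[0].lower().split()[1:]
    findings = []
    if not terms or terms[-1] != "-all":
        findings.append("SPF does not end in -all")
    if required_include and f"include:{required_include}" not in terms:
        findings.append(f"SPF is missing include:{required_include}")
    return findings

def audit_dmarc(txt_values):
    """Findings for DMARC TXT values (receivers query _dmarc.<domain>, RFC 7489)."""
    dmarc = [v for v in txt_values if v.lower().replace(" ", "").startswith("v=dmarc1")]
    if len(dmarc) != 1:
        return [f"expected exactly one DMARC record, found {len(dmarc)}"]
    parts = (p.partition("=") for p in dmarc[0].split(";"))
    tags = {k.strip().lower(): v.strip() for k, sep, v in parts if sep}
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"p={policy or 'missing'} takes no action on unauthenticated mail")
    # When sp is absent, subdomains inherit p (RFC 7489).
    if tags.get("sp", policy).lower() != "reject":
        findings.append("subdomain policy is not reject")
    if "rua" not in tags:
        findings.append("no rua address for aggregate reports")
    return findings

def audit_zone(root_txt, wildcard_txt, dmarc_txt):
    return (audit_spf(root_txt, "_spf.google.com")
            + ["wildcard: " + f for f in audit_spf(wildcard_txt)]
            + audit_dmarc(dmarc_txt))

# Constructed samples: the checklist values, then a weakened variant.
CHECKLIST = (["v=spf1 include:_spf.google.com -all"], ["v=spf1 -all"],
             ["v=DMARC1; p=quarantine; sp=reject; rua=mailto:youremail@yourdomain.com"])
WEAK = (["v=spf1 include:_spf.google.com ~all", "google-site-verification=constructed"],
        [], ["v=DMARC1; p=none"])

if __name__ == "__main__":
    for name, zone in (("checklist", CHECKLIST), ("weak", WEAK)):
        print(name, audit_zone(*zone) or "OK")
```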