This post will show you how you can setup Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) Signatures and Domain-based Message Authentication, Reporting, and Conformance (DMARC) on your GMail (G Suite) email to limit spam and increase security.
Advertisement:
I have a number of guides on moving away form CPanel, Setting up VM’s on AWS, Vultr or Digital Ocean along with installing and managing WordPress from the command line. I use Google G Suite to send and receive emails that are linked to my domain (even via the command line) using multiple domains (with aliases).
Buy how can you extend your email security and limit spam?
Enter..
Sender Policy Framework (SPF) for Authorizing Use of Domains in Email
Background: SPF summary from the RFC document from the Internet Engineering Task Force (IETF).
“Email on the Internet can be forged in a number of ways. In particular, existing protocols place no restriction on what a sending host can use as the “MAIL FROM” of a message or the domain given on the SMTP HELO/EHLO commands. This document describes version 1 of the Sender Policy Framework (SPF) protocol, whereby ADministrative Management Domains (ADMDs) can explicitly authorize the hosts that are allowed to use their domain names, and a receiving host can check such authorization.”
Google has a guide in setting up SPF records for your G Suite account.
Scan your site for SPF, DKIM and DMARC configuration(s).
Gmail has a test site where you can check your site SPF, DKIM and DMARC etc: https://toolbox.googleapps.com/apps/checkmx/
How to set up an SPF Record
I followed this guide to set up an SPF record on my G Suite account. I use Cloudflare for my DNS provider so I’ll make my DNS changes there.
Update: Google instructions were wrong, use a TXT record and not a SPF record.
Read more on SPF at Wikipedia here.
DNS will take a while to replicate so do wait a few hours before checking again with the checkmx tool.
Now let’s set up DomainKeys Identified Mail (DKIM) Signatures
Read more on DKIM at Wikipedia here.
Background: The DKIM RFC form the Internet Engineering Task Force (IETF) states…
“DomainKeys Identified Mail (DKIM) permits a person, role, or organization that owns the signing domain to claim some responsibility for a message by associating the domain with the message. This can be an author’s organization, an operational relay, or one of their agents. DKIM separates the question of the identity of the Signer of the message from the purported author of the message. Assertion of responsibility is validated through a cryptographic signature and by querying the Signer’s domain directly to retrieve the appropriate public key. Message transit from author to recipient is through relays that typically make no substantive change to the message content and thus preserve the DKIM signature.”
Google has a DKIM FAQ: https://support.google.com/a/answer/174124
Login to your G Suite account and load this FAQ.
The FAQ page states..
“You can help prevent spoofing by adding a digital signature to outgoing message headers using the DKIM standard. This involves using a private domain key to encrypt your domain’s outgoing mail headers, and adding a public version of the key to the domain’s DNS records. Recipient servers can then retrieve the public key to decrypt incoming headers and verify that the message really comes from your domain and hasn’t been changed along the way.”
Click Generate the Domain Key
Follow the steps and generate a key
Generate a new record
Add the DKIM key to your DNS record
DNS will take a while to replicate so do wait a few hours before checking again with the checkmx tool.
Domain-based Message Authentication, Reporting, and Conformance (DMARC)
Read more on DMARC at Wikipedia here. Read the official page here https://dmarc.org/.
Background: The DMARC RFC form the Internet Engineering Task Force (IETF) states…
DMARC Flow
“Domain-based Message Authentication, Reporting, and Conformance (DMARC) is a scalable mechanism by which a mail-originating organization can express domain-level policies and preferences for message validation, disposition, and reporting, that a mail-receiving organization can use to improve mail handling.
Originators of Internet Mail need to be able to associate reliable and authenticated domain identifiers with messages, communicate policies about messages that use those identifiers, and report about mail using those identifiers. These abilities have several benefits: Receivers can provide feedback to Domain Owners about the use of their domains; this feedback can provide valuable insight about the management of internal operations and the presence of external domain name abuse.
DMARC does not produce or encourage elevated delivery privilege of authenticated email. DMARC is a mechanism for policy distribution that enables increasingly strict handling of messages that fail authentication checks, ranging from no action, through altered delivery, up to message rejection.”
Google G Suite has a guide to setting up a DMARC record here
Snip from the Google guide here..
“Spammers can sometimes forge the “From” address on email messages so the spam appears to come from a user in your domain. To help prevent this sort of abuse, Google is participating in DMARC.org, which gives domain owners more control over what Gmail does with spam email messages from their domain.
G Suite follows the DMARC.org standard and allows you to decide how Gmail treats unauthenticated emails coming from your domain. Domain owners can publish a policy telling Gmail and other participating email providers how to handle unauthenticated messages sent from their domain. By defining a policy, you can help combat phishing to protect users and your reputation.“
Login to your G Suite account and load this FAQ
Click Add A DMARC Record
You will then need to set up a DKIM Domain Key (if you have not done so yet)
When you are done you need to choose your DMARC rules, I would suggest you go to https://mxtoolbox.com/DMARCRecordGenerator.aspx to generate a record
I generated these rules
Warning: Setting a DMARC policy that is too strict may block mail from being delivered. Tighten rules over time.
Login to your DNS provider and add your TXT record.
You should now have an SPF, DKIM and DMARC record in DNS.
Update: The SPD record above should be a TXT (Google led me astray)
DNS will take a while to replicate so do wait a few hours before checking again with the checkmx tool.
Now go to bed and wait for DNS to replicate.
Troubleshooting SPF
My TXT record would not validate with https://toolbox.googleapps.com/apps/checkmx/check
The MX Toolbox SPF checker reports that SPF records are deprecated and to use TXT records instead.
Fix (remove the SPF record and add a TXT record with the same contents). Don’t forget to delete the old SPF record.
Results
Reports
SPF/DKIM reports will let me know when unauthorized people send email from my domain.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 | This is a spf/dkim authentication-failure report for an email message received from IP 125.105.176.155 on Sat, 14 Apr 2018 13:14:09 +0800. Below is some detail information about this message: 1. SPF-authenticated Identifiers: none; 2. DKIM-authenticated Identifiers: none; 3. DMARC Mechanism Check Result: Identifier non-aligned, DMARC mechanism check failures; For more information please check Aggregate Reports or mail to abuse@163.com. Feedback-Type: auth-failure User-Agent: NtesDmarcReporter/1.0 Version: 1 Original-Mail-From: <gibwcm@fearby.com> Arrival-Date: Sat, 14 Apr 2018 13:14:09 +0800 Source-IP: 125.105.176.155 Reported-Domain: fearby.com Original-Envelope-Id: VcCowECJ7EIejtFanCHFLg--.51187S2 Authentication-Results: 163.com; dkim=none; spf=softfail smtp.mailfrom=gibwcm@fearby.com Delivery-Result: delivered Identity-Alignment: none Received: from mitai (unknown [208.136.26.72]) by fearby.com with SMTP id LyDKBHx6xsr7XZkf.1 for <pjy315@163.com>; Sat, 14 Apr 2018 13:14:03 +0800 Message-ID: <20180414131403067652@fearby.com> From: =?utf-8?B?5rip5a6D?= <gibwcm@fearby.com> To: <pjy315@163.com> Subject: =?utf-8?B?UmXvvJrlm57lpI3vvJrovazlj5HvvJrml7bpl7Q05pyIMjAtMjHml6XkuIo=?= =?utf-8?B?5rW3IOWcsOeCuSDnvo7oh6PljJblpoblk4Hlhazlj7jln7norq3ln7rlnLA=?= Date: Sat, 14 Apr 2018 13:13:56 +0800 MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="----=_NextPart_000_08FE_016CD6FE.1A359D20" X-mailer: Bagf 2 |
Also, DMARC will alert me to unauthorized activity
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 | <?xml version="1.0" encoding="UTF-8" ?> <feedback> <report_metadata> <org_name>google.com</org_name> <email>noreply-dmarc-support@google.com</email> <extra_contact_info>https://support.google.com/a/answer/2466580</extra_contact_info> <report_id>4329490063964523747</report_id> <date_range> <begin>1523750400</begin> <end>1523836799</end> </date_range> </report_metadata> <policy_published> <domain>fearby.com</domain> <adkim>r</adkim> <aspf>r</aspf> <p>quarantine</p> <sp>none</sp> <pct>5</pct> </policy_published> <record> <row> <source_ip>2001:19f0:5801:5fa:5400:ff:fe80:ec7a</source_ip> <count>2</count> <policy_evaluated> <disposition>none</disposition> <dkim>fail</dkim> <spf>fail</spf> <reason> <type>sampled_out</type> <comment></comment> </reason> </policy_evaluated> </row> <identifiers> <header_from>fearby.com</header_from> </identifiers> <auth_results> <spf> <domain>unknown</domain> <result>none</result> </spf> </auth_results> </record> </feedback> |
I hope this guide helps someone.
Ask a question or recommend an article
Revision History
v1.4 Reports
v1.3 DMARC Flow image
V1.2 Updated wording
V1.1 Fixed typos (they were free)
v1.0 Initial post