email

Securing Google G Suite email by setting up SPF, DKIM and DMARC with Cloudflare

April 14, 2018 by Simon

This post will show you how you can setup Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) Signatures and Domain-based Message Authentication, Reporting, and Conformance (DMARC) on your GMail (G Suite) email to limit spam and increase security.

I have a number of guides on moving away form CPanel, Setting up VM’s on AWS, Vultr or Digital Ocean along with installing and managing WordPress from the command line. I use Google G Suite to send and receive emails that are linked to my domain (even via the command line) using multiple domains (with aliases).

For the best performing VM host (UpCloud) read my guide on the awesome UpCloud VM hosts (get $25 free credit by signing up here).

Buy a domain name from Namecheap here.

Buy how can you extend your email security and limit spam?

Enter..

Sender Policy Framework (SPF) for Authorizing Use of Domains in Email

Background: SPF summary from the RFC document from the Internet Engineering Task Force (IETF).

“Email on the Internet can be forged in a number of ways. In particular, existing protocols place no restriction on what a sending host can use as the “MAIL FROM” of a message or the domain given on the SMTP HELO/EHLO commands. This document describes version 1 of the Sender Policy Framework (SPF) protocol, whereby ADministrative Management Domains (ADMDs) can explicitly authorize the hosts that are allowed to use their domain names, and a receiving host can check such authorization.”

Google has a guide in setting up SPF records for your G Suite account.

Scan your site for SPF, DKIM and DMARC configuration(s).

Gmail has a test site where you can check your site SPF, DKIM and DMARC etc: https://toolbox.googleapps.com/apps/checkmx/

How to set up an SPF Record

I followed this guide to set up an SPF record on my G Suite account. I use Cloudflare for my DNS provider so I’ll make my DNS changes there.

Update: Google instructions were wrong, use a TXT record and not a SPF record.

Read more on DKIM at Wikipedia here.

Background: The DKIM RFC form the Internet Engineering Task Force (IETF) states…

“DomainKeys Identified Mail (DKIM) permits a person, role, or organization that owns the signing domain to claim some responsibility for a message by associating the domain with the message. This can be an author’s organization, an operational relay, or one of their agents. DKIM separates the question of the identity of the Signer of the message from the purported author of the message. Assertion of responsibility is validated through a cryptographic signature and by querying the Signer’s domain directly to retrieve the appropriate public key. Message transit from author to recipient is through relays that typically make no substantive change to the message content and thus preserve the DKIM signature.”

Google has a DKIM FAQ: https://support.google.com/a/answer/174124

The FAQ page states..

“You can help prevent spoofing by adding a digital signature to outgoing message headers using the DKIM standard. This involves using a private domain key to encrypt your domain’s outgoing mail headers, and adding a public version of the key to the domain’s DNS records. Recipient servers can then retrieve the public key to decrypt incoming headers and verify that the message really comes from your domain and hasn’t been changed along the way.”

Click Generate the Domain Key

Follow the steps and generate a key

Generate a new record

Add the DKIM key to your DNS record

DNS will take a while to replicate so do wait a few hours before checking again with the checkmx tool.

Domain-based Message Authentication, Reporting, and Conformance (DMARC)

Read more on DMARC at Wikipedia here. Read the official page here https://dmarc.org/.

Background: The DMARC RFC form the Internet Engineering Task Force (IETF) states…

DMARC Flow

“Domain-based Message Authentication, Reporting, and Conformance (DMARC) is a scalable mechanism by which a mail-originating organization can express domain-level policies and preferences for message validation, disposition, and reporting, that a mail-receiving organization can use to improve mail handling.

Originators of Internet Mail need to be able to associate reliable and authenticated domain identifiers with messages, communicate policies about messages that use those identifiers, and report about mail using those identifiers. These abilities have several benefits: Receivers can provide feedback to Domain Owners about the use of their domains; this feedback can provide valuable insight about the management of internal operations and the presence of external domain name abuse.

DMARC does not produce or encourage elevated delivery privilege of authenticated email. DMARC is a mechanism for policy distribution that enables increasingly strict handling of messages that fail authentication checks, ranging from no action, through altered delivery, up to message rejection.”

Google G Suite has a guide to setting up a DMARC record here

Snip from the Google guide here..

“Spammers can sometimes forge the “From” address on email messages so the spam appears to come from a user in your domain. To help prevent this sort of abuse, Google is participating in DMARC.org, which gives domain owners more control over what Gmail does with spam email messages from their domain.

G Suite follows the DMARC.org standard and allows you to decide how Gmail treats unauthenticated emails coming from your domain. Domain owners can publish a policy telling Gmail and other participating email providers how to handle unauthenticated messages sent from their domain. By defining a policy, you can help combat phishing to protect users and your reputation.“

Click Add A DMARC Record

You will then need to set up a DKIM Domain Key (if you have not done so yet)

When you are done you need to choose your DMARC rules, I would suggest you go to https://mxtoolbox.com/DMARCRecordGenerator.aspx to generate a record

I generated these rules

Warning: Setting a DMARC policy that is too strict may block mail from being delivered. Tighten rules over time.

You should now have an SPF, DKIM and DMARC record in DNS.

Update: The SPD record above should be a TXT (Google led me astray)

DNS will take a while to replicate so do wait a few hours before checking again with the checkmx tool.

Now go to bed and wait for DNS to replicate.

Troubleshooting SPF

My TXT record would not validate with https://toolbox.googleapps.com/apps/checkmx/check

The MX Toolbox SPF checker reports that SPF records are deprecated and to use TXT records instead.

Fix (remove the SPF record and add a TXT record with the same contents). Don’t forget to delete the old SPF record.

Results

Reports

SPF/DKIM reports will let me know when unauthorized people send email from my domain.

This is a spf/dkim authentication-failure report for an email message received from IP 125.105.176.155 on Sat, 14 Apr 2018 13:14:09 +0800.
Below is some detail information about this message:
 1. SPF-authenticated Identifiers: none;
 2. DKIM-authenticated Identifiers: none;
 3. DMARC Mechanism Check Result: Identifier non-aligned, DMARC mechanism check failures;

For more information please check Aggregate Reports or mail to abuse@163.com.



Feedback-Type: auth-failure
User-Agent: NtesDmarcReporter/1.0
Version: 1
Original-Mail-From: <gibwcm@fearby.com>
Arrival-Date: Sat, 14 Apr 2018 13:14:09 +0800
Source-IP: 125.105.176.155
Reported-Domain: fearby.com
Original-Envelope-Id: VcCowECJ7EIejtFanCHFLg--.51187S2
Authentication-Results: 163.com; dkim=none; spf=softfail smtp.mailfrom=gibwcm@fearby.com
Delivery-Result: delivered
Identity-Alignment: none



Received: from mitai (unknown [208.136.26.72])
	by fearby.com with SMTP id LyDKBHx6xsr7XZkf.1
	for <pjy315@163.com>; Sat, 14 Apr 2018 13:14:03 +0800
Message-ID: <20180414131403067652@fearby.com>
From: =?utf-8?B?5rip5a6D?= <gibwcm@fearby.com>
To: <pjy315@163.com>
Subject: =?utf-8?B?UmXvvJrlm57lpI3vvJrovazlj5HvvJrml7bpl7Q05pyIMjAtMjHml6XkuIo=?=
	=?utf-8?B?5rW3IOWcsOeCuSDnvo7oh6PljJblpoblk4Hlhazlj7jln7norq3ln7rlnLA=?=
Date: Sat, 14 Apr 2018 13:13:56 +0800
MIME-Version: 1.0
Content-Type: multipart/mixed;
	boundary="----=_NextPart_000_08FE_016CD6FE.1A359D20"
X-mailer: Bagf 2

This is a spf/dkim authentication-failure report for an email message received from IP 125.105.176.155 on Sat, 14 Apr 2018 13:14:09 +0800.

Below is some detail information about this message:

1. SPF-authenticated Identifiers: none;

2. DKIM-authenticated Identifiers: none;

3. DMARC Mechanism Check Result: Identifier non-aligned, DMARC mechanism check failures;

For more information please check Aggregate Reports or mail to abuse@163.com.

Feedback-Type: auth-failure

User-Agent: NtesDmarcReporter/1.0

Version: 1

Original-Mail-From: <gibwcm@fearby.com>

Arrival-Date: Sat, 14 Apr 2018 13:14:09 +0800

Source-IP: 125.105.176.155

Reported-Domain: fearby.com

Original-Envelope-Id: VcCowECJ7EIejtFanCHFLg--.51187S2

Authentication-Results: 163.com; dkim=none; spf=softfail smtp.mailfrom=gibwcm@fearby.com

Delivery-Result: delivered

Identity-Alignment: none

Received: from mitai (unknown [208.136.26.72])

by fearby.com with SMTP id LyDKBHx6xsr7XZkf.1

for <pjy315@163.com>; Sat, 14 Apr 2018 13:14:03 +0800

Message-ID: <20180414131403067652@fearby.com>

From: =?utf-8?B?5rip5a6D?= <gibwcm@fearby.com>

To: <pjy315@163.com>

Subject: =?utf-8?B?UmXvvJrlm57lpI3vvJrovazlj5HvvJrml7bpl7Q05pyIMjAtMjHml6XkuIo=?=

=?utf-8?B?5rW3IOWcsOeCuSDnvo7oh6PljJblpoblk4Hlhazlj7jln7norq3ln7rlnLA=?=

Date: Sat, 14 Apr 2018 13:13:56 +0800

MIME-Version: 1.0

Content-Type: multipart/mixed;

boundary="----=_NextPart_000_08FE_016CD6FE.1A359D20"

X-mailer: Bagf 2

Also, DMARC will alert me to unauthorized activity

<?xml version="1.0" encoding="UTF-8" ?>
<feedback>
  <report_metadata>
    <org_name>google.com</org_name>
    <email>noreply-dmarc-support@google.com</email>
    <extra_contact_info>https://support.google.com/a/answer/2466580</extra_contact_info>
    <report_id>4329490063964523747</report_id>
    <date_range>
      <begin>1523750400</begin>
      <end>1523836799</end>
    </date_range>
  </report_metadata>
  <policy_published>
    <domain>fearby.com</domain>
    <adkim>r</adkim>
    <aspf>r</aspf>
    <p>quarantine</p>
    <sp>none</sp>
    <pct>5</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>2001:19f0:5801:5fa:5400:ff:fe80:ec7a</source_ip>
      <count>2</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>fail</dkim>
        <spf>fail</spf>
        <reason>
          <type>sampled_out</type>
          <comment></comment>
        </reason>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>fearby.com</header_from>
    </identifiers>
    <auth_results>
      <spf>
        <domain>unknown</domain>
        <result>none</result>
      </spf>
    </auth_results>
  </record>
</feedback>

<?xml version="1.0" encoding="UTF-8" ?>

<report_metadata>

<org_name>google.com</org_name>

<email>noreply-dmarc-support@google.com</email>

<extra_contact_info>https://support.google.com/a/answer/2466580</extra_contact_info>

<report_id>4329490063964523747</report_id>

<date_range>

</date_range>

</report_metadata>

<policy_published>

<domain>fearby.com</domain>

quarantine

</policy_published>

<row>

<source_ip>2001:19f0:5801:5fa:5400:ff:fe80:ec7a</source_ip>

<policy_evaluated>

<type>sampled_out</type>

</reason>

</policy_evaluated>

</row>

<header_from>fearby.com</header_from>

</identifiers>

<auth_results>

<spf>

<domain>unknown</domain>

</spf>

</auth_results>

</record>

</feedback>

I hope this guide helps someone.

Ask a question or recommend an article

Revision History

v1.4 Reports

v1.3 DMARC Flow image

V1.2 Updated wording

V1.1 Fixed typos (they were free)

v1.0 Initial post

Securing Google G Suite email by setting up SPF, DKIM and DMARC with Cloudflare

April 14, 2018 by

Read the full article here: https://fearby.com/article/securing-google-g-suite-email-by-setting-up-spf-dkim-and-dmarc-with-cloudflare/

Add email alias to an existing GSuite email account

January 14, 2018 by Simon

This short post will show you how (and why) you should add email aliases to email accounts for previously added domains.

Here are my two posts related to setting up a new suite account and adding a second domain to an existing GSuite account. I used to have my own C Panel domain but moved all servers to self-managed servers first on Digital Ocean then AWS then Vultr. Vultr is now my preferred hosts as they are affordable and have server locations in Australia.

Click Users

I tried to add an email alias to existing 2x domains in Google Suite (the help did not align with the screens I was seeing in my admin consoles), there was no email alias section)??

Official Google Help: https://support.google.com/domains/answer/6304345?hl=en-AU

Snip:

Every user in a G Suite account has a <em>primary address</em> for signing in to their account and receiving mail. If a user wants another email address, you can create an <strong>email alias</strong> for them.

<strong>Why use an alias? </strong> If ann@solarmora.com wants a sales address to post to the company website, you can create the alias <strong>sales@solarmora.com</strong>. Mail sent to either address then appears in Ann's Gmail inbox.

You can add up to 30 email aliases for each user. Users continue to sign in to their G Suite account with their primary address, not an email alias.

Every user in a G Suite account has a primary address for signing in to their account and receiving mail. If a user wants another email address, you can create an email alias for them.

Why use an alias? If ann@solarmora.com wants a sales address to post to the company website, you can create the alias sales@solarmora.com. Mail sent to either address then appears in Ann's Gmail inbox.

You can add up to 30 email aliases for each user. Users continue to sign in to their G Suite account with their primary address, not an email alias.

I fired up the G Suite support

I wanted to add the following email aliases of “security@..”, “admin@..” and “root@..” to an existing email on 2 domains to support security disclosures (post soon (nope Troy Hunt beat me, read his post on security disclosure here)).

While I was waiting for the support chat I figured out the email alias thing, it turned out I needed to click the “Account” header on the user screen (I did not realise “account word was clickable).

Solution: How to add Aliases

You need to click the account heading (It’s a link apparently).

When the Ajax content loads you can scroll down to alias section.

Tip: There is no “Apply” or “OK” button when adding aliases so just press enter.

Now if you want to be able to send as the new alias you need to add the aliases in Gmail.

Now you can send via this email alias in GMail or via CLI via the primary account 🙂

sendemail -f root@yourdomain.com -t to@email.com -u "Test email via alias" -s smtp.gmail.com:587 -o tls=yes -xu simon@yourdomain.com -xp YourPa$$w0rdH3r3 -m "Test email via alias"

1	sendemail -f root@yourdomain.com -t to@email.com -u "Test email via alias" -s smtp.gmail.com:587 -o tls=yes -xu simon@yourdomain.com -xp YourPa$$w0rdH3r3 -m "Test email via alias"

Read my blog post on sending email from the command line via G Suite.

Donate and make this blog better

Ask a question or recommend an article

Revision History
v1.1 Added Troy Hunt “Data Breach Disclosures” link

v1.0 Working Copy.

Hope this helps someone.

Adding a second domain to an existing GSuite account and creating an email address

December 14, 2017 by Simon

Below is my post (personal view, not paid view) on how to add a second domain to an existing gsuite account and creating an email address and sending emails from a client tor CLI.

Jan 2018 Update

Post on adding email aliases to G Suite

Main

Read my post here if you have never created or managed a GSuite account to take control of mail for a domain. This guide will build on this previous guide and show you how to add a second domain to an existing GSuite account. Read this guide if you need a Namecheap domain and or an Ubuntu VM to host a website. I really like deploying WordPress via Command Line (CLI), read my guide here.

Buy a domain name from Namecheap here.

Before you get started login to your G Suite account and ensure your first domain is set up and working. If you don’t have a GSuite account click here to set one up (first 14 days are free).

Also, I highly recommend the G Suite support, this has to be the best and most experienced support I have used of any company (my views only).

In the Google G Suite admin bar type “add domain” and select “Add new Domain” (not “Add new domain Alias”).

Select “Add another domain” and click “CONTINUE AND VERIFY DOMAIN OWNERSHIP”

Now copy the domain verify code (I use Namecheap for my domains so you may see different advice)

I logged into Namecheap and added the TXT record to my domain.

While I was here I added G Suite MX records.

I went back to GSuite and clicked Verify

I could now add an email user to the second domain I just added to G Suite. 🙂

I set a strong password so I won’t force the reset of a password at next login. I plan on using the email account for manual and semi-automated alerts in code (read my guide here on how to send GSuite/gmails via code).

Once the user is created you can send them a welcome email.

Sample welcome email.

The email is now ready to use. I can send and revive email using this account with an email client.

I can even send emails via the command line (read how here)

cat testemail.sh
#!/bin/bash

echo "Sending Email";
sendemail -f from@domain.com -t to@email.com -u "Subject" -s smtp.gmail.com:587 -o tls=yes -xu from@domain.com -xp 'passwordhere' -m 'Message Body Here'

cat testemail.sh

#!/bin/bash

echo "Sending Email";

sendemail -f from@domain.com -t to@email.com -u "Subject" -s smtp.gmail.com:587 -o tls=yes -xu from@domain.com -xp 'passwordhere' -m 'Message Body Here'

Send via running

sudo bash testemail.sh

1	sudo bash testemail.sh

Output

Sending Email
Dec 13 23:16:15 thedomain sendemail[8397]: Email was sent successfully!

1 2	Sending Email Dec 13 23:16:15 thedomain sendemail[8397]: Email was sent successfully!

More

Post on adding email aliases to G Suite

Hope this helps someone.

Donate and make this blog better

Ask a question or recommend an article

Revision History

1.3 added more links.

v1.2 Fixed.

How to be alerted after system boot on Ubuntu 16.04 with an email via Gmail

September 5, 2017 by Simon

This will allow you to sent an email at startup on Ubuntu boot. You will need to ensure sendmail is setup and working (read my guide on How to send email via G Suite from Ubuntu in the cloud, setup an Ubuntu server in the cloud here (guide here)).

Create a scripts folder

mkdir /scripts/

1	mkdir /scripts/

Create a file called /scripts/emailstartup.sh and add..

#!/bin/bash

echo "Dumping startup log";
journalctl -b0 --system _COMM=systemd --no-pager >/scripts/boot.log

#echo "Deleting old log file";
#rm -R /scripts/boot.zip

#echo "Zipping up Startup Log File.";
#zip -r -9 /scripts/boot.zip /scripts/boot.log

echo "Sending Email With Attachment";
# Ensure you have gmail or gsuite setup on your domain, guide here https://fearby.com/article/moving-a-cpanel-domain-with-email-to-a-self-managed-vps-and-gmail/
sendemail -f email@yourserver.com -t email@yourserver.com -u "Startup: $HOSTNAME server" -m "Attached are the startup logs for $HOSTNAME server" -s smtp.gmail.com:587 -o tls=yes -xu email@domain.com -xp password -a /scripts/boot.log

#!/bin/bash

echo "Dumping startup log";

journalctl -b0 --system _COMM=systemd --no-pager >/scripts/boot.log

#echo "Deleting old log file";

#rm -R /scripts/boot.zip

#echo "Zipping up Startup Log File.";

#zip -r -9 /scripts/boot.zip /scripts/boot.log

echo "Sending Email With Attachment";

# Ensure you have gmail or gsuite setup on your domain, guide here https://fearby.com/article/moving-a-cpanel-domain-with-email-to-a-self-managed-vps-and-gmail/

sendemail -f email@yourserver.com -t email@yourserver.com -u "Startup: $HOSTNAME server" -m "Attached are the startup logs for $HOSTNAME server" -s smtp.gmail.com:587 -o tls=yes -xu email@domain.com -xp password -a /scripts/boot.log

optional: Uncomment lines above to attach a zip file instead of a log file (don’t forget to attach the zip instead of the log file in sendmail.)

Make the script file executable

sudo chmod +X /scripts/emailstartup.sh

1	sudo chmod +X /scripts/emailstartup.sh

Test the script

sudo /bin/bash /scripts/emailstartup.sh
Dumping startup log
Deleting old log file
Zipping up Startup Log File.
  adding: scripts/boot.log (deflated 91%)
Sending Email With Attachment
Sep 05 18:49:27 yourservernamehere sendemail[2606]: Email was sent successfully!

sudo /bin/bash /scripts/emailstartup.sh

Dumping startup log

Deleting old log file

Zipping up Startup Log File.

adding: scripts/boot.log (deflated 91%)

Sending Email With Attachment

Sep 05 18:49:27 yourservernamehere sendemail[2606]: Email was sent successfully!

Add the following to crontab -e to ensure the script is executed 5 minutes after startup.

@reboot sleep 300 && /bin/bash /scripts/emailstartup.sh >> /dev/null 2>&1

1	@reboot sleep 300 && /bin/bash /scripts/emailstartup.sh >> /dev/null 2>&1

On reboot, you will be emailed desired start-up information.

Donate and make this blog better

Ask a question or recommend an article

v1.0 initial post

How to send email via G Suite from Ubuntu in the cloud

August 20, 2017 by Zach Meissner

Here is how I send emails from the command line in Ubuntu servers in the cloud via G SUote connect emails

Jan 2018 Update

Post on adding a second domain to G Suite

Post on adding email aliases to G Suite

Main

If you use ufw for your Ubuntu firewall then allow port 587 out traffic (read more in securing Ubuntu in the cloud here).

sudo ufw allow out 587

1	sudo ufw allow out 587

Ensure your port is open on IPV4 and IPV6.

sudo ufw status

1	sudo ufw status

If you have a GUI managed firewall with your server host then configure it to allow port 587 (out).

Read more on useful terminal commands here or setting up a Digital Ocean Ubuntu server here for as low as $5 a month here, Vultr server for as low as $2.5 here ($10 free credit). Read more about setting up an AWS Ubuntu server here.

Install sendmail and other pre requisites

apt-get install libio-socket-ssl-perl libnet-ssleay-perl sendemail

1	apt-get install libio-socket-ssl-perl libnet-ssleay-perl sendemail

Now you are ready to send an email with 1 line in the terminal (use your Gmail email unless you have diverted your email to G Suite (then use that email, guide here). Create a G Suite account here.

FYI: I have setup my email for my domain to redirect via G Suite (see my guide here and older guide here)

Send an email from the command line

sendemail -f your@email.com -t your@email.com -u "test email" -m "test message" -s smtp.gmail.com:587 -o tls=yes -xu your@email.com -xp y@ursecurepa$$wordg@eshere123

1	sendemail -f your@email.com -t your@email.com -u "test email" -m "test message" -s smtp.gmail.com:587 -o tls=yes -xu your@email.com -xp y@ursecurepa$$wordg@eshere123

This is not a drop-in replacement for Outlook or Thunderbird email clients but it is perfect for command line alerts to con-jobs or start-up notifications.

Sending an email with an attachment

sendemail -f your@email.com -t your@email.com -u "test email" -m "test message" -s smtp.gmail.com:587 -o tls=yes -xu your@email.com -xp Y@urSecu&rpa$$w@rd123 -a /folder/file.zip

1	sendemail -f your@email.com -t your@email.com -u "test email" -m "test message" -s smtp.gmail.com:587 -o tls=yes -xu your@email.com -xp Y@urSecu&rpa$$w@rd123 -a /folder/file.zip

Coming soon: A guide on backing up Ubuntu with Rsync etc.

More

Post on adding a second domain to G Suite

Post on adding email aliases to G Suite

Donate and make this blog better

Ask a question or recommend an article

v1.2 added other links

v1.1 added links to two G Suite guides.

Personal Development Blog...

Coding for fun since 1996, Learn by doing and sharing.

Buy a domain name, then create your own server (get $25 free credit)

"If you're not still learning, you're already dying."
- Ryan Holiday - Ego is the Enemy

Follow me on Twitter: @FearbySoftware

View All Posts.

email

Securing Google G Suite email by setting up SPF, DKIM and DMARC with Cloudflare

Securing Google G Suite email by setting up SPF, DKIM and DMARC with Cloudflare

Add email alias to an existing GSuite email account

Adding a second domain to an existing GSuite account and creating an email address

How to be alerted after system boot on Ubuntu 16.04 with an email via Gmail

How to send email via G Suite from Ubuntu in the cloud

Popular

Security

Code

Tech

Wordpress

General

email

Footer

Popular

Security

Code

Tech

Wordpress

General

This website uses cookies