Setting up SPF
Sender Policy Framework or SPF works as insulation against email spoofing. It prevents spammers from sending emails using your domain.
Whenever you send an email, your recipient wants to know that the mail is coming from you and not from someone who is pretending to be you. To give your recipients this much-needed assurance about the authenticity of your mails, all you have to do is set up an SPF record.
By setting up an SPF record, you list all the mail servers that you authorize to send emails using your domain. This lets the receiving mail server differentiate between emails that are actually sent by you and emails sent by a fraudster using your domain.
Exact Steps on How to Set Up SPF Records for Your G Suite
- The first step involves signing in to your domain account at your domain host (e.g. Namecheap, GoDaddy).
- Select the domain for which you want to set up the SPF records (the one you have bought G Suite on).
- Go to that domain’s DNS management page or Advanced DNS Management depending upon which domain host you’re using. This is the page where you will add your SPF record.
- Click on the Add New Record button.
- You will see a drop-down list; select TXT.
- The next field requires you to enter the TXT value. Put v=spf1 include:_spf.google.com ~all in the value field. You can find this SPF value here on the G Suite Resource Blog. To understand what this string of characters means, keep reading further.
- Leave the Time to Live (TTL) as Automatic.
- Click on Save and you are done!
You have now successfully set up your SPF record for G Suite on your domain.
An important point to note here is that a domain can have only one SPF record. However, you can list as many mail servers as you want as authorized mail servers by clubbing them into one SPF record.
Let’s break down the syntax of the SPF record and understand the picture with more clarity.
This is what a typical SPF TXT record looks like:
Structure: "v=spf1 mx a:<additional mail servers> include:<3rd party domain> ip4:<IP address/range> ~all"
- v=spf1 is the SPF version that you are using.
- mx authorizes the mail servers (mail exchangers) of the domain as senders.
- a: allows you to list an additional mail server as an authorized sender.
- include: allows you to authorize an external domain's mail servers as authorized senders.
- ip4: allows you to list an IP address or range as an authorized sender.
- -all: this is called hard fail. Only the servers listed in the record are authorized; all others are unauthorized.
- ~all: this is called soft fail. Only the servers listed in the record are authorized; the receiving email server may accept email from other servers, but it is likely to be sent to the spam folder.
- +all: this means any host can send email for the domain, which removes the protection SPF is meant to provide.
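The rules above (one SPF record per domain, space-separated terms, and the meaning of the final all term) can be checked before a record is published. The following linter is an added example, not code from G Suite or from the original article; `lint_spf` and the sample record sets are constructed for illustration, and the limit of 10 DNS-lookup terms comes from RFC 7208 rather than from this page.

```python
import re

# Mechanisms defined for SPF in RFC 7208; LOOKUP_TERMS each cost a DNS query.
MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists"}

def lint_spf(txt_records):
    """Return a list of findings for the TXT records published at one domain."""
    spf = [r.split() for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no SPF record published"]
    if len(spf) > 1:
        return ["%d SPF records found: merge them into one" % len(spf)]
    findings, all_qualifier, lookups, has_redirect = [], None, 0, False
    for term in spf[0][1:]:
        if re.match(r"[A-Za-z][\w.-]*=", term):        # modifier, e.g. redirect=
            if term.lower().startswith("redirect="):
                has_redirect, lookups = True, lookups + 1
            continue
        m = re.fullmatch(r"([+\-~?]?)([A-Za-z0-9]+)([:/].*)?", term)
        if not m or m.group(2).lower() not in MECHANISMS:
            findings.append("unknown term: " + term)
            continue
        qualifier, name, arg = m.group(1) or "+", m.group(2).lower(), m.group(3) or ""
        # '-' is legal in hostnames, so only treat it as a glued qualifier after an IP.
        glued = r"[+\-~?]all$" if name in ("ip4", "ip6") else r"[+~?]all$"
        if re.search(glued, arg, re.I):
            findings.append("missing space before 'all' in: " + term)
        lookups += name in LOOKUP_TERMS                # True counts as 1
        if name == "all":
            all_qualifier = qualifier
    if all_qualifier is None and not has_redirect:
        findings.append("no 'all' term: unlisted senders get a neutral result")
    if all_qualifier == "+":
        findings.append("+all authorizes any host to send for the domain")
    if lookups > 10:                                   # top-level terms only
        findings.append("%d DNS-lookup terms, the limit is 10" % lookups)
    return findings

# Constructed sample TXT record sets (documentation addresses, not real data).
SAMPLES = {
    "page value": ["v=spf1 include:_spf.google.com ~all"],
    "two records": ["v=spf1 include:_spf.google.com ~all", "v=spf1 mx -all"],
    "glued all": ["v=spf1 mx ip4:192.0.2.0/24~all"],
    "any host": ["site-verification=constructed", "v=spf1 mx +all"],
}
if __name__ == "__main__":
    for label, records in SAMPLES.items():
        print(label, "->", lint_spf(records) or "ok")
```

The lookup count covers only the terms in the record itself; lookups made inside an included domain's record also count toward the limit and need a live DNS check.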
This was all about setting up the SPF record. The process is quite smooth and simple. Now, let’s have a look at the steps to configure DKIM.
Setting up DKIM
DKIM or DomainKeys Identified Mail is another security protocol that enhances the authenticity of your emails.
It works by encrypting and decrypting the digital signature put in the header of your mails. DKIM uses a private key and public key to encrypt and decrypt the digital signature.
When you send an email, the sending mail server generates a digital signature using the private key. When the email reaches the recipient, the receiving mail server decrypts the digital signature using the public key found in the DNS records. If it succeeds, the public key and the private key are a match.
The receiving mail server then computes a hash of the email content of the received message and compares this newly created hash with the hash obtained by decrypting the signature.
If they both match, it means that the email has been unaltered and the message is authenticated. If they don’t match, DKIM fails.
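The sign, recover and compare flow described above can be run end to end. This is an added example, not code from G Suite or the original article: it uses textbook RSA on a constructed key with no padding, a simplified message layout, and hypothetical names (`sign`, `verify`, `SIGNED_HEADERS`), whereas real DKIM adds padding and canonicalization. It goes slightly beyond the text by also covering selected headers, which is how DKIM protects the From address.

```python
import hashlib

# Constructed teaching key from two known Mersenne primes. Real DKIM keys are
# random 1024/2048-bit RSA keys and signatures use PKCS#1 v1.5 padding.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q                              # public: published in the DNS TXT record
D = pow(E, -1, (P - 1) * (Q - 1))      # private: never leaves the sending server

SIGNED_HEADERS = ("from", "subject")   # assumption: headers covered by the signature

def message_hash(headers, body):
    """Hash the signed headers plus a hash of the body (simplified layout)."""
    body_hash = hashlib.sha256(body.encode()).hexdigest()
    covered = "".join("%s:%s\r\n" % (h, headers[h]) for h in SIGNED_HEADERS)
    return int.from_bytes(hashlib.sha256((covered + body_hash).encode()).digest(), "big")

def sign(headers, body):
    """Sending server: transform the message hash with the private key."""
    return pow(message_hash(headers, body), D, N)

def verify(headers, body, signature):
    """Receiving server: recover the hash with the public key from DNS and
    compare it with a hash computed over the message that actually arrived."""
    return pow(signature, E, N) == message_hash(headers, body)

# Constructed sample message.
HEADERS = {"from": "alice@example.com", "subject": "Invoice", "received": "hop1"}
BODY = "Please find the invoice attached.\r\n"
SIGNATURE = sign(HEADERS, BODY)

def demo():
    """Check the same signature against the original and three altered copies."""
    relayed = {**HEADERS, "received": "hop2"}            # unsigned header changed
    spoofed = {**HEADERS, "from": "mallory@example.net"} # signed header changed
    return {
        "unaltered": verify(HEADERS, BODY, SIGNATURE),
        "unsigned header changed": verify(relayed, BODY, SIGNATURE),
        "body changed": verify(HEADERS, BODY + "PS: new bank details", SIGNATURE),
        "from changed": verify(spoofed, BODY, SIGNATURE),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(case, "->", "DKIM pass" if ok else "DKIM fail")
```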
All this happens behind the scenes, and you need not worry about the procedure. The only thing you have to take care of is setting up the DKIM record so that your mails do not end up in the recipient's spam folder and reach the inbox without a hitch.
Let’s look at the steps of setting up DKIM on G Suite.
- Log in to your G Suite mailbox.
- Go to settings and click on Manage this domain. This is your G Suite Admin Console.
- In the search box, type DKIM.
- You will see Authenticate Email, click here.
- Scroll down to the bottom and you’ll see ‘Authenticate Email’, click on that.
- Select your domain from the dropdown list.
- Click on Generate New Record.
- In the Select DKIM key bit length box, choose the 2048-bit key, because the longer the key, the more secure it is. If your domain host doesn’t support this, go for the 1024-bit key.
- Leave the Prefix selector box with the default value.
- Click generate. This will generate the DNS hostname and the TXT record value.
- Copy these values to your domain’s DNS Management page, in the boxes denoted by host and TXT. Please refer to steps 6 and 7 of setting up SPF records.
- Click on Save.
- After 2-3 hours, go back to the G Suite Admin Console where you generated this new record and click on Start Authentication. Once done, the status will change to Authenticating Email and DKIM is now configured.
The steps to set up both SPF and DKIM were quite painless. Follow these steps and you are good to go.
You can read about what SPF and DKIM are and how they work in our blog on Email Authentication. If you have any doubts, mention them in the comments and we will be there to help.