Set up email authentication

The links below go to Google’s help site.
These pages are not managed by me, but provided here as quick links to find what you need!

DMARC Policy

DMARC stands for “Domain-based Message Authentication, Reporting, and Conformance.” It is an email authentication protocol that helps protect email senders and recipients from phishing and email fraud. DMARC builds on the existing email authentication technologies, namely SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail).

Here’s a brief overview of the components of DMARC:

Authentication Protocols

SPF (Sender Policy Framework)

Lists, in a DNS TXT record, the IP addresses and hosts allowed to send mail using the domain as the envelope sender (the SMTP MAIL FROM address), so receivers can check the connecting server against that list.

DKIM (DomainKeys Identified Mail)

Uses digital signatures to verify that the content of an email has not been altered in transit and that it genuinely comes from the stated sender.

DMARC Policy

DMARC allows the domain owner to publish a policy on how receivers should handle mail that fails DMARC, that is, mail using the domain in its From header for which neither SPF nor DKIM produced a pass that aligns with that domain.

The policy can be set to “none” (monitor only, deliver as usual), “quarantine” (treat as suspicious, typically delivered to spam), or “reject” (refuse delivery). Start with p=none and read the reports before moving to quarantine and then reject, so legitimate senders you had forgotten about are not blocked.

Reporting Mechanism

DMARC provides detailed reports to the domain owner about email authentication results.

These reports include information on which emails passed or failed authentication and may include data on sources attempting to send emails on behalf of the domain.

A DMARC policy helps prevent email spoofing and phishing by telling receivers what to do with mail that carries the domain in its From header without an aligned SPF or DKIM pass. Its reports give the domain owner visibility into who is sending as the domain and whether that mail authenticates.
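The evaluation described above, worked through in Go as an added example (not code from the page or from Google's or MxToolbox's tools): parse a _dmarc TXT record, then decide the disposition from the SPF and DKIM results and their alignment with the From domain. The record, domains and scenarios are constructed for the example, and the organizational-domain shortcut (last two labels) is an assumption; real receivers use the Public Suffix List.

```go
package main

import (
	"fmt"
	"strings"
)

// AuthResult is what the receiver learned from one check: whether it passed
// and which domain it authenticated (the MAIL FROM domain for SPF, the d=
// tag for DKIM). Neither check looks at the visible From header on its own.
type AuthResult struct {
	Pass   bool
	Domain string
}

// Policy holds the tags of a _dmarc TXT record that matter for disposition.
type Policy struct {
	Version string
	P       string // none | quarantine | reject
	ADKIM   string // r = relaxed (default), s = strict alignment for DKIM
	ASPF    string // same for SPF
	RUA     string // where aggregate reports go
}

// ParseDMARC parses the "tag=value; tag=value" list published at _dmarc.<domain>.
func ParseDMARC(txt string) (Policy, error) {
	p := Policy{ADKIM: "r", ASPF: "r"}
	for _, part := range strings.Split(txt, ";") {
		k, v, ok := strings.Cut(strings.TrimSpace(part), "=")
		if !ok {
			continue
		}
		k, v = strings.ToLower(strings.TrimSpace(k)), strings.TrimSpace(v)
		switch k {
		case "v":
			p.Version = v
		case "p":
			p.P = strings.ToLower(v)
		case "adkim":
			p.ADKIM = strings.ToLower(v)
		case "aspf":
			p.ASPF = strings.ToLower(v)
		case "rua":
			p.RUA = v
		}
	}
	if p.Version != "DMARC1" {
		return p, fmt.Errorf("record must start with v=DMARC1")
	}
	switch p.P {
	case "none", "quarantine", "reject":
		return p, nil
	}
	return p, fmt.Errorf("p= must be none, quarantine or reject, got %q", p.P)
}

// orgDomain approximates the organizational domain as the last two labels.
// This is an assumption of the example (wrong for suffixes such as co.uk);
// receivers use the Public Suffix List.
func orgDomain(d string) string {
	labels := strings.Split(strings.ToLower(d), ".")
	if len(labels) > 2 {
		labels = labels[len(labels)-2:]
	}
	return strings.Join(labels, ".")
}

// aligned reports whether an authenticated domain aligns with the From domain.
func aligned(authDomain, fromDomain, mode string) bool {
	if mode == "s" {
		return strings.EqualFold(authDomain, fromDomain)
	}
	return orgDomain(authDomain) == orgDomain(fromDomain)
}

// Evaluate returns whether DMARC passes for a message whose From header
// domain is fromDomain, and the disposition the policy asks for. DMARC passes
// when at least one of SPF or DKIM passed AND its domain aligns with fromDomain.
func Evaluate(p Policy, fromDomain string, spf, dkim AuthResult) (bool, string) {
	spfOK := spf.Pass && aligned(spf.Domain, fromDomain, p.ASPF)
	dkimOK := dkim.Pass && aligned(dkim.Domain, fromDomain, p.ADKIM)
	if spfOK || dkimOK {
		return true, "none" // deliver normally
	}
	return false, p.P
}

func main() {
	p, err := ParseDMARC("v=DMARC1; p=reject; adkim=s; rua=mailto:dmarc-reports@example.com")
	if err != nil {
		panic(err)
	}
	// Legitimate mail: SPF passed for the bounce subdomain (relaxed aspf
	// accepts it) and DKIM was signed with d=example.com.
	fmt.Println(Evaluate(p, "example.com", AuthResult{true, "bounce.example.com"}, AuthResult{true, "example.com"}))
	// Spoof: the attacker's server passes SPF for its own domain, but that
	// identity does not align with the From domain and there is no DKIM.
	fmt.Println(Evaluate(p, "example.com", AuthResult{true, "attacker.example"}, AuthResult{false, ""}))
	// Strict adkim: a signature with d=mail.example.com no longer aligns.
	fmt.Println(Evaluate(p, "example.com", AuthResult{false, ""}, AuthResult{true, "mail.example.com"}))
}
```

The second scenario is the one that matters in practice: an SPF pass by itself proves nothing about the From header, because the attacker controls the envelope sender. Only the alignment step ties the authenticated domain to what the recipient sees.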

DMARC Policy Setup

How do I set up a DMARC policy?

Generate

If you don’t have one yet, the MxToolbox checker in the first step will generate one for you when you click “Check DMARC Record”.

Add TXT Record

Once you have finished creating your record, go to your DNS hosting provider and create a new TXT record named _dmarc (so it resolves at _dmarc.yourdomain.com) with the output from MxToolbox.

DKIM Record

DKIM stands for “DomainKeys Identified Mail.” It is an email authentication method that allows the sender to digitally sign an email message, providing a way for the recipient to verify that the message was indeed sent by the claimed sender and that its content has not been altered during transit.

Here’s how DKIM works:

Key Generation

The sender generates a pair of cryptographic keys – a private key and a public key.

The private key is kept secure on the sender’s mail server, while the public key is published in the DNS (Domain Name System) records associated with the sender’s domain.

Message Signing

When the sender sends an email, the email server signs the email with the private key, creating a unique digital signature.

The digital signature is added to the message in a DKIM-Signature header, together with the signing domain (d=), the selector (s=) and the list of headers that were signed (h=), which the recipient needs to find the key and repeat the computation.

DNS Record

The public key that matches the signing key is made available to recipients by publishing a DKIM TXT record in the sender’s domain.

The record lives at <selector>._domainkey.<domain> and contains the public key (p=). The selector is in the record’s name, not its contents: the s= tag in the signature tells the recipient which record to fetch, so a domain can publish several keys and rotate them without breaking mail in transit.

Recipient Verification

When the recipient’s email server receives the email, it retrieves the DKIM signature from the header.

The recipient’s server then uses the public key retrieved from the DKIM DNS record to verify the signature.

If the signature is valid, it indicates that the email was signed by the private key corresponding to the public key in the DNS record and that the email content has not been tampered with.

DKIM verifies that a message was signed by the holder of the domain’s private key and that the signed headers and body arrived unchanged. On its own it does not check the visible From address: the signing domain (d=) can be any domain whose key the signer holds. Tying that signing domain to the From header is DMARC’s job (alignment), which is why DKIM works alongside SPF (Sender Policy Framework) as one of the two inputs to DMARC (Domain-based Message Authentication, Reporting, and Conformance) in preventing email spoofing and phishing attacks.
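The signing and verification steps above, carried through in Go as an added example (not code from the page or from any mail provider): generate a key pair, publish the public half as a <selector>._domainkey TXT record, sign the headers and body hash, then verify and detect tampering. The message, selector and domain are constructed for the example; the DNS lookup is simulated with a map, the canonicalization is a reduced form of DKIM’s “relaxed” mode, and ed25519 is used so the example needs only the standard library (real deployments mostly publish RSA keys).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// Message is an email as ordered header name/value pairs plus a body.
type Message struct {
	Headers [][2]string
	Body    string
}

// dns stands in for the TXT records a verifier fetches at
// <selector>._domainkey.<domain>; it is constructed for this example.
var dns = map[string]string{}

// PublishKey stores the public key as a DKIM TXT record and returns its name.
func PublishKey(selector, domain string, pub ed25519.PublicKey) string {
	name := selector + "._domainkey." + domain
	dns[name] = "v=DKIM1; k=ed25519; p=" + base64.StdEncoding.EncodeToString(pub)
	return name
}

// tag returns one value from a "k=v; k=v" list (DKIM record or header).
func tag(list, key string) string {
	for _, part := range strings.Split(list, ";") {
		if k, v, ok := strings.Cut(strings.TrimSpace(part), "="); ok && k == key {
			return strings.TrimSpace(v)
		}
	}
	return ""
}

// relaxed is "relaxed" header canonicalization in miniature: lowercase the
// name and collapse whitespace in the value. bodyHash produces the bh= value.
func relaxed(name, value string) string {
	return strings.ToLower(name) + ":" + strings.Join(strings.Fields(value), " ")
}

func bodyHash(body string) string {
	sum := sha256.Sum256([]byte(body))
	return base64.StdEncoding.EncodeToString(sum[:])
}

// signedData is what the signature covers: the headers listed in h= (first
// occurrence of each) and the DKIM-Signature header itself with b= empty.
func signedData(m Message, sigHeader string) []byte {
	var b strings.Builder
	for _, name := range strings.Split(tag(sigHeader, "h"), ":") {
		for _, h := range m.Headers {
			if strings.EqualFold(h[0], name) {
				b.WriteString(relaxed(h[0], h[1]) + "\r\n")
				break
			}
		}
	}
	cut := strings.Index(sigHeader, "; b=") + len("; b=")
	b.WriteString(relaxed("DKIM-Signature", sigHeader[:cut]))
	return []byte(b.String())
}

// Sign returns the DKIM-Signature header value, covering every header present.
func Sign(m Message, domain, selector string, priv ed25519.PrivateKey) string {
	var names []string
	for _, h := range m.Headers {
		names = append(names, strings.ToLower(h[0]))
	}
	hdr := fmt.Sprintf("v=1; a=ed25519-sha256; c=relaxed/simple; d=%s; s=%s; h=%s; bh=%s; b=",
		domain, selector, strings.Join(names, ":"), bodyHash(m.Body))
	return hdr + base64.StdEncoding.EncodeToString(ed25519.Sign(priv, signedData(m, hdr)))
}

// Verify fetches the key named by s= and d=, checks the body hash, then the
// signature over the canonicalized headers. A missing record fails closed.
func Verify(m Message, sigHeader string) (bool, string) {
	name := tag(sigHeader, "s") + "._domainkey." + tag(sigHeader, "d")
	pub, err := base64.StdEncoding.DecodeString(tag(dns[name], "p"))
	if err != nil || len(pub) != ed25519.PublicKeySize {
		return false, "no usable key at " + name
	}
	if tag(sigHeader, "bh") != bodyHash(m.Body) {
		return false, "body hash mismatch: body altered in transit"
	}
	sig, err := base64.StdEncoding.DecodeString(tag(sigHeader, "b"))
	if err != nil || !ed25519.Verify(ed25519.PublicKey(pub), signedData(m, sigHeader), sig) {
		return false, "bad signature: signed headers altered or wrong key"
	}
	return true, "pass, d=" + tag(sigHeader, "d")
}

// Demo signs a constructed message and shows that the original verifies while
// a changed body and a changed Subject do not.
func Demo() (orig, alteredBody, alteredSubject bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // private key stays with the signer
	PublishKey("s1", "example.com", pub)
	m := Message{Headers: [][2]string{{"From", "alice@example.com"}, {"Subject", "Invoice 42"}}, Body: "Please pay $100.\r\n"}
	sig := Sign(m, "example.com", "s1", priv)
	orig, _ = Verify(m, sig)
	m2 := m
	m2.Body = "Please pay $9000.\r\n"
	alteredBody, _ = Verify(m2, sig)
	m3 := Message{Headers: [][2]string{m.Headers[0], {"Subject", "URGENT: Invoice 42"}}, Body: m.Body}
	alteredSubject, _ = Verify(m3, sig)
	return
}

func main() { fmt.Println(Demo()) }
```

Note what Verify does not do: it never looks at the From header. If the signer holds the key for attacker.example it can produce a valid signature with d=attacker.example on a message whose From says example.com; catching that is DMARC alignment, not DKIM.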

DKIM Record Setup

Check

Enter the DNS name of your selector, where the first label is the selector your mail provider signs with (Google Workspace’s default selector is google; replace email below if yours differs):
email._domainkey.yourdomainhere.com

Generate

If the check finds no record, generate the DKIM key pair in your mail provider’s admin console (Google Workspace generates it for you and shows the TXT record to publish). A lookup tool cannot create this for you: the private key has to live with whatever signs your outgoing mail, and the tool can only verify the public half once it is in DNS.

Add TXT Record

Once you have the public key, go to your DNS hosting provider and create a new TXT record at the selector name (for example email._domainkey, matching the name you checked) with the key value your provider gave you, then rerun the check.

SPF Record

An SPF (Sender Policy Framework) record is a DNS (Domain Name System) record that helps prevent email spoofing and phishing. It specifies which mail servers are authorized to send emails on behalf of a particular domain. SPF records are used to authenticate emails and verify that they originate from legitimate sources.

Here’s how SPF works:

Record in DNS

The domain owner publishes an SPF record in the DNS settings for their domain.

Authorized Mail Servers

The SPF record contains a list of authorized mail servers (IP addresses or hostnames) that are allowed to send emails on behalf of the domain.

Email Authentication

When an email is received, the recipient’s mail server looks up the SPF record of the domain in the envelope sender (the SMTP MAIL FROM / Return-Path address), which is not necessarily the domain shown in the From header.

If the connecting server’s IP address matches one of the mechanisms in that record, SPF passes for that envelope domain.

Preventing Spoofing

SPF helps prevent email spoofing by ensuring that only authorized servers send emails using the domain’s identity.

If an email is sent from an unauthorized server, the recipient’s mail server may mark it as suspicious or reject it, depending on the record’s final all mechanism: -all asks for a hard fail, ~all for a soft fail (treated as suspicious), and ?all is neutral and gives receivers nothing to act on.

SPF records play a crucial role in email authentication and contribute to the overall security of email communication. They are part of a broader set of email authentication mechanisms, including DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting, and Conformance), which work together to enhance the trustworthiness of email messages.
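The check described above, worked through in Go as an added example (not code from the page or from any SPF library): parse a v=spf1 record, walk its ip4/ip6/include/all terms for a connecting IP, follow includes through a simulated DNS map, and enforce the 10-lookup limit that receivers apply. The records, domain names and addresses are constructed for the example from documentation ranges; the a, mx, exists and redirect= terms are deliberately left out.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// spfDNS stands in for the TXT records a receiver would fetch. The names and
// addresses are constructed for this example from documentation ranges.
var spfDNS = map[string]string{
	"example.com":            "v=spf1 ip4:192.0.2.0/24 include:_spf.mailrelay.example -all",
	"_spf.mailrelay.example": "v=spf1 ip6:2001:db8:1::/48 ip4:198.51.100.10 ~all",
	"loop.example":           "v=spf1 include:loop.example -all",
}

// maxLookups is the RFC 7208 limit on DNS-querying mechanisms per check;
// exceeding it is a permanent error, which receivers treat as no SPF pass.
const maxLookups = 10

// resultFor maps a mechanism's qualifier to the result when it matches.
func resultFor(q byte) string {
	switch q {
	case '-':
		return "fail"
	case '~':
		return "softfail"
	case '?':
		return "neutral"
	}
	return "pass"
}

type evaluator struct{ lookups int }

// check is check_host() for the ip4, ip6, include and all terms. The a, mx,
// exists and redirect= terms are left out of this example and yield permerror.
func (e *evaluator) check(ip net.IP, domain string) string {
	rec, ok := spfDNS[strings.ToLower(domain)]
	if !ok || !strings.HasPrefix(rec, "v=spf1") {
		return "none"
	}
	for _, term := range strings.Fields(rec)[1:] {
		q := byte('+')
		if strings.IndexByte("+-~?", term[0]) >= 0 {
			q, term = term[0], term[1:]
		}
		name, arg, _ := strings.Cut(strings.ToLower(term), ":")
		switch name {
		case "all":
			return resultFor(q)
		case "ip4", "ip6":
			if !strings.Contains(arg, "/") { // bare address means exact match
				arg += map[string]string{"ip4": "/32", "ip6": "/128"}[name]
			}
			_, cidr, err := net.ParseCIDR(arg)
			if err != nil {
				return "permerror"
			}
			if cidr.Contains(ip) {
				return resultFor(q)
			}
		case "include":
			e.lookups++
			if e.lookups > maxLookups {
				return "permerror"
			}
			switch e.check(ip, arg) {
			case "pass":
				return resultFor(q)
			case "none", "permerror": // included domain has no usable record
				return "permerror"
			}
			// fail, softfail or neutral inside an include is simply "no match"
		default:
			return "permerror"
		}
	}
	return "neutral" // record ended without an "all" term
}

// CheckHost returns the SPF result for a connection from ipStr that claims
// domain as its envelope sender.
func CheckHost(ipStr, domain string) string {
	ip := net.ParseIP(ipStr)
	if ip == nil {
		return "permerror"
	}
	return (&evaluator{}).check(ip, domain)
}

func main() {
	for _, c := range [][2]string{
		{"192.0.2.7", "example.com"},     // listed directly: pass
		{"198.51.100.10", "example.com"}, // reached through the include: pass
		{"203.0.113.5", "example.com"},   // matches nothing, -all: fail
		{"203.0.113.5", "loop.example"},  // include cycle blows the lookup limit: permerror
	} {
		fmt.Printf("%-14s %-24s %s\n", c[0], c[1], CheckHost(c[0], c[1]))
	}
}
```

Two behaviours worth noticing: an include only ever contributes a match (the ~all inside _spf.mailrelay.example does not soften the outer -all), and every include costs one of the ten lookups, which is how a record that pulls in several third-party senders ends up as permerror.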

SPF Record Setup

Generate

  1. Gather the IP addresses, and the third-party services, that send mail for your domain
  2. Make a list of your sending domains
  3. Create an SPF record that ends in ~all or -all, keeping the includes within the 10-DNS-lookup limit that receivers enforce

Add TXT Record

Once you have finished creating your record, go to your DNS hosting provider and create a new TXT record. Then, go back to the first step and check that it’s all set!

Disclaimer

This page is for informational purposes only and is meant to be a starting point of reference. I have compiled the information on this page from other sources and linked to third-party tools that I do not control. Make sure to contact your IT person or domain provider for assistance!