# 4 Email authentication (SPF/DKIM/DMARC)

> v0.1.1 · role: Prevent · edition: All (DNS-side) · [policy: #6 · #27](https://docs.google.com/spreadsheets/d/1nOztaPd1Y7eNeRSR_hdovYy-ncpx-bAx/edit?usp=sharing&ouid=115159875779023172526&rtpof=true&sd=true)

SPF, DKIM and DMARC let a receiving server verify that mail claiming to come from your domain actually did, which is what stops an attacker spoofing your domain to your own staff and to your partners. Only DKIM is an Admin Console setting: the key is generated there and published as a TXT record, while SPF and DMARC exist only in DNS — so the real dependency of this control is custody of the DNS zone (see the air-gapped recovery kit, [№55](air-gapped-recovery.md)). None of the three needs a recurring console workflow — though SPF must be edited whenever a sending service is added and DMARC is deliberately ratcheted from p=none to p=reject (see the steps); MTA-STS, which carries a genuinely ongoing maintenance burden, is [28 MTA-STS + TLS reporting](mta-sts.md).

Documentation: [About authentication methods](https://knowledge.workspace.google.com/admin/security/about-authentication-methods)

## Caveats

- DMARC at p=none authenticates nothing — it only reports, and the control is not complete until p=quarantine or p=reject.
- Every third-party sender (CRM, mailer, ticketing) must be in SPF/DKIM before you enforce — otherwise enforcement drops legitimate mail.
- Starting DKIM authentication before the TXT record has propagated fails with 'DNS record not found' — re-check propagation rather than regenerating the key.

## Setup steps

1. Select the sending domain and generate the DKIM key. — `Apps › Google Workspace › Gmail › Authenticate email`

   - **Selector prefix** = google
   - **Key length** = 2048-bit

   docs: [Set up DKIM](https://knowledge.workspace.google.com/admin/security/set-up-dkim)

2. Publish the printed TXT record at your DNS provider, wait for propagation, then return and start authentication. — `Apps › Google Workspace › Gmail › Authenticate email`

   google._domainkey TXT = <value from console>; then click Start authentication

   docs: [Set up DKIM](https://knowledge.workspace.google.com/admin/security/set-up-dkim)

3. DNS step (outside the Admin Console): publish SPF for Google's senders.

   ```
   TXT @ = v=spf1 include:_spf.google.com ~all
   ```

   docs: [Set up SPF](https://knowledge.workspace.google.com/admin/security/set-up-spf)

4. DNS step: publish DMARC, starting at p=none with rua reporting, then ratchet to quarantine and reject once reports are clean.

   ```
   TXT _dmarc = v=DMARC1; p=none; rua=mailto:dmarc@<domain>; adkim=s; aspf=s
   ```

   docs: [Set up DMARC](https://knowledge.workspace.google.com/admin/security/set-up-dmarc)

## Ongoing maintenance

- **[automatable: AI agent]** Monthly: review DMARC aggregate (rua) reports for unexpected senders before tightening or after adding a SaaS mailer.
- **[requires a human]** When adding any sending service: update SPF without exceeding the 10-lookup limit.

## How to verify

1. Check all three records from any machine — no tenant access needed, and it tests what receivers actually see.

   dig +short TXT <domain> | grep spf1; dig +short TXT google._domainkey.<domain>; dig +short TXT _dmarc.<domain>

2. SPF must end in ~all or -all, the DKIM key must be 2048-bit, and DMARC must carry p=quarantine or p=reject with a rua= address that is monitored.

## Settings screens

- Apps > Google Workspace > Gmail > Authenticate email (DKIM)
  - console: https://admin.google.com/ac/apps/gmail/authenticateemail
  - screenshot: ../screenshots/admin.google.com/ac/apps/gmail/authenticateemail.png
- Apps > Google Workspace > Gmail (settings landing — fallback if the DKIM deep link moves)
  - console: https://admin.google.com/ac/managedsettings/740348119625
  - screenshot: ../screenshots/admin.google.com/ac/managedsettings/740348119625.png
