← All controls

4 Email authentication (SPF/DKIM/DMARC)

SPF, DKIM and DMARC let a receiving server verify that mail claiming to come from your domain actually did, which is what stops an attacker spoofing your domain to your own staff and to your partners. Only DKIM is an Admin Console setting: the key is generated there and published as a TXT record, while SPF and DMARC exist only in DNS — so the real dependency of this control is custody of the DNS zone (see the air-gapped recovery kit, №55). None of the three needs a recurring console workflow — though SPF must be edited whenever a sending service is added and DMARC is deliberately ratcheted from p=none to p=reject (see the steps); MTA-STS, which carries a genuinely ongoing maintenance burden, is 28 MTA-STS + TLS reporting.

Caveats

Setup steps

  1. open ↗ Apps › Google Workspace › Gmail › Authenticate email
    Selector prefix
    google
    Key length
    2048-bit

    Set up DKIM ↗

  2. open ↗ Apps › Google Workspace › Gmail › Authenticate email

    google._domainkey TXT = <value from console>; then click Start authentication

    Set up DKIM ↗

  3. TXT @ = v=spf1 include:_spf.google.com ~all

    Set up SPF ↗

  4. TXT _dmarc = v=DMARC1; p=none; rua=mailto:dmarc@<domain>; adkim=s; aspf=s

    Set up DMARC ↗

Ongoing maintenance

How to verify

  1. Check all three records from any machine — no tenant access needed, and it tests what receivers actually see.

    dig +short TXT <domain> | grep spf1; dig +short TXT google._domainkey.<domain>; dig +short TXT _dmarc.<domain>

  2. SPF must end in ~all or -all, the DKIM key must be 2048-bit, and DMARC must carry p=quarantine or p=reject with a rua= address that is monitored.

v0.1.1Preventedition All (DNS-side) policy #6 · #27 ↗