Spam and Spoofing vs DNS (SPF-DKIM-DMARC)

• Note:
  – Below given description is based on the Google Apps customers.
  – Wrong settings may affect your email flow.
  – Refer all links and available documents before taking further action.

=====================================================

Fight against SPAM and Spoofing with just 3 stage DNS changes described as below.

Stage 1: Define proper SPF record

Sender Policy Framework (SPF) is an attempt to control forged e-mail. SPF is not directly about stopping spam – junk email. It is about giving domain owners a way to say which mail sources are legitimate for their domain and which ones aren’t.

• For Google Apps user its just simple TXT record can be updated in the DOMAIN DNS.
  – Record type: TXT
  – Host: @ or Empty
  – Value: v=spf1 include:_spf.google.com ~all

If the same domain is used with other email servers like website query forms or bulk/mass mailing can be refer this help article: https://support.google.com/a/answer/4568483

Kindly visit this link to access FAQ: http://www.openspf.org/FAQ

Stage 2: Integrate DKIM to the your outgoing email.
You can help prevent spoofing by adding a digital signature to outgoing message headers using the DKIM standard.
Recipient servers can retrieve the Digital key to verify that the message really comes from your domain and hasn’t been changed along the way.

• For Google Apps customer can add one TXT records to the domain and after authentication process Google will start adding a digital signature to the each outgoing email from Google Apps.
  – Record type: TXT
  – Host: google._domainkey or google._domainkey.domainname.com
  – Value: v=DKIM1; k=rsa; p=MIGfMA0GCS++++++++++++++++++++++++/+++++++++++++++++++/+++++++++++++++/+/3NIQIDAQAB

To generate the key and configure for your Google Apps, kindly refer this help article: https://support.google.com/a/answer/174126?hl=en&ref_topic=2752442

Kindly visit this link to access FAQ: http://www.dkim.org/info/dkim-faq.html

Stage 3: Secure your domain from Spoofing with DMARC
DMARC is an email authentication protocol. It builds on the widely deployed SPF and DKIM protocols, adding a reporting function that allows senders and receivers to improve and monitor protection of the domain from fraudulent email.

• Once you complete above 2 stages you can deploy the DMARC to your domain to get best out of it.
• If you are “single domain” company and using a single server can simply update the DNS records to avoid getting Spoofed
  – Record type: TXT
  – Host: _dmarc or _dmarc.domainname.com
  – Value: v=DMARC1; p=reject; sp=reject

To configure DMARC for your domain you can refer this help article: https://support.google.com/a/answer/2466563?hl=en&ref_topic=2759254

Kindly visit this link to access FAQ: https://dmarc.org/wiki/FAQ

=====================================================

As Google Apps as the Google Group and SPF, DKIM and DMARC also affect the behavior of the email addressed to the Group Email address.

Kindly refer this help guide for better understanding.

• https://support.google.com/groups/answer/6066511?hl=en
• https://support.google.com/mail/answer/22370?hl=en

=====================================================

• Additionally, here are some useful link:
  – http://mxtoolbox.com/SuperTool.aspx?
  – https://www.whatsmydns.net
  – https://dmarcian.com/dmarc-inspector/fsround.org