The Google Workspace Email Security Checklist: SPF, DKIM, and DMARC

by Ian Macalinao on February 15, 2022

Setting DNS records improperly can cause unauthorized parties to masquerade as your email domain. In this post, I show all of the DNS records that must be added.

Overview

  • SPF
    • TXT @: v=spf1 include:_spf.google.com -all
    • TXT *: v=spf1 -all
  • DMARC
  • DKIM

Breakdown

SPF HARDFAIL for unauthenticated email being sent from your root domain

  • TXT @: v=spf1 include:_spf.google.com -all

This record ensures that all email being sent from your root domain comes from Google Workspace.

SPF HARDFAIL for all email being sent from your subdomains

  • TXT *: v=spf1 -all

If a subdomain does not exist, this rule ensures that all email being sent from the subdomain is flagged and/or rejected.

DMARC

This rule marks all unauthenticated email from your root domain as spam (quarantine) and instructs recipients of unauthenticated email to reject all email from your subdomains (reject).

DKIM

DKIM ensures that Google is cryptographically signing the contents of your emails. This ensures that your email contents aren't being tampered with.

Thanks for reading! Have any questions, comments, or suggestions? Feel free to use the comment section below or email me at [email protected] and I'll do my best to respond.

Alternatively, you can view the source of the post here and send a pull request.