How to Setup SPF, DKIM, and DMARC with Domain.com & Google Workspace

Mike from Iceberg
Jan 26, 2024

What are SPF, DKIM, and DMARC?

This guide is designed for those who want to ensure their email communications are safe and trustworthy. We'll be diving into three key security measures:

  • SPF (Sender Policy Framework)
  • DKIM (DomainKeys Identified Mail)
  • DMARC (Domain-based Message Authentication, Reporting, and Conformance)

Each of these serves a unique role in safeguarding your emails, like different pieces of a puzzle working together to secure your email identity. Think of them as your email’s personal security team, each member specializing in a different aspect of protection. We'll explain these in simple terms and guide you step-by-step on how to set them up.

How to setup SPF with Domain.com and Google Workspace

SPF stands for Sender Policy Framework. It's a security measure for email that helps to verify if an email sent from a domain (like yourcompany.com) is legitimate. Think of it as a list of approved email senders for your digital mail. When an email is sent, SPF checks if it's from a mail server that's allowed to send emails for that domain. It's like a bouncer checking if an email sender is on the guest list. This helps prevent spammers from pretending to be you (like forging your return address on an envelope), which can protect your reputation and prevent your emails from being mistakenly marked as spam. Without SPF, there's a higher risk that spammers can send emails pretending to be from your domain, which can lead to phishing attacks (where scammers trick people into giving away personal information) or damage to your domain's reputation.

SPF Setup Instructions for Domain.com

  1. Log in to your Domains Dashboard (https://www.domain.com/controlpanel/foundation)
  2. On the dashboard, select the domain where you're updating the SPF record. There are two views in the Domains dashboard - the Card and List views. Click on the view icons to switch to your preferred view
  3. Choose the domain you wish to modify. In the Card view, click the domain’s Manage button. In List view, click the domain or its gear icon on the right-hand side
  4. Click on DNS & Nameservers in the left-hand menu
  5. On the DNS & Nameservers page, select the DNS Records tab
  6. Add a new TXT Record by clicking the blue + button. Or, scroll to the bottom for TXT records and click on the 3 dots to “edit” an existing record
  7. Here you can either edit an existing record, or select Add More Records to create a new one. We want to create a TXT record
  8. Name: The hostname or prefix of the record, without the domain name. Enter @ to put the record on your root domain, or enter a prefix, such as mail.
  9. Value: The SPF rule to indicate emails are only allowed from your mail server. Enter the following SPF record: v=spf1 include:_spf.google.com -all
     This record specifies that only servers listed by the include:_spf.google.com mechanism are authorized to send email on behalf of your domain, and all other servers will be considered unauthorized.
  10. Set the TTL (Time to Live) to an appropriate value, such as 1 hour (3600 seconds). TTL determines how long the record is cached by DNS servers.
  11. Select Save to add your new record. If you added multiple records at the same time, select Save All Records.
  12. That's it! Mission accomplished 🚀 Most DNS updates take effect within an hour but could take up to 48 hours to update globally.

Screenshot (Step 3): In the Card view, click on the domain's Manage button
Screenshot (Step 5): Click on DNS & Nameservers in the left-hand menu
Screenshot (Step 6): On the DNS & Nameservers page, select the DNS Records tab, then add a new TXT Record by clicking the blue + button
Screenshot (Step 7): This is where you enter your SPF records, then press Update DNS to commit the changes

How to setup DKIM with Domain.com and Google Workspace

DKIM, which stands for DomainKeys Identified Mail, is like a digital signature for your emails. Imagine sending a sealed letter with a unique stamp that proves it's really from you. When you send an email, DKIM adds a hidden digital signature to it. This signature is created based on a private key that only you have. The receiving mail server then checks this signature against a public key that's listed in your DNS records. It's like verifying the stamp on your letter matches the one you've shown to the world as yours. This process helps to ensure that the email hasn't been tampered with and really comes from your domain. It's important for security because it helps prevent someone from altering your emails or sending fake emails that look like they're from you. Without DKIM, your emails could be more easily spoofed, leading to increased phishing risks and potential harm to your domain's trustworthiness.

DKIM Setup Instructions for Google Workspace

  1. Sign into the Google Workspace console (https://admin.google.com/) using your administrator credentials
  2. On the console, navigate to Apps > Google Workspace > Gmail > Authenticate Email
  3. Select the domain for which you want to set up DKIM and click on “Generate new record”. You can choose the key length (1024 or 2048 bits; 2048 is recommended for better security)
  4. Copy the generated TXT record. It will resemble the following:
     a. DNS Host Name (TXT record name): google._domainkey
     b. TXT Record Value: v=DKIM1; k=rsa; p=MKLL21086C0w0vn0...
  5. Keep this table open because we need to copy and paste those values into Domain.com
  6. Log in to your Domains Dashboard (https://www.domain.com/controlpanel/foundation)
  7. On the dashboard, select the domain where you're updating the DKIM record. There are two views in the Domains dashboard - the Card and List views. Click on the view icons to switch to your preferred view
  8. Choose the domain you wish to modify. In the Card view, click the domain’s Manage button. In List view, click the domain or its gear icon on the right-hand side. Check out the screenshot from the SPF instructions above
  9. Click on DNS & Nameservers in the left-hand menu
  10. On the DNS & Nameservers page, select the DNS Records tab
  11. Add a new TXT Record by clicking the blue + button. Or, scroll to the bottom for TXT records and click on the 3 dots to “edit” an existing record. Check out the screenshot from the SPF instructions above
  12. Here you can either edit an existing record, or select Add More Records to create a new one. We want to create a TXT record
  13. Name: The value that you got from Step 4
  14. Value: The value that you got from Step 4
  15. Set the TTL (Time to Live) to an appropriate value, such as 1 hour (3600 seconds). TTL determines how long the record is cached by DNS servers
  16. Select Update DNS to add your new record
  17. That's it! Mission accomplished 🚀 Most DNS updates take effect within an hour but could take up to 48 hours to update globally

Screenshot (Step 2): From your Google Workspace Admin console, select Apps, Google Workspace, Gmail, then Authenticate email to find the DKIM settings.

How to setup DMARC with Domain.com and Google Workspace

DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. Think of DMARC as a set of rules for your email's security guards: SPF and DKIM. It tells these guards how to handle emails that fail SPF and DKIM checks. Imagine you have two security checks at the entrance of a building. SPF checks if the visitor (email) is coming from a trusted location, and DKIM verifies their ID (digital signature). If a visitor fails either check, DMARC decides what to do with them—like turning them away or putting them in a waiting area (spam folder).

DMARC also sends reports back to you, informing you about who's trying to send emails using your name and how these emails are being dealt with. This helps in identifying and stopping email impersonation and phishing attacks. Without DMARC, even if you have SPF and DKIM, you don't have control over what happens to emails that fail these checks, potentially leaving your domain more vulnerable to misuse and your recipients at risk of receiving fraudulent emails.

Before setting up DMARC, you need to have SPF and DKIM properly configured for your domain. Then you can decide on your DMARC policy, which determines how receiving mail servers handle emails that fail SPF and/or DKIM checks. You can choose from three policies:

  • None: Do nothing (used mainly for monitoring purposes). ⛔ Don't use this setting. It leaves you totally unprotected.
  • Quarantine: Mark the email as suspicious and move it to the spam or junk folder. 👎 This setting is still risky because people will still receive your forged emails.
  • Reject: Reject the email outright and do not deliver it. 👈 This is the one you should use ✅

An example DMARC record that follows our recommended security settings would look like this:

v=DMARC1; p=reject; rua=mailto:youremail@yourdomain.com

You can use a DMARC record generator tool, such as Global Cyber Alliance’s DMARC tool (https://dmarcguide.globalcyberalliance.org), to create your DMARC record, if needed.

DMARC Setup Instructions for Domain.com

  1. Log in to your Domains Dashboard (https://www.domain.com/controlpanel/foundation)
  2. On the dashboard, select the domain where you're updating the DMARC record. There are two views in the Domains dashboard - the Card and List views. Click on the view icons to switch to your preferred view
  3. Choose the domain you wish to modify. In the Card view, click the domain’s Manage button. In List view, click the domain or its gear icon on the right-hand side. Check out the screenshot from the SPF instructions above
  4. Click on DNS & Nameservers in the left-hand menu
  5. On the DNS & Nameservers page, select the DNS Records tab
  6. Add a new TXT Record by clicking the blue + button. Or, scroll to the bottom for TXT records and click on the 3 dots to “edit” an existing record. Check out the screenshot from the SPF instructions above
  7. Here you can either edit an existing record, or select Add More Records to create a new one. We want to create a TXT record.
  8. Name: The hostname or prefix of the record, without the domain name. Set this to _dmarc
  9. Value: The record value you generated earlier. For example: v=DMARC1; p=reject; rua=mailto:youremail@yourdomain.com
  10. Save the changes.
  11. That's it! Mission accomplished 🚀 Most DNS updates take effect within an hour but could take up to 48 hours to update globally.
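
Once the three records are published, it's worth checking the TXT values before you rely on them. The Python below is an added example, not part of the original guide: it lints record strings against the settings recommended here (the Google SPF include ending in -all, a 2048-bit DKIM key, and p=reject with a report address). The function names and sample values are constructed for illustration, and it assumes Google's SPF include host is _spf.google.com.

```python
import re

# Constructed sample values; the key material is a placeholder, not a real key.
SPF = ["v=spf1 include:_spf.google.com -all"]
DKIM = "v=DKIM1; k=rsa; p=" + "A" * 392
DMARC = "v=DMARC1; p=reject; rua=mailto:youremail@yourdomain.com"

def parse_tags(txt):
    """Split 'tag=value; tag=value' into (tags, parts that lack an '=')."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    pairs = [p.split("=", 1) for p in parts if "=" in p]
    bad = [p for p in parts if "=" not in p]
    return {k.strip().lower(): v.strip() for k, v in pairs}, bad

def lint_spf(records):
    """records: every TXT value found on the root domain."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:  # several SPF records on one name make receivers return permerror
        return [f"expected exactly one v=spf1 record, found {len(spf)}"]
    terms = spf[0].lower().split()[1:]
    issues = [] if "include:_spf.google.com" in terms else ["Google Workspace include missing"]
    if not terms or terms[-1] != "-all":
        issues.append("does not end in -all")
    return issues

def lint_dkim(record):
    tags, bad = parse_tags(record)
    issues = [f"malformed tag: {b}" for b in bad]
    if tags.get("v") != "DKIM1":
        issues.append("v=DKIM1 missing")
    p = re.sub(r"\s+", "", tags.get("p", ""))
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", p):
        issues.append("p= empty or not base64")
    elif len(p) < 392:  # 392 = base64 length of a 2048-bit RSA public key
        issues.append("key shorter than 2048 bits")
    return issues

def lint_dmarc(record):
    tags, bad = parse_tags(record)
    issues = [f"malformed tag: {b}" for b in bad]
    if not record.strip().startswith("v=DMARC1"):
        issues.append("v=DMARC1 must be the first tag")
    if tags.get("p") != "reject":
        issues.append(f"policy is {tags.get('p')}, not reject")
    if not tags.get("rua", "").startswith("mailto:"):
        issues.append("no rua=mailto: address, so no aggregate reports")
    return issues

if __name__ == "__main__":
    print(lint_spf(SPF), lint_dkim(DKIM), lint_dmarc(DMARC))
```

Paste in the values returned by a TXT lookup for your root domain, google._domainkey and _dmarc; an empty list means no issues were found.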

Conclusion

That’s it – you're all done! By implementing these three pillars of email security, you're not just protecting your domain from being misused by spammers and phishers, but you're also safeguarding your reputation and building trust with your recipients. SPF ensures that only authorized servers can send emails on behalf of your domain, DKIM provides a unique signature that verifies your emails are genuine and untampered, and DMARC ties it all together by dictating how to handle emails that fail SPF and DKIM checks, while keeping you informed about your email traffic. Together, these measures form a robust defence system against email-based threats. Remember, in the digital world, being proactive about security is not just a best practice; it’s a necessity. By taking these steps, you’re not only securing your email communications but also contributing to a safer, more trustworthy internet for everyone.
