Setting Up SPF, DKIM, and DMARC

I’ll introduce the procedure for setting up SPF, DKIM, and DMARC.

Background: Responding to Gmail's Strengthened Email Authentication Requirements

The background is that, as described in the following articles, if you don’t set up SPF, DKIM, and DMARC, emails won’t reach Gmail addresses, which would be problematic.

Have You Finished Responding to Gmail's Strengthened Email Authentication Requirements? - M3 Tech Blog
Don't Underestimate DMARC - Bengo4.com Corporation Creators' blog

This article only covers sending emails from Google Workspace.

Procedure to Confirm DMARC is Set Up

List owned domains
Confirm if emails are being sent from the domain
Send an email to a Gmail address
Check Gmail email headers to confirm DMARC: | 'PASS'

Setting Up SPF

Follow the procedure in Prevent spoofing and spam with SPF - Google Workspace Admin Help.

SPF Record: Google Workspace Only If you use only Google Workspace to send all emails from your organization, copy and paste the following text line into your SPF record.

v=spf1 include:_spf.google.com ~all

Add SPF Record at Domain Provider - Google Workspace Admin Help

After adding an SPF record to your domain, SPF configuration for your domain is complete. It may take up to 48 hours for SPF authentication to start working.

Since there’s also DKIM record addition work to follow, it might be good to shorten the TTL initially.

Before Adding SPF Record

dig TXT +short codenote.net
"google-site-verification=AxIZcYrrkuuOJUvOBuBspIMw1kZGxG9lq0CBdUIkpO4"

When checking message headers in Gmail, I could confirm SPF: NEUTRAL.

SPF:  NEUTRAL (IP: 209.85.220.41) Details
DKIM:  'PASS' (domain: codenote-net.20230601.gappssmtp.com) Details

After Adding SPF Record

dig TXT +short codenote.net
"google-site-verification=AxIZcYrrkuuOJUvOBuBspIMw1kZGxG9lq0CBdUIkpO4"
"v=spf1 include:_spf.google.com ~all"

When checking message headers in Gmail, it successfully became SPF: PASS.


SPF:  PASS (IP: 209.85.220.41) Details
DKIM:  'PASS' (domain: codenote-net.20230601.gappssmtp.com) Details

Setting Up DKIM

Prevent spoofing and spam with DKIM - Google Workspace Admin Help

Generate DKIM settings from https://admin.google.com/ac/apps/gmail/authenticateemail.

DNS Host Name (TXT Record Name):

google._domainkey

TXT Record Value:

v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkft0fimPwqAiZTdeGKmqy3ftJ62xi558HmH299aTSkQuw/qLroYmtyC4XK++8UW5EEyhNRh2fM6iWmKOvq+zOOqheur0LRvZ7GI0J3ubLfa5oDzm/IVwQP+7gVaYTFpKNdZOIk2nXLMukSL4Y7sJwSU4oOqGRG2gGGFinaqhbfE9MAZgL4eQiNKqxJg5DGCVD0AciFQZEyriomfxh5I07XvwOw6SVFEdoGCOCICiEztZOhzcDT4MrjMQwcCXRBHkrE3aKVEGDHjCp2I0Pc9Bnh5CjJEfmY5VFj5pNpsiHBLdzcv1M2QBFA5MsVIMJbWWu+7sV7DKuO9GyMmazk5Q4QIDAQAB

dig TXT +short google._domainkey.codenote.net
"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkft0fimPwqAiZTdeGKmqy3ftJ62xi558HmH299aTSkQuw/qLroYmtyC4XK++8UW5EEyhNRh2fM6iWmKOvq+zOOqheur0LRvZ7GI0J3ubLfa5oDzm/IVwQP+7gVaYTFpKNdZOIk2nXLMukSL4Y7sJwSU4oOqGRG2gGGFinaqhbfE9MAZgL4eQiNKqxJg5DGCVD" "0AciFQZEyriomfxh5I07XvwOw6SVFEdoGCOCICiEztZOhzcDT4MrjMQwcCXRBHkrE3aKVEGDHjCp2I0Pc9Bnh5CjJEfmY5VFj5pNpsiHBLdzcv1M2QBFA5MsVIMJbWWu+7sV7DKuO9GyMmazk5Q4QIDAQAB"

You can also check from Dig (DNS Lookup).

If you test send to Gmail and it shows DKIM: 'PASS' (domain: codenote.net), it’s OK.

SPF:  PASS (IP: 209.85.220.41) Details
DKIM:  'PASS' (domain: codenote.net) Details

Setting Up DMARC

(Will be added later)

That’s all from the Gemba, where I set up SPF, DKIM, and DMARC.