G Suite Security Records
G Suite security records raise your domain's security level with Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting, and Conformance (DMARC). In this article we discuss these records and what each one is for.

G Suite provides you with three security records that can secure your domain against spamming and spoofing. They give you a digital signature to authenticate your domain and help filter spam as well as spoofed emails from other domains.
Let’s look at the three records and what each one is for.
1. Sender Policy Framework (SPF)
You can set up an SPF record to prevent spammers from using your domain to send unauthorized emails. An SPF record lists the mail servers that are allowed to send email on behalf of your domain.
Some mail recipients require SPF, and if your domain does not have an SPF record, your emails may be marked as spam.
SPF record: v=spf1 include:_spf.google.com ~all
You can also update your domain’s existing SPF record to authorize a new or additional mail server. Your SPF record will include the G Suite server address and the outbound gateway SMTP server address.
To add a mail server to an existing SPF record, enter the server's IP address before the ~all argument using the format ip4:address or ip6:address. For example:
v=spf1 ip4:172.16.254.1 include:_spf.google.com ~all
To add a mail server’s domain, use additional include statements for each domain. For example:
v=spf1 include:serverdomain.com include:_spf.google.com ~all
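The update steps above as an added Python example (not code from G Suite or from the original article): it inserts the new ip4:, ip6: or include: term ahead of ~all and also enforces the limit of 10 DNS-lookup terms from RFC 7208, which the article does not mention. The function names are hypothetical, and the helper assumes the record ends with an all mechanism, as the article's records do.

```python
import ipaddress
import re

LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # each costs a DNS query
MAX_LOOKUPS = 10  # RFC 7208 limit per SPF evaluation


def term_name(term: str) -> str:
    """Mechanism or modifier name, without qualifier or argument."""
    return re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0].lower()


def lookup_count(record: str) -> int:
    """Count the terms in this record that make the receiver do a DNS lookup."""
    return sum(term_name(t) in LOOKUP_TERMS for t in record.split()[1:])


def add_sender(record: str, sender: str) -> str:
    """Authorize `sender` (IP, CIDR or domain) in an existing SPF record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: must start with v=spf1")
    if term_name(terms[-1]) != "all":
        raise ValueError("this helper expects the record to end with an all mechanism")
    try:
        # IP addresses and CIDR ranges become ip4:/ip6: terms
        version = ipaddress.ip_network(sender, strict=False).version
        new_term = f"ip{version}:{sender}"
    except ValueError:
        # anything else is treated as a mail server's domain
        new_term = f"include:{sender}"
    if new_term.lower() in (t.lower() for t in terms):
        return record  # already authorized, nothing to change
    # New terms go right after the version tag, as in the article's examples
    terms.insert(1, new_term)
    updated = " ".join(terms)
    if lookup_count(updated) > MAX_LOOKUPS:
        raise ValueError("more than 10 DNS-lookup terms: receivers return permerror")
    return updated


if __name__ == "__main__":
    base = "v=spf1 include:_spf.google.com ~all"  # record from the article
    print(add_sender(base, "172.16.254.1"))
    print(add_sender(base, "serverdomain.com"))
    print(add_sender(base, "2001:db8::/32"))  # constructed IPv6 documentation range
```

An ip4: or ip6: term costs no DNS lookup, while every include: counts toward the limit.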
2. DomainKeys Identified Mail (DKIM)
DKIM permits a person, role, or organization that owns the signing domain to claim some responsibility for a message by associating the domain with the message. This can be an author’s organization, an operational relay, or one of their agents. DKIM separates the question of the identity of the Signatory of the message from the purported author of the message. Assertion of responsibility is validated through a cryptographic signature and by querying the Signatory’s domain directly to retrieve the appropriate public key. Message transit from author to recipient is through relays that typically make no substantive change to the message content and thus preserve the DKIM signature.
3. Domain-based Message Authentication, Reporting, and Conformance (DMARC)
Spammers can sometimes forge the "From" address on email messages, so the spam appears to come from a user in your domain. To help prevent this sort of abuse, Google is participating in DMARC.org, which gives domain owners more control over what Gmail does with spam email messages from their domain.
G Suite follows the DMARC.org standard and allows you to decide how Gmail treats unauthenticated emails coming from your domain. Domain owners can publish a policy telling Gmail and other participating email providers how to handle unauthenticated messages sent from their domain. By defining a policy, you can help combat phishing to protect users and your reputation.
You'll receive a daily report from each participating email provider so you can see how often your messages are authenticated, how often invalid messages are identified, and policy actions requested and taken by IP address.
As you learn from the data in these reports, you can adjust your policy, moving your actionable policies from “monitor” to “quarantine” to “reject”.
Recipients don't have to do anything, because Google is conducting the DMARC check for you.