Google Workspace mail security configuration (SPF, DKIM, DMARC, Postmaster Tools)
Mail security setup.
Assumes access to the Google Workspace admin console and GoDaddy for DNS configuration.
For each new domain, configure the following:
- Configure Postmaster Tools at postmaster.google.com, including verifying domain ownership via a DNS entry (GoDaddy), for each domain that is mail enabled, not just the primary.
- Confirm the SPF record is correct
- Configure DKIM if not already enabled (do not start authenticating yet)
- Create a DMARC mail-enabled group (dmarc@domainname); it must be private and only allow invited members
- Publish the DMARC policy in DNS with the following options:
  - Record type: TXT
  - Name: _dmarc
  - Value: v=DMARC1; p=none; rua=mailto:postmaster@domainname, mailto:dmarc@domainname; pct=100; adkim=s; aspf=s
  - Note that these settings will not prompt mail servers to quarantine or reject emails, but simply report results back to the postmaster/dmarc mail groups for inspection (should we encounter any issues)
- Check that the SPF, DKIM and DMARC records are correct using a third-party tool like https://dmarcly.com/tools/ or MXToolbox
- Ensure at least 2 IT admins are members of the dmarc/postmaster groups in each domain
Once correct configuration is confirmed in Google Postmaster Tools AND a third-party tool, DKIM authentication can be enabled (suggest waiting at least 24 hours after configuration before enabling). Check logs for errors after enabling.
Recheck that the DKIM record is correct for the domain via MXToolbox.
Enable DKIM authentication for each domain.
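
The record check in the list above can also be done locally against the TXT value copied from DNS. The following Python is an added example, not part of the original procedure: it parses a DMARC record and reports every deviation from the policy published in this runbook. The function names and the example.com sample records are assumptions made for illustration.

```python
# Added example: compare a DMARC TXT value with this runbook's monitoring policy.
EXPECTED_TAGS = {"v": "DMARC1", "p": "none", "pct": "100", "adkim": "s", "aspf": "s"}


def parse_dmarc(txt):
    """Split a DMARC TXT value into an ordered {tag: value} dict."""
    tags = {}
    for part in txt.strip().strip('"').split(";"):
        if not part.strip():
            continue  # tolerate a trailing ';'
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part.strip()!r}")
        tags[name.strip().lower()] = value.strip()
    return tags


def check_dmarc(txt, domain):
    """Return a list of deviations from the runbook's record (empty list = OK)."""
    try:
        tags = parse_dmarc(txt)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if list(tags)[:1] != ["v"]:
        problems.append("v=DMARC1 must be the first tag")
    for name, want in EXPECTED_TAGS.items():
        got = tags.get(name)
        # The version string is compared exactly, other values case-insensitively.
        ok = got == want if name == "v" else (got or "").lower() == want
        if not ok:
            problems.append(f"{name}: expected {want!r}, found {got!r}")
    # rua is a comma-separated list of mailto: URIs; both groups must receive reports.
    rua = {u.strip().lower() for u in tags.get("rua", "").split(",") if u.strip()}
    for mailbox in ("postmaster", "dmarc"):
        uri = f"mailto:{mailbox}@{domain}".lower()
        if uri not in rua:
            problems.append(f"rua: missing {uri}")
    return problems


# Constructed sample values; example.com stands in for the real domain.
GOOD = ("v=DMARC1; p=none; rua=mailto:postmaster@example.com, "
        "mailto:dmarc@example.com; pct=100; adkim=s; aspf=s")
DRIFTED = "v=DMARC1; p=none; rua=mailto:postmaster@example.com; pct=100; adkim=r"

if __name__ == "__main__":
    for record in (GOOD, DRIFTED):
        print(check_dmarc(record, "example.com") or "OK")
```

An empty result means the published value matches the runbook; the second sample shows the findings for a record with relaxed DKIM alignment, no aspf tag and only one reporting address.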