Software

Send better email: Configure SPF and DKIM for Google Apps

Andy Wolber shows you how you can reduce spam with just two records added to your domain name system settings.

Google, like most major email providers, actively works to combat forged email, spam, and scam email. For the most part, their defenses work. Open your Gmail spam folder to see the Google spam fighting team's work. The vast majority of email there will be spam.

If a legitimate email somehow ends up in spam, select the email, then mark it as "Not Spam". (This is what's known as a false positive.) Conversely, if a spam email somehow ends up in your Inbox, select the email, and then mark it as "Spam". Your changes help improve Gmail's spam filters.

Improve email deliverability with SPF and DKIM

You can help reduce spam even further with just two records in your domain name system (DNS) settings: an SPF record and a DKIM record. These records improve email deliverability and reduce spam in slightly different ways.

A Sender Policy Framework (SPF) record indicates which mail servers are authorized to send mail for a domain. Email recipient servers perform a check: "Is this email coming from an authorized mail server?" If not, then the email in question is more likely to be spam. Your SPF DNS record lets the recipient server perform this verification. The SPF check verifies that an email comes from authorized servers.

A DomainKeys Identified Mail (DKIM) record adds a digital signature to emails your organization sends. Email recipient servers perform a check: "Does the signature match?" If so, then the email hasn't been modified and is from a legitimate sender. Your DKIM DNS record lets the recipient server perform this verification. The DKIM check verifies that the message is signed and associated with the correct domain.

You'll reduce the potential for spam email appearing to be sent from your account if you have both an SPF and DKIM record in place. Many of the major email providers use these technologies to help reduce spam.

Here's how to set up SPF and DKIM records for Google Apps.

Configure SPF for Google Apps

If you use Google Apps for email, you'll need access to your DNS provider to add an SPF record. In most cases, you simply login and create a new TXT record with the value of:

v=spf1 include:_spf.google.com ~all

Google provides detailed instructions, as well. Be sure to save your changes.

Configure DKIM for Google Apps

You'll need access to your Google Apps control panel and your DNS records to set DKIM. This is a three step process:

1. Create the DKIM key

a. Login to your Google Apps Control Panel (e.g., http://www.google.com/a/cpanel/yourdomain.com)

b. Go to the "Advanced tools" tab, then scroll down to "Authenticate email" and click on "Set up email authentication (DKIM)". This will open a new screen.

c. Your domain name should be displayed. Click on "Generate new record". Leave the default selector prefix as "google". Click "Generate".

d. Leave this browser window open, and then create a new tab or browser window.

2. Create the DKIM DNS record

a. Login to your DNS provider. Get to a place where you can add a TXT record.

b. Create a new TXT record. The name of the TXT record should be:

google._domainkey

This creates a domain that, fully resolved, looks like: google._domainkey.yourdomain.com.

c. The value for the DNS record will be a very long string of characters, something like:

 v=DKIM1; k=rsa; t=y; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCG5in7gQIDAQAB

The actual length of the string will be much longer than that above. I find it simplest to copy-and-paste the information from the Control Panel page displaying the information. Save the DNS record.

3. Start Authenticating

a. Wait 24-hours for your changes to propagate, and for Google's servers to detect the changes.

b. Login to your Google Apps Control Panel (e.g., http://www.google.com/a/cpanel/yourdomain.com)

c. Go to the "Advanced tools" tab, then scroll down to "Authenticate email" and click on "Set up email authentication (DKIM)". This will open a new screen.

d. Click "Start authentication".

As always, check Google's detailed instructions if your setup is more complex.

Figure A

Verify your SPF and DKIM settings via email

Verify that SPF and DKIM are configured

Send an email from your Gmail account to check-auth@verifier.port25.com after you've completed the SPF and DKIM setup. You'll receive an email response in a few minutes. If everything is properly configured, you'll receive a "PASS" for both the SPF and DKIM settings. This means your email is now more likely to be delivered than email lacking these records.

My inbox, and everyone's spam folders, are grateful for your efforts!

Also read:

About

Andy Wolber helps people understand and leverage technology for social impact. He resides in Ann Arbor, MI with his wife, Liz, and daughter, Katie.

3 comments
Mark W. Kaelin
Mark W. Kaelin

Have you already configured SPF and DKIM for Google Apps? If so, have you taken the next step and enabled a DMARC record for your domain?