Email Security Settings Guide for Google Workspace

This guide will help you configure the correct security settings for your domain when using Google Workspace. Setting up these configurations correctly protects your organization from email fraud, spoofing, and other security threats.

Important Notice

Email security configurations are critical to your organization's data protection. Improper setup can lead to email delivery issues, security vulnerabilities, or even data breaches.

While this guide provides detailed instructions, we strongly recommend consulting with your IT department or a qualified DNS professional before making any changes to your domain's DNS records. Incorrect configurations may result in email service disruptions.

These settings should be implemented by someone familiar with DNS management and email authentication protocols. If you're unsure about any step, seek professional assistance rather than proceeding on your own.

Remember that DNS changes can take 24-48 hours to fully propagate across the internet. Plan accordingly and monitor your email services closely after making changes.

Table of Contents

  1. SPF Settings
  2. DKIM Settings
  3. DMARC Settings
  4. MX Records
  5. Common Issues and Troubleshooting

SPF Settings

What is SPF?

SPF (Sender Policy Framework) is an email authentication method that helps prevent spoofing by verifying that servers sending email from your domain are authorized to do so.

How to Configure SPF for Google Workspace

  1. Log in to your DNS provider's control panel (e.g., GoDaddy, Cloudflare, Namecheap)
  2. Locate the TXT record management in the DNS settings
  3. Create or update a TXT record with the following values:
    • Host/Name: @ or blank (representing your root domain)
    • Type: TXT
    • TTL: 3600 (or your DNS provider's default)
    • Value/Data: v=spf1 include:_spf.google.com ~all
    Note: If you already have an SPF record (starts with v=spf1), you must not create another one. Instead, update the existing record by adding include:_spf.google.com.
  4. Save the changes
  5. Verify your SPF record after 24-48 hours (the time it takes for DNS changes to propagate) by using an online tool like MXToolbox

Example of a Correct SPF Record

v=spf1 include:_spf.google.com ~all

If you use multiple services to send email, combine them with additional include: directives:

v=spf1 include:_spf.google.com include:amazonses.com ~all

SPF Mechanism Explanation:

  • ~all: Soft fail for all email that doesn't match (recommended)
  • -all: Hard fail (stricter, can cause issues if not configured correctly)
  • ?all: Neutral (too weak for production environments)
  • +all: Allow all (strongly discouraged from a security perspective)

DKIM Settings

What is DKIM?

DKIM (DomainKeys Identified Mail) adds a digital signature to your outgoing email messages so that receiving servers can verify that the messages actually come from your domain and haven't been tampered with.

How to Configure DKIM for Google Workspace

  1. Generate DKIM keys in the Google Admin Console:
    • Log in to the Google Admin Console
    • Go to Apps > Google Workspace > Gmail > Authentication
    • Click on the Email Authentication tab
    • In the DKIM section, click Generate new record
    • Select your domain and click Generate
  2. Copy the DNS hostname and TXT record value that is displayed
  3. Create a TXT record in your DNS configuration:
    • Host/Name: The DNS hostname from Google (e.g., google._domainkey)
    • Type: TXT
    • TTL: 3600 (or your DNS provider's default)
    • Value/Data: The TXT record value from Google (the long value beginning with v=DKIM1; k=rsa; p=)
  4. Save the changes
  5. Enable DKIM signing in the Google Admin Console:
    • After the DNS changes have propagated (24-48 hours), go back to the DKIM settings in the Admin Console
    • Click Start next to your domain to enable DKIM signing
  6. Verify your DKIM configuration with a tool like MXToolbox DKIM Checker

Tips for DKIM Implementation

  • Google Workspace uses a 2048-bit key size, which provides strong security
  • The TXT record Google asks you to add can be very long; ensure you copy the entire value
  • Some DNS providers may require you to split long TXT records - follow their specific instructions if this is the case

DMARC Settings

What is DMARC?

DMARC (Domain-based Message Authentication, Reporting & Conformance) builds upon SPF and DKIM to give domain owners control over what happens to email that fails authentication, and to let them receive reports about failed attempts.

How to Configure DMARC

  1. Create a new TXT record in your DNS configuration:
    • Host/Name: _dmarc
    • Type: TXT
    • TTL: 3600 (or your DNS provider's default)
    • Value/Data: Start with a simple DMARC record, e.g.: v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com
  2. Save the changes
  3. Verify DMARC configuration with a tool like MXToolbox DMARC Checker

Phased DMARC Policy Implementation

It is recommended to implement DMARC in phases:

  1. Monitoring Mode (p=none): v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com
    • This sends reports without affecting email delivery
    • Use this setting for at least 2 weeks to gather data
  2. Quarantine Mode (p=quarantine): v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc-reports@yourdomain.com
    • Suspicious messages go to the spam folder
    • pct=25 applies the policy to only 25% of messages
    • Gradually increase the percentage: 25%, 50%, 75%, 100%
  3. Rejection Mode (p=reject): v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com
    • Receiving servers reject email that fails authentication
    • Implement only when you are sure all legitimate email flows are correctly configured

DMARC Tag Explanation

  • v=DMARC1: Protocol version (always DMARC1)
  • p=none/quarantine/reject: Policy for handling failed authentication
  • pct=: Percentage of traffic the policy applies to (1-100)
  • rua=mailto:: Email address for aggregate reports
  • ruf=mailto:: Email address for detailed forensic reports
  • sp=: Subdomain policy (if different from the main domain)
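
The phased rollout above can be checked mechanically before each DNS change. The following is an added example, not part of the original guide or any Google tooling: it validates a DMARC record against the tags listed here and returns the record for the next rollout step. The function names and the PHASES table are assumptions made for illustration.

```python
# Added example: validate a DMARC record and compute the next rollout step.
# The phase order mirrors the phased plan in this guide.
PHASES = [("none", 100), ("quarantine", 25), ("quarantine", 50),
          ("quarantine", 75), ("quarantine", 100), ("reject", 100)]

def parse_dmarc(record):
    """Parse a DMARC TXT value into an ordered dict of tags; raise ValueError if malformed."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"tag without '=': {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError(f"invalid or missing p= policy: {tags.get('p')!r}")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) > 100:
        raise ValueError(f"pct must be a whole number up to 100, got {pct!r}")
    for key in ("rua", "ruf"):
        for uri in filter(None, tags.get(key, "").split(",")):
            if not uri.strip().lower().startswith("mailto:"):
                raise ValueError(f"{key} must list mailto: addresses, got {uri!r}")
    return tags

def next_phase(record):
    """Return the record for the next rollout step, or None once at p=reject."""
    tags = parse_dmarc(record)
    current = (tags["p"], int(tags.pop("pct", "100")))
    if current not in PHASES:
        raise ValueError(f"{current} is not a step in the phased plan")
    step = PHASES.index(current) + 1
    if step == len(PHASES):
        return None
    tags["p"], pct = PHASES[step]
    parts = [f"{k}={v}" for k, v in tags.items()]
    if pct != 100:                      # pct=100 is the default, so it is omitted
        parts.insert(2, f"pct={pct}")
    return "; ".join(parts)
```

Starting from the monitoring record, repeated calls to next_phase walk through quarantine at 25%, 50%, 75% and 100% and end at p=reject, keeping the rua address unchanged.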

MX Records

What are MX Records?

MX records (Mail Exchange) specify which email servers should receive email for your domain.

How to Configure MX Records for Google Workspace

  1. Log in to your DNS provider's control panel
  2. Locate the MX record management in the DNS settings
  3. Remove any existing MX records that don't relate to Google Workspace
  4. Add the following MX records:

     Priority   Host/Name     Points to/Value
     1          @ or blank    aspmx.l.google.com
     5          @ or blank    alt1.aspmx.l.google.com
     5          @ or blank    alt2.aspmx.l.google.com
     10         @ or blank    alt3.aspmx.l.google.com
     10         @ or blank    alt4.aspmx.l.google.com

     Note: Lower priority value indicates higher priority. The server with priority 1 will be used first.

  5. Save the changes
  6. Verify your MX records after 24-48 hours with a tool like MXToolbox MX Lookup

Common MX Record Issues

  • Duplicate MX records: Remove all non-Google MX records if you exclusively use Google Workspace
  • Missing priorities: Ensure all records have the correct priority values
  • Incorrect format: Check that domain names are correctly specified and end with periods when required

Common Issues and Troubleshooting

SPF Errors

  • Error 1: Too many DNS lookups (max 10 are allowed)
    • Solution: Simplify your SPF record by using "include" instead of multiple "a:" or "mx:" mechanisms
  • Error 2: Multiple SPF records (only one is allowed)
    • Solution: Combine all directives into a single SPF record
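
Both SPF errors above, and the qualifier choices from the SPF Mechanism Explanation, can be caught before publishing. The following is an added example, not part of the original guide: an offline check over the TXT records of a root domain. The function name and sample records are constructed for illustration, and only lookup terms in the record itself are counted; lookups inside included records also count toward the limit and need live DNS to total.

```python
# Added example: offline lint of the TXT records at a root domain.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists"}  # each costs one DNS lookup

def lint_spf(txt_records):
    """Return a list of findings; an empty list means the record passes."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        return [f"expected exactly one v=spf1 record, found {len(spf)}"]
    terms = [t.lower() for t in spf[0].split()[1:]]
    findings = []

    lookups = 0
    for term in terms:
        bare = term.lstrip("+-~?")                      # drop the qualifier
        name = bare.split(":", 1)[0].split("/", 1)[0]   # drop domain and CIDR
        if name in LOOKUP_TERMS or bare.startswith("redirect="):
            lookups += 1
    if lookups > 10:
        findings.append(f"{lookups} lookup terms in the record itself (limit is 10)")

    if not any(t.lstrip("+") == "include:_spf.google.com" for t in terms):
        findings.append("missing include:_spf.google.com")

    last = terms[-1] if terms else ""
    if last in ("all", "+all"):
        findings.append("+all authorizes every sender")
    elif last == "?all":
        findings.append("?all is neutral and gives receivers nothing to act on")
    elif last not in ("~all", "-all"):
        findings.append("record does not end with an all mechanism")
    return findings

# Constructed sample inputs (not real zone data).
GOOD = ["v=spf1 include:_spf.google.com include:amazonses.com ~all",
        "google-site-verification=constructed-placeholder"]
DUPLICATE = ["v=spf1 include:_spf.google.com ~all",
             "v=spf1 include:amazonses.com ~all"]

if __name__ == "__main__":
    for name, records in (("good", GOOD), ("duplicate", DUPLICATE)):
        print(name, lint_spf(records) or "ok")
```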

DKIM Errors

  • Error 1: TXT record created with the wrong hostname
    • Solution: Double-check the exact hostname from the Google Admin Console
  • Error 2: TXT record value is incomplete
    • Solution: Ensure the entire long key is copied correctly
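
An incomplete DKIM value, and the long-record splitting mentioned in the DKIM tips, can both be checked offline. The following is an added example, not part of the original guide or Google's tooling: it splits a value into strings of at most 255 characters, rejoins them, and compares the length declared in the key's DER header with the bytes actually present. The function names are assumptions, and the sample value is a constructed placeholder, not a real key.

```python
import base64

def split_txt(value, limit=255):
    """Split a TXT value into quoted strings of at most `limit` characters each."""
    return " ".join(f'"{value[i:i + limit]}"' for i in range(0, len(value), limit))

def join_txt(zone_value):
    """Concatenate the quoted strings of a TXT record, as a resolver does."""
    return "".join(zone_value.split('"')[1::2])

def der_declared_size(der):
    """Total size in bytes declared by the outer DER SEQUENCE header, or None."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    if der[1] < 0x80:                      # short form: length fits in one byte
        return 2 + der[1]
    n = der[1] & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_dkim(value):
    """Return 'ok' or a description of what is wrong with a DKIM TXT value."""
    tags = dict(t.strip().split("=", 1) for t in value.split(";") if "=" in t)
    if tags.get("v") != "DKIM1":
        return "v=DKIM1 tag is missing"
    try:
        der = base64.b64decode(tags.get("p", ""), validate=True)
    except ValueError:
        return "p= is not valid base64 (partial or mangled copy)"
    declared = der_declared_size(der)
    if declared is None:
        return "p= does not hold a DER-encoded public key"
    if declared != len(der):
        return f"key is incomplete: {len(der)} of {declared} bytes present"
    return "ok"

# Constructed placeholder: the outer header and size of a 2048-bit RSA public
# key (294 bytes) with a zero-filled body. It is not a usable key.
SAMPLE_VALUE = "v=DKIM1; k=rsa; p=" + base64.b64encode(
    b"\x30\x82\x01\x22" + bytes(290)).decode()
```

Run check_dkim on the value as published in DNS, after joining its strings, and not only on the value copied from the Admin Console.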

DMARC Errors

  • Error 1: Syntax error in the DMARC record
    • Solution: Verify the syntax with a DMARC validator
  • Error 2: Reporting address uses the same domain as the DMARC record
    • Solution: Configure an additional DMARC record for the reporting domain or use an external reporting address

MX Errors

  • Error 1: Conflict between different email services
    • Solution: Remove all non-Google MX records if you exclusively use Google Workspace
  • Error 2: Incorrect priority order
    • Solution: Check that priority values are correctly specified (lower value = higher priority)

Testing Tools

To verify your settings, use the following tools:

Conclusion

Correctly configuring these four security components (SPF, DKIM, DMARC, and MX) is crucial to ensure your email security. By following this guide, you can create a robust email security profile that protects your organization against spoofing, phishing, and other email-related threats.

Remember that DNS changes can take 24-48 hours to propagate globally, so be patient when testing after making changes.

© 2025 Selma AI. All rights reserved.