How to Setup SPF, DKIM, and DMARC with GoDaddy & Google Workspace

What are SPF, DKIM, and DMARC?

This guide is designed for those who want to ensure their email communications are safe and trustworthy. We'll be diving into three key security measures:

• SPF (Sender Policy Framework)
• DKIM (Domain Keys Identified Mail)
• DMARC (Domain-based Message Authentication, Reporting,and Conformance

Each of these serves a unique role in safeguarding your emails, like different pieces of a puzzle working together to secure your email identity. Think of them as your email’s personal security team, each member specializing in a different aspect of protection. We'll explain these in simple terms and guide you step-by-step on how to set them up.

‍

How to setup SPF with GoDaddy and Google Workspace

SPF stands for Sender Policy Framework. It's a security measure for email that helps to verify if an email sent from a domain (likeyourcompany.com) is legitimate. Think of it as a list of approved email senders for your digital mail. When an email is sent, SPF checks if it's from a mail server that's allowed to send emails for that domain. It's like a bouncer checking if an email sender is on the guest list. This helps prevent spammers from pretending to be you (like forging your return address on an envelope), which can protect your reputation and prevent your emails from being mistakenly marked as spam. Without SPF, there's a higher risk that spammers can send emails pretending to be from your domain, which can lead to phishing attacks (where scammers trick people into giving away personal information) or damage to your domain's reputation.

‍

SPF Setup Instructions for GoDaddy

1. Sign in to your GoDaddy Domain Portfolio (https://dcc.godaddy.com/control/portfolio)
2. Select your domain to access the Domain Settings page
3. Select the DNS tab and view your DNS records
4. Here you can either edit an existing record but we want to create a new TXT record by clicking on Add More Records
5. Name: The hostname or prefix of the record, without the domain name. Enter @ to put the record on your root domain, or enter a prefix, such as mail.
6. Value: The SPF rule to indicate emails are only allowed from your mail server. Enter the following SPF record: v=spf1 include:spf.google.com -all    This record specifies that only servers listed in the spf.google.com mechanism are authorized to send email on behalf of your domain, and all other servers will be considered unauthorized.
7. Set the TTL (Time to Live) to an appropriate value, such as 1 hour (3600 seconds). TTL determines how long the record is cached by DNS servers.
8. Select Save to add your new record. If you added multiple records at the same time, select Save All Records.
9. If your domain has Domain Protection, you'll need to verify your identity. If you've had 2-step verification (2SV) turned on for at least 24 hours, enter the code GoDaddy sent via SMS, or enter the code from your authenticator app. Otherwise, enter the one-time password GoDaddy sent to your registrant email address.
10. That's it! Mission accomplished 🚀 Most DNS updates take effect within an hour but could take up to 48 hours to update globally.

‍

‍

‍

How to setup DKIM with GoDaddy and Google Workspace

DKIM, which stands for Domain Keys Identified Mail, is like a digital signature for your emails. Imagine sending a sealed letter with a unique stamp that proves it's really from you. When you send an email, DKIM adds a hidden digital signature to it. This signature is created based on a private key that only you have. The receiving mail server then checks this signature against a public key that's listed in your DNS records. It's like verifying the stamp on your letter matches the one you've shown to the world as yours. This process helps to ensure that the email hasn't been tampered with and really comes from your domain. It's important for security because it helps prevent someone from altering your emails or sending fake emails that look like they're from you. Without DKIM, your emails could be more easily spoofed, leading to increased phishing risks and potential harm to your domain's trustworthiness.
‍

DKIM Setup Instructions for Google Workspace

1. Sign into the Google Workspace console (https://admin.google.com/) using your administrator credentials
2. On the console, navigate to Apps > Google Workspace > Gmail > Authenticate Email
3. Select the domain for which you want to set up DKIM and click on “Generate new record”. You can choose the default key length (1024 or 2048 bits; 2048 is recommended for better security)
4. Copy the generated TXT record. It will resemble the following: a. DNS Host Name (TXT record name): google._domainkey and b. TXT Record Value: v=DKIM1; k-rsa; p=MKLL21086C0w0vn0...
5. Keep this table open because we need to copy and paste those values into GoDaddy
6. Sign in to your GoDaddy Domain Portfolio (https://dcc.godaddy.com/control/portfolio)
7. Select your domain to access the Domain Settings page. Check out the screenshot from Step 2 in the SPF instructions above.
8. Select the DNS tab and view your DNS records. Check out the screenshot from Step 3 in the SPF instructions above.
9. Here you can either edit an existing record, or select Add More Records. Create a new record with the type TXT. Fill out the Name and Value fields according to the records you generated. Ensure that you add both of your generated records.
10. Select Save All Records to add your changes.
11. That's it! Mission accomplished 🚀 Most DNS updates take effect within an hour but could take up to 48 hours to update globally.

‍

How to setup DMARC with GoDaddy and Google Workspace

DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. Think of DMARC as a set of rules for your email's security guards: SPF and DKIM. It tells these guards how to handle emails that fail SPF and DKIM checks. Imagine you have two security checks at the entrance of a building. SPF checks if the visitor (email) is coming from a trusted location, and DKIM verifies their ID (digital signature). If a visitor fails either check, DMARC decides what to do with them—like turning them away or putting them in a waiting area (spam folder).

DMARC also sends reports back to you, informing you about who's trying to send emails using your name and how these emails are being dealt with. This helps in identifying and stopping email impersonation and phishing attacks. Without DMARC, even if you have SPF and DKIM, you don't have control over what happens to emails that fail these checks, potentially leaving your domain more vulnerable to misuse and your recipients at risk of receiving fraudulent emails.

Before setting up DMARC, you need to have SPF and DKIM properly configured for your domain. Then you can decide on your DMARC policy which determine how receiving mail servers to handle emails that fail SPF and/or DKIM checks. You can choose from three policies:

• None: Do nothing (used mainly for monitoring purposes). ⛔ Don't use this setting. It leaves you totally unprotected.
• Quarantine: Mark the email as suspicious and move it to the spam or junk folder. 👎 This setting is still risky because people will still receive your forged emails.
• Reject: Reject the email outright and do not deliver it. 👈 This is the one you should use ✅

An example DMARC record that follows our recommended security settings would look like this:

v=DMARC1; p=reject; rua=mailto:youremail@yourdomain.com

You can use a DMARC record generator tool, such as Global Cyber Alliance’s DMARC tool (https://dmarcguide.globalcyberalliance.org), to create your DMARC record, if needed.

DMARC Setup Instructions for GoDaddy

1. Sign in to your GoDaddy Domain Portfolio (https://dcc.godaddy.com/control/portfolio)
2. Select your domain to access the Domain Settings page. Check out the screenshot from Step 2 in the SPF instructions above.
3. Select the DNS tab and view your DNS records. Check out the screenshot from Step 3 in the SPF instructions above.
4. Here you can either edit an existing record, or select Add More Records to create a new one. We want to create a TXT record.
5. Name: The hostname or prefix of the record, without the domain name. Set this to _dmarc
6. Value: The record value you generated earlier. For example: v=DMARC1; p=reject; rua=mailto:youremail@yourdomain.com
7. Save the changes.
8. That's it! Mission accomplished 🚀 Most DNS updates take effect within an hour but could take up to 48 hours to update globally.

‍

Conclusion

That’s it – you're all done! By implementing these three pillars of email security, you're not just protecting your domain from being misused by spammers and phishers, but you're also safeguarding your reputation and building trust with your recipients. SPF ensures that only authorized servers can send emails on behalf of your domain, DKIM provides a unique signature that verifies your emails are genuine and untampered, and DMARC ties it all together by dictating how to handle emails that fail SPF and DKIM checks,while keeping you informed about your email traffic. Together, these measures form a robust defence system against email-based threats. Remember, in the digital world, being proactive about security is not just a best practice; it’s a necessity. By taking these steps, you’re not only securing your email communications but also contributing to a safer, more trustworthy internet for everyone.

‍