Email Security and You: A Love Story
- Josh Hunt
- Feb 6, 2024

What’s the deal with my emails getting dropped?
If you own a business, you may be noticing some weird stuff with your email list starting this month. Maybe your emails aren’t getting delivered or opened as much as usual since last week. What gives?
Google and Yahoo pull out the big guns
Google and Yahoo both have billions of users of their email services. The scale is pretty incredible. Both of them are technically free for users too, which really helps when you want to get a bunch of users really fast.
Although a Gmail or Yahoo account might be free, it certainly isn’t free for those companies to operate those accounts. They primarily make money off of targeted advertising and ad profiles of users. However, they also see and process a mountain of “malicious” emails, and bad stuff getting delivered to their users can cost those users real money.
As of February 1st, 2024, Google and Yahoo are jointly turning some security best practices into requirements: DKIM, SPF, and DMARC are now required for email marketing campaigns. Here’s a rundown on the changes and what you can do to make sure your emails continue to be delivered to customers.
How do I fix this?
This is a lot less scary than it sounds, and will take less than 15 minutes to complete.
In a nutshell, DMARC is a record in your domain’s DNS that helps receiving mail servers validate that email is coming from a legitimate source. It cuts down on the chances that your email address is spoofed and lets you tell those servers to pass, quarantine, or outright reject sketchy emails sent by unauthorized sources.
Using Google Workspace as an example, you’ll need a few things to knock this out:
- The login credentials for your DNS provider (GoDaddy, Wix, AWS, etc.)
- Super Administrator access to your Google Workspace account
Just a note: the word “domain” in this context means the part of an email address after the @ sign, which is usually your website address. For example, the domain in “josh@valarsecurity.com” is valarsecurity.com. Another important note is that emails can also come from other sources, like Salesforce or a marketing CRM like Hubspot. This article is going to focus on email authentication basics, but the same concept applies if you want to add DKIM keys from those secondary services as well.
Also, this article will focus on Google Workspace as our email environment just to keep the scope of the tutorial manageable. :)
With that in mind, let’s secure our email environment!
DKIM
First, let’s add DKIM keys to our domain. DKIM is a digital signature that confirms to the email recipient that the content has not been modified. Your users won’t see these keys; they are validated at the server level.
To add DKIM to your Google Workspace environment, do the following:
Log in with that Super Admin account we mentioned earlier. In the admin section on the left side of your screen, go to Apps > Gmail > Authenticate email.
Generate a new key by clicking “Generate New Record”. Make sure the key length is set to 2048. Copy what you see in “TXT record value”. The host name should be something like google._domainkey.myawesomedomain.com
Go to your DNS record management dashboard. This would be GoDaddy, Wix, AWS or something like that.
Add a new TXT record. The hostname is… you guessed it, google._domainkey.myawesomedomain.com. Obviously enter your actual domain name in the hostname. The record should be the long string of characters that we copied from “TXT record value” from Google. Save and commit your new TXT record. Note that DNS changes may take 48 hours to propagate but it’s usually much quicker than that.
We’re almost done. Go back to Google and click the “start authentication” button. Boom, all of our outgoing email from Google Workspace is authenticated.
SPF
Not just an acronym for evaluating sunscreen, SPF stands for Sender Policy Framework and protects your email domain against spoofing.
This one’s easy: you only need to add your SPF record in your DNS management console.
Create another TXT record like we did with DKIM and leave the hostname blank (it might just say “@”, but it’ll probably just look like myawesomedomain.com). Paste this into the TXT record:
v=spf1 include:_spf.google.com ~all
In plain English, this says “Everything being sent from google.com’s mail servers under this domain is legit and not being spoofed.” If you allow other services to send email using your domain (Salesforce.com, for example) you can add them to your SPF record by adding this after the “include” statement:
IMPORTANT: SPF records can only be 255 characters long and can only contain 10 include statements. That’s a hard limit of the spec, so be careful.
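A quick way to sanity-check an SPF record against these limits before publishing it, as an added example (not from the original article). It counts every term that costs a DNS lookup, which is how RFC 7208 expresses the limit of 10 (include, a, mx, ptr, exists and redirect all count), and treats 255 characters as the size of one TXT string; the vendor include hosts are hypothetical.

```python
import re

# Terms that each cost one DNS lookup while SPF is evaluated (RFC 7208, 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10
MAX_TXT_STRING = 255  # longest single character-string a DNS TXT record can hold


def lint_spf(txt_records):
    """Return a list of problems in a domain's apex TXT records (list of str)."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no SPF record published"]
    if len(spf) > 1:
        return ["more than one SPF record: receivers treat this as a permanent error"]
    record, problems = spf[0], []
    if len(record) > MAX_TXT_STRING:
        problems.append(f"{len(record)} characters: too long for one TXT string")
    # Strip the qualifier (+ - ~ ?) and any :value, =value or /cidr suffix.
    names = [re.split(r"[:=/]", t.lstrip("+-~?"), maxsplit=1)[0].lower()
             for t in record.split()[1:]]
    # Only this record's own terms are counted; lookups inside each included
    # record also count at a real receiver, so the true total can be higher.
    lookups = sum(1 for n in names if n in LOOKUP_TERMS)
    if lookups > MAX_LOOKUPS:
        problems.append(f"{lookups} DNS-lookup terms: limit is {MAX_LOOKUPS}")
    last = record.split()[-1].lower()
    if last in ("all", "+all"):
        problems.append("+all authorises every server on the internet")
    elif "all" not in names and "redirect" not in names:
        problems.append("no all mechanism: unlisted senders get a neutral result")
    return problems


# Constructed sample records; the vendor include hosts are hypothetical.
GOOD = ["google-site-verification=constructed", "v=spf1 include:_spf.google.com ~all"]
TOO_MANY = ["v=spf1 " + " ".join(f"include:spf.vendor{i}.example" for i in range(11)) + " ~all"]
DUPLICATE = ["v=spf1 include:_spf.google.com ~all", "v=spf1 mx -all"]

if __name__ == "__main__":
    for name, records in (("good", GOOD), ("too many", TOO_MANY), ("duplicate", DUPLICATE)):
        print(name, "->", lint_spf(records) or "ok")
```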
DMARC
Time for Daddy DMARC. DMARC builds on DKIM and SPF and allows you to set a policy on how to handle unauthenticated emails. Want to set your policy to take no action, and just watch what’s being sent from your domain? Sure, go ahead. Want to go full Gandalf and tell spammers that they shall not pass? Go for it.
We’re going to log back in to our DNS management console (you should have lots of practice with this by now) and add a new TXT record. This time the host name will be _dmarc.myawesomedomain.com. The body of the TXT record will read as follows:
v=DMARC1; p=none; rua=mailto:dmarc-reports@myawesomedomain.com
From left to right, this means: the version of DMARC is DMARC1; the policy is none (take no action, let the spam flow); and send all of my DMARC reports to dmarc-reports@myawesomedomain.com.
If you want to send sketchy email that’s not validated by DKIM and SPF to spam, change the policy to quarantine so it looks like this:
v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@myawesomedomain.com
You can also change it to reject and block anything that isn’t authenticated. Be careful, though. This might block legitimate messages if you haven’t added DKIM keys for their senders, or added them to your SPF record.
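How a receiving server turns the p= value into an action, as an added example that is not from the original article. The alignment check is a simplification, and mailer.example is a hypothetical marketing service that was never added to DKIM or SPF for the domain.

```python
def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; raise ValueError if unusable."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    tags = {}
    for part in parts:
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag {part!r}")
        tags[key.strip().lower()] = value.strip()
    if tags.get("p", "").lower() not in ("none", "quarantine", "reject"):
        raise ValueError("p must be none, quarantine or reject")
    return tags


def aligned(auth_domain, from_domain):
    """Simplified relaxed alignment: identical, or one is a subdomain of the
    other. Real receivers compare organizational domains (Public Suffix List)."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f or a.endswith("." + f) or f.endswith("." + a)


def disposition(record, from_domain, spf, dkim):
    """spf and dkim are (result, domain) pairs as the receiver computed them."""
    policy = parse_dmarc(record)["p"].lower()
    if any(res == "pass" and aligned(dom, from_domain) for res, dom in (spf, dkim)):
        return "deliver"  # DMARC passes on one aligned SPF or DKIM pass
    return {"none": "deliver", "quarantine": "spam", "reject": "reject"}[policy]


# Constructed messages, all with a From: address at myawesomedomain.com.
# mailer.example stands in for a marketing service that was never set up.
WORKSPACE = (("pass", "myawesomedomain.com"), ("pass", "myawesomedomain.com"))
UNCONFIGURED = (("pass", "bounce.mailer.example"), ("pass", "mailer.example"))
SPOOFED = (("fail", "myawesomedomain.com"), ("none", ""))

if __name__ == "__main__":
    for p in ("none", "quarantine", "reject"):
        rec = f"v=DMARC1; p={p}; rua=mailto:dmarc-reports@myawesomedomain.com"
        for name, (spf, dkim) in (("workspace", WORKSPACE),
                                  ("vendor", UNCONFIGURED), ("spoof", SPOOFED)):
            print(p, name, disposition(rec, "myawesomedomain.com", spf, dkim))
```

The unconfigured vendor passes SPF and DKIM for its own domain, yet is rejected under p=reject because neither result lines up with the From: domain.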
Verifying That it All Works
We’re almost done! You’re doing great so far, by the way.
To test that it all works, go to https://mxtoolbox.com/. Click on DMARC from the menu, and type in your hostname: _dmarc.myawesomedomain.com. Click DMARC Lookup. Voila, we’re green across the board.

It will show you exactly what tests it’s running and what it finds as a result. Mxtoolbox.com is an awesome tool for troubleshooting general email delivery issues.
Closing It Out
That’s it, your emails will now go safely to their intended destination. Not too bad, huh?
If you have any feedback about the article or want us to help you with this process, please drop us a line at valarsecurity.com