If you haven’t checked out the article on Secure Email Frameworks – SPF, I recommend you do that before reading this one. But the gist is this: email left unsecured leaves your domain open to spoofing, spam, and phishing. We can secure our email with the magic three frameworks, SPF, DKIM, and DMARC. This article focuses on DKIM.
Low Hanging Fruit
DKIM is probably the easiest of the three tools to set up for Google. What does DKIM do? It digitally signs outgoing email. In doing so, it attests that the message came from the given domain and that the signed message content hasn’t been modified in transit.
Here’s Google’s own “how to” with their recommendations: https://support.google.com/a/answer/174124?hl=en I’d recommend using it (alongside this article) to get going with DKIM.
To get started, go to your Google Admin Console. Search “authenticate email” or go to Apps > Google Workspace > Settings for Gmail > Authenticate email. From here, Google will generate a DNS TXT record for your domain. You’ll take that and add it to your domain’s public DNS as a TXT record. It’ll look something like google._domainkey.your_domain.org “v=DKIM1; k=rsa; p=M3IBIjaNBzkq… (the “google” prefix is the selector; receivers look up selector._domainkey.domain to find the public key). Once it is added, you’ll wait for DNS propagation, and then you’ll turn on email signing in the Google Admin Console. That’s it!
You can check that the record is published by going to https://toolbox.googleapps.com/apps/dig/#TXT/ and looking up google._domainkey.your_domain.org
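Once the TXT value is in DNS, a quick local sanity check catches the usual mistakes before you turn signing on. This is an added example, not code from the article or from Google’s how-to: it builds the lookup name, joins a record that dig shows as several quoted strings, parses the tag=value list, and flags an empty p= tag (a revoked key) or, as an assumption of this checker, an RSA key shorter than 2048 bits. The sample key below is constructed filler, not a real key.

```python
import base64
import re

def dkim_record_name(selector: str, domain: str) -> str:
    """DNS name receivers query for the key: <selector>._domainkey.<domain>."""
    return f"{selector}._domainkey.{domain}"

def join_txt_strings(raw: str) -> str:
    # A 2048-bit key exceeds one 255-byte TXT string, so dig shows the record as
    # several quoted chunks; join them as a verifier does (unquoted input is kept as-is).
    chunks = re.findall(r'"([^"]*)"', raw)
    return "".join(chunks) if chunks else raw

def parse_dkim_record(txt: str) -> dict:
    """Split 'tag=value; tag=value' into a dict; whitespace inside values is ignored."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags

def check_dkim_record(txt: str) -> list:
    """Return the problems found; an empty list means the record looks publishable."""
    tags = parse_dkim_record(join_txt_strings(txt))
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":  # v is optional, but if present must be DKIM1
        problems.append("v tag must be DKIM1")
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        problems.append(f"unsupported key type {tags.get('k')!r}")
    if "p" not in tags:
        problems.append("missing p tag (public key)")
    elif tags["p"] == "":
        problems.append("empty p tag: key is revoked, signatures will not verify")
    else:
        try:
            key = base64.b64decode(tags["p"], validate=True)
        except ValueError:
            problems.append("p tag is not valid base64")
        else:
            # Assumption: a 2048-bit RSA SubjectPublicKeyInfo is 294 DER bytes; flag anything shorter.
            if tags.get("k", "rsa") == "rsa" and len(key) < 294:
                problems.append("RSA key appears shorter than 2048 bits")
    return problems

# Constructed sample: 294 zero bytes stand in for a 2048-bit RSA SPKI (not a usable key).
SAMPLE_KEY = base64.b64encode(bytes(294)).decode()
SAMPLE_RECORD = f"v=DKIM1; k=rsa; p={SAMPLE_KEY}"
```

Paste the quoted TXT value from the dig tool straight into check_dkim_record; an empty list back means the record parses the way a receiving server will read it.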
Some things to note: DKIM on its own does not cause any email to be blocked (receivers only reject on a missing or failing signature when a DMARC policy tells them to), so setting it up is very low risk, all the more reason to JUST DO IT! Once you’ve done it, Google users who authenticate to Google via the web, an app, etc. will have their emails properly DKIM signed. For devices like fax machines or scanners, Google also offers options for getting their mail properly signed and supported through an SMTP relay.
Next up, we’ll talk DMARC.