Google Apps Message Authentication (DKIM & SPF)

posted Mar 9, 2012, 6:36 AM by Tom Pedersen   [ updated Aug 4, 2016, 3:12 PM ]
I've been attempting to unravel the technical underpinnings of an interesting message authorization effort over at DMARC.org.  During this research, I noticed a couple of Google App domains under my watch that were not properly configured for email authentication (DKIM, SPF, etc.).  The following is a chronicle of the updates and test tools used to remedy this - hopefully useful.

Background

DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) together provide a way to explicitly associate outbound email with a domain.  This mechanism can be used to reduce the chances of having your domain's email mistakenly interpreted as spam or spoofed mail.  In the long haul, it may also improve delivery rates for bona fide traffic and reduce forgery.

As I was testing Gapp domains that I watch over, I noticed that domains defined using the Google Apps Setup Wizard tested fine for DKIM and SPF while older Gapp domains failed.  These domains were established before Google's DKIM feature set was added in 2011.  The following is the step-by-step used to update and test the non-compliant domains.

*** June 2014 Update - This page/procedure was created years ago, prior to the unveiling of the new Google Admin Console in 2013/2014.  I took a quick pass thru and (hopefully) updated to match new admin navigation ***

Cautions & Considerations

Hidden Hazards
The specifications and technologies involved in message authentication appear to be evolving and may not be commonly deployed, adopted or enforced in your techno ecosystem - test/test/test.  There also seem to be variants (e.g. SenderID or DomainKeys) that may need to be considered to interface with specific partners.

All related technologies seem to be exceptionally 'social' in nature.  Broad and consistent participation, implementation and adoption appears to be required.  Note also that DKIM and SPF are required underpinnings of Domain-based Message Authentication, Reporting and Conformance (DMARC) which will hopefully continue to generate interest/adoption. 

Gapps email authorization set-up

The following step-by-step was originally recorded as I walked through the Google Apps admin control panel Setup Wizard (Setup > gmail  > help prevent spoof) - updated to align with admin.google.com Admin Console:

  1. Click Google Apps ICON on the Admin console
  2. Click on Gmail link on Services page to access Gmail Settings 
  3. Highlight/Click Authenticate email section of the screen to popup Authenticate email (DKIM) dialog.  
  4. Generate and NOTE the domain key for EACH email domain in this Google App account
    • Select the app domain and click Generate new record.
    • Adjust Prefix Selector to include yourdomain (instead of google) in TXT record name.  
      (This may not be an option for domains hosted by google).
    • Copy the generated TXT record name and value to clipboard, notepad or something.  It will be used to populate DNS TXT record at your domain host.
  5. The DKIM dialog will offer to auto configure the DKIM TXT record for domains defined/registered thru Google (eNom), but did not automatically add the SPF TXT record in my experience.   

    For externally defined domains (godaddy, register.com, etc) refer to google help article outlining TXT record update process to add DKIM and SPF TXT records using your domain provider's DNS management console:

    • SPF:  Create a TXT record containing this text: v=spf1 include:_spf.google.com ~all
      Note: "... an SPF record that uses -all instead of ~all may result in delivery problems."
      Google Help HERE read IT!
    • DKIM:  Create a TXT record using the TXT record name and value saved in step 4 above
      Google Help HERE read IT!
  6. Turn on email signing using the Start Authentication button on the Authenticate Email screen of Apps Admin Control Panel (hopefully still open in tab/window from step 3 above).  
    Google Help HERE  read IT! 
     

  7. Repeat above steps for each email domain until all are Authenticating email. Also remember, DNS updates may take a day or two to propagate through the net. 
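
Once the records are published, they can be sanity-checked before sending any test mail. The following Python is an added example, not part of the original post or any Google tool: it lints the SPF and DKIM TXT strings for the record layout described in the steps above. The function names, the example.com zone data and the placeholder key are constructed for illustration, and it assumes you have already retrieved the TXT strings from DNS.

```python
import base64
import binascii

def check_spf(apex_txt):
    """Problems in the TXT strings published at the domain apex."""
    spf = [r.lower().split() for r in apex_txt if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:  # zero = no policy; more than one = SPF permerror (RFC 7208)
        return [f"SPF: expected exactly one v=spf1 record, found {len(spf)}"]
    terms, problems = spf[0][1:], []
    if "include:_spf.google.com" not in terms:
        problems.append("SPF: missing include:_spf.google.com")
    if not terms or terms[-1] not in ("~all", "-all"):
        problems.append("SPF: record should end with ~all (or -all)")
    return problems

def check_dkim(txt_value):
    """Problems in the TXT value published at <selector>._domainkey.<domain>."""
    tags = {}
    for part in txt_value.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(value.split())  # drop folding whitespace
    key = tags.get("p")
    if not key:  # a missing p= is invalid; an empty one marks a revoked key
        return ["DKIM: p= tag missing or empty"]
    try:
        base64.b64decode(key, validate=True)
    except binascii.Error:
        return ["DKIM: p= is not valid base64 (truncated paste?)"]
    return []

def lint_domain(zone, domain, selector):
    """zone maps a DNS name to the list of TXT strings published there."""
    problems = check_spf(zone.get(domain, []))
    dkim = zone.get(f"{selector}._domainkey.{domain}", [])
    if len(dkim) != 1:
        return problems + [f"DKIM: expected one TXT record, found {len(dkim)}"]
    return problems + check_dkim(dkim[0])

# Constructed sample data: 162 zero bytes stand in for real key material.
FAKE_KEY = base64.b64encode(bytes(162)).decode()
GOOD = {"example.com": ["v=spf1 include:_spf.google.com ~all"],
        "google._domainkey.example.com": [f"v=DKIM1; k=rsa; p={FAKE_KEY}"]}
BAD = {"example.com": ["v=spf1 include:_spf.google.com ~all", "v=spf1 a mx ~all"],
       "google._domainkey.example.com": [f"v=DKIM1; k=rsa; p={FAKE_KEY[:-1]}"]}

if __name__ == "__main__":
    for zone in (GOOD, BAD):
        print(lint_domain(zone, "example.com", "google") or "ok")
```

The BAD zone shows two common publishing mistakes: a second v=spf1 record left behind by an earlier setup, and a DKIM key that lost characters when pasted into the DNS console.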

Testing email authorization

Due to the nature of DKIM/SPF it's a bit tricky to see if everything is working when the configuration dust settles. I found a number of (seemingly good) online DKIM/SPF test tools and ran tests for each domain before and after implementation.  Here are a couple of my favorites - there are quite a few more out there.

Resources

  1. Many useful webmeister resources @ http://www.whoishostingthis.com/resources/ 
  2. Google Apps Admin Article - Authenticate email with a domain key
  3. Google Apps Admin Article - Configuring SPF records
  4. Google Apps Admin Article - Understanding DMARC
  5. http://www.sendmail.org/dkim/friendlyOverview
  6. http://www.openspf.org/
  7. http://www.dmarc.org/ 
  8. http://www.dkim.org/ 
--------------
I hope others find this useful.  As always, feel free to offer suggestions or improvements.