
Email security: how to secure your Google Workspace domain

Gmail Spoofing

What is SPAM?

Spam refers to mass unsolicited electronic mail—typically advertisements or spoofed messages. Not only is it annoying, but it can also pose significant security risks.

Each email platform uses different configurations to filter spam. Google employs an advanced algorithm, incorporating multiple layers, to determine which emails are considered spam. It utilizes AI to learn from user behavior. In 2007, Google acquired Postini to enhance Gmail’s spam filters and ensure the safety of its users. Google is renowned for having one of the best spam filters in the market, a claim that has been substantiated numerous times.

Currently, there is no complete solution to the spam problem. Each platform faces trade-offs between incorrectly rejecting legitimate emails and effectively blocking all spam.

How can we prevent this?

There are many factors at play when it comes to email security and maintaining a safe Google Workspace environment. We guide our customers to consider the following aspects when they encounter issues:

  • Authentication Reputation: Is SPF, DKIM, or DMARC implemented correctly? Are all sending IPs included on the SPF record? Check your domain with this Google tool.
  • IP Reputation: Has the IP been listed on an RBL? Are you using SMTP relay when sending from a third-party tool? Is it configured properly in the Google Admin console and in the third-party tool?
  • Domain Reputation: Has this domain been recognized as a spammer? Have you checked if the site appears on the Safe Browsing transparency report?
  • User Reputation: Has the user been sending bulk spam messages? Are they marking received messages as spam?
  • Environment Setup: How is authentication configured within the environment?
  • Message Content and Format: Does the message contain numerous links? Is it compliant with RFC 5322? Does it follow the recommendations of the bulk sender guidelines?

By addressing these questions, you can enhance your email security and reduce the likelihood of encountering spam.

SPF (Sender Policy Framework)

SPF (Sender Policy Framework) is a TXT record added to the sender's DNS that identifies which mail servers are permitted to send email on behalf of your domain.

It works as follows. When someone sends an email from your domain, the receiving mail server looks at the domain's DNS settings to see whether the server sending the message is authorised to send on behalf of this domain. If that is not the case, the SPF check fails and the message is marked 🚩 as SPAM. The result is added to the message header as Received-SPF: fail / neutral / pass.

If the third-party sender is not in the SPF record of the domain, the message will be marked as SPAM.

Basic Google Workspace SPF record

The most basic SPF record that has to be in the DNS of the domain is the following: v=spf1 include:_spf.google.com ~all. If there is already an SPF record in the DNS of the domain, you only have to add include:_spf.google.com to it.

An SPF record is made up of the following parts:

v=spf1
Indicates the version of SPF to use. Only spf1 currently exists.

include:_spf.google.com
The SPF record inherits all of Google’s IP addresses. This can also be A, MX, IP4.

The end of the SPF record determines what happens to mail from hosts that are not listed in it: you can let all messages Pass, let them Fail, be relaxed with a SoftFail, or, if you don’t care, have no opinion about it (Neutral).

| Mechanism | Result | Explanation | Action |
| --- | --- | --- | --- |
| + | Pass | The SPF record designates the host to be allowed to send | Accept |
| - | Fail | The SPF record has designated the host as NOT being allowed to send | Reject |
| ~ | SoftFail | The SPF record has designated the host as NOT being allowed to send | Accept & Tag |
| ? | Neutral | The SPF record specifies explicitly that nothing can be said about validity | Accept |

If you don’t have an SPF record yet and want to authorise, for example, both Google Workspace and your printer, you can add the following SPF record: v=spf1 ip4:0.0.0.0 include:_spf.google.com ~all. The IP4 address is the address the printer sends from; if this is an office building, the IP address of the office building has to be added. More information about this here.

We recommend that SPF records use no more than 10 DNS lookups, because otherwise the check will fail with some recipients. This is not a Google limitation but rather an SPF standard limit. You can use, for example, Kitterman to check whether your SPF records are correct.
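An added example (not from the original article) that audits the 10-lookup limit described above: it follows include and redirect chains and counts every term that costs a DNS query. The function names are hypothetical, and ZONE is constructed sample data standing in for live DNS, not the real contents of any domain's records.

```python
import re

LIMIT = 10
# Terms that cost a DNS query during SPF evaluation; ip4, ip6 and all do not.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed TXT data standing in for live DNS (not any domain's real records).
ZONE = {
    "domain.com": "v=spf1 ip4:192.0.2.10 include:_spf.google.com ~all",
    "_spf.google.com": "v=spf1 include:_nb1.example include:_nb2.example include:_nb3.example ~all",
    "_nb1.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_nb2.example": "v=spf1 ip4:203.0.113.0/24 ~all",
    "_nb3.example": "v=spf1 ip6:2001:db8::/32 ~all",
    "bloated.example": "v=spf1 a mx ptr include:_spf.google.com include:_nb1.example "
                       "include:_nb2.example include:_nb3.example exists:%{i}.bl.example -all",
}

def parse_terms(record):
    """Split an SPF record into (qualifier, name, value) triples."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    terms = []
    for part in parts[1:]:
        qual, body = (part[0], part[1:]) if part[0] in QUALIFIERS else ("+", part)
        match = re.fullmatch(r"([A-Za-z0-9]+)(?:[:=/](.*))?", body)
        if not match:
            raise ValueError(f"malformed term: {part}")
        terms.append((qual, match.group(1).lower(), match.group(2)))
    return terms

def count_lookups(domain, zone, path=frozenset()):
    """Count DNS-querying terms reachable from domain, following includes."""
    if domain in path:
        raise ValueError(f"include loop at {domain}")
    if domain not in zone:
        raise ValueError(f"no SPF record for {domain}")
    total = 0
    for _qual, name, value in parse_terms(zone[domain]):
        total += name in LOOKUP_TERMS
        if name in ("include", "redirect"):
            total += count_lookups(value, zone, path | {domain})
    return total

def audit(domain, zone):
    """Return the lookup count, limit status and the result of the 'all' term."""
    default = next((QUALIFIERS[q] for q, n, _ in parse_terms(zone[domain]) if n == "all"), "neutral")
    lookups = count_lookups(domain, zone)
    return {"lookups": lookups, "over_limit": lookups > LIMIT, "default": default}

print(audit("domain.com", ZONE), audit("bloated.example", ZONE))
```

Against a live domain, ZONE would be filled from real TXT lookups; nested includes are what usually push a record over the limit without the top-level record looking long.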

DKIM (DomainKeys Identified Mail)

DKIM (DomainKeys Identified Mail) is a digital cryptographic signature that is added to outgoing message headers in order to prevent spoofing. This is done by generating a private domain key to sign outgoing mail headers and by adding the matching public key to your DNS.

The recipient then uses the public key to verify the signature in the incoming header and confirm that the message is indeed coming from your domain.

This record is created by entering google._domainkey@domain.com followed by the public key generated in the Google Admin console.

You can generate a DKIM key in the Workspace admin panel by going to the following link.

DMARC (Domain-based Message Authentication)

DMARC (Domain-based Message Authentication, Reporting & Conformance) is a technical specification to help reduce the potential for email-based abuse. DMARC standardizes how email receivers perform email authentication using the SPF and DKIM mechanisms.

The way it works is to help email receivers determine if the message “aligns” with what the receiver knows about the sender. As such, in order for that to work, the domain needs to have a published SPF and DKIM.

Understanding DMARC

DMARC is a TXT-based record added to the DNS of the domain. Most of the time this is done in the subdomain dmarc.domain.com, but it can also be added to the root of the domain. The record has to point to a value such as:

“v=DMARC1; p=none; rua=mailto:postmaster@domain.com”

Here, postmaster is the recipient of the reports that are sent by other mail servers.

Syntax used to create a DMARC record.

| Tag Name | Required | Purpose | Sample |
| --- | --- | --- | --- |
| v | required | Protocol version | v=DMARC1 |
| p | required | Policy for domain | p=quarantine |
| pct | optional | % of messages subjected to filtering | pct=20 |
| rua | optional | Reporting URI of aggregate reports | rua=mailto:aggrep@example.com |
| sp | optional | Policy for subdomains of the domain | sp=reject |
| aspf | optional | Alignment mode for the SPF | aspf=r |

How DMARC authenticates

DMARC verdicts depend on SPF and DKIM for the sender in the ‘From:’ header only.

If the ‘From:’ header and the envelope sender have the same domain then DMARC depends on the combination of both SPF and DKIM.

From: Header = domain.com
Envelope Sender = domain.com

| SPF | DKIM | DMARC |
| --- | --- | --- |
| Pass | Pass | Pass |
| Pass | Fail | Pass |
| Fail | Pass | Pass |
| Fail | Fail | Fail |

If the From: header and the envelope sender have different domains, then the SPF verdict is irrelevant and DMARC depends entirely on the DKIM verdict.

From: Header = domain.com
Envelope Sender = thirdparty.com

| SPF | DKIM | DMARC |
| --- | --- | --- |
| Pass (for thirdparty.com) | Pass (for domain.com) | Pass |
| Pass (for thirdparty.com) | Fail (all signatures must fail) | Fail |
| Fail | Pass (for domain.com) | Pass |
| Fail | Fail (all signatures must fail) | Fail |
| Pass (for thirdparty.com) | Pass (passes for thirdparty.com and not for domain) | Fail |

DMARC samples

“v=DMARC1; p=none; rua=mailto:postmaster@domain.com”
In this TXT record, if a message claims to be from your domain.com and fails the DMARC checks, no action is taken. Instead, all of these messages appear on the daily aggregate report sent to “postmaster@domain.com.”

“v=DMARC1; p=quarantine; pct=10; rua=mailto:postmaster@domain.com”
In this TXT record, if a message claims to be from your domain.com and fails the DMARC checks, it is quarantined 10% of the time. Then email daily aggregate reports to “postmaster@domain.com.”

“v=DMARC1; p=reject; rua=mailto:postmaster@domain.com, mailto:dmarc@domain.com”
In this TXT record, if a message claims to be from “your_domain.com” and fails the DMARC checks, it is rejected 100% of the time. Then email daily aggregate reports to “postmaster@domain.com” and “dmarc@domain.com.”
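The verdict tables and sample records above, worked through as an added example (not code from the original article): it parses a DMARC record, decides pass or fail from the SPF and DKIM results plus their alignment with the From: domain, and applies the policy with pct. Function names are hypothetical; relaxed alignment is simplified to an equal-or-subdomain check, adkim (the DKIM counterpart of aspf) is not listed on the page, and roll stands in for the receiver's random sampling.

```python
POLICIES = ("none", "quarantine", "reject")

def parse_dmarc(record):
    """Parse a DMARC TXT value into a dict of tags; v and p are required."""
    tags = {}
    for item in record.strip('"“” ').split(";"):
        key, sep, value = item.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in POLICIES:
        raise ValueError("not a valid DMARC record")
    return tags

def aligned(from_domain, auth_domain, strict=False):
    """Strict: exact match. Relaxed: simplified to equal-or-subdomain
    (assumption; real receivers compare organizational domains)."""
    a, b = from_domain.lower(), auth_domain.lower()
    if a == b:
        return True
    return not strict and (a.endswith("." + b) or b.endswith("." + a))

def dmarc_verdict(from_domain, spf_result, envelope_domain, dkim_sigs, tags):
    """dkim_sigs: list of (result, d= domain), one pair per DKIM signature."""
    spf_ok = spf_result == "pass" and aligned(
        from_domain, envelope_domain, tags.get("aspf") == "s")
    dkim_ok = any(result == "pass" and aligned(from_domain, d, tags.get("adkim") == "s")
                  for result, d in dkim_sigs)
    return "pass" if spf_ok or dkim_ok else "fail"

def disposition(verdict, tags, roll):
    """Action the receiver takes; roll (0-99) stands in for its pct sampling."""
    if verdict == "pass":
        return "deliver"
    policy = tags["p"]
    if roll >= int(tags.get("pct", "100")):
        # Messages outside the pct sample get the next lower policy.
        policy = POLICIES[max(POLICIES.index(policy) - 1, 0)]
    return policy

# Constructed inputs mirroring the page's second sample record and the last
# table row: SPF and DKIM both pass, but only for thirdparty.com.
TAGS = parse_dmarc("“v=DMARC1; p=quarantine; pct=10; rua=mailto:postmaster@domain.com”")
SPOOFED = dmarc_verdict("domain.com", "pass", "thirdparty.com",
                        [("pass", "thirdparty.com")], TAGS)
print(SPOOFED, disposition(SPOOFED, TAGS, roll=5))
```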

Google Workspace options

In Google Workspace there are different options to prevent SPAM and Spoofing. If you log in to the admin panel, you can go to Apps → Google Workspace → Gmail → Safety.

Here you can find different options for Google Workspace to prevent SPAM and Spoofing. It’s possible to apply these to a specific OU.

Attachments
Attachments are a common vector for malware and phishing attacks. Enhanced protection mechanisms scrutinize every attachment from untrusted sources, flagging or blocking those uncommon for your domain.

Link and Image Scanning
Cyber threats often lurk behind innocent-looking links or embedded images. Advanced security settings are designed to unveil the true nature of shortened URLs, scanning linked images for malicious content. 

Spoofing and Authentication
Email spoofing damages more than just your digital security; it undermines trust. Protect your domain and your team from impersonators by enforcing strict authentication measures. Unauthenticated emails are clearly marked, alerting recipients to tread with caution. 

Warning Banners 
Despite other spam filter settings, warning banners in Gmail will alert users to potential threats, unless explicitly disabled.

Spoofing and authentication settings and actions

Protect against domain spoofing based on similar domain names

Protect against incoming messages from domains that appear visually similar to your company’s domains or domain aliases. 

  • Keep email in inbox and show warning (Default)

  • Move email to spam

  • Quarantine

Protect against spoofing of employee names

Protect against messages where the sender’s name is a name in your Google Workspace directory, but the email isn’t from your company domain or domain aliases.

  • Keep email in inbox and show warning (Default)

  • Move email to spam

  • Quarantine

Protect against inbound emails spoofing your domain

Protect against potential Business Email Compromise (BEC) messages not authenticated with either SPF or DKIM, pretending to be from your domain. 

  • Keep email in inbox and show warning (Default)

  • Move email to spam

  • Quarantine

Protect against any unauthenticated emails

Protects against messages that are not authenticated. Messages must be authenticated (by any domain) with either SPF or DKIM (or both).

  • Keep email in inbox and show warning (Default)
  • Move email to spam

  • Quarantine

Protect Groups from inbound emails spoofing your domain

Protect your Google Groups from inbound emails spoofing your domain. You can apply this setting to all groups or to private groups only.

  • Keep email in inbox and show warning (Default)

  • Move email to spam

  • Quarantine