Recently there is high growth in cyber attacks, companies like Sony, Samsung and TCS and even USA Government are the major victims. Here is an attempt to give you basic information about how to secure your outgoing emails from phishing and spoofing using simple techniques like creating DKIM and SPF records.
What is an DKIM record?
Google Apps facilitates you to include a digital signature in header of the mails which are being sent from your domain, this will allow the receivers of your mail to confirm whether the message has been truly sent from your domain without any modifications in between after verifying the domain signature.
This Google Apps digital signature complies to all the standards set by DomainKeys Identified Mail (DKIM), before adding this signature to any outgoing mail it is essential that you generate a domain key which will be utilized by Google Apps to produce encrypted mail headers which are distinctive to your domain. Further, the mail recipients can also check on the source of mails by extracting the public key which has been updated by you in the DNS records for your domain.
If your domain already has a DMIK domain key, then another key has to be produced to use with Google Apps and the domain key for Google apps can be differentiated from other keys through selector prefix.
To enable the facility of adding DKIM signature to any outgoing mail:
1) Generate your domain key
2) Include public domain in DNS records of your domain
3) Turn on the validation
If there are number of domains related to your Google Apps accounts, each of the above specified steps have to used for each and every domain.
There are certain mail gateways like Postini which often modifies the mail by including a footer, which cancels the DKIM signature, you have to take care to stop the gateway server from changing the messages or switching off the DKIM authentication.
What does SPF record mean?
It is highly recommended to have SPF (Sender Policy Framework) record for your domain, which is a type of DNS record that categorizes the mail servers which are allowed to send mail in the interest of your domain.
The main idea of SPF record for your domain is to prevent the spammers from sending mails with fake from addresses on the domains. For the recipients to know if the message which is claiming to be from your domain through legal mail server, they simply have to refer to these SPF records.
If you create an SPF record for your domain where certain mail servers is given as authorized mail server for your domain. The recipient after receiving the mail from your domain, can verify with your domain SPF record to see if the message is valid which will be true only if the message is sent from a server that has been authorized mail server for your domain and if the mail is from any other server it will be immediately rejected considering it spam by the recipient’s mail server.
How to add DKIM and SPF records in DNS settings?
To generate domain key:
1) Login to the control panel of Google Apps Administrator
2) Click on “Advanced Tools” from the menu on top of the page
3) Select “Set up email authentication (DKIM)” from the Authenticate email section
4) Choose the domain name from drop down list for which the domain key has to be generated.
5) Select “Generate new record”
6) Fill in the text that has to be used as DKIM selector prefix which is google by default that can be modified based on the user’s choice.
7) Click Generate
Information will be displayed in the text box that will be useful to create DNS records to allow the recipients extract public domain key.
Adding Domain Key generated to DNS records for your domain:
1) Login to the administrator console which is given by your domain provider
2) Find the page from which DNS records can be updated
3) Use the name and value from Google apps control panel to create TXT record ,the information can be found in the authenticate email page from control panel of Google Apps.
4) Save the changes.
Creating SPF record for domain:
1) Login to your domain’s administrative console
2) Search for the page from where the DNS records can be updated for which you will need to allow advanced settings.
3) Use this text: v=spf1 include:_spf.google.com ~all to create a .txt record
SPF record which use –all instead of ~all may give problems related to mail delivery.
4) Save the changes
For all the changes done to DNS records may take at least 48 hours to circulate through the internet.