How to Control Spam within G Suite Email with SPF and DKIM

In the last couple of weeks, we have received a number of requests and complaints from our G Suite Customers that they have sent emails that have been “rejected” or “blocked” but the recipient. What could go wrong when they are on G Suite they asked? Did we not “leave this blocking” problem in our legacy systems? They ask genuinely annoyed and shocked at the same time.

What Could it be?

Most Likely the recipient has implemented email security checks that reject the incoming email from your G Suite because “it thinks/suspect” you domain is a spammy one or an attempt to spoof users. But why?

“ 553-Message filtered: This error indicates that your email was blocked as spam by our Signature anti-spam filters: Source; https://support.symantec.com/us/en/article.tech246726.html#553-filtered

Well, I always ask or check if they/we had deployed SPF/DKIM on their DNS Control. What is SPF and what does it matter if you ask? The Simple Answer: Spam Classification.

SPF: Sender Policy Framework

SPF is a DNS record added as TXT into a domain’s DNS that identifies which mail servers, domains, IPs and MX among others, are permitted to send email on behalf of your domain. Its purpose is to prevent spammers from sending emails with forged From addresses at your domain.

What is Email Spam: SPAM is an undesirable electronic mail designed to trick a recipient to act on it by impersonation and social engineering for the purpose of marketing, monetary gain, identity theft or malware dissemination.

Spam Factors;

  • Authentication Reputation: Is SPF, DKIM or DMARC added? Is it correct? Are all the sending IPs on the SPF?
  • IP reputation: Has the IP been placed in a Realtime Blackhole List (RBL)? →a list of IP addresses whose owners refuse to stop the proliferation of spam. The RBL usually lists server IP addresses from ISPs whose customers are responsible for the spam and from ISPs whose servers are hijacked for spam relay.
  • Are you using SMTP relay when sending from a third-party tool? Is it configured properly in the Admin console and in the third-party tool
  • Domain Reputation: Has this domain being recognized as Spammer? Have you checked if the site appears on the Safe browsing transparency report?
  • User Reputation: Has the user been sending bulk Spam messages? Are they marking messages as Spam?
  • Environment setup: How is authentication defined for the environment?Open Relay?SSL
  • Message Content and format: Does it has lots of links? Is it RFC 5322 compliant? Does the message follow the recommendation of the Bulk Sender Guidelines?

Now You can see how, even despite being on G Suite/Cloud email, your domain could still end up being blocked/on the RBL List? Well let us see how to sort that our

How to Setup SPF for G Suite

 

  • The standard SPF record recommended by Google is:
v=spf1 include:_spf.google.com ~all

→ Uses simple plain G Suite to send email

  • If you have other systems that send emails on behalf of your domain/users such as CRM, ERPs, HRMs, Mass Mailings etc; You need to get their SPF records and add them to the Google SPF; otherwise those set of emails could end up being “blocked”. Here is an example:
v=spf1 include:md02.com include:_spf.google.com ~all include:zohocrm.com ~all include:zohoaccounts.com ~all include:servers.mcsv.net ?all 

→ Uses some 3rd party mass emailing systems as well as Zoho CRM/Accounts to send emails on its behalf

v=spf1 ip4:2.2.2.2 include:_spf.google.com ~all 

→Has Emails sent over an application/system on IP 2.2.2.2; Please note only IPv4 IP ranges are supported

Add SPF to your DNS Zone;

Log into your DNS Control/Cpanel or whatever you use. Add this record as you added the previous TXT record. Modify/Delete any existing SPF records. Only 1 SPF record is needed per 1domain

Record Type: TXTName: @Value: v=spf1 include:_spf.google.com ~allTTL:300 or (or Lower or what is allowed by your provider)

*Restrict your SPF not to have more than 10 DNS Lookups

DKIM: DomainKeys Identified Mail (DKIM) DKIM

DKIM is a digital cryptographic signature that is added to outgoing message headers in order to prevent spoofing. This is done by generating a private domain Key to encrypt outgoing mail headers and by adding a public key into your DNS.

What is Email spoofing: is the forgery of an email header so that the message appears to have originated from someone or somewhere other than the actual source. Email spoofing is a tactic used in phishing and spam campaigns because people are more likely to open an email when they think it has been sent by a legitimate source. One type of spear phishing used in business email compromises (BEC), involves spoofing emails from the CEO or someone senior to make instructions to suppliers or employees with the intention to defraud or misinform It is surprisingly very easy to spoof emails from legacy email servers; Read More about BEC Here:

How to Setup DKIM for G Suite

You can generate a domain key 24 hours after you create your G Suite account.You must be signed in as a super administrator for this task.

  1. In your Google Admin console (at admin.google.com)…
  2. Go to Apps > G Suite > Gmail.
  3. From Gmail, go to Authenticate email.
  4. Select the domain where you’ll use DKIM. You’ll generate a domain key for this domain.
  5. Your primary domain appears by default. To generate a domain key for a different domain, click the to select another domain.
  6. Click Generate new record.
Generate DKIM from Google Admin Console

Add DKIM to your DNS Zone;

Log into your DNS Control/Cpanel or whatever you use. Add this record as you added the previous TXT record. Modify/Delete any existing SPF records. Only 1 SPF record is needed per 1domain

Record Type: TXTName: google._domainkeyValue: *value from above*TTL:300 (or Lower or what is allowed by your provider)

Parting Shot

Largely, SPF and DKIM should stop the Email Blockage and Spam Classification. For more watertight integration, the following could be explored:

  1. Deploy DMARC: will direct what should be done to the received message based on the published SPF and DKIM and will enforce the policies you have set based on the aforementioned mechanisms.

2. Explore and Deploy More Google Admin Controls such as:

Copyright ©2019 Pawa IT - Powering businesses through technology, Your preferred Cloud solutions provider| Privacy Policy