I have personally received several phishing emails in the past month. Email security is an essential task you should take seriously for your Google Workspace domain.

Today I’m going to summarize three terms you should know: DKIM, SPF, and DMARC.

I was a little overwhelmed when I first learned about these protocols. The good news is that they are pretty easy to set up and don’t require a lot of ongoing maintenance.

DKIM (DomainKeys Identified Mail) – A DKIM record helps prevent email spoofing by checking a cryptographic signature embedded in each outgoing email against the matching public key that is published in your domain’s DNS. If the email actually originated from your domain, it will “pass” inspection. If it doesn’t match, it will be flagged as a suspicious message.

You can generate your unique DKIM key from the Google Admin console. This is a critical email security procedure.

SPF (Sender Policy Framework) – This record specifies the servers that can send email on your behalf. This prevents someone from using your email address to send spam. You most likely added Google’s mail servers as an authorized sender when you set up Gmail.

You can find Google’s SPF values here. You may need to add secondary SPF values for other systems that send email from your domain, such as PowerSchool, School Messenger, and QuickBooks.

DMARC (Domain-based Message Authentication, Reporting, and Conformance) – What happens if a message doesn’t pass a DKIM or SPF check? That’s exactly what DMARC decides! This is the instruction code that tells your email system to allow, reject, or quarantine messages that seem suspicious.

There are many free services that you can use to create a DMARC record. Your DMARC record can be simple or complex. Flagged messages can be sent to a managed inbox that you review and triage.

Tip: All three of these email security protocols need to be added at your domain registrar (GoDaddy, Namecheap, HostGator, etc.), NOT in the Google Admin console. Each of these protocols will be added as a TXT record. The specific steps for updating your domain records will vary from host to host.

Check your email security…
You can use a free tool called dmarcian to check your domain for all three policies. If you need an extra hand, email security is one of the things that I check during my Google Admin Audit.
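
To show what a check of all three policies looks at, here is an added example (not from the original post and not dmarcian's code) that audits the three TXT records offline. The domain example.org, the record values in ZONE, and the function names are constructed for illustration; `google` is the default DKIM selector for Google Workspace.

```python
# Added example: offline audit of SPF, DKIM and DMARC TXT records.
# ZONE is constructed sample data for the placeholder domain example.org.
ZONE = {
    "example.org": ["v=spf1 include:_spf.google.com ~all",
                    "google-site-verification=constructed-token"],
    "google._domainkey.example.org": ["v=DKIM1; k=rsa; p=CONSTRUCTEDPUBLICKEY"],
    "_dmarc.example.org": ["v=DMARC1; p=none; rua=mailto:dmarc@example.org"],
}

def tags(record):
    """Split a 'k=v; k=v' record (DKIM/DMARC syntax) into a dict."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def audit(domain, zone, selector="google"):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    spf = [r for r in zone.get(domain, []) if r.lower().startswith("v=spf1")]
    if len(spf) != 1:  # receivers treat zero or multiple SPF records as an error
        findings.append(f"SPF: expected exactly one v=spf1 record, found {len(spf)}")
    else:
        terms = spf[0].lower().split()
        if "include:_spf.google.com" not in terms:
            findings.append("SPF: Google's mail servers are not authorized")
        if terms[-1] in ("+all", "all", "?all"):
            findings.append(f"SPF: '{terms[-1]}' does not restrict who can send")
        elif terms[-1] not in ("~all", "-all"):
            findings.append("SPF: record does not end with an 'all' mechanism")
    dkim = [tags(r) for r in zone.get(f"{selector}._domainkey.{domain}", [])]
    if not any(t.get("p") for t in dkim):  # an empty p= means a revoked key
        findings.append(f"DKIM: no public key published for selector '{selector}'")
    dmarc = [tags(r) for r in zone.get(f"_dmarc.{domain}", [])
             if r.lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        findings.append(f"DMARC: expected exactly one record, found {len(dmarc)}")
    else:
        policy = dmarc[0].get("p", "").lower()
        if policy not in ("none", "quarantine", "reject"):
            findings.append("DMARC: missing or invalid p= policy")
        elif policy == "none":
            findings.append("DMARC: p=none only monitors; failing mail is still delivered")
        if "rua" not in dmarc[0]:
            findings.append("DMARC: no rua= address, so no aggregate reports arrive")
    return findings

if __name__ == "__main__":
    for line in audit("example.org", ZONE):
        print(line)
```

To run it against your own domain, replace ZONE with the TXT values shown in your registrar's DNS panel.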

Additional resources:
- Generate your DKIM key
- Google Admin Toolbox (investigate mail issues)
- Setup SPF for Gmail
- Check your settings with dmarcian