Reducing spam for other people via SPF DMARC DKIM and Google Apps

So I own several domains that spammers like to forge, and I do not like that. Most of them are hosted on Google Apps. This is the short version of how to make most of the forged spam get properly discarded.

http://www.dkim.org/
http://www.openspf.org/
http://dmarc.org/overview.html

1. Generate the domain key for your domain
http://support.google.com/a/bin/answer.py?answer=174126

2. Add the public domain key to the DNS records for your domain, so that recipients can retrieve it to verify the DKIM signature in the header.
http://support.google.com/a/bin/answer.py?answer=173535
google._domainkey       3600 IN TXT   "v=DKIM1; k=rsa; p=MIGf...Really...Long...AQAB"

3. Turn on authentication to begin adding the DKIM header to outgoing mail messages.
http://support.google.com/a/bin/answer.py?answer=180504

4. Create an SPF record
http://support.google.com/a/bin/answer.py?hl=en&answer=33786
YourDomain.com.     3600 IN TXT   "v=spf1 include:_spf.google.com ~all"

5. Tell receivers that you sign all messages with DKIM and that they should discard anything that does not carry a signature.
_adsp._domainkey        3600 IN TXT   "dkim=discardable"

6. Publish your DMARC record.  Depending on how busy your domain is, you will need to adjust your reporting.
http://support.google.com/a/bin/answer.py?hl=en&answer=2466563
_dmarc                  3600 IN TXT   "v=DMARC1; p=reject; pct=100; rua=mailto:[email protected]; ruf=mailto:[email protected];"

Check it all out:
dig -t TXT _dmarc.gavinhollinger.com @ns1.5sn.com
dig -t TXT google._domainkey.gavinhollinger.com @ns2.5sn.com
dig -t TXT _adsp._domainkey.gavinhollinger.com
dig -t TXT gavinhollinger.com
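
An offline check of the TXT strings those dig queries should return, as an added example that is not part of the original post: it parses the records from steps 2, 4 and 6 and lists settings that weaken enforcement. The function names are illustrative and the rua address is a constructed placeholder, since the post's addresses are obfuscated.

```python
def parse_tags(txt):
    """Split a DKIM/ADSP/DMARC 'tag=value; tag=value' record into a dict."""
    tags = {}
    for part in txt.strip().strip('"').split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def spf_all_qualifier(txt):
    """Return the qualifier on the SPF 'all' mechanism, or None if absent."""
    terms = txt.strip().strip('"').split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    for term in terms[1:]:
        if term.lower().lstrip("+-~?") == "all":
            return term[0] if term[0] in "+-~?" else "+"
    return None

def audit(records):
    """Return a list of findings for a {record-kind: TXT string} mapping."""
    findings = []
    dkim = parse_tags(records.get("dkim", ""))
    if dkim.get("v") != "DKIM1" or not dkim.get("p"):
        findings.append("dkim: missing record or empty p= (empty p= means revoked key)")
    qualifier = spf_all_qualifier(records.get("spf", ""))
    if qualifier is None:
        findings.append("spf: no valid v=spf1 record with an 'all' mechanism")
    elif qualifier != "-":
        findings.append(f"spf: '{qualifier}all' does not hard-fail unlisted senders")
    dmarc = parse_tags(records.get("dmarc", ""))
    if dmarc.get("v") != "DMARC1":
        return findings + ["dmarc: missing or malformed record"]
    if dmarc.get("p") not in ("quarantine", "reject"):
        findings.append(f"dmarc: p={dmarc.get('p')} only monitors, nothing is blocked")
    if dmarc.get("pct", "100") != "100":
        findings.append("dmarc: pct is not 100, policy applies to a sample only")
    if "rua" not in dmarc:
        findings.append("dmarc: no rua=, aggregate reports are not collected")
    return findings

PUBLISHED = {  # values as shown in the post; the mail address is constructed
    "dkim": '"v=DKIM1; k=rsa; p=MIGf...Really...Long...AQAB"',
    "spf": '"v=spf1 include:_spf.google.com ~all"',
    "dmarc": '"v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com;"',
}

if __name__ == "__main__":
    print("\n".join(audit(PUBLISHED)) or "all checks passed")
```

With the records as published above, the only finding is the SPF softfail (~all); rejection of forged mail then rests on the DMARC p=reject policy.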

http://www.port25.com/support/authentication-center/email-verification/
Send an email to [email protected]
Wait for the response:
SPF check:          pass
DomainKeys check:   neutral
DKIM check:         pass
Sender-ID check:    pass
SpamAssassin check: ham
