Gmail Email Authentication


https://youtu.be/8V2nfKLzc84

What is spoofing?

Spoofed messages are often used for malicious purposes, for example, to communicate false information or to send harmful software. Spoofed messages are also used for phishing, a scam that tricks people into entering sensitive information like usernames, passwords, or credit card data. Spoofing can have a lasting effect on your organization’s reputation and impacts the trust of your users and customers.

Sometimes spammers forge messages so that they appear to come from well-known or legitimate organizations. If spammers use your organization’s name to send fake messages, people who get these messages might report them as spam. If many people report these messages as spam, legitimate messages from your organization might also be marked as spam.

What is SPF?

SPF is a standard email authentication method. SPF helps protect your domain against spoofing and helps prevent your outgoing messages from being marked as spam by receiving servers. SPF specifies the mail servers that are allowed to send email for your domain. Receiving mail servers use SPF to verify that incoming messages that appear to come from your domain were sent by servers authorized by you.

Without SPF, messages sent from your organization or domain are more likely to be marked as spam by receiving mail servers.

Email authentication requirements for sending to Gmail accounts

Google performs random checks on messages sent to personal Gmail accounts to verify that they are authenticated. To help ensure messages sent to personal Gmail accounts are delivered as expected, you should set up either SPF or DKIM for your domain.

Add your SPF record to your domain provider

What is DKIM?

DomainKeys Identified Mail (DKIM) anti-forgery protection
DKIM is a security check that makes sure email messages aren't changed between the time the email is sent and the time the recipient receives it. Emails are less likely to be labeled as spam when they pass DKIM checks.
Enabling DKIM authentication is not required but is recommended. LuxSci Secure Connector supports DKIM authentication for optimal email delivery.

Recent Gmail Changes

Google has begun checking for DKIM authentication to make sure your email really comes from where it claims to.
To learn more about DKIM and the Gmail changes that help prevent spoofing, phishing, and spam, check out the Google help article Help prevent spoofing and spam with DKIM.

Google Workspace uses 3 email standards to help prevent spoofing and phishing of your organization’s Gmail. These standards also help ensure your outgoing messages aren’t marked as spam. We recommend that Workspace administrators always set up these email standards for Gmail:
  • SPF: Specifies the servers and domains that are authorized to send emails on behalf of your organization.
  • DKIM: Adds a digital signature to every outgoing message, which lets receiving servers verify the message actually came from your organization.
  • DMARC: Lets you tell receiving servers what to do with outgoing messages from your organization that don’t pass SPF or DKIM.


Why Do I Need to Set Up DKIM?

Google and other services may bounce your email messages or put them in spam folders if you do not have a DKIM record set up. As of April 2022, Google Workspace users have reported a recent increase in bounced email messages and emails being sent to spam folders.

How do SPF and DKIM help?

  • Helps prevent spoofing
  • Helps deliver messages to recipients' inboxes

What is DMARC?


DMARC is a  standard email authentication method.  DMARC helps mail administrators prevent hackers and other attackers from spoofing their organization and domain. Spoofing is a type of attack in which the From address of an email message is forged. A spoofed message appears to be from the impersonated organization or domain.

DMARC also lets you request reports from email servers that get messages from your organization or domain. These reports have information to help you identify possible authentication issues and malicious activity for messages sent from your domain.

How DMARC prevents spoofing & phishing

Spammers can spoof your domain or organization to send fake messages that impersonate your organization. DMARC tells receiving mail servers what to do when they get a message that appears to be from your organization but doesn't pass authentication checks or doesn’t meet the authentication requirements in your DMARC policy record. Messages that aren't authenticated might be impersonating your organization or might be sent from unauthorized servers.

DMARC is always used with these two email authentication methods or checks:
  • Sender Policy Framework (SPF) lets the domain owner authorize IP addresses that are allowed to send email for the domain. Receiving servers can verify that messages appearing to come from a specific domain are sent from servers allowed by the domain owner.
  • Domain Keys Identified Mail (DKIM) adds a digital signature to every sent message. Receiving servers use the signature to verify messages are authentic, and weren't forged or changed during transit.
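To make the DMARC decision above concrete (and the three-standard summary earlier on this page), here is an added example that is not part of this page or of Google's or LuxSci's code. It parses a constructed DMARC TXT record, checks whether the SPF and DKIM results a receiver already computed are aligned with the From: domain (relaxed or strict mode, as in RFC 7489), and returns the disposition the domain owner's policy requests. The organizational-domain helper is a deliberate simplification (last two labels, no public-suffix list) and the sample domains are made up.

```python
"""Minimal DMARC policy evaluation over constructed inputs (illustrative only)."""


def parse_dmarc(txt):
    """Turn 'v=DMARC1; p=reject; adkim=s' into a dict of lower-cased tag names."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def org_domain(domain):
    """Simplified organizational domain: the last two labels (no public-suffix list)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(header_domain, auth_domain, mode):
    """Identifier alignment: 's' needs an exact match, 'r' the same organizational domain."""
    if not auth_domain:
        return False
    h, a = header_domain.lower(), auth_domain.lower()
    return h == a if mode == "s" else org_domain(h) == org_domain(a)


def dmarc_disposition(record, from_domain, spf_pass, spf_domain, dkim_pass, dkim_domain):
    """Return 'pass', or the p= policy (none/quarantine/reject) when nothing aligns.

    spf_domain is the MAIL FROM domain SPF authenticated; dkim_domain is the d= tag
    of a DKIM signature that verified. Either one passing *and* aligning is enough.
    """
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return tags.get("p", "none")  # what the domain owner asked receivers to do


if __name__ == "__main__":
    # Constructed record: strict SPF alignment, relaxed DKIM alignment, quarantine policy.
    record = "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; aspf=s"
    # Legitimate mail: SPF passed for a bounce subdomain (fails strict alignment),
    # but the DKIM signature is for example.com itself, so the message passes.
    print(dmarc_disposition(record, "example.com", True, "bounce.example.com", True, "example.com"))
    # Forged From: header: SPF passed only for an unrelated domain, no DKIM -> quarantine.
    print(dmarc_disposition(record, "example.com", True, "unrelated.invalid", False, None))
```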

How does DMARC help?

It prevents spoofing & phishing

Do SPF, DKIM, and DMARC Encrypt my Emails?

No. None of SPF, DKIM, or DMARC encrypts your emails. All three are email authentication protocols that help prevent your emails from being flagged as spam.

How do I make Gmail HIPAA Compliant?

Gmail does not have native HIPAA compliance. However, the Google Workspace BAA meets the requirements for HIPAA compliance for your data at rest. This means that any data stored within your core applications will be secure and covered under the BAA. However, please note that any data that leaves your account, also known as "data in transit," is not covered under the BAA. This includes emails sent from Gmail.

You will need a third-party add-on to encrypt your Gmail and Calendar invites. At Flourish Health, we recommend LuxSci's Secure Connector. The Secure Connector works seamlessly with Gmail and Google Calendar, automatically encrypting emails while adding no additional steps for the sender or receiver. LuxSci advocates for small healthcare businesses and private practices, and has made its technology available at reduced pricing through its partnership with Flourish Health.