略

CNAME记录，TXT记录，MX记录，SPF，DKIM和DMARC
还有NS记录，A记录等。

参考链接https://support.google.com/a/answer/140034

检查MX
工具URL为https://toolbox.googleapps.com/apps/checkmx/

点击报警会给出解决方法

You need to make a change to your MX records and you want the change to be implemented as soon as possible. What approach can you take?

1. Change your MX records in the admin console and reduce the Time to Live (TTL) value to one hour. Once the change has been implemented revert the TTL value to 24 hours
2. Make the change in your DNS console and reduce the Time to Live (TTL) value to 1 hour. Once the change has been implemented revert the TTL value to 24 hours
3. Change your MX records in the admin console and reduce the Time to Live (TTL) value to one hour
4. Make the change in your DNS console and reduce the Time to Live (TTL) value to 1 hour

Which type of DNS record determines where mail destined for your domain is routed?

1. MX Record
2. TXT Record
3. NS Record
4. CNAME Record

In general, from where would you manage your domain's DNS records?

1. All of the options here
2. In your local DNS files
3. In your domain registrar console
4. In the Google Workspace admin console

What are common uses for a DNS TXT record when using Google Workspace? (Choose 2)

1. Customise a Google service address
2. Control inbound mail to your domain
3. Domain verification
4. Email security records

3招，SPF，DKIM和DMARC
SPF: verify the domain you own
DKIM: prevent email spoofing on outbound message by adding an encrypted header
DMARC: tell email servers how to handle messages that fail SPF/DKIM checks

SPF，通过添加TXT记录到DNS中
Xserver中已经有一条记录了，现在在后面追加

include:_spf.google.com ~all

记录生效需要24小时左右
参考链接：https://support.google.com/a/answer/33786#zippy=%2Cspf-%E8%AE%B0%E5%BD%95%E7%A4%BA%E4%BE%8B

生成后长这个样子

生成的记录在Xserver的DNS DKIM记录中已经有了，一模一样。
参考链接：
https://support.google.com/a/answer/174124

这条TXT记录告诉收件邮箱服务器，如果判定Fail，如何操作，这里是通知管理员。

What is the main purpose of a Sender Policy Framework (SPF) record?

1. It specifies which servers/domains can send messages on your behalf
2. It can be used to verify that message content is authentic and has not changed
3. It defines the action to take on suspicious incoming messages

You have been asked to implement DomainKeys Identified Mail (DKIM) for your organization. How would you do this?

1. Enable DKIM from Apps > Google Workspace > Gmail > Authenticate email
2. Enable DKIM directly in your DNS records
3. Generate a key from your DNS records and add it to the Google Workspace admin console. Then Enable DKIM from Apps > Google Workspace > Gmail > Authenticate email
4. Generate a DKIM record from Apps > Google Workspace > Gmail > Authenticate email. Add the record to your DNS records and then start authentication from the admin console

What policy defines what to do if an incoming message is not authenticated?

1. SPF
2. DKIM
3. All of the options here
4. DMARC

DKIM adds an encrypted signature to the header of all outgoing messages. What happens if you don't turn on email signing with your own domain DKIM key?

1. Gmail signs all outgoing messages with a temporary key generated for your domain
2. Gmail signs all outgoing messages with this default DKIM domain key d=*.gappssmtp.com
3. Gmail signs all outgoing messages with a key generated using the From address in the message
4. Messages are sent as normal with no additional headers

对于未受信任的发件人的加密附件，处理方式是隔离。

对于外包人员，禁止他们的自动转发邮件到个人邮箱，并且禁止POP和IMAP，但那些开户GWS Sync的人例外。

现在Rules也会终止工作

The attachment section in the Gmail Safety settings page allows you to protect against malicious attachments. What actions can you perform on a suspicious attachment? (Choose 2)

1. Keep email in inbox without warning
2. Move email to spam
3. Send to a designated user
4. Keep email in inbox and show warning

You have enabled protection against anomalous attachment types in emails from the Gmail > Safety page but you are finding some emails with valid attachment types are not being delivered. How can you resolve this?

1. Ask each user to create an allowlist of allowable file types
2. Add an allowlist of allowable file types to the entry in the Attachments section on the Safety page
3. Have all messages that trigger this setting delivered to a quarantine and then release the messages manually
4. You cannot control what file types are considered anomalous so you must disable this protection to allow messages to be delivered

What are valid reasons for allowing per-user outbound gateways in your organization? (Choose 2)

1. An outbound gateway ensures that the same mail server delivers all messages from otherdomain and that server has a record that the mail has been sent
2. Mail delivery times are improved because messages bypass the Gmail servers
3. An outbound gateway can prevent the appearance of “on behalf of” addresses in the From field
4. Allows your users to send mail from their business and personal Gmail account from one inbox

Google recommends against the use of the Image URL proxy allowlist?

1. True
2. False

添加一个信任IP地址，虽然是信任，但如果从它发出来可疑邮件，仍然会被放入垃圾邮箱

从自己的邮箱发一封邮件给GWS管理员邮箱。
在Console中添加黑名单


参考链接：https://support.google.com/a/answer/2364632?hl=zh-Hans&sjid=16549908282098203174-AP

创建白名单
Gmail>Spam,Phishing and Malware>Spam

参考链接：https://support.google.com/a/answer/7380368