Step-by-step instructions for implementing critical security controls
If you only have time for three things, do these first:
These three controls prevent 99% of successful attacks.
Two-factor authentication (2FA): makes your accounts 99.9% more secure
Download one of these apps to your smartphone:
• Google Authenticator (simple, reliable)
• Microsoft Authenticator (cross-platform sync)
• Authy (multi-device support, backups)
• 1Password (if you use 1Password for passwords)
When you enable 2FA, you'll receive backup codes
Print them or save them in a secure location
Use them if you lose your phone
Never screenshot or email backup codes
Enable 2FA on banking and financial accounts first (highest priority)
Social media accounts
Cloud storage (Dropbox, iCloud, Google Drive)
Work email and collaboration tools
Shopping sites with saved payment info
Password manager: enables unique, strong passwords for every account
Recommended options:
• 1Password - $3-5/month, excellent UX, family plans
• Bitwarden - Free or $10/year, open-source
• LastPass - Free basic, $3/month premium
• Dashlane - $5/month, includes VPN and dark web monitoring
Download app for your device (desktop + mobile)
Install browser extension
Create an account with a VERY strong master password
This is the only password you'll need to remember
Make it 20+ characters: a passphrase or a random string
Example of the format: 'CorrectHorseBatteryStaple!2024' (this one is widely published, so do not reuse it; pick your own words)
This is critical - your password vault needs 2FA
Use authenticator app (not SMS)
Or a hardware key for maximum security
Save backup codes in secure physical location
Most managers can import from browsers
Chrome: chrome://settings/passwords → Export
Firefox: about:logins → ⋮ menu → Export
Safari: Passwords → ⋮ → Export Passwords
Import the CSV file into the password manager, then securely delete the CSV: it holds every password in plaintext
Change passwords starting with most critical accounts
Use password manager to generate random passwords
Recommended: 16-20 characters, all character types
Every account gets a unique password
Update stored passwords as you change them
Most password managers have security audit features
Check for: weak passwords, reused passwords, compromised passwords
Prioritize changing: Banking, email, work accounts
Set goal to change all reused passwords within 1 month
Email authentication (SPF, DKIM, DMARC): for domain owners, prevents email spoofing
SPF tells receiving servers which servers (IP addresses) are allowed to send mail for your domain
1. Identify all servers that send email for your domain:
• Your email server (Office 365, Google Workspace, etc.)
• Marketing platforms (Mailchimp, Constant Contact)
• Ticketing systems, CRMs, notification systems
2. Create SPF record in your DNS:
• Type: TXT
• Name: @ (or your domain)
• Value examples:
Office 365:
v=spf1 include:spf.protection.outlook.com -all
Google Workspace:
v=spf1 include:_spf.google.com -all
Multiple services:
v=spf1 include:_spf.google.com include:servers.mcsv.net -all
3. The '-all' at the end means FAIL if the sending server is not listed (strict)
4. Use '~all' for a soft fail during testing
5. Verify: dig TXT yourdomain.com
DKIM adds a digital signature to your outgoing emails
1. Generate DKIM keys in your email service:
Office 365:
• Admin Center → Exchange → Protection → DKIM
• Select your domain → Enable
• Copy the two CNAME records shown
Google Workspace:
• Admin Console → Apps → Google Workspace → Gmail
• Click 'Authenticate email'
• Generate new record → Copy CNAME details
2. Add DKIM CNAME records to your DNS:
• Type: CNAME
• Name: (provided by your email service)
• Value: (provided by your email service)
3. Wait 24-48 hours for DNS propagation
4. Return to email service and click 'Start Authentication'
DMARC tells receiving servers what to do if SPF/DKIM fail
1. Create DMARC record in DNS:
• Type: TXT
• Name: _dmarc
• Value (start with monitoring):
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
This means: Monitor only, send reports to dmarc@yourdomain.com
2. After 2-4 weeks of monitoring, increase policy:
v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@yourdomain.com
This means: Quarantine 50% of failing emails
3. Final strict policy:
v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com; ruf=mailto:forensics@yourdomain.com
This means: Reject all emails that fail authentication
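The SPF and DMARC records in the steps above can be sanity-checked before they go into DNS. This is an added example, not part of the original guide: it parses a record string, reports the SPF 'all' policy and DNS-lookup count (RFC 7208 caps lookup-type mechanisms at 10), and tells you which DMARC rollout stage a record represents. The sample records are constructed from the values in the guide; no DNS queries are made.

```python
import re

# Constructed sample records mirroring the guide's SPF and DMARC steps (no DNS lookups made).
SPF_STRICT = "v=spf1 include:_spf.google.com include:servers.mcsv.net -all"
SPF_TESTING = "v=spf1 include:spf.protection.outlook.com ~all"
DMARC_STAGES = [
    "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com",
    "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@yourdomain.com",
    "v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com; ruf=mailto:forensics@yourdomain.com",
]

ALL_MEANING = {"-": "fail (strict)", "~": "softfail (testing)",
               "?": "neutral (no protection)", "+": "pass (anyone may send)"}
# Mechanisms that cost a DNS query; RFC 7208 caps these at 10 per evaluation.
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def check_spf(record):
    """Summarise an SPF TXT record: its 'all' policy and its DNS-lookup budget."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: missing v=spf1")
    policy, lookups, includes = "none (no 'all' term, open)", 0, []
    for term in terms[1:]:
        m = re.fullmatch(r"([+\-~?]?)([a-z0-9]+)(?:[:=](\S+))?", term, re.I)
        if not m:
            raise ValueError(f"unparseable SPF term: {term}")
        qual, mech, arg = m.group(1) or "+", m.group(2).lower(), m.group(3)
        if mech == "all":
            policy = ALL_MEANING[qual]
        elif mech in LOOKUP_MECHS:
            lookups += 1
            if mech == "include":
                includes.append(arg)
    return {"policy": policy, "includes": includes, "lookups": lookups,
            "too_many_lookups": lookups > 10}

def check_dmarc(record):
    """Parse a DMARC TXT record into tags and report which rollout stage it is at."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in {"none", "quarantine", "reject"}:
        raise ValueError("invalid DMARC record: needs v=DMARC1 and p=none|quarantine|reject")
    pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    stage = {"none": "monitoring", "quarantine": "partial enforcement",
             "reject": "full enforcement"}[tags["p"]]
    if tags["p"] != "none" and pct < 100:
        stage += f" ({pct}% of failing mail)"
    return {"p": tags["p"], "pct": pct, "rua": tags.get("rua"), "ruf": tags.get("ruf"), "stage": stage}
```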
You'll receive daily XML reports at the rua= address
Use a DMARC report analyzer:
• dmarcian.com (paid, excellent)
• Postmark DMARC Analytics (free tier)
• MXToolbox DMARC (free)
Reports show:
• Who's sending email from your domain
• Which emails are passing/failing
• Potential spoofing attempts
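If you want to see what the analyzers above do with the rua= reports, here is an added example (not from the original guide) that rolls up a DMARC aggregate report by sending IP. The report is a constructed sample in the RFC 7489 XML layout, with documentation-range IP addresses; a source counts as passing DMARC when either the DKIM or the SPF result in policy_evaluated is 'pass'.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed aggregate (rua) report in the RFC 7489 XML layout; IPs are documentation-range values.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>example-receiver.net</org_name><report_id>2024-001</report_id></report_metadata>
  <policy_published><domain>yourdomain.com</domain><p>none</p><pct>100</pct></policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>15</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
  </record>
</feedback>"""

def summarize_report(xml_text):
    """Roll up a DMARC aggregate report by source IP; DMARC passes if DKIM or SPF is aligned."""
    # Reports arrive from third parties: in production parse them with defusedxml, not plain ElementTree.
    root = ET.fromstring(xml_text)
    domain = root.findtext("policy_published/domain")
    policy = root.findtext("policy_published/p")
    per_ip = defaultdict(lambda: {"pass": 0, "fail": 0})
    for rec in root.iter("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count", "0"))
        dkim = rec.findtext("row/policy_evaluated/dkim")
        spf = rec.findtext("row/policy_evaluated/spf")
        per_ip[ip]["pass" if "pass" in (dkim, spf) else "fail"] += count
    total = sum(v["pass"] + v["fail"] for v in per_ip.values())
    # Unauthenticated senders, largest first: each is either a service you forgot to list or a spoofer.
    failing = sorted((ip for ip, v in per_ip.items() if v["fail"]), key=lambda ip: -per_ip[ip]["fail"])
    return {"domain": domain, "policy": policy, "total": total,
            "per_ip": dict(per_ip), "failing_sources": failing}

if __name__ == "__main__":
    s = summarize_report(SAMPLE_REPORT)
    print(f"{s['domain']} p={s['policy']}: {s['total']} messages reported")
    for ip in s["failing_sources"]:
        print(f"  unauthenticated source {ip}: {s['per_ip'][ip]['fail']} messages, authorise or investigate")
```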
Send test email to: check-auth@verifier.port25.com
You'll receive automated report on SPF/DKIM/DMARC status
Or use online tools:
• MXToolbox.com → DMARC Lookup
• DMARCian → Domain Checker
• Google Admin Toolbox → Check MX
Advanced Gmail security settings
See the 2FA guide above for detailed steps
Gmail 2FA is your #1 security priority
Go to myaccount.google.com → Security → Third-party apps with account access
Remove any apps you don't recognize or no longer use
Each app is a potential security risk
Go to myaccount.google.com → Security → Your devices
Sign out of devices you don't recognize
Look for unusual locations or device types
Google Advanced Protection Program: for journalists, activists, executives, political figures
Go to landing.google.com/advancedprotection
Requires two hardware security keys (YubiKey)
Strongest Google account protection available
Gmail Settings → Filters and Blocked Addresses → Create a new filter
Useful filters:
• Block emails with 'urgent' + 'verify account' → Delete
• External emails from CEO names → Label 'VERIFY'
• Emails with 'suspended' + 'account' → Mark as spam
Gmail Settings → General → Images
Select 'Ask before displaying external images'
Prevents tracking pixels and malicious images
Trade-off: less convenient, more secure
Mobile device security essentials
iPhone: Settings → Face ID & Passcode (or Touch ID)
• Use a 6+ digit passcode (not 4)
• Or alphanumeric passcode for maximum security
• Enable Face ID or Touch ID
• Require the passcode immediately
Android: Settings → Security → Screen lock
• Use PIN (6+ digits) or password
• Enable fingerprint
• Lock immediately when screen turns off
iPhone: Settings → [Your Name] → Find My → Find My iPhone → ON
• Also enable 'Send Last Location'
Android: Settings → Security → Find My Device → ON
• Or google.com/android/find
iPhone: Settings → General → Software Update → Automatic Updates → ON
Android: Settings → System → System Update → Automatic
Also: Enable auto-updates for apps in App Store / Play Store
iPhone: Settings → Privacy → [Each permission type]
Android: Settings → Apps → Permission manager
Remove unnecessary permissions:
• Why does a flashlight app need location?
• Why does a game need contacts?
• Be especially cautious with: Location, Contacts, Microphone, Camera
Android is more vulnerable to malware than iOS
Install: Malwarebytes, Bitdefender, or Norton
Run regular scans
iPhone: Built-in security is usually sufficient
iPhone: Enabled by default when you set a passcode
Android: Usually enabled by default on modern phones
• Check: Settings → Security → Encryption
• Should say 'Encrypted'