Nazaudy, a spark in your curious mind

How to configure DMARC record in your Google Workspace domain

In this article we explore how to configure the DMARC record in your Google Workspace domain. This applies to you if you have a small business that uses Google Workspace as its platform for email communication and you have not yet configured the DMARC record for your domain. Here are the points that I cover in this article:

  1. Determine if the DMARC record is missing
  2. Add the DKIM record
  3. Add the SPF record
  4. Add the DMARC record
  5. What are the DKIM, SPF and DMARC records?

 

1. Determine if the DMARC record is missing

Before configuring the DMARC record in your Google Workspace domain, we first need to confirm that the record is actually missing. You can easily notice this because some of the emails that you send out will bounce back to you with a "Mail Delivery Subsystem, Delivery Status Notification (Failure)" error message similar to this:

The response from the remote server was:
550 permanent failure for one or more recipients (<recipient address>:blocked)

Message blocked

You can confirm that your domain is indeed not configured with a DMARC record by using the MX Lookup Toolbox here: https://mxtoolbox.com/ and entering your domain in the toolbox. The result will most likely come out with the "DMARC record not found" error message.

DMARC record not found

 

You can analyse this further by pasting the "header" of the bounced emails into the Google Admin Toolbox, found at this link: https://toolbox.googleapps.com/apps/messageheader/analyzeheader. To access the "header" of an email, click on the 3 dots and choose "Show Original".

Google Admin Toolbox

Another way to test this issue is to look at the automatic emails that your Gmail account sends out when you are out of the office. You will notice that the messages contain a question mark, meaning that they have not been fully authenticated by your domain.

Email message not authenticated

 

 

2. Add the DKIM record

The first step in fixing this is to add the DKIM record to your domain. Check which records you currently have on your domain by visiting the Google Admin Toolbox again at this link: https://toolbox.googleapps.com/apps/checkmx/ and entering your domain in the search box.

If you don't have any SPF or DKIM records, as well as no DMARC record, you'll get this error message:

DKIM, SPF and DMARC records missing

 

Visit your G-Suite Console >> Gmail settings (https://admin.google.com/ac/appsettings/740348119625) and click on Authenticate email. Once you are in there, create a new record or copy into notepad the existing one. For this step we are basically following this other guide from Google: https://support.google.com/a/answer/180504?hl=en&ref_topic=2752442

 

Gmail DKIM Authentication

 

Now visit your WordPress or whichever other platform controls the DNS settings of your domain, and add a new TXT record containing the DKIM record that you previously created in Google Admin Workspace (formerly known as G-Suite). As you can see, the DKIM record is known as "google._domainkey".

 

Add DKIM record

 

3. Add the SPF record

For the SPF record we refer to this other guide: https://support.google.com/a/answer/33786?fl=1 that explains how to do it. Basically, you just need to add another TXT record in your WordPress console as described here: https://support.google.com/a/answer/10684623?fl=1

Because we are using Gmail to send mail, our SPF record text will be: 

v=spf1 include:_spf.google.com ~all

 

Add SPF record

 

4. Add the DMARC record

Finally, start by creating an alias or a new email address to receive email from the DMARC service, something like "<your DMARC reports address>", and then add a new TXT record in your WordPress console as follows. This will be the DMARC record, known as "_dmarc". Follow this guide to add the DMARC record: https://support.google.com/a/answer/2466563?hl=en

v=DMARC1; p=quarantine; rua=mailto:<your DMARC reports address>

 

Add DMARC record

 

Wait a few hours, and then visit both the MX Toolbox (https://mxtoolbox.com/) and Google Admin Toolbox CheckMX to verify that the domain now lists all the records.

No problem found in the configuration of this domain
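
A local check of the three TXT records configured above, as an added example that is not part of the original article: it takes the TXT strings published for a domain and reports what is missing or malformed. The domain example.com, the DKIM key value and the reporting address are constructed placeholders, and the function names are hypothetical.

```python
# Added example: offline sanity check of the SPF, DKIM and DMARC TXT records.
# All values in SAMPLE are constructed placeholders, not real DNS data.

def parse_tags(txt):
    """Split a 'k=v; k=v' record (DKIM, DMARC) into a dict of tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)  # base64 keys may contain '='
            tags[key.strip().lower()] = value.strip()
    return tags

def check_records(domain, txt_records, selector="google"):
    """txt_records maps a DNS name to its TXT strings; returns a list of problems."""
    problems = []
    spf = [t for t in txt_records.get(domain, []) if t.lower().startswith("v=spf1")]
    if len(spf) != 1:
        problems.append(f"SPF: expected exactly one v=spf1 record, found {len(spf)}")
    else:
        terms = spf[0].split()
        if "include:_spf.google.com" not in terms:
            problems.append("SPF: include:_spf.google.com is missing")
        if terms[-1] not in ("~all", "-all"):
            problems.append("SPF: record does not end with ~all or -all")
    dkim = [parse_tags(t) for t in txt_records.get(f"{selector}._domainkey.{domain}", [])]
    if not any(d.get("v") == "DKIM1" and d.get("p") for d in dkim):
        problems.append("DKIM: no v=DKIM1 record with a public key (p=)")
    dmarc = [t for t in txt_records.get(f"_dmarc.{domain}", []) if t.startswith("v=DMARC1")]
    if len(dmarc) != 1:
        problems.append(f"DMARC: expected exactly one v=DMARC1 record, found {len(dmarc)}")
    else:
        tags = parse_tags(dmarc[0])
        if tags.get("p") not in ("none", "quarantine", "reject"):
            problems.append("DMARC: p= must be none, quarantine or reject")
        if not tags.get("rua", "").startswith("mailto:"):
            problems.append("DMARC: rua= has no mailto: reporting address")
    return problems

SAMPLE = {
    "example.com": ["v=spf1 include:_spf.google.com ~all"],
    "google._domainkey.example.com": ["v=DKIM1; k=rsa; p=CONSTRUCTEDPLACEHOLDERKEY=="],
    "_dmarc.example.com": ["v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com"],
}

if __name__ == "__main__":
    print(check_records("example.com", SAMPLE) or "no problems found")
```
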

 

 

5. What are the DKIM, SPF and DMARC records?

That is it, all done. I have left for the end of this article an explanation of what those records are and why we need them configured. Here they are in a nutshell:

  • DKIM (DomainKeys Identified Mail); it ensures that the email is authenticated and legitimate
  • SPF (Sender Policy Framework); it determines which email servers are allowed to send email on your behalf, in our example the Gmail servers
  • DMARC (Domain-based Message Authentication, Reporting and Conformance); it protects your domain from unauthorised use in activities like email spoofing, phishing email and email scams

 

After you configure the DMARC record, you will receive regular reports from "<report sender address>" at the email address configured in the record. Open some of these reports and check that dkim and spf are set to "pass"; other than that, these are only informative reports and can safely be ignored.
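
The report check described above, as an added example that is not part of the original article: it reads one DMARC aggregate report (the XML inside the attachment) and lists the sending IPs whose dkim or spf result is not "pass". The sample report is constructed, uses documentation IP ranges, and the function name is hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the RFC 7489 aggregate report layout; not real data.
SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>example-receiver</org_name><report_id>constructed-1</report_id></report_metadata>
  <policy_published><domain>example.com</domain><p>quarantine</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>12</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>3</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>"""

def summarize(xml_text):
    """Return (messages_passing_both, failures) for one aggregate report."""
    # Reports arrive from third parties by email; Python's documentation warns
    # that its XML modules are not hardened against maliciously built input.
    root = ET.fromstring(xml_text)
    passing, failures = 0, []
    for record in root.iter("record"):
        row = record.find("row")
        evaluated = row.find("policy_evaluated")
        count = int(row.findtext("count", "0"))
        dkim = evaluated.findtext("dkim", "missing")
        spf = evaluated.findtext("spf", "missing")
        if dkim == "pass" and spf == "pass":
            passing += count
        else:
            failures.append({
                "source_ip": row.findtext("source_ip"),
                "count": count,
                "dkim": dkim,
                "spf": spf,
                "disposition": evaluated.findtext("disposition"),
            })
    return passing, failures

if __name__ == "__main__":
    ok, bad = summarize(SAMPLE_REPORT)
    print(f"{ok} messages passed both checks")
    for f in bad:
        print("check this sender:", f)
```

A failing row from an IP you do not recognise is mail sent in your domain's name by a server outside your SPF and DKIM setup; a failing row from a service you do use means that service still needs to be added to your records.
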

London, December 2022

 
