How to configure DMARC record in your Google Workspace domain
In this article we explore how to configure a DMARC record in your Google Workspace domain. This applies to you if you have a small business that uses Google Workspace as its platform for email communication and you have not yet configured the DMARC record for your domain. Here are the points that I cover in this article:
- Determine if the DMARC record is missing
- Add the DKIM record
- Add the SPF record
- Add DMARC record
- What are the DKIM, SPF and DMARC records?
1. Determine if the DMARC record is missing
Before configuring the DMARC record in your Google Workspace domain, we first need to confirm that the record is actually missing. The usual sign is that some of the emails you send out bounce back with a "Mail Delivery Subsystem, Delivery Status Notification (Failure)" error message similar to this:
The response from the remote server was:
550 permanent failure for one or more recipients (
You can confirm that your domain is indeed not configured with a DMARC record by using the MX Lookup Toolbox here: https://mxtoolbox.com/ and entering your domain in the toolbox. The result will most likely come out with the "DMARC record not found" error message.
You can analyse this further by pasting the "header" of the bounced emails into the Google Admin Toolbox, found at this link: https://toolbox.googleapps.com/apps/messageheader/analyzeheader To access the "header" of an email, click on the 3 dots and choose "Show Original".
Another way to test this issue is to look at the automatic emails that your Gmail account sends out when you are out of the office. You will notice that the messages contain a question mark, meaning that they have not been fully authenticated by your domain.
2. Add the DKIM record
The first step in fixing this is to add the DKIM record to your domain. Check which records you currently have on your domain by visiting the Google Admin Toolbox again at this link: https://toolbox.googleapps.com/apps/checkmx/ and entering your domain in the search box.
If you don't have any SPF or DKIM records, as well as no DMARC record, you'll get this error message:
Visit your G-Suite Console >> Gmail settings (https://admin.google.com/ac/appsettings/740348119625) and click on Authenticate email. Once you are in there, create a new record or copy the existing one into Notepad. For this step we are basically following this other guide from Google: https://support.google.com/a/answer/180504?hl=en&ref_topic=2752442
Now visit your WordPress console, or whichever other platform controls the DNS settings of your domain, and add a new TXT record containing the DKIM record that you previously created in Google Admin Workspace (formerly known as G-Suite). As you can see, the DKIM record is known as "google._domainkey".
3. Add the SPF record
For the SPF record we refer to this other guide: https://support.google.com/a/answer/33786?fl=1 which explains how to do it. Basically, you just need to add another TXT record in your WordPress console as described here: https://support.google.com/a/answer/10684623?fl=1
Because we are using Gmail to send mail, our SPF record text will be:
v=spf1 include:_spf.google.com ~all
4. Add DMARC record
Finally, start by creating an alias or a new email address to receive email from the DMARC service, something like "
v=DMARC1; p=quarantine; rua=mailto:
Wait a few hours, and then visit both the MX Toolbox (https://mxtoolbox.com/) and Google Admin Toolbox CheckMX to verify that the domain lists all the records.
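Before pasting the TXT values into your DNS console, you can sanity-check them offline. The script below is an added example, not part of the original article or of any Google tool: it checks a DMARC value for the required v/p tags and a usable rua address, and checks that the domain has exactly one SPF record that includes Google's servers. The function names and the example.com report address are assumptions for illustration.

```python
# Added example (not from the article): offline sanity checks for SPF and DMARC TXT values.
# Function names and the example.com address are assumptions.

def parse_tags(txt):
    """Split a DMARC TXT value into (tag, value) pairs, in order."""
    pairs = []
    for part in filter(None, (p.strip() for p in txt.split(";"))):
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        pairs.append((key.strip().lower(), value.strip()))
    return pairs

def check_dmarc(txt):
    """Return a list of problems in a DMARC TXT value; an empty list means it passed."""
    try:
        pairs = parse_tags(txt)
    except ValueError as exc:
        return [str(exc)]
    tags, problems = dict(pairs), []
    if not pairs or pairs[0] != ("v", "DMARC1"):
        problems.append("record must start with v=DMARC1")
    if tags.get("p", "").lower() not in ("none", "quarantine", "reject"):
        problems.append("p must be none, quarantine or reject")
    uris = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    if not uris:
        problems.append("rua is empty: no aggregate reports will arrive")
    elif any(not u.lower().startswith("mailto:") or "@" not in u for u in uris):
        problems.append("each rua entry must be mailto: plus a full address")
    return problems

def check_spf(txt_records, include="_spf.google.com"):
    """Check all TXT records at the domain root; only one may be an SPF record."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        return [f"expected exactly one v=spf1 record, found {len(spf)}"]
    terms = spf[0].lower().split()
    problems = []
    if f"include:{include}" not in terms:
        problems.append(f"missing include:{include}")
    if terms[-1] not in ("~all", "-all"):
        problems.append("record should end with ~all or -all")
    return problems

if __name__ == "__main__":
    # Constructed sample values; the report address is a placeholder.
    print(check_dmarc("v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com"))
    print(check_dmarc("v=DMARC1; p=quarantine; rua=mailto:"))
    print(check_spf(["v=spf1 include:_spf.google.com ~all"]))
```

The duplicate-record check matters when your DNS host already had an SPF record: two v=spf1 TXT records on the same domain make SPF evaluation fail, so merge them into one instead of adding a second.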
5. What are the DKIM, SPF and DMARC records?
That is it, all done. I have left for the end of the article the explanation of what those records are and why we need them to be configured. Here they are in a nutshell:
- DKIM (DomainKeys Identified Mail); it ensures that the email is authenticated and legitimate
- SPF (Sender Policy Framework); it determines which email servers are allowed to send email on your behalf; in our example these are the Gmail servers
- DMARC (Domain-based Message Authentication, Reporting and Conformance); it protects your domain from unauthorised use in activities like email spoofing, phishing emails and email scams
After you configure the DMARC record, you'll receive on the email address configured in the record, regular reports from "
London, December 2022
References
- Google Admin Toolbox https://toolbox.googleapps.com/apps/main/
- Setup DKIM record https://support.google.com/a/answer/174124
- DMARC quarantine vs DMARC reject https://www.agari.com/blog/pros-cons-dmarc-reject-vs-quarantine
- SPF Record checker https://www.dmarcanalyzer.com/spf/checker/
- Understanding DMARC https://www.sparkpost.com/resources/email-explained/dmarc-explained/
- Why do I receive a DMARC report everyday? https://stackoverflow.com/questions/30342550/why-do-i-receive-a-dmarc-report-everyday