If you're running a business, it's important to make sure that your email is protected. One way to do this is to set up DMARC for your domain.
DMARC is a security protocol that adds an extra layer of security to email by verifying that the sender is who they say they are and that the message has not been tampered with in transit.
In this article, we will show you how to add a DMARC record in Google Workspace. We’ll also provide some troubleshooting tips if you experience any issues.
Let's get started!
What is a DMARC record?
DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. It’s an email authentication protocol that helps combat email spoofing.
Email spoofing is when someone impersonates another person or organization by sending emails from a fake email address. This can be used to carry out malicious activities, such as collecting sensitive information.
DMARC is the standards you set for what happens when someone is using your domain maliciously. It does this by checking the SPF and DKIM records for the domain. If both of these checks fail, then the email's DMARC record authentication has failed. What happens afterward is what you set up.
Let's take a look at how to create DMARC records in Google Workspace.
How to create a DMARC record in Google Workspace
Step 1: Getting ready for creating DMARC record
Before you start, there are a few things you need to do to make sure that your domain is ready for DMARC.
First and foremost, you’ll need to set up SPF and DKIM in Google for your domain for DMARC to work in the first place. DMARC relies on SPF and DKIM to verify that emails are coming from authorized sources. If you need help setting these up, you can check out our guides on setting up SPF and setting up DKIM.
Next, get your domain host sign-in information if you don’t already have it. You'll need this to add the DMARC record to your DNS settings. You can get it by reaching out to your domain provider.
You can optionally check to see if there’s already a DMARC record for your domain. If you find one, make sure to review your DMARC reports to see if any changes need to be made.
To find out if you already have a DMARC record:
- Go to the Google Admin Toolbox.
- Go to “Verify DNS issues” and then “Check MX.”
- Enter your domain name, then click RUN CHECKS!
- It will tell you if your DMARC isn’t set up. If it is, it will say “Formatting of DMARC policies.”
Once you have all of this information, you're ready to move on!
Step 2: Define your DMARC record
The next step is to define your DMARC record. This is going to be a TXT record that tells your email provider what your DMARC policy is and what should be done with emails that fail authentication.
Here's an example DMARC record:
v=DMARC1; p=none; rua=mailto:email@example.com
Looks complicated, huh? Let’s go through what all of this means.
There are 3 main elements to a DMARC record.
The first is the “v” tag, which means version. The "v" tag defines the version of DMARC being used. The current version is DMARC1, so you’re welcome to just put that.
Up next is the “p” tag, which means policy. The "p" tag tells email providers what to do with emails that fail DMARC authentication. You can put one of three things for this tag:
- none: This value tells email providers to take no action. This is the recommended setting when you first start using DMARC since it allows you to monitor your DMARC reports and make changes as needed.
- quarantine: This value tells email providers to put emails that fail DMARC authentication in the spam folder.
- reject: This value tells email providers to reject emails that fail DMARC authentication. This is the most strict setting and it should only be used once you're confident that your DMARC reports are accurate.
Last is the “rua” tag. The "rua" tag tells email providers where DMARC reports should be sent. This is where you put your email address; you can put multiple email addresses here, but make sure to separate them with a comma! Before each address, put “mailto:” so it gets sent properly.
Step 3: Adding your DMARC record
The next step is to add your DMARC record to your domain’s DNS settings. This will tell email providers where to find your DMARC record and what to do with emails that fail DMARC authentication.
First up, sign in to your domain host account. The interface is going to vary depending who hosts your domain, but the process is the same. For Google, you’ll want to go to Google Domains. Log in to your account, go to “My Domains”, and click “Manage” next to the relevant domain. Then, go to “DNS,” and you’ll be taken to a page where you can add your DMARC record.
Click “Create new record.”
You’re going to put “_dmarc” for the first field. Since you’ve already clicked through to the right domain, you don’t need to put your domain after as you normally would.
Next, you’ll want to choose the record type from the drop-down menu. We’ll select the TXT option.
The next drop-down is your TTL (time to live). This is the amount of time that DNS servers should cache this record. It can be any range of times, but the number is based in seconds. For our example, we’ll put “3600” (one hour).
Finally, in the last field, copy over that DMARC record you made in the last step.
Last, save your changes! You don’t want to have to do this all again, do you?
It can take up to 48 hours for your DMARC record to start coming in. Once it does, you'll start receiving DMARC reports and you can monitor your domain's email security.
Step 4: Start with a “none” policy and review Google DMARC reports
When you first implement DMARC, it's important to start with a "none" policy. This will allow you to monitor your DMARC reports and make sure that everything is working as expected.
To do this, simply set the "p" tag in your DMARC record to “none.”
Once you've made this change, start monitoring your DMARC reports. You should look for any anomalies or unusual activity. If everything looks good, you can move on to the next step.
Step 5: Enforce stricter policies while setting up DMARC
Once you're confident that your DMARC reports are accurate, you can start enforcing stricter policies. The most common policy is "quarantine", which tells email providers to put emails that fail DMARC authentication in the spam folder.
You can also use the "reject" policy, which tells email providers to reject emails that fail DMARC authentication. This is the most strict setting and it should only be used once you're confident that your DMARC reports are accurate. Remember, it's important to take things slowly when you're first getting started with DMARC.
So, those are the basics of DMARC! By following these steps, you can help protect your domain from email spoofing.
How to troubleshoot common issues with DMARC
If you're having trouble setting up DMARC, here are a few troubleshooting tips:
Make sure your DMARC settings are correct
The most common issue is that DMARC is not configured correctly. Make sure that you've followed all the steps in this guide and that your DMARC record is correct.
Make sure your Google Workspace DKIM and SPF record are enabled
SPF and DKIM are required for DMARC to work. If you're not using Google SPF or DKIM, enable them and try again.
Check if messages pass all three checks
DMARC uses three checks to authenticate emails: SPF, DKIM, and DMARC. If a message fails any of these checks, it will fail DMARC authentication. Make sure that your messages are passing all three checks.
Check out your Google DMARC reports
DMARC reports can be helpful when troubleshooting issues. These reports show you how many messages are passing or failing DMARC authentication. They can also help you identify any potential issues with your email security.
Improve deliverability by personalizing with YAMM
So, there you have it! Setting up your DMARC in Google Workspace is a great way to protect your domain from any spoofing shenanigans. You might ask, though, “Does my bulk mailer take care of this for me?” Unfortunately, it’s on you.
However, YAMM does offer a notification feature that tells you if the email you’re sending is flagged as spam by SPF records. You can then figure out beforehand how to combat this issue.
Also, if you’re looking to improve deliverability, you can take it one step further by personalizing your messages with YAMM.
With our tool, you can easily send mass emails right from your Gmail account and track the results in real-time. Plus, since all of your data is housed in Google Sheets, it’s easy to keep track of who opened your email, clicked on your links, and even unsubscribed from your list.
To get started, install the free YAMM add-on for Gmail and start sending personalized messages today!