Configuring DMARC for Google Workspace
by John Vincent
Posted on September 3, 2023
This is a discussion about configuring DMARC for Google Workspace
Overview
Domain to secure: johnvincent.io
SPF and DKIM
This domain has Google Workspace enabled, thus the SPF and DKIM records already exist. To verify this
- Start Google Domains
- Select the domain
DNS- In
Google Workspacesection, there will be
johnvincent.io SPF 1 hour "v=spf1 include:_spf.google.com ~all"
and
google._domainkey.johnvincent.io TXT 1 hour "v=DKIM1; k=rsa; p= ........ "
To verify these are working:
- MXToolBox
- Choose
SPF Record Lookup - Enter
johnvincent.io
should show
v=spf1 include:_spf.google.com ~all
- Choose
DKIM Lookup - Enter
google._domainkey.johnvincent.io
should show
v=DKIM1; k=rsa; p= ........
Search for DMARC record
- MXToolBox
- Choose
DMARC Lookup - Enter
johnvincent.io
should show
No DMARC Record found
Add DMARC record
To add a basic DMARC DNS record
- Start Google Domains
- Select the domain
DNS
Create new record
- Host name:
_dmarc - Type:
TXT - TTL:
1 hour - Data:
v=DMARC1; p=none; pct=100; sp=none; rua=mailto:postmaster@johnvincent.io; adkim=r; aspf=r
Retest with MXToolBox
More DMARC
The DMARC record above is for initial use only. Once is has been shown to be working correctly, the DMARC record should be updated to use stricter rules
v=DMARC1; p=quarantine; pct=5; rua=mailto:postmaster@johnvincent.io;
and then to
v=DMARC1; p=quarantine; pct=100; rua=mailto:postmaster@johnvincent.io;
as quarantine will send the offending email to spam.
Eventually, use
v=DMARC1; p=reject; pct=100; rua=mailto:postmaster@johnvincent.io;
Check Email Authentication
Start Google Admin Console
- Apps, Google Workspace, Gmail, Authenticate email
Should show:
- Gmail is turned on.
- DKIM authentication is turned on.
Reports
Reports will be sent to postmaster@johnvincent.io. Ensure the email id has been created.
References
How to set up a DNS record, SPF, DKIM and DMARC for Google Email Addresses
Setting up SPF, DKIM and DMARC RECORDS