Troubleshoot DMARC problems for Google Workspace domains
Google Workspace encourages domain owners to use the three email authentication protocols, SPF, DKIM, and DMARC, to ensure outgoing emails are properly authenticated. This reduces the security gaps; otherwise, threat actors can exploit them to send phishing and spoofing emails from your domains. Moreover, from February 2024, Google has mandated DMARC deployment for regular and bulk email senders, urging domain owners or administrators to create a DMARC record in their DNS settings and specifying policies to handle emails that fail SPF and/or DKIM checks.
However, when it comes to DMARC, you can’t just deploy it and then forget about it. DMARC demands regular management, maintenance, and updates. If these aren’t done properly and timely, your DMARC record can run into technical issues. Since DMARC is an intricate protocol, you are more than likely to come across issues, so here is a guide on fixing the common DMARC issues.
Troubleshooting DMARC issues
Please follow the guided steps if legitimate emails sent from your Google Workspace domain are failing DMARC, getting rejected by receiving servers, or being marked as spam.
Verify the existence of SPF, DKIM, and DMARC records for your domain
Sometimes, you think you have SPF, DKIM, and DMARC records in place for your Google Workspace domain, but they aren’t. So, the first step should be to use lookup tools to check the existence of your records. You can also do this manually by opening a command-line tool like Terminal or Command Prompt.
If these records are not present, create them from scratch and update them on DNS. If present, proceed with the next steps to spot and troubleshoot errors.
Check the correctness of your SPF, DKIM, and DMARC records
For this step also, you will need the lookup tools you used to verify the existence of these records. Note that SPF and DKIM should be enabled for at least 48 hours before enabling DMARC; otherwise, there will be delivery issues.
Check message headers
Email headers include the results of SPF, DKIM, and DMARC authentication checks. So, to ensure messages from your Google Workspace domain are passing these checks, you need to follow these simple steps-
- Open Gmail.
- Go to the email you want to analyze.
- Next to Reply ↰, click More ⋮ > Show original. The full header will open in the new window.
- Click ‘Copy to clipboard.’
- Open the Google Admin Toolbox Messageheader and paste the copied header in the space provided.
- Click ‘Analyze the header above.’
Check DMARC reports
There are two types of DMARC reports- aggregate and forensic. Aggregate reports are sent in XML format and include a high-level summary of data about the email authentication status. On the other hand, forensic reports are sent in JSON format and include more message-specific details.
Since these reports are in XML and JSON format, they are not human-readable, so convert them into an easy format using DMARC report analyzers. Once converted, review the key sections-
- Check the source IP addresses to see if they belong to the authorized senders.
- Check SPF and DKIM alignment.
- Note the disposition field that tells you what actions (none, quarantine, or reject) were taken by receiving servers for emails that didn’t pass SPF and/or DKIM checks. This section will also tell you of any policy overrides and their reasons, such as forwarding and mailing list modifications.
- Look at the overall percentage of emails that pass or fail DMARC, SPF, and DKIM. A high fail rate could indicate misconfigurations or attempts at spoofing.
Based on your DMARC report analysis, you can enhance your email security by adjusting your policy. If most emails are passing the checks, you can change your DMARC policy from ‘p=none’ (monitoring) to a stricter option like ‘p=quarantine’ (send to spam) or ‘p=reject’ (block). If legitimate emails are failing, update your SPF record to include the correct IP addresses, ensure your emails are DKIM-signed, and fine-tune your DMARC policy to prevent false failures. If you find unauthorized emails being sent from your domain, block the suspicious IPs and consider moving to a ‘p=reject’ policy to stop those emails.
Go through the guideline
Here’s a detailed document by Google on how it wants senders to send emails to Gmail users. We are sharing the critical bullet points.
- The sender should have SPF, DKIM, DMARC, and ARC in place.
- The IP address of the sender’s SMTP server should have a corresponding PTR record that resolves to a hostname.
- Use a shared IP address only if it isn’t on any blocklist.
- For mailing lists or subscriptions, ensure recipients opt-in to your emails. Do include a clear one-step unsubscribe button.
- Message headers and message content should be accurate and not misleading or deceptive.
- The same types of messages sent on behalf of your company should use the same ‘From’ address. For example, emails from newdomain.com could use sales@newdomain.com or deals@newdomain.com.
- Regularly monitor affiliates and remove the ones that are sending spam emails.
- The spam rates in the Postmaster Tools should be below 0.10%.
Use Email Log Search
Email Log Search helps you find and review all the emails sent and received by people in your organization. It assists you in identifying potentially fraudulent emailers. This practice should be combined with regular analysis of DMARC reports.
Find messages with ELS predefined search
- Sign in to your Google Admin console.
- Go to Menu > Reporting > Email log search.
- Click the ‘Predefined search’ tab.
- Select an option from the menu. The options are- ‘All messages from today,’ ‘All messages since yesterday,’ ‘All messages in the last 7 days,’ ‘Messages sent from your domain since yesterday,’ and ‘Messages received from your domain since yesterday.’
- Click ‘Search’, and the results will be shown.
Find messages with ELS custom search
- Sign in to your Google Admin console.
- Go to Menu > Reporting > Email log search.
- Click the ‘Custom search’ tab.
- On the Custom Search tab, enter search criteria in one or more of the fields (date, sender, recipient, sender IP, recipient IP, subject, and message ID). All fields except ‘Date’ are optional unless the selected date range is older than 30 days.
- Click ‘Search’, and the results will be shown.
Wrapping it
If all this sounds overwhelming to you, then reach out to us. We can take care of DMARC configurations and management for you.