An email impersonation can shatter your company’s credibility and cost millions in minutes. Cybercriminals impersonate CEOs, raise bogus invoices, and pose as suppliers.
Last month, a trusted NYC property management firm wired $19 million to criminals after falling for a single spoofed email. It looked real, carried the right branding, and passed a glance.
But how is this possible?
Google Workspace provides email hosting, but like most email providers, it does not include comprehensive email authentication. That means anyone can send an email pretending to be you. When that happens, money, client relationships, the board’s trust, and your company’s reputation are all at stake.
The solution for this is DMARC. Think of it like your email’s digital bodyguard: it verifies every message claiming to come from your domain. DMARC works with SPF and DKIM to authenticate outgoing emails, block spoofed messages before they reach inboxes, and provide visibility into who is trying to send email on behalf of your brand.
In this tutorial, we will explore the essential steps to secure your domain, common things to avoid, and best practices.
What is DMARC and Why Does It Matter for Google Workspace?
DMARC (Domain-based Message Authentication, Reporting & Conformance) is an email authentication protocol that works like a digital signature verification system. It builds on two existing technologies, SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail), to create a comprehensive defense against email spoofing.
Here’s how it works in simple steps:
- SPF defines which mail servers are allowed to send on behalf of your domain.
- DKIM adds a cryptographic signature to your emails, proving the message is genuine and unaltered.
- DMARC checks both the SPF and DKIM results for each message. If the mail server and signature match your domain, the message is delivered to the primary inbox; otherwise, it is sent to junk or blocked entirely.
Why It Matters
Without DMARC, an attacker can send a fake “letter” in your name. With DMARC in place, receiving mail servers can flag, quarantine, or block spoofed emails before they reach the inbox. This Google email security approach allows companies to prevent email spoofing attacks and avoid financial loss and data leakage.
For instance, a cybercriminal tries to send a fake email from your CEO’s address to your finance team, requesting an urgent wire transfer. Without DMARC, this email might reach your employee’s inbox looking completely legitimate. With DMARC properly configured, the receiving email server recognizes the message as fraudulent and either quarantines it or rejects it entirely, preventing the attack from succeeding.
Prerequisites for Setting Up DMARC on Google Workspace
Before beginning your Google Workspace DMARC setup, ensure you have:
Admin Access:
You need administrative access to your domain registrar or DNS provider to make changes to your domain’s DNS records. You also need super administrator access to your Google Workspace Admin console.
DNS Management:
You must have access to DNS records to manage various aspects of your domain’s online presence, including email routing, website access, and service verification. You can manage this access through the domain registrar’s console, DNS hosting provider, or the Google Admin console if the domain was purchased through Google Workspace.
SPF and DKIM Setup:
DMARC for Google Workspace requires both SPF and DKIM to be working correctly.
Set up SPF:
- List all servers and services that send email on behalf of your domain.
- Add a TXT record beginning with v=spf1.
- Use include: for third-party services and ip4: or ip6: for IP addresses.
- End with ~all to mark unauthorized senders as suspicious.
- Save the SPF record.
Your SPF record will look like this: v=spf1 include:_spf.google.com ~all
Set up DKIM Authentication:
- Click Generate new record to create a 2048-bit DKIM key
- Copy the DNS record information provided by Google
- Add the DKIM TXT record to your DNS (google._domainkey)
- Click Start authentication in Google Admin Console
Step-by-Step Guide: Setting Up DMARC on Google Workspace
Step 1: Access the Google Admin Console
Head over to admin.google.com and log in using your Super Admin account. Once logged into the Google Admin Console, go to Apps → Google Workspace → Gmail → Authenticate email so you can access your Google Workspace authentication settings.
Step 2: Go to DNS Settings
Depending on how your domain is set up, you’ll access your domain’s DNS management system by one of the following methods:
Option A: Through Your Domain Registrar
- Log in to your domain registrar’s control panel.
- Go to DNS Management or DNS Zone Editor.
- Look for the option to add new DNS records.
Option B: Through Your DNS Hosting Provider
If you are using a different DNS hosting provider, log in to your DNS management dashboard with the DNS provider. Go to your domain’s DNS records.
Option C: Google Domains (if applicable)
- Go to domains.google.com
- Select the domain and click “DNS.”
- Scroll down to the area that states “Custom resource records.”
Step 3: Create a DMARC Record in DNS
Before creating your DMARC record, set up a dedicated group or mailbox to ensure your organization can manage DMARC reports. Larger organizations may receive hundreds or thousands of DMARC reports a day; therefore, Google recommends creating a dedicated email address such as [email protected] to monitor all incoming DMARC reports.
This step is crucial for your Google Workspace DMARC setup process. In your DNS management tool, create a new TXT record as follows:
- Record Type: TXT
- Name/Host/Subdomain: _dmarc
- Value/Content: Depending on organizational policy, you can classify the DMARC reports. Consult the policy section below.
v=DMARC1; p=none; rua=mailto:[email protected]
- TTL: 3600 (can also use the default setting)
Important Notes:
- Replace yourdomain.com in the email address with your company’s domain.
- The p=none policy in the record above only monitors; the p=quarantine policy informs email servers to treat email as suspicious.
- The rua tag identifies where the DMARC reports are sent.
- Ensure the value is free of extra spaces or other stray characters.
Step 4: Save and Verify
Click “Save,” “Add Record,” or “Update” in your DNS management interface. DNS propagation can take 24-48 hours to complete worldwide.
Verify Your Domain Using DMARC: Once DNS propagation has finished, verify your domain’s protective status in several ways:
- Use Threatcop’s spoof check tool
- Command line check
- Watch for DMARC reports
How to Check if Your Google Workspace Email Domain Can Be Spoofed
Even after you complete Google Workspace DMARC setup, you should verify that your configuration is working properly. Threatcop’s email spoof check tool gives you an immediate analysis of where your domain stands with regard to Google email security.
The tool checks your SPF, DKIM, and DMARC records and provides you with information on where there is vulnerability to spoofing attacks. The tool also checks if there are any common configuration errors that could compromise your Google Workspace authentication and Google email security protocols.
This is how you use the tool:
- Visit Threatcop’s spoof check tool page
- Enter your domain name
- View the full security report
- Address any vulnerabilities found
Common Mistakes to Avoid When Setting Up DMARC
Incorrect DMARC Record Syntax
Even the smallest syntax mistakes can disrupt DMARC functionality. Always double-check your record for formatting to be sure there are no extra spaces or misplaced colons. Be sure to use an online DMARC validator to ensure the record is correct before publishing it.
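The syntax mistakes described above can be caught before the record is published. The following linter is an added example, not part of the original article or any Threatcop tool; the function name, the sample records and the example.com addresses are constructed for illustration.

```python
import re

# One rua/ruf destination: a mailto: URI with an optional "!<size>" limit.
MAILTO = re.compile(r"^mailto:[^\s@,!]+@[^\s@,!]+(![0-9]+[kmgt]?)?$", re.I)
POLICIES = {"none", "quarantine", "reject"}

def lint_dmarc(record):
    """Return a list of findings for the value of a _dmarc TXT record."""
    findings, tags = [], []
    for part in record.split(";"):
        if not part.strip():
            continue  # a trailing ';' is harmless
        name, sep, value = part.partition("=")
        if not sep:
            findings.append(f"error: tag without '=': {part.strip()!r}")
            continue
        tags.append((name.strip().lower(), value.strip()))
    if not tags or tags[0] != ("v", "DMARC1"):
        findings.append("error: record must begin with v=DMARC1")
    names = [n for n, _ in tags]
    for dup in sorted({n for n in names if names.count(n) > 1}):
        findings.append(f"error: tag {dup!r} appears more than once")
    values = dict(tags)
    policy = values.get("p", "").lower()
    if policy not in POLICIES:
        findings.append("error: p= must be none, quarantine or reject")
    elif policy == "none":
        findings.append("warn: p=none only monitors; failing mail is still delivered")
    for tag in ("rua", "ruf"):
        for uri in filter(None, values.get(tag, "").split(",")):
            if not MAILTO.match(uri.strip()):
                findings.append(f"error: {tag} destination is not a clean mailto: URI: {uri.strip()!r}")
    pct = values.get("pct")
    if pct is not None and not (pct.isdigit() and 0 <= int(pct) <= 100):
        findings.append("error: pct must be an integer from 0 to 100")
    if "rua" not in values:
        findings.append("warn: no rua= address, so no aggregate reports will arrive")
    return findings

# Constructed sample records (example.com is a placeholder domain).
SAMPLES = {
    "good": "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com",
    "colon_and_space": "v=DMARC1; p:quarantine; rua=mailto: dmarc-reports@example.com",
    "comma_separated": "v=DMARC1, p=none, rua=mailto:dmarc-reports@example.com",
}
if __name__ == "__main__":
    for label, rec in SAMPLES.items():
        print(label, lint_dmarc(rec))
```

A record that yields only "warn" findings is syntactically valid; any "error" finding means receivers may ignore the record.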
Not Setting SPF/DKIM Up First
For DMARC validation to be functional, SPF and DKIM must also be functioning properly. Implementing the DMARC record without proper SPF and DKIM offers no protection at all. Legitimate emails may still fail authentication, compromising your ability to prevent email spoofing effectively.
Skipping DMARC Reports Monitoring
DMARC reports can reveal useful data about your email traffic and attempts to spoof your messages. If you fail to look at them, you lose sight of a valuable security tool for assessing potential attacks.
Best Practices for Maintaining Email Security with DMARC
Monitor DMARC Reports Regularly
Automate the processing of the reports or review at least weekly. Watch for:
- Legitimate sources that fail authentication
- Unauthorized attempts to send email
- Abnormal email delivery volume patterns that may signal issues
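One way to automate the first two checks in this list is to total the pass and fail counts per sending IP in each aggregate (rua) report. This is an added example, not code from the original article; the report fragment, the IP addresses and the KNOWN_SENDERS inventory are constructed, and it assumes the XML has already been unzipped and carries no namespace.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed aggregate report fragment; IPs come from documentation ranges.
SAMPLE_REPORT = """<feedback>
<record><row><source_ip>192.0.2.10</source_ip><count>120</count>
  <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers></record>
<record><row><source_ip>198.51.100.7</source_ip><count>14</count>
  <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers></record>
<record><row><source_ip>203.0.113.55</source_ip><count>37</count>
  <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers></record>
</feedback>"""

# Assumed inventory of IPs your own mail services send from.
KNOWN_SENDERS = {"192.0.2.10", "198.51.100.7"}

def triage(xml_text, known=KNOWN_SENDERS):
    """Map each source IP to (label, messages passing, messages failing)."""
    totals = defaultdict(lambda: {"pass": 0, "fail": 0})
    for rec in ET.fromstring(xml_text).iter("record"):
        row = rec.find("row")
        ev = row.find("policy_evaluated")
        # DMARC passes when either aligned check (DKIM or SPF) passes.
        ok = "pass" in (ev.findtext("dkim"), ev.findtext("spf"))
        totals[row.findtext("source_ip")]["pass" if ok else "fail"] += int(row.findtext("count"))
    result = {}
    for ip, t in totals.items():
        if t["fail"] == 0:
            label = "ok"
        elif ip in known:
            label = "fix-sender"    # legitimate source failing authentication
        else:
            label = "unauthorized"  # unknown source sending as your domain
        result[ip] = (label, t["pass"], t["fail"])
    return result

if __name__ == "__main__":
    for ip, row in triage(SAMPLE_REPORT).items():
        print(ip, row)
```

Reports arrive from third parties, so in production parse them with a hardened XML parser such as defusedxml rather than the standard library parser used here.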
Implement Stronger DMARC Policies
Starting with p=none allows you to receive all messages but sends DMARC reports to the domain owner. You will probably want to review reports for 2-4 weeks and ensure that legitimate email passes authentication, at which point you will want to move to p=quarantine. Once you’re confident that your configuration is correct, you can implement the strongest protection by using p=reject to block the spoofed email outright.
Layered security
DMARC for Google Workspace is a powerful protection mechanism, but it is most effective when employed as part of a more comprehensive, layered approach to email security. Combine it with:
- Advanced threat protection and anti-phishing filters
- Employee security awareness training
- Regular security assessments and monitoring tools
- Email encryption for emails containing sensitive communications
How DMARC Improves Your Google Workspace Email Security in the Long Run
Improved Domain Reputation
Putting DMARC in place sends a clear signal to major mail providers that you care about email security. The increased reputation also improves the deliverability rates of your email, which means the chances of your legitimate email landing in spam folders are minimized.
Prevention of Business Email Compromise
DMARC helps mitigate BEC attacks by preventing attackers from successfully impersonating your domain. Even if cybercriminals have their hands on employee credentials, they are unable to send a convincing spoofed email that passes DMARC authentication.
Regulatory Compliance Support
Many compliance frameworks now expect organizations to implement email authentication. DMARC helps meet requirements under regulations like GDPR, HIPAA, and industry-specific standards that mandate protection of sensitive communications.
Final Thoughts
Securing your organization’s Google Workspace email is an important measure against spoofing and phishing attacks that may impact your business reputation. Google Workspace DMARC setup is a proven solution for protection that can grow with your organization.
Threatcop’s TDMARC solution provides everything you need to manage DMARC effectively, ensuring email authentication, stopping legitimate misuse of domains, and improving deliverability. In doing so, you can protect your organization’s reputation, customer confidence, and finances.
Secure your Google Workspace email and business today. Use Threatcop’s email spoof check tool to determine if spoofing impacts your domain.

Director of Growth
Naman Srivastav is the Director of Growth at Threatcop, where he leads customer-facing and product marketing teams. With a self-driven mindset and a passion for strategic execution, Naman brings a competitive edge to everything he does — from driving market expansion to positioning Threatcop as a leader in people-centric cybersecurity.