You know the scenario. A campaign goes live Monday. By Tuesday afternoon, you're pulling reports and the attribution is already broken. Six different spellings of "google" in utm_source. Campaigns with no utm_medium at all. Links built without any UTMs whatsoever.
This isn't a naming convention problem. This is a governance problem — and a naming convention document nobody reads won't fix it.
Governance is the system of ownership, standards, validation, and enforcement around how UTM links are created.
Most teams have a naming convention. Governance is different. A naming convention says "here's how you should do it." Governance says "here's how it will be done" — because the system won't let you do it any other way.
Governance has four non-negotiable components:
1. A Defined Taxonomy
Clear definitions of what values are allowed in each parameter. "Google" vs "google" vs "google-ads" is one source, not three.
2. A Validation Layer
Every link is checked before it goes live. Required parameters are present. Values match the taxonomy. No typos. No missing data.
3. Clear Ownership
Someone — usually MarOps or RevOps — owns the taxonomy. They define it, maintain it, and enforce it. Not a committee. One person.
4. An Enforcement Mechanism
Without teeth, governance is just a document. Enforcement means the system requires correct parameters before a link is created, shared, or deployed.
When all four are in place, broken UTM links become nearly impossible. Not because your team is suddenly more careful — but because the system won't accept sloppy work.
Most teams create a Google Doc or Confluence page with their UTM naming rules. They call it done. It looks like this:
utm_source: google, facebook, linkedin, email utm_medium: cpc, social, email, organic utm_campaign: [month][_type][_description] Example: march_webinar_ai_launch utm_content: optional utm_term: paid search keywords only
Then your team uses six different tools to build links. Marketing manager uses the UTM builder tool. Paid search team uses their agency platform. Email team copies a template from last quarter. Sales DL uses a spreadsheet someone shared in Slack three years ago.
Within a week, your actual data looks like this:
google, Google, google_ads, googleads, google-ads cpc, CPC, ppc, paid-search march_webinar_ai_launch, march-webinar-ai-launch, March_Webinar_AI_Launch [missing utm_medium entirely on 40% of links] [utm_campaign is "traffic driver" on 12 campaigns] [utm_source is "newsletter" with no utm_medium]
Here's why the doc fails:
A naming convention doc is passive. It requires discipline. Governance is active. It requires a system.
This is the framework that stops broken attribution. It's built on five pillars. Implement them in order.
Someone needs to own the taxonomy. Not own creating links — own deciding what values are allowed. This person sets the rules and updates them when the business changes.
This should be your Marketing Operations or RevOps lead. Not a committee. One person. They own the source of truth.
That source of truth should live in a living, internal tool — not a static wiki. A Confluence page from 2023 is yesterday's governance. Your tool should be:
The ownership person doesn't have to create every link. But they control what's allowed. They're the gatekeeper.
Lock down allowed values for utm_source and utm_medium. These two parameters are the foundation of channel attribution. Everything else flows from them.
Here's the problem: in GA4, "google" and "Google" are two different sources. So are "cpc" and "CPC". Case sensitivity means small typos create new dimension values. After six months, you have 47 utm_source values, half of which are typos.
Solution: explicit allowed lists. Your taxonomy should say:
utm_source (allowed values): • google • facebook • linkedin • twitter (not "x") • email • direct utm_medium (allowed values): • cpc • social • email • organic • referral • paid-display
Not "or any variation of the above." Exactly these. Period.
utm_campaign can be more flexible — you may have hundreds of campaigns. But utm_source and utm_medium should be rigid. They're the spine of your attribution model.
When someone tries to create a link with "Google" (capital G) or "ppc" instead of "cpc", the system should reject it immediately. Not with an error message — with a dropdown that enforces the allowed value.
This is where governance gets real. If people are building UTM links in spreadsheets, random generators, or hand-typing them into URLs, you will have drift.
The single highest-leverage governance intervention is moving link creation into a tool that enforces your taxonomy.
That tool needs to:
Move link creation into a tool that owns the governance. Not spreadsheets. Not random generators. One place, enforced consistently.
Every link should be verified before it goes live. If your tool is enforcing the taxonomy, this should be automatic. But you still need an explicit validation step.
Before a link is marked "ready to use," it should pass:
When a link passes all five checks, mark it valid. When it fails, don't let the user deploy. Show them exactly what's wrong and how to fix it.
This isn't perfectionism. This is preventing garbage data before it hits your analytics.
Governance without monitoring drifts. You need a regular audit schedule.
Monthly: Run a utm_source dimension report in GA4. Look for any value with fewer than 5 sessions. Those are likely typos or rogue campaigns. Investigate and either fix the source (update the link) or archive it.
Quarterly: Audit all active campaign links. Does utm_campaign still make sense? Is there a campaign running that shouldn't be? Are there campaigns that should be running but aren't?
Continuous: Set up an alert in GA4 for new utm_source values. When an unrecognized source appears, an automated alert should notify your MarOps lead within 24 hours. Fast feedback loop = fast fixes.
The best governance is the kind you don't have to think about. Audits are the tripwire that catches problems before they become data quality issues.
You don't need to boil the ocean. Here's a realistic, phased implementation that takes one month and generates real data quality improvements by week three.
Week 1: Audit Current State
Run a GA4 report: utm_source dimension, all time. Export to CSV. Count unique values. Identify your offenders — values with fewer than 10 sessions. Those are almost certainly errors.
Output: A list of known good utm_source values and known bad ones. Document why the bad ones happened. Was it a typo? A tool misbehaving? A third-party campaign gone wrong?
Week 2: Define Your Taxonomy
Based on week 1, define your allowed lists. Taxonomy = what channels do you actually run campaigns through? List them. For each channel, what mediums are relevant? (Google runs cpc and organic. Email runs email. LinkedIn runs social and CPC.)
Get buy-in. Walk through the taxonomy with the people who create links. Paid search manager agrees on "google" not "google-ads". Email team agrees on "email" not "newsletter". Social team agrees on "facebook", "linkedin", "twitter".
Output: A locked-in taxonomy document. Assign an owner. This is the single source of truth.
Week 3: Move to a Governed Tool
Pick a tool (UTMStandard, Ruler Analytics, or your own internal tool). The requirement is simple: enforce your taxonomy. Configure the tool with your allowed values.
Import your taxonomy. Create templates for your most common link types (paid search, social, email, organic). Train your team.
Output: Everyone is building links in one place. New links now enforce the taxonomy. Older links (built before week 3) can stay in the wild for now.
Week 4: Run First Validation
Audit all active campaign links. Go through your spreadsheets, your tool history, your GA4 events. Pick the 20 links that are currently generating traffic. Validate each one.
For each link that fails validation, decide: fix the source link and update it, or archive it. Update GA4 annotations to document changes.
Output: Your 20 most active links are now clean. Set up the audit cadence for month two onward (monthly GA4 review, quarterly full audit, continuous alerts).
By end of month one, you've moved from "broken most of the time" to "clean for new links, auditing old ones." That's a win.
Mistake 1: Trying to Govern Retroactively
You've been running campaigns for two years. Now you want to clean up all your old links to match the new taxonomy. It's futile and wastes time. Focus on new links first. Old data is old. Let it be what it is. Start fresh with governance moving forward.
Mistake 2: Making the Taxonomy Too Complex
Six to eight utm_source values is usually enough. Fourteen is too many. Each additional value you add increases the cognitive load and the chance of mistakes. Keep utm_source simple. utm_campaign can be flexible, but utm_source should be tightly controlled.
Mistake 3: Not Having a Single Owner
Committees don't govern. When three people own the taxonomy, no one owns it. Designate one person as the taxonomy owner. Everyone else reports changes through them. One person decides.
Mistake 4: Skipping utm_medium
utm_source tells you the channel. utm_medium tells you the type of engagement. Google paid is different from Google organic. Email is different from email newsletter. utm_medium is the most important dimension for channel attribution. If you only govern one UTM parameter, make it utm_medium.
Mistake 5: Building Governance in a Spreadsheet
A spreadsheet "rule" is just a list of names. Without a tool to enforce it, it's a suggestion. That's what failed initially. Pick a tool that enforces the taxonomy at link creation time. The enforcement is the governance.
Good UTM governance is infrastructure. You don't notice it when it works. You only notice it when someone breaks it.
The difference between a team with clean attribution and a team with broken data is not more effort. It's not more carefulness. It's a system that makes the right choice the only available choice.
When you have governance:
Governance doesn't require heroic effort. It requires a system, clear ownership, and enforcement. The framework above is how you build it.
UTMStandard enforces your taxonomy at link creation, validates before deployment, and audits in real-time. No spreadsheets. No policing.
Get started freeNo credit card required · Free plan always available