How to Set Up DMARC for Gmail

If you're searching for how to set up DMARC for Gmail, the answer depends on whether you use a free Gmail address or a custom domain with Google Workspace.

Free Gmail (@gmail.com) vs Custom Domain

Free Gmail Users

If you send email from a @gmail.com address, Google handles all email authentication (SPF, DKIM, and DMARC) for you. You don't need to — and can't — configure DMARC for gmail.com.

Google already publishes a DMARC record for gmail.com with p=none, and they sign all outgoing Gmail messages with DKIM.

Custom Domain Users

If you use Google Workspace (formerly G Suite) to send email from your own domain (e.g., you@yourcompany.com), you are responsible for setting up DMARC. This guide covers that setup.

Before You Start

DMARC requires SPF and DKIM to be configured first. Set these up before adding DMARC.

Verify SPF

Your domain needs an SPF record that includes Google's mail servers:

v=spf1 include:_spf.google.com ~all

If you use other email services alongside Gmail, include those too:

v=spf1 include:_spf.google.com include:sendgrid.net ~all

Check your current SPF record at SPF Record Check.

Enable DKIM

1. Open the Google Admin console
2. Go to Apps → Google Workspace → Gmail → Authenticate email
3. Select your domain
4. Click Generate new record (choose 2048-bit)
5. Add the provided TXT record to your DNS at google._domainkey.yourdomain.com
6. Wait 15-30 minutes, then click Start authentication

Verify DKIM is working at DKIM Test using selector google.

Step 1: Create Your DMARC Record

Start with a monitoring policy to collect data without affecting mail delivery:

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

Replace dmarc@yourdomain.com with an address where you want to receive reports. Use a dedicated address — DMARC reports can generate significant volume.

Use DMARC Creator if you want to customize additional options.

Step 2: Add the DNS Record

Add a TXT record to your domain's DNS:

Where you add this depends on your DNS provider:

• Google Domains / Squarespace: DNS settings in your domain dashboard
• Cloudflare: DNS tab in the Cloudflare dashboard
• GoDaddy: DNS Management in your domain settings
• Namecheap: Advanced DNS in your domain settings

For provider-specific steps, see our guides for Cloudflare, GoDaddy, and Namecheap.

Step 3: Verify Your Record

After waiting for DNS propagation (a few minutes to a few hours), check your record:

Step 4: Monitor Reports

Within 24-48 hours, you'll start receiving aggregate reports. These XML files show:

• Every IP address sending email as your domain
• Whether each source passes SPF and DKIM
• How many messages each source sent
• Whether authentication aligned with your From domain

Review these for 2-4 weeks to understand your email ecosystem before enforcing.

Step 5: Move to Enforcement

Once reports confirm all legitimate email is passing authentication:

Quarantine (intermediate step)

v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com

Failing emails go to spam. Run this for 1-2 weeks.

Reject (full protection)

v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com

Failing emails are blocked entirely.

Gmail-Specific Considerations

Gmail's Sender Requirements

As of 2024, Gmail requires bulk senders (5,000+ messages/day) to:

• Have SPF and DKIM authentication
• Have a DMARC record published (at minimum p=none)
• Align the From domain with the SPF or DKIM domain

If you send to Gmail users in volume, DMARC is no longer optional.

Gmail and Email Forwarding

Email forwarding is a common cause of DMARC failures with Gmail. When someone forwards your email:

• SPF often fails (the forwarding server's IP isn't in your SPF record)
• DKIM usually survives (the signature stays intact if the message isn't modified)

This is why having DKIM properly configured is critical — it survives forwarding while SPF doesn't.

"Send Mail As" in Gmail

If you use Gmail's "Send mail as" feature to send from a custom domain through Gmail's SMTP:

• Gmail adds its own DKIM signature
• SPF may not align if the sending IP isn't in your SPF record
• For best results, configure DKIM for your custom domain in Google Workspace

Google Groups and Mailing Lists

Google Groups can modify message headers, which may break DKIM signatures. If you use Google Groups:

• Monitor DMARC reports for failures from Groups
• Consider ARC (Authenticated Received Chain) support in your evaluation
• Some failures from mailing lists are expected and normal

Troubleshooting

DMARC Record Not Found

• Verify the TXT record is at _dmarc.yourdomain.com (not the root domain)
• Check for typos in the host field
• Wait for DNS propagation

SPF Fails for Gmail

• Confirm include:_spf.google.com is in your SPF record
• Check you have only one SPF record
• Verify no syntax errors

DKIM Fails

• Ensure DKIM signing is started in the Admin console (not just generated)
• Verify the DNS record matches what Google provided
• Check the selector is google at google._domainkey.yourdomain.com

Reports Not Arriving

• Check your spam folder
• Verify the rua email address is correct
• Allow 24-48 hours for the first reports
• Make sure the mailbox can receive attachments

Monitor Your DMARC Records

Checking once is good. Monitoring continuously is better. The Email Deliverability Suite watches your SPF, DKIM, DMARC, and MX records daily and alerts you when something breaks.