How to Set Up DMARC for Google Workspace
Step-by-step guide to configuring DMARC for Google Workspace. Learn how to add the DMARC record and verify SPF and DKIM are working.
Setting up DMARC for Google Workspace involves three steps: verifying SPF, enabling DKIM, and adding your DMARC record. This guide walks through each step to get your domain fully authenticated.
Prerequisites
Before setting up DMARC, you need:
- Admin access to Google Workspace
- Access to your domain's DNS settings
- SPF and DKIM configured (we'll verify below)
Step 1: Verify SPF for Google Workspace
Google Workspace requires an SPF record to authorize its mail servers.
Check Your Current SPF
Use SPF Record Check to see if you have SPF configured.
Add or Update SPF
Your SPF record should include Google's servers:
v=spf1 include:_spf.google.com ~all
If you have other sending services, include them too:
v=spf1 include:_spf.google.com include:sendgrid.net ~all
Add this as a TXT record at your root domain (e.g., example.com).
Only one SPF record
You can only have one SPF record per domain. If you already have one, modify it to include Google rather than adding a second record.
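The checks this step describes (exactly one SPF record, Google's include present, no syntax errors) can be run against the TXT values returned for your root domain. The following is an added example, not part of the original guide; the function name `audit_spf` and the sample records are constructed for illustration, and the `+all` check goes slightly beyond what the guide lists.

```python
import re

# Mechanism names defined by RFC 7208; any other non-modifier term is a syntax error.
MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}

def audit_spf(txt_records, required_include="_spf.google.com"):
    """Return a list of problems in the TXT records published at one domain."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no SPF record published"]
    if len(spf) > 1:
        # RFC 7208: more than one v=spf1 record is a permanent error (permerror).
        return [f"{len(spf)} SPF records published; merge them into one"]
    problems, includes = [], []
    for term in spf[0].split()[1:]:
        if re.match(r"[A-Za-z][A-Za-z0-9_.-]*=", term):
            continue  # modifier such as redirect= or exp=
        body = term.lstrip("+-~?")
        name = re.split(r"[:/]", body, maxsplit=1)[0].lower()
        if name not in MECHANISMS:
            problems.append(f"unknown mechanism in {term!r}")
        elif name == "include":
            includes.append(body.partition(":")[2].lower())
        elif name == "all" and term[0] not in "-~?":
            problems.append("'+all' authorizes every sender")
    if required_include not in includes:
        problems.append(f"include:{required_include} is missing")
    return problems

if __name__ == "__main__":
    # Constructed TXT sets: a second SPF record added instead of merging, and a typo.
    duplicated = ["v=spf1 include:_spf.google.com ~all",
                  "v=spf1 include:sendgrid.net ~all"]
    typo = ["v=spf1 inlcude:_spf.google.com ~all"]
    for records in (duplicated, typo):
        print(records, "->", audit_spf(records))
```

Feed it the strings your DNS provider or a TXT lookup returns for the root domain; an empty list means the record passes these checks.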
Step 2: Enable DKIM in Google Workspace
DKIM signs your outgoing email so receivers can verify it's authentic.
Generate the DKIM Key
- Sign in to the Google Admin console
- Go to Apps → Google Workspace → Gmail
- Click Authenticate email
- Select your domain
- Click Generate new record
- Choose your key length (2048-bit recommended)
- Copy the provided TXT record value
Add the DKIM Record to DNS
Add a TXT record with these settings:
| Field | Value |
|---|---|
| Type | TXT |
| Host/Name | `google._domainkey` |
| Value | (the value from Admin console) |
| TTL | 3600 |
The host name format may vary by DNS provider:
- Some need: `google._domainkey`
- Some need: `google._domainkey.yourdomain.com`
Start DKIM Signing
After adding the DNS record:
- Wait 15-30 minutes for propagation
- Return to Gmail → Authenticate email in Admin console
- Click Start authentication
Google will verify the DNS record and begin signing outgoing mail.
Verify DKIM Is Working
Use DKIM Test with selector google to verify your DKIM key is published correctly.
Step 3: Add Your DMARC Record
Now that SPF and DKIM are configured, add your DMARC record.
Start with Monitoring
For your first DMARC record, use a monitoring policy:
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
Replace dmarc@yourdomain.com with an email address for receiving reports.
Add the DMARC Record
Add a TXT record at _dmarc.yourdomain.com:
| Field | Value |
|---|---|
| Type | TXT |
| Host/Name | `_dmarc` |
| Value | `v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com` |
| TTL | 3600 |
Verify the Record
After DNS propagation (1-4 hours), verify your DMARC record:
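One way to check the published value, as an added example that is not part of the original guide: the function below validates the TXT string found at `_dmarc.<domain>` and also lists the authorization records RFC 7489 requires when a `rua` address lives on another domain (the receiving domain must publish a `v=DMARC1` TXT record at `<your domain>._report._dmarc.<their domain>`). The name `check_dmarc` is hypothetical, and comparing hosts by suffix is an approximation of the organizational-domain test.

```python
POLICIES = {"none", "quarantine", "reject"}

def check_dmarc(record, domain):
    """Return (problems, external_auth_names) for the TXT value at _dmarc.<domain>."""
    # Split "tag=value; tag=value" into ordered (tag, value) pairs.
    pairs = [tuple(s.strip() for s in part.partition("=")[::2])
             for part in record.split(";") if part.strip()]
    tags = {tag.lower(): value for tag, value in pairs}
    problems, external = [], []
    if not pairs or (pairs[0][0].lower(), pairs[0][1]) != ("v", "DMARC1"):
        problems.append("first tag must be v=DMARC1")
    if tags.get("p", "").lower() not in POLICIES:
        problems.append("p must be none, quarantine or reject")
    if "rua" not in tags:
        problems.append("no rua tag: no aggregate reports will be sent")
    for uri in filter(None, (u.strip() for u in tags.get("rua", "").split(","))):
        if not uri.lower().startswith("mailto:") or "@" not in uri:
            problems.append(f"rua entry {uri!r} is not a mailto: address")
            continue
        # Drop an optional "!10m" size limit, then take the mailbox's domain.
        host = uri.split("!")[0].rpartition("@")[2].lower().rstrip(".")
        if host != domain and not host.endswith("." + domain):
            # Approximation: any host outside <domain> is treated as external.
            external.append(f"{domain}._report._dmarc.{host}")
    return problems, external

if __name__ == "__main__":
    # Constructed values: the guide's record, an external report mailbox, a broken record.
    for value in ("v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com",
                  "v=DMARC1; p=none; rua=mailto:reports@vendor.example",
                  "p=none; v=DMARC1; rua=dmarc@yourdomain.com"):
        print(value, "->", check_dmarc(value, "yourdomain.com"))
```

A non-empty second list names TXT records the report recipient has to publish; without them, receivers will not send reports to that address.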
Step 4: Monitor and Progress to Enforcement
Review DMARC Reports
After a few days, you'll start receiving aggregate reports at your rua address. These XML reports show:
- Who's sending email as your domain
- Whether emails pass SPF, DKIM, and DMARC
- Any authentication failures
Review these reports for 2-4 weeks before changing your policy.
Move to Quarantine
Once you've verified all legitimate email is passing:
v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com
Move to Reject
After running quarantine without issues:
v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com
Third-Party Services
If you use other services to send email (marketing platforms, CRM, etc.), each needs configuration:
For SPF: Add their include mechanism to your SPF record.
For DKIM: Configure the service to sign with your domain (usually involves adding CNAME or TXT records they provide).
Check the documentation for each service:
- Mailchimp, SendGrid, Postmark, etc. all have authentication setup guides
- Most require adding DNS records they provide
- Some support custom Return-Path for SPF alignment
Troubleshooting
DKIM Shows "Not Started"
- Verify the DNS record is correctly added
- Check the hostname format matches your DNS provider's requirements
- Wait for DNS propagation (can take up to 48 hours)
- Try the "Start authentication" button again
SPF Fails for Google
- Ensure `include:_spf.google.com` is in your SPF record
- Check you only have one SPF record (multiple records cause failures)
- Verify there are no syntax errors in the record
DMARC Alignment Fails
- Google Workspace automatically aligns SPF (Return-Path uses your domain)
- DKIM alignment requires that the signing domain match your From domain
- Verify DKIM is signing with your domain, not a subdomain
Reports Not Arriving
- Verify the rua email address is correct
- Check spam/junk folders
- Ensure the mailbox can receive large attachments (reports can be several MB)
- Wait a few days; reports are typically sent daily
Complete Setup Checklist
- [ ] SPF record includes `_spf.google.com`
- [ ] DKIM enabled in Google Admin console
- [ ] DKIM DNS record added with correct hostname
- [ ] DKIM authentication started in Admin console
- [ ] DMARC record added at `_dmarc.yourdomain.com`
- [ ] Test email sent and headers show DMARC pass
- [ ] DMARC reports arriving at rua address
Monitor Your DMARC Records
Checking once is good. Monitoring continuously is better. The Email Deliverability Suite watches your SPF, DKIM, DMARC, and MX records daily and alerts you when something breaks.