DMARC for Google Workspace

Complete setup guide for implementing email authentication with Google Workspace.

15 min read | Last updated: November 2025 | Platform Specific

What you'll accomplish

  • Set up SPF for Google Workspace
  • Enable and configure DKIM signing
  • Create and publish your DMARC policy
  • Configure DMARC reporting
  • Test your complete setup

Prerequisites

  • Google Workspace Admin Access

    You need super admin privileges to configure email settings

  • DNS Management Access

    Ability to add TXT records to your domain's DNS

  • Verified Domain

    Your domain must be verified in Google Workspace

Step 1: Set Up SPF for Google Workspace

SPF authorizes Google's mail servers to send email on behalf of your domain. This is essential for email delivery and DMARC compliance.

Add SPF Record to DNS

Add this TXT record to your domain's DNS at the root level (@ or your domain name):

Type: TXT

Name: @ (or your domain)

Value:

v=spf1 include:_spf.google.com ~all

If you already have an SPF record:

Don't create a second SPF record! Instead, add include:_spf.google.com to your existing SPF record, before the final ~all or -all.

Note: If you only send email through Google Workspace, you can use -all (hard fail) instead of ~all for stronger protection.

Step 2: Enable DKIM Signing

DKIM adds a cryptographic signature to emails sent from Google Workspace, proving they haven't been tampered with.

Enable DKIM in Google Admin Console

  1. Access Admin Console

    Go to admin.google.com

  2. Navigate to Email Authentication

    Go to Apps → Google Workspace → Gmail → Authenticate email

  3. Generate DKIM Key

    Select your domain and click "Generate New Record"

    Recommended: Use 2048-bit key for better security

  4. Copy DNS Record

    Google will display the DKIM TXT record you need to add to DNS

Add DKIM Record to DNS

Add the TXT record provided by Google to your DNS:

Type: TXT

Name: google._domainkey (or as shown by Google)

Value: (long string provided by Google)

Activate DKIM in Google Admin

  5. Wait 24-48 hours for DNS propagation

  6. Return to the Gmail authentication page in Admin Console

  7. Click "Start Authentication" to enable DKIM signing

Step 3: Create DMARC Policy

Now that SPF and DKIM are configured, you can implement DMARC to tell receiving servers how to handle emails that fail authentication.

Recommended DMARC Record (Monitor Mode)

Start with monitoring mode to collect data before enforcing:

Type: TXT

Name: _dmarc

Value:

v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; pct=100

Important: Replace [email protected] with a real email address where you want to receive reports. This can be a Google Group or mailbox in your Workspace.

DMARC Policy Progression

Follow this timeline to gradually strengthen your DMARC policy:

Phase 1: Monitor (Weeks 1-4)

p=none

Collect data on all email sources. Review DMARC reports weekly and fix any legitimate sources failing authentication.

Phase 2: Quarantine (Weeks 5-8)

p=quarantine

Failed emails go to spam. Monitor for any legitimate mail ending up in spam folders.

v=DMARC1; p=quarantine; rua=mailto:[email protected]; pct=100

Phase 3: Reject (Week 9+)

p=reject

Failed emails are blocked entirely. Maximum protection against spoofing and phishing.

v=DMARC1; p=reject; rua=mailto:[email protected]; pct=100

Step 4: Testing Your Setup

After configuring all records and waiting 24-48 hours for DNS propagation, test your setup:

  1. Use Our Checker

    Check your domain with our free DMARC checker

  2. Send Test Emails

    Send emails from your Workspace to Gmail and Outlook accounts

  3. Check Email Headers

    Look for "dmarc=pass" in the Authentication-Results header

  4. Monitor Reports

    Watch for DMARC reports to arrive (can take 24-48 hours for first reports)

Common Issues & Solutions

DKIM Not Activating

Problem: Google Admin shows "Awaiting Activation" for DKIM

Solution: The DNS record may not have propagated yet. Wait 48 hours and try again. Verify the TXT record is published correctly using a DNS checker.

SPF Too Long

Problem: SPF record exceeds 10 DNS lookups when using other services

Solution: Use our SPF Generator to optimize your record, or consider using SPF flattening services.
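The SPF rules from Step 1 (a single record, with the Google include placed before the final all) and the 10-lookup limit from this issue can be checked before you publish. The Python lint below is an added example, not code from this guide or from Google; it runs offline against a constructed ZONE dictionary, and the function names and every *.example domain are assumptions.

```python
import re
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # count toward the limit of 10
GOOGLE = "include:_spf.google.com"

def spf_records(domain, zone):  # TXT strings published at `domain` that are SPF records
    return [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]

def parse_term(term):  # '-include:x.example' -> ('include', 'x.example'); 'a/24' -> ('a', None)
    m = re.match(r"[+\-~?]?([a-z0-9]+)(?:[:=]([^/\s]+))?", term.lower())
    return (m.group(1), m.group(2)) if m else (term.lower(), None)

def count_lookups(domain, zone, seen=frozenset()):
    """Count DNS-querying terms, following include/redirect into nested records."""
    recs = spf_records(domain, zone)
    if domain in seen or len(recs) != 1:  # include loop, or nothing usable to follow
        return 0
    total = 0
    for term in recs[0].split()[1:]:
        name, target = parse_term(term)
        if name in LOOKUP_TERMS:
            total += 1
            if name in ("include", "redirect") and target:
                total += count_lookups(target, zone, seen | {domain})
    return total

def lint_spf(domain, zone):
    """Return findings for `domain`; an empty list means every check passed."""
    recs = spf_records(domain, zone)
    if len(recs) != 1:
        return [f"expected exactly 1 SPF record, found {len(recs)}"]
    terms = recs[0].lower().split()[1:]
    findings = []
    all_pos = next((i for i, t in enumerate(terms) if parse_term(t)[0] == "all"), None)
    if GOOGLE not in terms:
        findings.append("missing include:_spf.google.com")
    elif all_pos is not None and terms.index(GOOGLE) > all_pos:
        findings.append("include:_spf.google.com comes after 'all' and is never evaluated")
    if (n := count_lookups(domain, zone)) > 10:
        findings.append(f"{n} DNS lookups, limit is 10")
    return findings

ZONE = {  # constructed TXT data standing in for DNS answers; *.example names are hypothetical
    "_spf.google.com": ["v=spf1 include:_nb.example ~all"],  # stand-in, not Google's real record
    "good.example": ["site-verification=constructed", "v=spf1 include:_spf.google.com -all"],
    "dup.example": ["v=spf1 include:_spf.google.com ~all", "v=spf1 include:crm.example ~all"],
    "late.example": ["v=spf1 mx ~all include:_spf.google.com"],
    "heavy.example": ["v=spf1 include:_spf.google.com a mx "
                      + " ".join(f"include:s{i}.example" for i in range(1, 8)) + " ~all"],
}
```

To run it against a real domain, fill the dictionary from live TXT answers for the domain and for each include target.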

Emails Failing from Third-Party Services

Problem: Emails from CRM, marketing tools, or ticketing systems fail DMARC

Solution: Either add their IPs to SPF, enable DKIM in those services, or configure them to send through Google Workspace SMTP relay.
