How to set up DMARC on Google Workspace (step by step)
Google Workspace sends your mail, but SPF, DKIM, and DMARC are DNS records you have to publish yourself. Here is the full setup in four steps — in plain English.
Check what your domain has today — free, no signupStep 1: verify your SPF record
One TXT record on your root domain authorizing Google's servers:
Type: TXT
Host: @ (yourdomain.com)
Value: v=spf1 include:_spf.google.com ~all
If other services also send as your domain (marketing platform, invoicing tool), add their include: to the same record — you may have only one v=spf1 record, and it must stay under 10 DNS lookups.
Step 2: enable DKIM in the Admin console
- In admin.google.com, go to Apps > Google Workspace > Gmail > Authenticate email.
- Select your domain and click Generate new record (choose 2048-bit unless your DNS host can't store it).
- Publish the record it gives you as a TXT record on the host
google._domainkey.yourdomain.com. - Wait for DNS to propagate (up to an hour), come back, and click Start authentication.
Until you do this, Gmail signs your mail with a shared Google identity that does not align with your domain for DMARC — the console will show "Not authenticating email" on domains still in that state.
Step 3: publish the DMARC record
A TXT record at the _dmarc host:
Type: TXT
Host: _dmarc (_dmarc.yourdomain.com)
Value: v=DMARC1; p=none; rua=mailto:reports@yourdomain.com
p=none changes nothing about delivery yet — it switches on the daily aggregate reports that show which sources pass and fail. Point rua at a mailbox you'll actually process, or at a monitoring service. You can assemble the record with our free DMARC generator.
Step 4: verify, monitor, then tighten
Confirm all three records exist:
dig +short TXT yourdomain.com
dig +short TXT google._domainkey.yourdomain.com
dig +short TXT _dmarc.yourdomain.com
Send a test message to a Gmail address you control and open Show original: you want spf=pass, dkim=pass with header.d=yourdomain.com, and dmarc=pass. If DMARC fails anyway, it's an alignment issue — see why DMARC fails and how to fix it. If no reports show up within 48 hours, see not receiving DMARC reports.
Then watch your reports for a few weeks. When every legitimate source passes aligned, move to p=quarantine, and finish at p=reject — the only setting that actually stops spoofing. The trade-offs at each level are covered in p=none vs quarantine vs reject.
Common Workspace-specific mistakes
- Generating the DKIM key but never clicking "Start authentication". The key exists in DNS, but Gmail keeps sending unsigned until you flip the switch.
- Publishing the DKIM record on the wrong host. It belongs on
google._domainkey, not on the root and not on_domainkeyalone. - Forgetting non-Gmail senders. Workspace being clean doesn't cover your newsletter or invoicing tools — each needs its own DKIM alignment, which your aggregate reports will surface.
On a different provider? The same walkthrough exists for Microsoft 365, Zoho Mail, Amazon SES, and Mailgun.
Step 3 asks where to send reports — send them somewhere useful. Point rua at PlainDMARC and get a plain-English weekly verdict instead of zipped XML: which sources pass, which fail, and when you're ready to tighten the policy.