Guide
How to set up DMARC for Google Workspace
The exact SPF, DKIM and DMARC steps for a Google Workspace (Gmail) domain — including the Admin console bits people miss.
Check your DMARC record →What it is
Google Workspace sends your mail through Google's servers, so authentication means three things: an SPF record that includes Google, DKIM signing enabled in the Google Admin console, and a DMARC record telling receivers what to do on failure.
The step most people skip is generating and publishing the DKIM key in the Admin console — Workspace does not sign your mail by default.
Why it matters
Without DKIM turned on, Workspace mail relies on SPF alone, which breaks on forwarding and leaves DMARC fragile. With all three set, your Gmail-sent mail passes cleanly and you can safely enforce DMARC.
Google itself now requires authentication for anyone sending to Gmail — so this isn't optional if you use Workspace.
How to set it up
- 1SPF: publish a TXT record at your root domain: v=spf1 include:_spf.google.com ~all (merge the include into your existing SPF if you have one — never publish two SPF records).
- 2DKIM: in the Google Admin console go to Apps → Google Workspace → Gmail → Authenticate email, generate a 2048-bit key, and publish the TXT record it gives you at google._domainkey.yourdomain.com. Then click Start authentication.
- 3DMARC: publish a TXT record at _dmarc.yourdomain.com: v=DMARC1; p=none; rua=mailto:you@yourdomain.com to begin monitoring.
- 4Wait ~48 hours, confirm DKIM shows as signing, then move DMARC to p=quarantine and finally p=reject once your reports are clean.
Common problems
- I enabled DKIM in Google but it still fails.
- Two common causes: you didn't click 'Start authentication' after publishing the key, or the TXT record isn't at google._domainkey.yourdomain.com exactly. Re-check the selector and that Google shows authentication as active.
- Do I need to include anything else in SPF?
- Only if other services send as your domain (a CRM, marketing tool, help desk). Add each one's include to the same single SPF record, and mind the 10-lookup limit.
- What SPF ending should I use, ~all or -all?
- Start with ~all (softfail) while you confirm everything passes, then tighten to -all (hardfail) once you're sure every legitimate sender is listed.
Check it — then keep it healthy
Run a free scan now, or let DomainHealthPro monitor it continuously and alert you the moment it breaks.