Why DMARC matters for Google Workspace users
Google Workspace handles email for millions of organisations, but using Gmail alone does not automatically protect your domain from being impersonated. Without DMARC, anyone can forge your domain in the “From” header of an email, and most recipients will have no way to tell the difference.
DMARC (Domain-based Message Authentication, Reporting, and Conformance) ties together two existing protocols, SPF and DKIM, and adds a policy layer that tells receiving servers what to do when authentication fails. With DMARC in place, you gain visibility into who is sending email as your domain and the ability to block unauthorised senders.
The Google and Yahoo bulk sender requirements mandate that anyone sending 5,000+ messages per day publish a DMARC record. Even if you send far fewer messages, having DMARC configured improves deliverability and protects your reputation. For a deeper overview of the protocol itself, see our complete guide to DMARC.
Step 1: Configure SPF for Google Workspace
SPF (Sender Policy Framework) tells receiving servers which IP addresses are authorised to send email for your domain. Google publishes a shared SPF include that covers all of its mail infrastructure.
Add the following TXT record to the root of your domain in DNS:
Type: TXT
Host: @
Value: v=spf1 include:_spf.google.com ~all
This record authorises Google's servers and soft-fails everything else. If you use additional services that send email on your behalf (such as a CRM, marketing platform, or transactional email provider), add their SPF include before the ~all mechanism. For example:
Be mindful that SPF is limited to 10 DNS lookups. Each include: counts towards this limit. If you are approaching the cap, read our guide on fixing SPF too many DNS lookups or use our SPF Flattener tool.
Use our free SPF Generator to build the correct record for your setup with all the services you use.
Step 2: Enable DKIM signing in Google Workspace
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every outgoing email. Receiving servers look up the corresponding public key in your DNS and verify that the message has not been altered in transit.
Follow these steps to enable DKIM in the Google Workspace Admin Console:
- Navigate to DKIM settings. Open the Google Admin Console and go to Apps > Google Workspace > Gmail > Authenticate email.
- Select your domain. If you have multiple domains, choose the one you want to configure.
- Generate a new DKIM key. Click Generate new record. Select a key length of 2048 bits (recommended for stronger security). The default prefix selector is google, which creates a DNS record at google._domainkey.yourdomain.com.
- Add the TXT record to DNS. Copy the generated DKIM record value and create a TXT record in your DNS zone:
Type: TXT
Host: google._domainkey
Value: v=DKIM1; k=rsa; p=MIIBIjANBgkqh... (your public key)
- Start authentication. After the DNS record has propagated (allow up to 48 hours, though it is usually much faster), return to the Admin Console and click Start authentication. Google will verify the DNS record and begin signing outgoing messages.
For provider-specific DKIM walkthroughs beyond Google, see our Setup DKIM by Provider guide. You can also use our DKIM Generator to create DKIM records for other sending services.
Step 3: Publish a DMARC record
With SPF and DKIM in place, you are ready to publish a DMARC record. DMARC builds on both protocols by requiring alignment (the domain in the “From” header must match the SPF or DKIM domain) and by defining a policy for messages that fail authentication.
Start with a monitoring-only policy so you can review reports before enforcing anything:
Type: TXT
Host: _dmarc
Value: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
Replace dmarc@yourdomain.com with the address where you want to receive aggregate reports. The rua tag tells receiving servers where to send XML reports about authentication results for your domain.
The recommended path to full enforcement follows three phases:
Use our DMARC Generator to build the correct record for your domain. For a thorough explanation of what each DMARC tag does, see our SPF vs DKIM vs DMARC comparison guide.
Step 4: Verify with free tools
Once your DNS records are published, verify that everything is configured correctly. Use these free ShieldMarc tools:
- DMARC Checker validates your DMARC record syntax, policy, and reporting configuration.
- Security Grade scores your domain across SPF, DKIM, DMARC, MTA-STS, DNSSEC, and TLS in a single scan.
- Email Header Analyser lets you paste raw email headers to confirm that SPF, DKIM, and DMARC are all passing for live messages sent from your Google Workspace account.
- DNS Lookup queries authoritative servers directly so you can inspect your TXT, MX, and DKIM records in real time.
Common Google Workspace issues
Even with SPF, DKIM, and DMARC correctly published, there are several Google Workspace-specific pitfalls that can cause authentication failures. Watch for these:
- DKIM key size: always 2048 bits. Google Workspace defaults to a 1024-bit DKIM key, but RFC 8301 deprecates 1024-bit RSA for DKIM. Always choose 2048 bits. Some DNS providers restrict TXT record length and may need the key split across two strings or a CNAME delegation; if your DNS provider cannot handle a 2048-bit key, switch DNS provider rather than stay on 1024.
- Google Groups and mailing lists breaking DKIM alignment. When email passes through a Google Group, the message is often modified (footers, subject prefixes) which breaks the original DKIM signature. Google re-signs the message with its own domain, causing DKIM alignment to fail for the original sender's domain. This is expected behaviour for mailing lists. Your DMARC reports will show these failures, but they do not indicate spoofing.
- Third-party apps sending on your behalf. CRMs (Salesforce, HubSpot), marketing tools (Mailchimp, SendGrid), and helpdesk platforms often send email using your domain. Each of these services needs to be included in your SPF record and ideally configured with DKIM signing for your domain. If they are not, messages from these services will fail DMARC once you move beyond p=none.
- SPF lookup limits with multiple services. Each include: in your SPF record triggers one or more DNS lookups. The SPF specification limits you to 10 lookups per evaluation. Google's _spf.google.com alone uses several of those. If you add too many services, you will exceed the limit and SPF will fail entirely. Use our SPF Flattener to reduce your lookup count, and read our guide to fixing SPF too many DNS lookups for a full walkthrough.
- Multiple SPF records on the same domain. DNS allows only one SPF TXT record per domain. If you accidentally publish two (for example, one for Google and one for another provider), SPF will return a permanent error and all authentication will fail. Combine all your authorised senders into a single record.
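The two SPF failure modes above (more than 10 DNS lookups, and two SPF records on one name) can be checked before you publish a change. The following is an added example, not code from this guide or from Google: it audits a constructed set of TXT records offline, and every name and value in ZONE, including the contents shown for _spf.google.com, is a made-up stand-in rather than a live DNS answer.

```python
# Added example: offline SPF audit. ZONE is constructed sample data standing in
# for DNS TXT answers; the values are not live records for any real domain.
ZONE = {
    "example.com": ["v=spf1 include:_spf.google.com include:spf.crm.example ~all"],
    "_spf.google.com": ["v=spf1 include:_nb1.example include:_nb2.example ~all"],
    "_nb1.example": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_nb2.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "spf.crm.example": ["v=spf1 a mx ip4:203.0.113.0/24 ~all"],
    "dup.example": ["v=spf1 include:_spf.google.com ~all",
                    "v=spf1 ip4:192.0.2.1 -all"],
}
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
MAX_LOOKUPS = 10  # limit stated in the SPF specification

def spf_records(name, zone):
    """TXT strings at `name` that are SPF records (start with v=spf1)."""
    return [t for t in zone.get(name, []) if t.lower().split()[:1] == ["v=spf1"]]

def count_lookups(name, zone, path=()):
    """Count DNS-querying terms reachable from the SPF record at `name`."""
    records = spf_records(name, zone)
    if name in path or len(records) != 1:  # loop guard / nothing to follow
        return 0
    total = 0
    for term in records[0].split()[1:]:
        term = term.lstrip("+-~?")  # drop the qualifier, keep the mechanism
        if term.lower().startswith("redirect="):
            total += 1 + count_lookups(term.split("=", 1)[1], zone, path + (name,))
            continue
        mech, _, target = term.partition(":")
        mech = mech.split("/")[0].lower()  # "a/24" -> "a"
        if mech in LOOKUP_MECHANISMS:
            total += 1
            if mech == "include":
                total += count_lookups(target, zone, path + (name,))
    return total

def audit_spf(domain, zone):
    """Report the two failure modes above: duplicate records and >10 lookups."""
    records = spf_records(domain, zone)
    if not records:
        return {"result": "none", "lookups": 0}
    if len(records) > 1:
        return {"result": "permerror: multiple SPF records", "lookups": 0}
    lookups = count_lookups(domain, zone)
    over = lookups > MAX_LOOKUPS
    return {"result": "permerror: too many DNS lookups" if over else "ok",
            "lookups": lookups}
```

To audit a real domain, fill the dictionary from your own TXT lookups; nested includes count towards the same limit of 10, which is why a short-looking record can still fail.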
Understanding your DMARC reports
Once your DMARC record includes a rua tag, you will start receiving aggregate reports from receiving servers (Google, Microsoft, Yahoo, and others). These XML reports show you exactly which IP addresses are sending email as your domain and whether those messages passed or failed SPF, DKIM, and DMARC.
Reviewing these reports is essential during the monitoring phase. They help you identify legitimate senders you may have missed, spot spoofing attempts, and confirm that your authentication is working as expected. For a detailed walkthrough, see our Understanding DMARC Reports guide.
Next steps
With SPF, DKIM, and DMARC configured for your Google Workspace domain, here is what to focus on next:
- Monitor your DMARC reports at p=none until every authorised sender is consistently aligning. The gate is report cleanliness, not the calendar.
- Move to p=quarantine, then to p=reject once you are confident that no legitimate email will be blocked.
- Aim for a strong Security Grade. Run a Security Grade check to see your overall domain security score and identify any remaining gaps in SPF, DKIM, DMARC, MTA-STS, DNSSEC, and TLS.
- Read our SPF vs DKIM vs DMARC comparison to deepen your understanding of how the three protocols work together.
- Review DKIM setup for other providers if you have additional services sending email alongside Google Workspace.
Is your Google Workspace domain fully protected?
Find out in seconds with our free DMARC Checker. For continuous DMARC monitoring, aggregate report parsing, and alerts when your authentication breaks, create a free ShieldMarc account and start protecting your domain in under two minutes.