Why DMARC matters for Google Workspace users
Google Workspace handles email for millions of organisations, but using Gmail alone does not automatically protect your domain from being impersonated. Without DMARC, anyone can forge your domain in the “From” header of an email, and most recipients will have no way to tell the difference.
DMARC (Domain-based Message Authentication, Reporting, and Conformance) ties together two existing protocols, SPF and DKIM, and adds a policy layer that tells receiving servers what to do when authentication fails. With DMARC in place, you gain visibility into who is sending email as your domain and the ability to block unauthorised senders.
The Google and Yahoo bulk sender requirements mandate that anyone sending 5,000+ messages per day publish a DMARC record. Even if you send far fewer messages, having DMARC configured improves deliverability and protects your reputation. For a deeper overview of the protocol itself, see our complete guide to DMARC.
Step 1: Configure SPF for Google Workspace
SPF (Sender Policy Framework) tells receiving servers which IP addresses are authorised to send email for your domain. Google publishes a shared SPF include that covers all of its mail infrastructure.
Add the following TXT record to the root of your domain in DNS:
Type: TXT
Host: @
Value: v=spf1 include:_spf.google.com ~all
This record authorises Google's servers and soft-fails everything else. If you use additional services that send email on your behalf (such as a CRM, marketing platform, or transactional email provider), add their SPF include before the ~all mechanism. For example:
Be mindful that SPF is limited to 10 DNS lookups. Each include: counts towards this limit. If you are approaching the cap, read our guide on fixing SPF too many DNS lookups or use our SPF Flattener tool.
Use our free SPF Generator to build the correct record for your setup with all the services you use.
Step 2: Enable DKIM signing in Google Workspace
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every outgoing email. Receiving servers look up the corresponding public key in your DNS and verify that the message has not been altered in transit.
Follow these steps to enable DKIM in the Google Workspace Admin Console:
- Navigate to DKIM settings. Open the Google Admin Console and go to Apps > Google Workspace > Gmail > Authenticate email.
- Select your domain. If you have multiple domains, choose the one you want to configure.
- Generate a new DKIM key. Click Generate new record. Select a key length of 2048 bits (recommended for stronger security). The default prefix selector is
google, which creates a DNS record atgoogle._domainkey.yourdomain.com. - Add the TXT record to DNS. Copy the generated DKIM record value and create a TXT record in your DNS zone:
Type: TXT
Host: google._domainkey
Value: v=DKIM1; k=rsa; p=MIIBIjANBgkqh... (your public key)
- Start authentication. After the DNS record has propagated (allow up to 48 hours, though it is usually much faster), return to the Admin Console and click Start authentication. Google will verify the DNS record and begin signing outgoing messages.
For provider-specific DKIM walkthroughs beyond Google, see our Setup DKIM by Provider guide. You can also use our DKIM Generator to create DKIM records for other sending services.
Step 3: Publish a DMARC record
With SPF and DKIM in place, you are ready to publish a DMARC record. DMARC builds on both protocols by requiring alignment (the domain in the “From” header must match the SPF or DKIM domain) and by defining a policy for messages that fail authentication.
Start with a monitoring-only policy so you can review reports before enforcing anything:
Type: TXT
Host: _dmarc
Value: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
Replace dmarc@yourdomain.com with the address where you want to receive aggregate reports. The rua tag tells receiving servers where to send XML reports about authentication results for your domain.
The recommended path to full enforcement follows three phases:
Use our DMARC Generator to build the correct record for your domain. For a thorough explanation of what each DMARC tag does, see our SPF vs DKIM vs DMARC comparison guide.
Step 4: Verify with free tools
Once your DNS records are published, verify that everything is configured correctly. Use these free ShieldMarc tools:
- DMARC Checker validates your DMARC record syntax, policy, and reporting configuration.
- Security Grade scores your domain across SPF, DKIM, DMARC, MTA-STS, DNSSEC, and TLS in a single scan.
- Email Header Analyser lets you paste raw email headers to confirm that SPF, DKIM, and DMARC are all passing for live messages sent from your Google Workspace account.
- DNS Lookup queries authoritative servers directly so you can inspect your TXT, MX, and DKIM records in real time.
Common Google Workspace issues
Even with SPF, DKIM, and DMARC correctly published, there are several Google Workspace-specific pitfalls that can cause authentication failures. Watch for these:
- DKIM key size: always 2048 bits. Google Workspace defaults to a 1024-bit DKIM key, but RFC 8301 deprecates 1024-bit RSA for DKIM. Always choose 2048 bits. Some DNS providers restrict TXT record length and may need the key split across two strings or a CNAME delegation; if your DNS provider cannot handle a 2048-bit key, switch DNS provider rather than stay on 1024.
- Google Groups and mailing lists breaking DKIM alignment. When email passes through a Google Group, the message is often modified (footers, subject prefixes) which breaks the original DKIM signature. Google re-signs the message with its own domain, causing DKIM alignment to fail for the original sender's domain. This is expected behaviour for mailing lists. Your DMARC reports will show these failures, but they do not indicate spoofing.
- Third-party apps sending on your behalf. CRMs (Salesforce, HubSpot), marketing tools (Mailchimp, SendGrid), and helpdesk platforms often send email using your domain. Each of these services needs to be included in your SPF record and ideally configured with DKIM signing for your domain. If they are not, messages from these services will fail DMARC once you move beyond
p=none. - SPF lookup limits with multiple services. Each
include:in your SPF record triggers one or more DNS lookups. The SPF specification limits you to 10 lookups per evaluation. Google's_spf.google.comalone uses several of those. If you add too many services, you will exceed the limit and SPF will fail entirely. Use our SPF Flattener to reduce your lookup count, and read our guide to fixing SPF too many DNS lookups for a full walkthrough. - Multiple SPF records on the same domain. DNS allows only one SPF TXT record per domain. If you accidentally publish two (for example, one for Google and one for another provider), SPF will return a permanent error and all authentication will fail. Combine all your authorised senders into a single record.
Understanding your DMARC reports
Once your DMARC record includes a rua tag, you will start receiving aggregate reports from receiving servers (Google, Microsoft, Yahoo, and others). These XML reports show you exactly which IP addresses are sending email as your domain and whether those messages passed or failed SPF, DKIM, and DMARC.
Reviewing these reports is essential during the monitoring phase. They help you identify legitimate senders you may have missed, spot spoofing attempts, and confirm that your authentication is working as expected. For a detailed walkthrough, see our Understanding DMARC Reports guide.
Next steps
With SPF, DKIM, and DMARC configured for your Google Workspace domain, here is what to focus on next:
- Monitor your DMARC reports at
p=noneuntil every authorised sender is consistently aligning. The gate is report cleanliness, not the calendar. - Move to p=quarantine, then to p=reject once you are confident that no legitimate email will be blocked.
- Aim for a strong Security Grade. Run a Security Grade check to see your overall domain security score and identify any remaining gaps in SPF, DKIM, DMARC, MTA-STS, DNSSEC, and TLS.
- Read our SPF vs DKIM vs DMARC comparison to deepen your understanding of how the three protocols work together.
- Review DKIM setup for other providers if you have additional services sending email alongside Google Workspace.
Frequently asked questions
My Google Workspace emails fail DMARC on some recipients, why?
Intermittent, per-recipient DMARC failures from Google Workspace almost always come down to one of two causes: forwarding or DKIM not being enabled yet. When a recipient auto-forwards your mail or it travels through a mailing list, the forwarding hop changes the envelope sender and often rewrites the body, which breaks SPF and sometimes the original DKIM signature, so only the forwarded copies fail while direct deliveries pass. The other common cause is that DKIM is still off: Google Workspace ships with DKIM disabled until you generate and publish a 2048-bit key and click Start authentication, so before that step every message relies on SPF alignment alone and any path that breaks SPF fails DMARC. Read your aggregate (RUA) reports to isolate the exact source IPs and tell forwarding apart from genuine spoofing. The aggregate report XML format was originally defined in RFC 7489 and is now covered by DMARCbis aggregate reporting in RFC 9990. See also Google's DMARC documentation.
Why do Google Workspace emails fail DMARC?
The usual reasons are DKIM not being enabled, an SPF or DKIM alignment mismatch, or mail being forwarded or sent by a service you have not authorised. Google Workspace leaves DKIM off until you publish the key, so until then DMARC leans entirely on SPF, which breaks easily on forwarding. Alignment is the other frequent culprit: DMARC requires the domain in the visible From header to match the SPF or DKIM domain, so a third-party sender (CRM, marketing platform, helpdesk) that authenticates on its own domain will fail DMARC even though SPF or DKIM technically passes. Finally, mailing lists and auto-forwards rewrite the message and break the original signature. Aggregate reports show you which source is failing and why, as originally described in RFC 7489 and now in the DMARCbis aggregate reporting specification, RFC 9990.
How do I turn on DKIM in Google Workspace?
Turn on DKIM in the Google Admin console under Apps, Google Workspace, Gmail, Authenticate email, then generate a key, publish the TXT record, and click Start authentication. Select your domain, choose Generate new record, and pick a 2048-bit key length with the default google selector. Copy the generated value into a TXT record at google._domainkey.yourdomain.com, wait for DNS to propagate (up to 48 hours, usually much faster), then return to the Admin console and click Start authentication so Google begins signing outgoing mail. Until you complete that final step DKIM is not active, which is why newly set up domains often see DMARC failures. Full steps are in Google's documentation.
How do I fix DMARC alignment for Google Workspace?
Fix DMARC alignment by making sure the domain that passes SPF or DKIM matches the domain in your From header. For mail sent directly through Google Workspace, that means enabling DKIM on your own domain (so the signature aligns) and including _spf.google.com in your SPF record. For third-party services that send as your domain, configure DKIM signing for your domain with that provider and add their SPF include, rather than relying on their default signing on a different domain. For forwarding and mailing lists, expect SPF to break and lean on DKIM alignment, since a surviving DKIM signature still aligns; ARC can help receivers honour the upstream result, though it does not change your published policy. Stay at p=none and use aggregate reports to confirm every legitimate sender aligns before progressing to p=quarantine then p=reject; we do not recommend ramping the pct= tag, because it only samples enforcement at random and delays nothing useful. DMARCbis removes the pct= tag entirely (Appendix A.6 of RFC 9989), which reinforces this report-driven approach. Alignment rules are defined in RFC 7489, obsoleted in May 2026 by DMARCbis (RFC 9989).
Is your Google Workspace domain fully protected?
Find out in seconds with our free DMARC Checker. For continuous DMARC monitoring, aggregate report parsing, and alerts when your authentication breaks, create a free ShieldMarc account and start protecting your domain in under two minutes.