DMARC for Google Workspace

A step-by-step guide to setting up SPF, DKIM, and DMARC for organisations using Google Workspace (formerly G Suite). Google Workspace handles the email sending, but you need to add the settings to your domain’s public directory (DNS) that verify it.

⚠️ Google’s 2024 Sender Requirements
Since February 2024, Google requires all bulk senders (5,000+ messages/day to Gmail) to have SPF, DKIM, and DMARC properly set up. Even if you’re not a bulk sender, these are strongly recommended for making sure your emails get delivered.

Step 1: Configure SPF

Add a TXT record to your domain’s settings (DNS) that tells email providers which servers are allowed to send email for your domain:

Type:TXT
Host/Name:@ (or leave blank — depends on your DNS provider)
Value:v=spf1 include:_spf.google.com -all
TTL:3600 (or default)
If you also use other sending services:
Add their SPF entries too. For example, with SendGrid:
v=spf1 include:_spf.google.com include:sendgrid.net -all

See the SPF Record Syntax Guide for the full list of common provider entries and the 10-lookup limit.

Step 2: Configure DKIM

Google Workspace generates a DKIM key pair (a digital seal) for you. You need to retrieve the public key and add it to your domain’s settings (DNS).

Generate the DKIM Key in Google Admin

  1. Sign in to the Google Admin Console
  2. Navigate to Apps → Google Workspace → Gmail → Authenticate Email
  3. Select your domain
  4. Click “Generate new record”
  5. Choose your key length:
    • 2048-bit (recommended) — more secure but the DNS value is longer
    • 1024-bit — if your DNS provider has a character limit on TXT records
  6. The prefix selector is typically google (you can leave the default)
  7. Google will display a DNS hostname and a TXT record value

Add the DKIM Record to Your Domain’s Settings

Type:TXT
Host/Name:google._domainkey (as shown in Admin Console)
Value:The long v=DKIM1; k=rsa; p=... string from the Admin Console
TTL:3600 (or default)

Activate DKIM Signing

  1. Wait for the changes to spread across the internet (up to 48 hours, usually much faster)
  2. Return to Admin Console → Gmail → Authenticate Email
  3. Click “Start authentication”
💡 Note: If you get a “DNS record not found” error, the changes haven’t spread yet. Wait a few hours and try again. You can check the status using our Domain Checker.

Step 3: Configure DMARC

With SPF and DKIM in place, add your DMARC record:

Type:TXT
Host/Name:_dmarc
Value:v=DMARC1; p=none; rua=mailto:your-selector@dmarccloud.com; adkim=r; aspf=r
TTL:3600 (or default)

Use our DMARC Record Generator to build a record customised for your needs.

✓ Start with p=none
Always start with monitoring mode. Collect reports for 2–4 weeks, confirm everything’s working, then progress toward full protection (p=reject).

Verify Your Setup

After configuring all three records, verify everything is working:

  1. Use our Domain Checker to verify SPF, DKIM, and DMARC records are published correctly
  2. Send a test email to an external address (e.g., a personal Gmail account)
  3. In the received email, click the three dots → “Show original” to view the full headers
  4. Confirm you see:
    • SPF: PASS
    • DKIM: PASS
    • DMARC: PASS
  5. Wait 24–48 hours for your first DMARC aggregate report to arrive

Common Google Workspace Issues

“SPF record not found” despite adding it
Make sure you added the TXT record at the root domain (@), not a subdomain. Also check you don’t have two SPF records — only one is allowed per domain.
DKIM key too long for DNS provider
Some DNS providers have a 255-character limit per TXT record string. If using a 2048-bit key, split the value into two strings (most providers handle this automatically). Alternatively, regenerate with a 1024-bit key.
DMARC fails for emails sent via Google Groups
Google Groups can rewrite the From: header when configured as a “collaborative inbox”. Ensure DKIM is properly configured — it usually survives the rewriting.
Third-party apps sending via Gmail SMTP relay
If you’ve configured apps to send via smtp-relay.gmail.com, these emails are covered by Google’s SPF and your DKIM. No additional configuration needed, but verify with a test email.

Summary Checklist

  • ☐ SPF TXT record added at @ with include:_spf.google.com
  • ☐ Only one SPF record exists for the domain
  • ☐ DKIM key generated in Google Admin Console
  • ☐ DKIM TXT record added at google._domainkey
  • ☐ DKIM authentication activated in Admin Console
  • ☐ DMARC TXT record added at _dmarc with p=none
  • ☐ Test email shows SPF PASS, DKIM PASS, DMARC PASS
  • ☐ Aggregate reports arriving (check after 24–48 hours)

For more on the implementation process, see How to Implement DMARC. When you’re ready to enforce, follow the p=none to p=reject guide.