Setting Up DMARC with Google Workspace
Overview
If your organisation uses Google Workspace for email, this guide covers everything you need to configure SPF, DKIM, and DMARC to protect your domain. Google Workspace makes this straightforward — most of the hard work is just DNS changes.
Step 1 — Set up SPF for Google Workspace
Add (or update) an SPF record in your domain's DNS:
v=spf1 include:_spf.google.com ~all
If you already have an SPF record, add include:_spf.google.com to it — don't create a second SPF record. Two SPF records cause PermError.
Verify: After adding, run:
dig TXT yourdomain.com
You should see the SPF record with the Google include.
Step 2 — Set up DKIM in Google Workspace
DKIM requires generating a key in Google Admin and publishing it in DNS.
Generate the DKIM key
- Go to Google Admin Console → Apps → Google Workspace → Gmail
- Click Authenticate email
- Select your domain from the dropdown
- Click Generate new record
- Choose key length: 2048-bit (recommended for security)
- Note the DNS hostname and TXT record value — you'll need these
Publish the DKIM record in DNS
Add a TXT record to your domain's DNS:
| Field | Value |
|---|---|
| Name/Host | google._domainkey.yourdomain.com (or the hostname Google provided) |
| Type | TXT |
| Value | The long string Google gave you (starts with v=DKIM1; k=rsa; p=...) |
Note: DNS changes can take up to 48 hours to propagate, though usually it's minutes to a few hours.
Enable DKIM signing in Google Admin
- Go back to Gmail → Authenticate email
- Click Start authentication
- Google will verify the DNS record and confirm DKIM is active
Verify: Send a test email to a Gmail address and view the original message source. Look for a DKIM-Signature: header with d=yourdomain.com.
Step 3 — Publish a DMARC record
Start with monitoring only:
_dmarc.yourdomain.com TXT "v=DMARC1; p=none; rua=mailto:[email protected]"
Replace [email protected] with a real mailbox that you'll check, or use your DMARC+ reporting address.
Important: The _dmarc prefix is literal — your full DNS hostname will be _dmarc.yourdomain.com.
Step 4 — Check your DMARC+ Dashboard
After 24–48 hours, DMARC+ will start showing authentication data. For a pure Google Workspace setup, you should see:
- Google's sending IPs in the sources list
- SPF passing (via the Google include)
- DKIM passing (once DKIM signing is active)
- DMARC passing on both
Step 5 — Handle other sending services
Most organisations send email from multiple sources beyond Workspace. Check your DMARC+ Dashboard for sources you didn't configure. Common ones:
| Service | SPF include | DKIM setup location |
|---|---|---|
| Google Workspace | include:_spf.google.com | Admin Console → Gmail → Authenticate email |
| Mailchimp | include:servers.mcsv.net | Mailchimp → Domains → Authenticate |
| HubSpot | include:_spf.hubspot.com | HubSpot → Settings → Domains & URLs |
| Zendesk | include:mail.zendesk.com | Zendesk → Settings → Email → Setup DKIM |
| Salesforce | include:_spf.salesforce.com | Salesforce → Email → Deliverability → DKIM |
Add each service's SPF include to your SPF record and configure DKIM through the service.
Step 6 — Advance to enforcement
Once your DMARC+ Dashboard shows 95%+ pass rates consistently:
- Update to quarantine: "v=DMARC1; p=quarantine; pct=10; rua=mailto:[email protected]"
- Monitor for a week, increase pct gradually to 100
- Once stable at p=quarantine; pct=100, advance to reject: "v=DMARC1; p=reject; rua=mailto:[email protected]"
Troubleshooting Google Workspace DKIM
DKIM not signing emails
- Check that you clicked "Start authentication" in Google Admin after adding the DNS record
- Verify the DNS record is published: dig TXT google._domainkey.yourdomain.com
DKIM failing alignment
- Ensure the key is set to your primary domain, not a subdomain
- Check if you have multiple domains in Workspace — each needs its own DKIM key
SPF PermError (too many lookups)
- Google's SPF include itself uses 2–3 lookups. If adding other services pushes you over 10, use SPF flattening.
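The two SPF PermError causes this guide names (a second SPF record in Step 1, and more than 10 lookups in the troubleshooting entry above) can be checked before publishing a change. The following is an added example, not part of the original guide or any vendor's tooling: it walks include and redirect chains over constructed TXT data that stands in for live DNS. The net*.example, dup.example and many.example names and all record contents are assumptions, not the providers' real records.

```python
import re

LOOKUP_LIMIT = 10  # RFC 7208 sec. 4.6.4: max DNS-querying terms per SPF check
QUERYING = {"include", "a", "mx", "ptr", "exists", "redirect"}
TERM = re.compile(r"[+\-~?]?([a-z][a-z0-9]*)(?:[:=]([^/]+))?(?:/.*)?")

def spf_records(name, zone):
    """TXT strings published at `name` that are SPF records."""
    return [t for t in zone.get(name, []) if t.lower().split()[:1] == ["v=spf1"]]

def count_lookups(name, zone, chain=()):
    """Worst-case count of DNS-querying terms reachable from `name`."""
    if name in chain:
        raise ValueError(f"include loop via {name}")
    records = spf_records(name, zone)
    if len(records) != 1:
        raise ValueError(f"{len(records)} SPF records at {name}, expected 1")
    total = 0
    for term in records[0].lower().split()[1:]:
        m = TERM.fullmatch(term)
        if not m or m.group(1) not in QUERYING:
            continue  # ip4, ip6, all, other modifiers: no DNS query
        total += 1
        if m.group(1) in ("include", "redirect"):
            total += count_lookups(m.group(2), zone, chain + (name,))
    return total

def check_spf(name, zone):
    """Return (result, detail) for the SPF setup at `name`."""
    if not spf_records(name, zone):
        return ("none", "no SPF record published")
    try:
        n = count_lookups(name, zone)
    except ValueError as exc:
        return ("permerror", str(exc))
    if n > LOOKUP_LIMIT:
        return ("permerror", f"{n} lookups, limit is {LOOKUP_LIMIT}")
    return ("ok", f"{n} lookups")

# Constructed TXT data standing in for live DNS; not the providers' real records.
ZONE = {f"net{i}.example": [f"v=spf1 ip4:198.51.100.{i} ~all"] for i in range(10)}
ZONE.update({
    "_spf.google.com": ["v=spf1 include:net0.example include:net1.example ~all"],
    "yourdomain.com": ["v=spf1 include:_spf.google.com ~all", "google-site-verification=x"],
    "dup.example": ["v=spf1 include:_spf.google.com ~all", "v=spf1 mx ~all"],
    "many.example": ["v=spf1 include:_spf.google.com "
                     + " ".join(f"include:net{i}.example" for i in range(2, 10)) + " ~all"],
})
for domain in ("yourdomain.com", "dup.example", "many.example"):
    print(domain, check_spf(domain, ZONE))
```

The count is a worst case: a real evaluator stops at the first matching mechanism, so a record over the limit may only fail for some senders, which is why the error can appear intermittent in reports.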