How do you set up DMARC on Google Workspace?

Updated July 3, 2026

To set up DMARC for Google Workspace, first confirm your SPF record includes _spf.google.com and turn on DKIM under Admin console → Apps → Google Workspace → Gmail → Authenticate email (which publishes a google._domainkey TXT record at your DNS host), then add a TXT record named _dmarc with a value starting with v=DMARC1. The DMARC record is published at your DNS host, not inside Google Workspace.

What you need before starting

  • Super admin access to the Google Admin console at admin.google.com
  • Access to your domain's DNS host (SPF, DKIM, and DMARC are all published there)
  • A DMARC record value (generate one with our free DMARC generator if you don't have one yet)

Step by step

  1. 1

    Check your SPF record

    Your domain needs one TXT record at the root with the value v=spf1 include:_spf.google.com ~all. Add or update it at your DNS host, keeping all senders in a single SPF record.

  2. 2

    Generate your DKIM key in the Admin console

    In admin.google.com, go to Apps → Google Workspace → Gmail → Authenticate email. Select your domain and click Generate new record. Keep the defaults (2048-bit key, selector prefix google).

  3. 3

    Publish the DKIM record and start authentication

    At your DNS host, add a TXT record at google._domainkey with the v=DKIM1; k=rsa; p=... value Google displays. Back in the Admin console, click Start authentication. Google may take up to 48 hours to begin signing.

  4. 4

    Add the DMARC record at your DNS host

    At your DNS host, add a TXT record with host _dmarc (most hosts append your domain automatically; if yours expects a fully qualified name, use _dmarc.yourdomain.com) and paste the DMARC value.

    Host _dmarcType TXT
    v=DMARC1; p=none; rua=mailto:[email protected]; fo=1
  5. 5

    Send a test email

    Send a message from your Workspace account to another Gmail address and use Show original to confirm SPF, DKIM, and DMARC all show PASS.

  6. 6

    Verify it's live

    Run your domain through our free DMARC checker. If the record shows up and parses cleanly, you're done. The first aggregate reports typically arrive within 24-48 hours.

Check that it worked

Our free checker reads your domain's DMARC record live and explains every tag. Run it after the record saves.

Open the DMARC checker →

Common mistakes

Skipping Start authentication after publishing the DKIM record

Publishing the google._domainkey TXT record isn't enough. Gmail only signs your mail after you click Start authentication in the Admin console and the record is verified.

Publishing DMARC before DKIM is active

Google recommends DKIM be signing for at least 48 hours before adding DMARC with any enforcement. Starting at p=none (as in our example record) is safe either way, but don't jump to p=reject until DKIM passes are confirmed.

Creating a second SPF record for Google

A domain must have exactly one SPF record. If you already have one for another sender, add include:_spf.google.com into it rather than creating a new v=spf1 record. Two SPF records cause a permanent error.

Frequently asked questions

Where do I add the DMARC record, in Google Workspace or at my DNS host?
At your DNS host. The Admin console manages DKIM key generation and shows setup instructions, but the SPF, DKIM, and DMARC records themselves live in your domain's DNS.
What is google._domainkey?
It's the DNS name of your DKIM public key: Google's default selector (google) plus ._domainkey plus your domain. Receivers look it up to verify the signature Gmail adds to your outgoing mail.
Doesn't Gmail require DMARC now?
Google and Yahoo require bulk senders to publish a DMARC record (p=none is enough to comply). Even if you send low volume, setting it up protects your domain from spoofing and gets you visibility via reports.

The record is step one. The reports are the point

Publishing p=none starts a stream of XML reports about everyone sending as your domain. DMARCPath turns them into a plain-English dashboard and walks you to full protection at p=reject. One domain free.

Monitor this domain free →