DMARC for Google Workspace: Step-by-Step Setup [2026] | DMARCguard
How to Set Up DMARC for Google Workspace: A Step-by-Step Guide<br>DMARC for Google Workspace doesn’t live in the Google Admin Console — and that one fact trips up most first-time admins. To set up DMARC for Google Workspace, you publish a DNS TXT record at your domain host, not inside any Google settings page. This guide is for the IT admin or founder-operator running their own Workspace tenant who needs a working DMARC record published and progressing toward enforcement without blocking legitimate mail.<br>The stakes are concrete, not alarmist. Google’s bulk-sender rules require a DMARC record at a minimum policy of p=none for anyone sending more than 5,000 messages per day to Gmail accounts, a threshold in force since February 1, 2024 (Google’s 5,000-email-per-day rule). Below that volume you still need SPF or DKIM. Either way, DMARC (RFC 9989) is the layer that tells receivers what to do when a message claiming to be from your domain fails authentication.<br>By the end you will have the exact TXT record, the steps to publish it at your specific registrar, and the p=none → quarantine → reject rollout that gets you to enforcement safely.<br>Personal Gmail vs. Google Workspace: which one needs DMARC?<br>You can’t add DMARC to an @gmail.com address — Google owns and controls gmail.com and publishes its own DMARC policy for it. You publish DMARC only on the custom domain you brought to Google Workspace (@yourdomain.com).<br>This is the single most common point of confusion, so it’s worth settling first. If you send from a free @gmail.com mailbox, there is no record for you to create: the platform’s servers aren’t in gmail.com’s SPF record and no third party can DKIM-sign as gmail.com, so that mail can never pass DMARC for you, and Google is moving gmail.com toward a quarantine enforcement policy of its own (Valimail). 
Google Workspace is the opposite case — you brought your own domain, so you both can and, as a bulk sender, must publish DMARC on it.<br>
| Address | Whose DMARC policy? | Can you edit it? |
| --- | --- | --- |
| @gmail.com | Google’s — published and controlled by Google | No. This guide does not apply. |
| @yourdomain.com | Yours — published on your own domain | Yes. This is the domain you configure here. |
Where DMARC can and can't be published<br>Before you begin: SPF and DKIM must be live first (the 48-hour bake)<br>Google requires SPF and/or DKIM to be live for at least 48 hours before you turn on DMARC. DMARC only passes when a message aligns on SPF or DKIM — so the prerequisites must exist first, or every message fails. In Google’s own words: “Allow 48 hours after setting up SPF and/or DKIM before setting up DMARC.”<br>Publish the SPF record<br>If you send only through Google Workspace, publish this exact value as a TXT record at the root of your domain (Sender Policy Framework, RFC 7208):<br>SPF (TXT at domain root)
v=spf1 include:_spf.google.com ~all
The ~all mechanism tells receiving servers to mark mail from servers not listed in the record as suspect. Publish only one SPF record per domain — publishing multiple SPF records is itself a failure mode — and keep the record within SPF's limit of 10 DNS lookups, which each include: mechanism counts against.<br>Google’s include is cheap: include:_spf.google.com costs just 1 of your 10 allowed DNS lookups, so a Google-only SPF record is well within budget.<br>How we verified the 1-lookup cost<br>We verified it on 2026-06-01: dig +short TXT _spf.google.com returns a single flat record made only of ip4: and ip6: mechanisms with no nested include:, so include:_spf.google.com costs exactly 1 of your 10 DNS lookups. Google collapsed this from four lookups to one in December 2025 — always re-verify the live count, because provider records change.
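The lookup budget and the one-record rule above can be checked mechanically. The following is an added example, not code from this guide or from Google: it counts DNS-querying SPF terms recursively over constructed TXT data. The domains googleonly.example, mixed.example, mail.vendor.example, relay.vendor.example and dup.example, and every address in the records, are assumptions made for the illustration.

```python
# Constructed TXT data so the example runs offline. The _spf.google.com entry
# only mirrors the shape described above (flat ip4:/ip6:, no nested include:);
# the addresses are documentation ranges, not Google's.
ZONE = {
    "googleonly.example": ["v=spf1 include:_spf.google.com ~all"],
    "mixed.example": ["v=spf1 include:_spf.google.com include:mail.vendor.example ~all"],
    "_spf.google.com": ["v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 ~all"],
    "mail.vendor.example": ["v=spf1 a mx include:relay.vendor.example -all"],
    "relay.vendor.example": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "dup.example": ["v=spf1 include:_spf.google.com ~all", "v=spf1 mx -all"],
}
LOOKUP_LIMIT = 10  # RFC 7208 limit on DNS-querying terms per SPF evaluation


def spf_records(domain, zone):
    """Return the TXT strings at `domain` that are SPF records."""
    return [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]


def count_lookups(domain, zone, path=()):
    """Count the terms that cost a DNS lookup, following include: and redirect=."""
    if domain in path:
        raise ValueError(f"include loop through {domain}")
    records = spf_records(domain, zone)
    if len(records) != 1:  # zero or several SPF records is an error, not a pass
        raise ValueError(f"{domain}: expected 1 SPF record, found {len(records)}")
    total = 0
    for term in records[0].split()[1:]:
        term = term.lstrip("+-~?").lower()  # drop the qualifier, e.g. ~all -> all
        if term.startswith("redirect="):
            total += 1 + count_lookups(term[len("redirect="):], zone, path + (domain,))
            continue
        name, _, target = term.partition(":")
        if name == "include":
            total += 1 + count_lookups(target, zone, path + (domain,))
        elif name.split("/")[0] in {"a", "mx", "ptr", "exists"}:
            total += 1  # these mechanisms each trigger a DNS query
    return total


def within_budget(domain, zone):
    """True when the record evaluates in at most LOOKUP_LIMIT lookups."""
    return count_lookups(domain, zone) <= LOOKUP_LIMIT


if __name__ == "__main__":
    for d in ("googleonly.example", "mixed.example"):
        print(d, count_lookups(d, ZONE), within_budget(d, ZONE))
```

To run it against a real domain, replace ZONE with TXT answers collected from live DNS; the counts shown here describe only the constructed data.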
Enable DKIM in the Google Admin Console<br>Enabling DKIM (DKIM signing, RFC 6376) is the one part of Workspace email authentication that does live in the Admin Console. The path is:<br>Generate and activate your DKIM key<br>In the Google Admin Console, go to Menu ▸ Apps ▸ Google Workspace ▸ Gmail, then click Authenticate email. (You need the Gmail Settings administrator privilege and must be signed in as a super administrator.)
In the Selected domain menu, choose your domain, then click Generate New Record. Keep the default selector google and the recommended 2048-bit key length.
Publish the generated value as a TXT record at the host google._domainkey in your DNS. The value starts with v=DKIM1.
Return to the Admin Console and click Start authentication to switch on signing. Google is explicit here: “Do not click Start Authentication yet. You’ll do that later” — only click it after the DNS record is published.
One correction worth stating plainly: until you complete this, Google signs your outgoing mail with a default key on d=*.gappssmtp.com. That default key uses a Google domain, so it does not align to your domain for DMARC — which is why manual custom-domain DKIM is still required. Expect 24–72 hours after turning on Gmail before the key is...