Skip to main content
New AI-powered DMARC analysis + open REST API See how →
Foundational 8 min read

DMARC for Google Workspace (Gmail): Complete Setup Guide (2026)

Brad Slavin
Brad Slavin CEO
Updated April 14, 2026 | Updated for 2026

Quick Answer

To set up DMARC for Google Workspace: (1) configure SPF with include:spf.google.com (uses 4 DNS lookups), (2) enable DKIM signing in the Google Admin console under Apps → Gmail → Authenticate email, (3) publish a DMARC TXT record at dmarc.yourdomai

Related: Free DMARC Checker

Share
DMARC for Google Workspace (Gmail): Complete Setup Guide (20

Try Our Free DMARC Checker

Validate your DMARC policy, check alignment settings, and verify reporting configuration.

Check DMARC Record →

**To set up DMARC for Google Workspace (Gmail for Business), configure SPF with include:_spf.google.com, enable DKIM signing in the Google Admin console, and publish a DMARC TXT record at _dmarc.yourdomain.com. Google has enforced DMARC for bulk senders (5,000+ daily messages to Gmail) since February 2024.

The most common mistake we see during DMARC setup is jumping straight to p=reject without monitoring first, says Vasile Diaconu, Operations Lead at DuoCircle. Start at p=none, analyze your reports for at least a full quarter — you need to catch monthly, quarterly, and annual email senders that only fire periodically. Then fix any legitimate senders that fail before enforcing. We walk every customer through this sequence.

Per Google’s sender guidelines, all bulk senders must authenticate with SPF AND DKIM AND publish a DMARC policy of at least p=none. Non-compliant email is rejected or routed to spam.

Step 1: Configure SPF for Google Workspace

yourdomain.com. IN TXT "v=spf1 include:spf.google.com -all"

Note: Google’s include uses 4 of your 10 RFC 7208 DNS lookups (1 top-level + 3 netblocks). If you also use other email services, watch the lookup count.

Check your SPF record →

Step 2: Enable DKIM for Google Workspace

  1. Go to Google Admin consoleAppsGoogle Workspace → **Gmail 2. Click **Authenticate email 3. Select your domain → **Generate new record 4. Choose key length (2048-bit recommended)
  2. Copy the TXT record value
  3. Add it as a TXT record at google._domainkey.yourdomain.com in your DNS
  4. Return to Google Admin and click Start authentication Verify your DKIM is working →

Step 3: Publish DMARC Record

dmarc.yourdomain.com. IN TXT "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com"

Use our DMARC Record Generator for custom settings.

Step 4: Monitor and Enforce

Point rua= at DMARC Report to automatically analyze the incoming reports. Google sends detailed aggregate reports showing every source that sends email from your domain.

Check your DMARC record → Start monitoring →

Sources

Topics

DMARC email security
Brad Slavin
Brad Slavin

CEO

Founder and CEO of DuoCircle. Product strategy and commercial lead for DMARC Report's 2,000+ customer base.

LinkedIn Profile →

Take control of your DMARC reports

Turn raw XML into actionable dashboards. Start free — no credit card required.

Start Free Trial Check Your DMARC Record

Related Articles

Foundational 8m

10 Critical Learnings From Verizon’s 2021 DBIR — A DMARCReport Perspective

Foundational 12m

10 DNS Blacklist Insights That Improve Email Security And Deliverability Fast

Foundational 12m

10 Email Spoofing Detection Tools That Dramatically Improve Brand Protection

Foundational 12m

10 Reasons SPF Filtering Is Critical For Email Security