For Google Workspace, add a DMARC TXT record at _dmarc.yourdomain.com with v=DMARC1; p=none; rua=mailto:[email protected]. Ensure SPF includes _spf.google.com and DKIM is enabled in Admin Console. Monitor aggregate reports for 2-4 weeks to confirm all Workspace email passes authentication, then advance through quarantine to reject.
DMARC for Google Workspace: Complete Configuration
Prerequisites
Before adding DMARC, configure these first:
- SPF: Add
include:_spf.google.comto your SPF record - DKIM: Enable DKIM signing in Google Workspace Admin Console
- Verify both work: Send a test email and check headers for
spf=passanddkim=pass
DMARC without SPF and DKIM is just an empty policy — it has nothing to align against.
Add the DMARC Record
Add a TXT record to your DNS:
Host: _dmarc.yourdomain.com
Type: TXT
Value: v=DMARC1; p=none; rua=mailto:[email protected]; pct=100
Start at p=none. This monitors without affecting delivery.
Google Workspace-Specific Considerations
Default DKIM: Workspace doesn't enable DKIM automatically. If you never turned it on, your emails pass SPF but have no DKIM signature. This is fine until someone forwards your email — then SPF fails and there's no DKIM to fall back on.
Multiple domains: If you have secondary domains in Workspace, each needs its own SPF, DKIM, and optionally DMARC records. DMARC on the parent domain covers subdomains via the sp= tag, but secondary domains need explicit records.
Google Groups: If you use Google Groups for mailing lists, messages sent to groups and then forwarded to external recipients may fail DMARC for external domains. Google adds ARC headers to help, but not all receivers evaluate ARC.
Practitioner note: The number one DMARC mistake I see with Google Workspace clients is never enabling DKIM. They set up SPF during Workspace onboarding, add DMARC thinking they're covered, and then wonder why forwarded mail fails. Always enable DKIM — it's a five-minute task in Admin Console.
Monitor and Advance
Follow the standard DMARC advancement timeline:
- Weeks 1-4: p=none — collect aggregate reports
- Weeks 5-8: p=quarantine with pct= rollout
- Week 9+: p=reject
Check reports for any Google Workspace services you might have forgotten — Calendar invites, Drive sharing notifications, and Sites all send email from your domain.
Practitioner note: Google Workspace sends email from a surprising number of internal services. Calendar invitations, shared document notifications, Google Forms responses — they all come from your domain. The good news is they all use Workspace's authentication, so they should pass if SPF and DKIM are configured.
If you're running Google Workspace alongside other sending services and need help getting everything aligned for DMARC enforcement, schedule a consultation.
Sources
- Google: Set up DMARC
- Google: Turn on DKIM
- Google: SPF records for Google Workspace
- Google: DMARC reports
v1.0 · April 2026
Frequently Asked Questions
How do I set up DMARC with Google Workspace?
Add a TXT record at _dmarc.yourdomain.com with your DMARC policy. Make sure SPF and DKIM are configured first, then monitor reports before advancing beyond p=none.
Does Google Workspace support DMARC?
Yes. Google Workspace fully supports DMARC. Google also sends DMARC aggregate reports to other domain owners and processes DMARC policies on inbound email.
What SPF record do I need for Google Workspace?
Include v=spf1 include:_spf.google.com ~all in your SPF record. If you have other senders, add their includes too.
Do I need to enable DKIM before DMARC in Google Workspace?
You should. DMARC checks alignment against SPF and DKIM. If DKIM isn't enabled, you're relying solely on SPF alignment, which breaks during forwarding.
How do I read DMARC reports from Google Workspace?
Google sends aggregate reports as XML attachments. Use a DMARC monitoring tool like dmarcian or Postmark DMARC to parse and visualize them.
Want this handled for you?
Free 30-minute strategy call. Walk away with a plan either way.