DMARC (RFC 7489) tells receiving mail servers what to do when a message claiming to be from your domain fails SPF or DKIM. You publish exactly one DMARC record at `_dmarc.<your-domain>`, regardless of which ESP you use — DMARC is a domain-level policy, not a per-sender configuration. Google Workspace doesn't run DMARC for you, but their SPF + DKIM setup is what makes your DMARC checks pass.
Start every domain at `p=none` with a `rua` (aggregate report) address pointing somewhere you actually read. Watch the reports for two to four weeks to confirm 100% of legitimate mail is aligned, then progress to `p=quarantine` and finally `p=reject`. Skipping the monitoring step is the single most common way founders accidentally block their own mail.
Publish these DNS records
Add the following record(s) to your domain's DNS zone. Most registrars (Cloudflare, Route 53, Namecheap, GoDaddy) accept values exactly as shown.
- Type
TXT- Host
_dmarc- Value
v=DMARC1; p=none; rua=mailto:dmarc-reports@your-domain.com; adkim=s; aspf=s
- Replace the `rua=` address with one you read. MailerMonk users get a managed reporting address that aggregates and parses these reports for you.
- Strict alignment (`adkim=s; aspf=s`) is fine for Google Workspace because Google's signing aligns the From: domain with the DKIM `d=` tag by default.
Where in Google Workspace
The DMARC configuration lives in Admin console → Apps → Google Workspace → Gmail → Authenticate email.
Verify the records
Once published, run the DMARC Checker on your apex domain to confirm the record parses, reporting URIs are valid, and the policy is what you intended.
dig +short TXT _dmarc.your-domain.comCommon pitfalls
- Generating a new DKIM key in the Admin console rotates the key — old signatures stay valid until they expire, but verify mail still signs cleanly afterwards.
- If you've migrated from another provider and inherited an SPF record with conflicting includes, Google's authentication check will appear to pass while DMARC still fails alignment. Always check the DMARC report, not just the Admin console green checkmark.
Frequently asked questions
What DMARC record should I use with Google Workspace?
Start with: v=DMARC1; p=none; rua=mailto:dmarc-reports@your-domain.com; adkim=s; aspf=s — published at _dmarc.your-domain.com. The p=none policy monitors without rejecting. Replace the rua= address with one you actively monitor. Google Workspace supports strict alignment (adkim=s; aspf=s) without issues because their signing aligns the From: domain by default.
How long should I stay at DMARC p=none before moving to enforcement?
Collect reports for at least 30 days. Review the aggregate reports to confirm that all legitimate mail streams (Google Workspace, your CRM, your marketing tool, any forwarding services) are passing SPF or DKIM alignment. Once the reports show only intended senders and all align cleanly, move to p=quarantine at pct=10 and gradually increase before moving to p=reject.
Does Google Workspace generate DMARC reports?
Yes — Google generates aggregate DMARC reports (XML) for mail received at Gmail accounts. Your rua= address will receive these reports within 24 hours of publishing your DMARC record. The reports show all senders that sent mail claiming to be from your domain, whether they passed or failed, and how many messages were affected. A DMARC report aggregator service turns the raw XML into readable dashboards.
Want to know if it actually keeps working?
MailerMonk continuously watches your DMARC record, aggregate DMARC reports, and inbox placement — and pings you the moment something drifts. Free for the first domain.
Start free trialAbout the author
Other records for Google Workspace
DMARC setup for other ESPs
- microsoft.comDMARC for Microsoft 365
- sendgrid.comDMARC for SendGrid
- mailgun.comDMARC for Mailgun
- aws.amazon.comDMARC for Amazon SES