SPF, DKIM, and DMARC for Google Workspace: complete setup guide

A complete walkthrough for publishing SPF, DKIM, and DMARC on Google Workspace (Gmail). SPF is one short include; DKIM is opt-in and the step most people miss; DMARC ties them together. Groups and aliases are the gotchas.

TL;DR

  1. SPF: publish v=spf1 include:_spf.google.com ~all. The include is 1 DNS lookup (the chain expands to about 4).
  2. DKIM: generate the key at Admin console -> Apps -> Google Workspace -> Gmail -> Authenticate email, then publish the google._domainkey TXT it gives you, or mail only signs with google.com and never aligns.
  3. DMARC: start at p=none with rua, watch reports, then ramp to p=quarantine and p=reject.

What it does

This guide gets all three email-authentication records live for Google Workspace. SPF authorises Google's outbound servers to send as your domain, DKIM signs your mail with a key under your own domain, and DMARC ties them together and tells receivers what to do on failure.

Google Workspace ships with the SPF include ready to use, but DKIM signing for your custom domain has to be explicitly enabled. Until you do, outbound mail is unsigned for your domain (Google still signs with google.com, but that d= will not align with your visible From), so DMARC fails on DKIM.

Once enabled, Workspace signs with the selector you pick (the default is google). The selector becomes part of the DNS record name: google._domainkey.yourdomain.com.

Step 1: Set up SPF for Google Workspace

Google Workspace sends through Google's mail servers, all covered by one include. You add that include to a single SPF TXT record at your domain apex.

  1. Publish a TXT record at your domain apex (yourdomain.com) with the value: v=spf1 include:_spf.google.com ~all

  2. If you also send from other services, add each one's include to the same single SPF record. You can only have one SPF TXT record per domain.

  3. Keep ~all (soft fail) while you discover senders, then move to -all (hard fail) once you are confident the record is complete.

yourdomain.com TXT
v=spf1 include:_spf.google.com ~all

_spf.google.com is a single direct lookup, but it nests further includes that expand to roughly 4 lookups in total. That leaves headroom under the 10-lookup limit for other senders, but count with the SPF lookup tool before adding several more.
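
The lookup count described above can be checked mechanically. The following is an added example, not code from this guide or from Google: it counts DNS-querying SPF terms recursively against an in-memory zone and also rejects a domain that publishes two SPF records. The zone contents, including the expansion of _spf.google.com and every .sample/.example name, are constructed for illustration.

```python
import re

LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4

# Constructed zone, not live DNS. The expansion of _spf.google.com is made up
# to match the page's "about 4 lookups"; every other name is hypothetical.
ZONE = {
    "yourdomain.com": ["v=spf1 include:_spf.google.com ~all"],
    "_spf.google.com": ["v=spf1 include:_nb1.sample include:_nb2.sample include:_nb3.sample ~all"],
    "_nb1.sample": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_nb2.sample": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "_nb3.sample": ["v=spf1 ip6:2001:db8::/32 ~all"],
    "esp.sample": ["v=spf1 include:_nb1.sample include:_nb2.sample include:_nb3.sample ~all"],
    "crm.sample": ["v=spf1 ip4:203.0.113.0/24 ~all"],
    "crowded.example": ["v=spf1 include:_spf.google.com include:esp.sample include:crm.sample mx a ~all"],
    "twice.example": ["v=spf1 include:_spf.google.com ~all", "v=spf1 mx ~all"],
}

def spf_record(zone, name):
    """Return the one SPF record at name; two or more is a permerror."""
    found = [txt for txt in zone.get(name, []) if txt.lower().startswith("v=spf1")]
    if len(found) > 1:
        raise ValueError(f"{name} publishes {len(found)} SPF records")
    return found[0] if found else None

def count_lookups(zone, name, path=()):
    """Count the DNS-querying terms reachable from the SPF record at name."""
    if name in path:
        raise ValueError(f"include loop through {name}")
    record = spf_record(zone, name)
    total = 0
    for term in (record or "").split()[1:]:
        m = re.match(r"([a-z][a-z0-9]*)(?:[:=](\S+))?", term.lstrip("+-~?").lower())
        mech, arg = m.groups() if m else (None, None)
        if mech in ("a", "mx", "ptr", "exists"):
            total += 1                       # one query each, no recursion
        elif mech in ("include", "redirect") and arg:
            total += 1 + count_lookups(zone, arg, path + (name,))
    return total

def check(zone, name):
    """Return (lookup_count, verdict) for the domain's SPF record."""
    try:
        n = count_lookups(zone, name)
    except ValueError as err:
        return None, f"permerror: {err}"
    return n, "ok" if n <= LOOKUP_LIMIT else "permerror: over the lookup limit"
```

To run it against a real domain, replace ZONE with a dictionary filled from actual TXT queries; the counting logic does not change.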

Step 2: Set up DKIM for Google Workspace

Google Workspace DKIM is opt-in per domain. Unlike Microsoft, Google generates the key and hands you a TXT record to publish (not a CNAME). You generate it inside the Admin console, publish the TXT, then start authentication.

Selector: google (the default; you can choose a custom selector prefix)

  1. In the Google Admin console, go to Apps -> Google Workspace -> Gmail -> Authenticate email, and select your domain. (Verify the exact path in your current Admin console.)

  2. Click Generate new record. Choose the 2048-bit key length (Google's default) and the default 'google' selector prefix unless you have a reason to change it.

  3. Google displays a long TXT value (starts with v=DKIM1; k=rsa; p=). Copy it.

  4. Publish it at google._domainkey.yourdomain.com as a TXT record. The value is long; most DNS providers accept it as-is or split it into 255-character chunks automatically.

  5. Wait for DNS to propagate (up to about an hour), then return to the Admin console and click Start authentication. The status flips to authenticating.

  6. Verify with the DKIM checker against the google selector, or send a test message and look for dkim=pass with d=yourdomain in the Authentication-Results header.

google._domainkey.yourdomain TXT
v=DKIM1; k=rsa; p=<long public key from Workspace admin>

Google generates the key for you, so you paste a TXT value rather than a CNAME. If your DNS provider rejects the long string, use the DKIM splitter to chunk it into 255-character pieces.
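
The header check in step 6 can be scripted. The following is an added example, not code from this guide or from Google: it parses an Authentication-Results value and reports whether a passing DKIM signature aligns with the From domain. Both header values are constructed, and relaxed alignment assumes the From domain passed in is already the organizational domain.

```python
import re

# Constructed header values, not captured mail. BEFORE follows the page's
# description of mail sent while DKIM is not yet enabled for the domain.
BEFORE = ("mx.receiver.example; dkim=pass header.d=google.com header.s=sample1; "
          "spf=pass smtp.mailfrom=user@yourdomain.com")
AFTER = ("mx.receiver.example;\r\n dkim=pass (2048-bit key) header.i=@yourdomain.com"
         " header.s=google;\r\n spf=pass smtp.mailfrom=user@yourdomain.com")

def dkim_results(auth_results):
    """Return [(result, signing_domain, selector)] for each dkim= entry."""
    text = re.sub(r"\r?\n[ \t]+", " ", auth_results)   # unfold continuation lines
    text = re.sub(r"\([^)]*\)", "", text)              # drop parenthesised comments
    out = []
    for part in text.split(";")[1:]:                   # [0] is the authserv-id
        m = re.match(r"\s*dkim=(\w+)", part)
        if not m:
            continue
        # Receivers report the signer as header.d=domain or header.i=@domain.
        props = dict(re.findall(r"header\.([a-z])=(\S+)", part))
        domain = props.get("d") or props.get("i", "").rpartition("@")[2]
        out.append((m.group(1).lower(), domain.lower().rstrip("."), props.get("s", "")))
    return out

def aligned(signing_domain, from_domain, strict=False):
    """DMARC DKIM alignment. Relaxed mode assumes from_domain is already the
    organizational domain, so no Public Suffix List lookup is done."""
    from_domain = from_domain.lower()
    if signing_domain == from_domain:
        return True
    return not strict and signing_domain.endswith("." + from_domain)

def dkim_aligned_pass(auth_results, from_domain, strict=False):
    """True when at least one passing DKIM signature aligns with the From domain."""
    return any(result == "pass" and aligned(domain, from_domain, strict)
               for result, domain, _ in dkim_results(auth_results))
```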

Step 3: Publish DMARC

  1. With SPF and DKIM both live and aligning, publish your DMARC record at _dmarc.yourdomain. Start at p=none so receivers report but take no action.

  2. Add a rua address to collect daily aggregate reports.

  3. Watch the reports for a couple of weeks. Confirm Gmail and every other legitimate sender is passing and aligned.

  4. Move to p=quarantine, then p=reject once the only remaining failures are unknown or spoofed sources. See the DMARC rollout playbook for the full ramp.

Example record

_dmarc.yourdomain.com TXT
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; fo=1
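
The report review in steps 3 and 4 comes down to one question: do any known senders still fail DMARC? The following is an added example, not code from this guide: it triages an aggregate report into failing sources, sources that pass on SPF alone, and known senders that block the ramp. The report rows, the .sample/.example names and the known_senders parameter are constructed, and the report is assumed to carry no XML namespace.

```python
import xml.etree.ElementTree as ET

# Constructed aggregate report in the RFC 7489 layout, trimmed to the fields used.
ROW = ("<record><row><source_ip>{ip}</source_ip><count>{n}</count><policy_evaluated>"
       "<dkim>{dkim}</dkim><spf>{spf}</spf></policy_evaluated></row>"
       "<identifiers><header_from>yourdomain.com</header_from></identifiers>"
       "<auth_results><dkim><domain>{d}</domain><result>pass</result></dkim>"
       "</auth_results></record>")
SAMPLE = [  # (source_ip, count, aligned DKIM, aligned SPF, DKIM d= that signed)
    ("192.0.2.10", 120, "pass", "pass", "yourdomain.com"),
    ("192.0.2.11", 40, "fail", "pass", "google.com"),        # DKIM not enabled yet
    ("198.51.100.5", 15, "fail", "fail", "crm.sample"),      # known sender, misconfigured
    ("203.0.113.7", 3, "fail", "fail", "spoofer.example"),   # unknown source
]
REPORT = "<feedback>" + "".join(
    ROW.format(ip=ip, n=n, dkim=k, spf=s, d=d) for ip, n, k, s, d in SAMPLE) + "</feedback>"

def triage(report_xml, known_senders):
    """Sort report rows by DMARC outcome, keyed by source IP."""
    failing, spf_only = {}, {}
    for rec in ET.fromstring(report_xml).iter("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        dkim_ok = rec.findtext("row/policy_evaluated/dkim") == "pass"
        spf_ok = rec.findtext("row/policy_evaluated/spf") == "pass"
        if not dkim_ok and not spf_ok:
            failing[ip] = failing.get(ip, 0) + count   # DMARC fail: nothing aligned
        elif not dkim_ok:
            # Passes on SPF alone; record which d= actually signed the mail.
            spf_only[ip] = sorted({d.text for d in rec.iterfind("auth_results/dkim/domain")})
    # Failures from senders you recognise must be fixed before enforcing.
    blockers = {ip: n for ip, n in failing.items() if ip in known_senders}
    return {"failing": failing, "spf_only": spf_only, "blockers": blockers,
            "ready_to_ramp": not blockers}
```

A source listed under spf_only with google.com as the signer matches the symptom this guide describes for a domain where DKIM was never enabled.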

Common pitfalls

  • Google Groups rewrite sender addresses by default. A message sent to engineering@yourdomain by a Workspace user goes out from the group address, breaking alignment for whoever the group forwards to externally. Set the Group to 'Don't display' from external members or use modern-style Collaborative Inbox.

  • Calendar invites sent from a personal alias or delegated account use a different DKIM signing path. Always test calendar.ics flow specifically.

  • Routing mail through a third party (Mimecast inbound filtering) and then to Workspace breaks DKIM if the filter strips body whitespace. Configure the inbound gateway as a 'mail flow' Connector with strict header preservation.

  • Sub-account or aliased senders: an alias like sales@yourdomain that points to a Workspace user signs with that user's domain, not the alias. Use a routing rule, not a simple alias.

FAQ

Why does my Google Workspace mail fail DMARC?

The most common cause is that DKIM signing for your custom domain was never enabled, so mail signs with d=google.com instead of your domain and DKIM never aligns. Generate the key in the Admin console under Apps -> Google Workspace -> Gmail -> Authenticate email, publish the google._domainkey TXT record, and click Start authentication.

Do I need an SPF include for Google Workspace?

Yes. Add include:_spf.google.com to a single SPF TXT record at your domain apex. It is one direct lookup that nests to about four, so it is well within the 10-lookup limit on its own.

Where do I turn on DKIM in Google Workspace?

In the Google Admin console under Apps -> Google Workspace -> Gmail -> Authenticate email. Pick your domain, generate a 2048-bit key, publish the TXT it shows you at google._domainkey.yourdomain, then click Start authentication. Confirm the menu path in your current Admin console, as Google occasionally moves it.

What DMARC policy should I start with for Google Workspace?

Start at p=none with a rua address so you collect reports without affecting delivery. After a couple of weeks of clean reports for your known senders, ramp to p=quarantine and then p=reject.