DMARC is the policy layer that ties your email authentication together. Without it, even a correctly configured SPF and DKIM setup leaves receiving servers without clear instructions on what to do when authentication fails.
This guide walks through the exact steps to add DMARC to your Google Workspace domain — safely, without breaking your email delivery.
Before You Start: The One Question Everyone Asks
"Won't setting up DMARC break my email?"
Not if you start with p=none. This is the monitoring mode — it tells receiving servers to collect data about your email, but to deliver everything regardless of whether it passes authentication. Your email flow is unaffected.
Only p=quarantine and p=reject affect delivery. You won't touch those until you've verified that all your legitimate senders are passing authentication. That verification process is built into this guide.
Prerequisites
DMARC works by checking whether your email passes SPF, DKIM, or both. If those aren't set up first, DMARC will report 100% failures — even for your own legitimate email.
Before setting up DMARC, confirm:
- Your SPF record exists and includes Google Workspace (include:_spf.google.com)
- Your DKIM signature is enabled in the Google Admin Console and passes verification
If you're not sure whether these are in place, run a free Full Audit on your domain first. It will show the status of both.
For a full overview of what SPF, DKIM, and DMARC do and why all three are needed, see our explainer guide.
Step-by-Step: Setting Up DMARC for Google Workspace
Step 1: Log In to Your DNS Provider
Your DMARC record is a DNS TXT record — it lives with your domain's DNS, not inside Google Workspace itself. Log in to wherever you manage your domain's DNS records. Common providers include:
- Cloudflare
- GoDaddy
- Namecheap
- Google Domains (now Squarespace Domains)
- Your web hosting provider's DNS panel
Step 2: Create a New TXT Record
Navigate to the DNS management area and create a new TXT record with these settings:
| Field | Value |
|---|---|
| Type | TXT |
| Host / Name | _dmarc |
| Value | (see Step 3) |
| TTL | 3600 (or default) |
The host field varies by DNS provider. Some ask for the full domain (_dmarc.yourdomain.com), others ask for just the subdomain prefix (_dmarc). Check your provider's interface — it's usually labelled "Name" or "Host."
Step 3: Set Your Starting DMARC Record
Start with this record exactly:
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com
Replace yourdomain.com with your actual domain, and dmarc-reports@yourdomain.com with a real email address you monitor. This is where aggregate DMARC reports will be delivered — typically one report per day from each major mail provider.
What each tag means:
- v=DMARC1 — identifies this as a DMARC record (required)
- p=none — monitor mode; delivery is unaffected
- rua=mailto:... — the address to receive aggregate reports
Step 4: Save and Wait for Propagation
Save the DNS record. DNS changes typically propagate within 1–24 hours, though full global propagation can take up to 48 hours.
Step 5: Verify the Record Is Live
After propagation, verify the record using a DMARC checker tool. It should show:
- Record found at _dmarc.yourdomain.com
- Policy: none
- RUA tag present
You can also run a free Full Audit at EmailAudit.io — it checks DMARC as part of the full authentication scan.
Step 6: Monitor Aggregate Reports for 2–4 Weeks
With p=none active, you'll start receiving DMARC aggregate reports at the email address in your rua tag. These XML reports show:
- Which servers are sending email from your domain
- Whether each sender passes SPF, DKIM, or both
- Volume of email per source
Review these reports to identify every legitimate sender for your domain — your email platform, CRM, marketing tools, support system, and any other services that send on your behalf.
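As an added example (not code from this guide or from any report provider), the sketch below summarizes one aggregate report per sending IP and lists the sources that would be affected under p=quarantine or p=reject. It assumes the attachment has already been decompressed, that the XML carries no namespace, and that the sample report is constructed with documentation IP addresses; `summarize` and `failing_sources` are hypothetical helper names.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample report, trimmed to the fields used below (not real data).
SAMPLE_REPORT = """<feedback>
<record><row><source_ip>192.0.2.10</source_ip><count>120</count>
<policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
<record><row><source_ip>198.51.100.7</source_ip><count>40</count>
<policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row></record>
<record><row><source_ip>203.0.113.5</source_ip><count>15</count>
<policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
<record><row><source_ip>192.0.2.10</source_ip><count>30</count>
<policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

def summarize(xml_text):
    """Return {source_ip: {"total", "dkim_pass", "spf_pass", "dmarc_fail"}}."""
    # Reports are sent by outside parties, so refuse anything carrying a DTD.
    if "<!doctype" in xml_text.lower():
        raise ValueError("refusing report that contains a DTD")
    stats = defaultdict(lambda: {"total": 0, "dkim_pass": 0, "spf_pass": 0, "dmarc_fail": 0})
    for row in ET.fromstring(xml_text).iter("row"):
        count = int(row.findtext("count", "0"))
        # policy_evaluated holds the aligned results that DMARC acts on.
        dkim = row.findtext("policy_evaluated/dkim", "fail") == "pass"
        spf = row.findtext("policy_evaluated/spf", "fail") == "pass"
        entry = stats[row.findtext("source_ip", "unknown")]
        entry["total"] += count
        entry["dkim_pass"] += count if dkim else 0
        entry["spf_pass"] += count if spf else 0
        # A message fails DMARC only when neither mechanism passes.
        entry["dmarc_fail"] += 0 if (dkim or spf) else count
    return dict(stats)

def failing_sources(summary):
    """IPs with at least one DMARC failure: fix or disown these before enforcing."""
    return sorted(ip for ip, s in summary.items() if s["dmarc_fail"])

if __name__ == "__main__":
    report = summarize(SAMPLE_REPORT)
    for ip, s in sorted(report.items()):
        print(ip, s)
    print("review before enforcement:", failing_sources(report))
```

A source in the failing list is either a legitimate sender that still needs SPF or DKIM configured, or someone else sending as your domain; the report alone does not say which.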
Moving from p=none to Enforcement
Once you've identified all legitimate senders and confirmed each one passes SPF and DKIM, you're ready to move to enforcement.
The safe progression is:
- p=none (2–4 weeks) — monitor, identify all senders
- p=quarantine (2–4 weeks) — failed emails go to spam; watch for false positives
- p=reject — failed emails are blocked entirely; full protection against domain spoofing
To update your policy, edit your DMARC TXT record and change p=none to p=quarantine, then later to p=reject.
For a detailed explanation of each policy level and when to move between them, see DMARC policy: none vs quarantine vs reject.
Common Mistakes to Avoid
Jumping straight to p=reject. If any legitimate sender (a marketing tool, your CRM, a billing platform) isn't in your SPF record or doesn't have DKIM configured, their emails will be blocked when you enforce. Always use the phased approach.
Wrong TXT record host. The record must be at _dmarc.yourdomain.com — not at your root domain. A common mistake is adding the record at yourdomain.com instead of _dmarc.yourdomain.com.
Missing rua tag. Without the rua tag, you receive no aggregate reports. You're enforcing blind. Always include it.
Not removing old DMARC records. If a DMARC record already exists and you create a second one, both become invalid. Check first with a DMARC lookup tool.
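The checks from Step 5 and the mistakes listed above can be expressed as one small validator. This is an added example, not code from this guide or from any checker tool: it runs against a constructed table of TXT records (the `.example` domains and `SAMPLE_ZONE` are made up) rather than live DNS, and `check_dmarc` is a hypothetical helper name.

```python
# Constructed sample data (hostname -> TXT strings); not real DNS answers.
SAMPLE_ZONE = {
    "_dmarc.good.example": ["v=DMARC1; p=none; rua=mailto:dmarc-reports@good.example"],
    "wronghost.example": ["v=spf1 include:_spf.google.com ~all",
                          "v=DMARC1; p=none; rua=mailto:dmarc-reports@wronghost.example"],
    "_dmarc.twice.example": ["v=DMARC1; p=none; rua=mailto:a@twice.example",
                             "v=DMARC1; p=reject"],
    "_dmarc.blind.example": ["v=DMARC1; p=reject"],
}

def is_dmarc(txt):
    """A DMARC record must begin with the v=DMARC1 tag."""
    return txt.split(";")[0].replace(" ", "").lower() == "v=dmarc1"

def parse_tags(txt):
    """Split 'tag=value; tag=value' into a dict keyed by lowercase tag name."""
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    return {name.strip().lower(): value.strip() for name, value in pairs}

def check_dmarc(zone, domain):
    """Return (policy, problems) for the record published at _dmarc.<domain>."""
    found = [t for t in zone.get("_dmarc." + domain, []) if is_dmarc(t)]
    if not found:
        # Mistake: record added at yourdomain.com instead of _dmarc.yourdomain.com.
        if any(is_dmarc(t) for t in zone.get(domain, [])):
            return None, ["DMARC record is at the root domain, not at _dmarc"]
        return None, ["no DMARC record found"]
    if len(found) > 1:
        # Mistake: an old record was left in place next to the new one.
        return None, ["%d DMARC records found; none of them is valid" % len(found)]
    tags = parse_tags(found[0])
    policy = tags.get("p", "").lower()
    problems = []
    if policy not in ("none", "quarantine", "reject"):
        problems.append("missing or invalid p tag")
        policy = None
    uris = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    if not uris:
        problems.append("no rua tag: no aggregate reports will arrive")
    elif not all(u.lower().startswith("mailto:") for u in uris):
        problems.append("rua value does not use mailto:")
    return policy, problems

if __name__ == "__main__":
    for name in ("good.example", "wronghost.example", "twice.example", "blind.example"):
        print(name, check_dmarc(SAMPLE_ZONE, name))
```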
If You're on Microsoft 365 Instead
The setup process is nearly identical — the DNS record format is the same. The difference is in SPF and DKIM setup, which are platform-specific. See the Microsoft 365 authentication setup guide for those steps.
Checklist: DMARC Setup for Google Workspace
- SPF record exists and includes _spf.google.com
- DKIM signing enabled in Google Admin Console and verified
- TXT record created at _dmarc.yourdomain.com
- Record starts with p=none
- rua tag points to a monitored email address
- Record verified live after propagation
- Aggregate reports reviewed for 2–4 weeks before moving to enforcement
For a complete email migration checklist covering SPF, DKIM, and DMARC together, see the Google Workspace email migration checklist.