What DMARC policy should I start with on Google Workspace domains?

Start with p=none to collect reports without blocking anything. Move to quarantine and reject only when SPF and DKIM alignment look healthy.

Where do I publish the DMARC record?

DMARC is a TXT record at _dmarc.yourdomain.com. It should start with v=DMARC1 and include a p= policy.

Why does DMARC fail even when SPF and DKIM pass?

DMARC cares about alignment. The domain in the visible From header must align with the domain authenticated by SPF or DKIM.

How to set up DMARC on Google Workspace

Step by step DMARC setup for Google Workspace: complete instructions, examples, verification commands, and common pitfalls.

Want to check your domain while following this guide?

Run a free SPF, DKIM and DMARC check on your domain to see exactly what is passing and what needs fixing.

No signup required. Works on any domain.

search Run a Free Domain Check notifications_active Monitor my domain

This is a reference guide for configuring DMARC on Google Workspace. Use it while editing DNS or when troubleshooting deliverability.

Tip: Avoid common mistakes: follow these steps to add DMARC on Google Workspace. Then verify everything with the InboxGreen Free Checker.

Provider-specific notes for Google Workspace

Google Workspace SPF is usually just one include. Problems show up when people add a second SPF TXT record instead of editing the existing one.
DKIM signing must be enabled in the Admin console - publishing the DNS record alone is not enough. Go to Apps → Google Workspace → Gmail → Authenticate email.
Admin console → Apps → Google Workspace → Gmail → Authenticate email (DKIM and SPF).

DMARC policy ladder

DMARC connects SPF and DKIM to the visible From domain. The safe approach is to start in monitoring, fix alignment issues, then gradually move to stricter policies.

Stage	TXT value	When to use it
Monitor	`v=DMARC1; p=none; rua=mailto:[email protected]; fo=1`	Collect reports and understand who sends on your behalf.
Quarantine	`v=DMARC1; p=quarantine; pct=25; rua=mailto:[email protected]; fo=1`	Quarantine a portion of failing mail. Raise `pct` as confidence grows.
Reject	`v=DMARC1; p=reject; pct=100; rua=mailto:[email protected]; fo=1`	Full protection once alignment is good and monitored.

Publish DMARC

Create a TXT record at host _dmarc with your chosen value.
Make sure the rua address exists and can receive XML reports.

Verify and troubleshoot

dig TXT _dmarc.yourdomain.com +short
nslookup -type=txt _dmarc.yourdomain.com

Check that either SPF or DKIM aligns with the visible From domain.
Debug failing sources before moving beyond p=none.

Related for Google Workspace

quick_reference_all Set up SPF on Google Workspace quick_reference_all Set up DKIM on Google Workspace quick_reference_all Set up List-Unsubscribe on Google Workspace

Pro tip: Turn on InboxGreen Monitoring to check these records daily and get alerts if something breaks.

Free Deliverability Scan

Check SPF, DKIM, DMARC and List-Unsubscribe for your domain in seconds.

Useful tools

tune SPF Generator tune DMARC Generator verified Badges