← Back to Learn Hub

How to Set Up DMARC for Google Workspace (Gmail)

Setting up DMARC for Google Workspace is a DNS record, not a setting inside the Admin console. You publish one record, Google and other providers read it, and you tighten the policy over time. This guide shows you what to publish and how to roll it out safely.

DMARC tells providers what to do with mail that fails authentication, and it reports who is sending as your domain. Without it, anyone can send email that appears to come from you.

DMARC is a DNS record, not a Workspace setting

Unlike DKIM, which you turn on inside the Google Admin console, DMARC has no switch in Google Workspace. You enable it by publishing a TXT record in your domain's DNS, and Google reads it from there.

So if you're looking for a DMARC option in the Admin console, there isn't one. The work happens in your DNS.

Set up SPF and DKIM first

DMARC relies on SPF and DKIM, so set those up before publishing it. DMARC passes when a message passes SPF or DKIM and the domain aligns with the From address.

If you haven't done them yet, start with SPF for Google Workspace and DKIM for Google Workspace, then come back here.

Step 1: Create your DMARC record

A safe starting record looks like this:

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

v=DMARC1 marks it as a DMARC record, p=none means monitor only (nothing is blocked yet), and rua is where the daily reports are sent. Starting at none lets you see who sends as your domain before you turn on blocking.

Step 2: Publish the record in your DNS

Add the record where your domain's DNS is managed.

  • Type: TXT
  • Host / Name: _dmarc
  • Value: your DMARC record (the v=DMARC1 line above)
  • Save, then allow time for DNS to update.

Step 3: Move to enforcement

p=none only watches. Once your reports confirm Google Workspace and any other senders pass, move from p=none to p=quarantine (failing mail to spam), then p=reject (failing mail blocked). Google and Yahoo require DMARC for bulk senders, so enforcement matters.

One Google Workspace note: some Google services (like Calendar invites) send using Google's own bounce domains, and they fail DMARC if DKIM isn't fully turned on. Keep DMARC at p=quarantine while you confirm everything passes, so you don't lose legitimate mail by jumping straight to reject.

How to check it worked

Confirm your record with our free DMARC checker. It reads your published record and shows your policy in plain English, and your rua reports will show which senders pass.

Common problems

Most Google Workspace DMARC confusion comes down to a few things.

  • Looking for a DMARC setting in the Admin console: there isn't one. It's a DNS record.
  • Record at the wrong name: the host must be _dmarc, not your full domain.
  • Policy stuck at p=none: the record exists but blocks nothing yet.
  • Calendar invites failing after enforcement: confirm DKIM is fully turned on and use p=quarantine while testing.

Check your domain now

Enter your domain to see your current email security status.

Frequently Asked Questions

Where do I set up DMARC in Google Workspace?

You don't set DMARC inside the Google Admin console. There's no option for it. DMARC is a TXT record you publish in your domain's DNS at the host _dmarc. Google reads it from there. Only DKIM is turned on inside the Admin console.

What DMARC policy should I use for Google Workspace?

Start at p=none to monitor without blocking. Once your reports confirm Google Workspace and your other senders pass, move to p=quarantine, then p=reject. With Workspace, keep an eye on Calendar invites, which can fail if DKIM isn't fully enabled.

Do I need DMARC if I use Google Workspace?

Yes. Google and Yahoo require a DMARC record from bulk senders, and it's what actually stops someone spoofing your domain. Google Workspace handles your SPF and DKIM signing, but DMARC is a separate DNS record you publish and manage yourself.

Do I need SPF and DKIM before DMARC?

Yes. DMARC checks the results of SPF and DKIM and whether they align with your From address, so set those up first. Publish SPF and turn on DKIM for Google Workspace, then add your DMARC record.

Setting up DMARC for Google Workspace is one DNS record at _dmarc, tightened from monitoring to enforcement as your reports confirm your senders pass. There's no switch in the Admin console. It all happens in your DNS.

Check your record with our DMARC checker. If you'd rather not manage the rollout and reports yourself, readyDMARC sets up and monitors DMARC for you.

Related Articles

How to Set Up DKIM for Google Workspace (Gmail)

Set up DKIM for Google Workspace (Gmail): generate the key in the Admin console, publish the google....

Read more →

How to Set Up SPF for Google Workspace (Gmail)

Set up SPF for Google Workspace (Gmail): publish the v=spf1 include:_spf.google.com ~all TXT record,...

Read more →

What Is DMARC? How It Protects Your Email

Learn what DMARC is, how it stops email spoofing and phishing, and why every domain needs a DMARC po...

Read more →

Misconfiguring this is easy, and costly

One wrong record can let attackers send email as your domain, or block your own legitimate mail once you turn on enforcement. Getting from a published record to real protection, without breaking delivery, is where most teams get stuck. Our specialists set up SPF, DKIM, and DMARC for you and roll it out safely, checking at every stage.

Book a call with our team