How to Set Up DMARC for Google Workspace

Step-by-step guide to configuring SPF, DKIM, and DMARC for Google Workspace. Complete email authentication setup in under 30 minutes.

By Verkh Published March 14, 2025

Overview

This guide walks you through setting up email authentication for a domain that uses Google Workspace (formerly G Suite) as its primary email provider. By the end, you will have properly configured SPF, DKIM, and DMARC records that authenticate your outbound email.

Email authentication protects your domain from spoofing and phishing attacks. Without it, anyone can send email that appears to come from your domain. With proper DMARC enforcement, receiving mail servers will reject unauthorized messages.

What You Will Configure

  • SPF (Sender Policy Framework): Specifies which servers are allowed to send email for your domain
  • DKIM (DomainKeys Identified Mail): Adds a cryptographic signature to outbound messages
  • DMARC (Domain-based Message Authentication, Reporting, and Conformance): Tells receiving servers what to do when a message fails SPF and DKIM checks, and where to send reports

Prerequisites

Before you begin, make sure you have the following:

  • Google Workspace Admin access: You need Super Admin privileges or delegated admin access to the Apps > Google Workspace > Gmail settings.
  • DNS access: You need the ability to create and edit TXT records at your domain registrar or DNS provider (Cloudflare, GoDaddy, Namecheap, Route 53, etc.).
  • Domain ownership verified: Your domain should already be verified in Google Workspace. If not, complete that process first.
  • Current DNS records documented: Export or screenshot your existing DNS records before making changes. This helps if you need to roll back.

Step 1: Check Your Current State

Before making changes, check what DNS records already exist for your domain. This prevents conflicts and helps you understand your starting point.

Check Existing Records

Run these commands in your terminal, or use an online DNS lookup tool:

# Check SPF record
dig TXT yourdomain.com +short | grep spf

# Check DMARC record
dig TXT _dmarc.yourdomain.com +short

# Check DKIM record (Google's default selector)
dig TXT google._domainkey.yourdomain.com +short

What to Look For

  1. No SPF record: You will create one from scratch.
  2. Existing SPF record: You will need to add Google’s include statement to it rather than creating a new record. Having multiple SPF records breaks authentication.
  3. Existing DMARC record: Note the current policy (p=none, p=quarantine, or p=reject) before making changes.

Step 2: Configure SPF for Google Workspace

SPF tells receiving mail servers which IP addresses are authorized to send email for your domain. Google publishes its sending IP ranges, and you reference them in your SPF record.

If You Have No Existing SPF Record

Create a new TXT record at your domain’s root with this value:

v=spf1 include:_spf.google.com ~all

If You Have an Existing SPF Record

Add Google’s include statement to your existing record. For example, if your current record is:

v=spf1 include:sendgrid.net ~all

Update it to:

v=spf1 include:_spf.google.com include:sendgrid.net ~all

SPF Lookup Limit

SPF has a limit of 10 DNS lookups. Each “include” statement counts as at least one lookup. Google’s include (_spf.google.com) uses approximately 3 to 4 lookups on its own. If you have many email services, you may approach this limit.
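
To see how close a record is to the limit, the added example below (not part of the original guide) counts the lookup-costing terms in an SPF record, following each include, and rejects a domain that publishes more than one SPF record. The `ZONE` dictionary is constructed sample data standing in for DNS answers, and the function names are illustrative.

```python
# Added example: offline SPF lookup counter. ZONE is constructed sample data
# standing in for DNS answers; it is not Google's or SendGrid's live records.
ZONE = {
    "yourdomain.com": ["v=spf1 include:_spf.google.com include:sendgrid.net ~all"],
    "_spf.google.com": ["v=spf1 include:_netblocks.google.com "
                        "include:_netblocks2.google.com "
                        "include:_netblocks3.google.com ~all"],
    "_netblocks.google.com": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_netblocks2.google.com": ["v=spf1 ip6:2001:db8::/32 ~all"],
    "_netblocks3.google.com": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "sendgrid.net": ["v=spf1 ip4:203.0.113.0/24 ~all"],
}
SPF_LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4

def spf_records(zone, name):
    """TXT strings at `name` that are SPF records (there must be exactly one)."""
    return [t for t in zone.get(name, []) if t.lower().split()[:1] == ["v=spf1"]]

def count_lookups(zone, name, path=()):
    """Count terms that cost a DNS query, following include/redirect targets."""
    name = name.lower()
    if name in path:
        raise ValueError(f"include loop through {name}")
    records = spf_records(zone, name)
    if len(records) != 1:
        raise ValueError(f"{name}: found {len(records)} SPF records, need exactly 1")
    total = 0
    for term in records[0].lower().split()[1:]:
        term = term.lstrip("+-~?")             # drop the qualifier
        if term.startswith("redirect="):
            total += 1 + count_lookups(zone, term[len("redirect="):], path + (name,))
            continue
        mech, _, arg = term.partition(":")
        mech = mech.split("/")[0]              # "a/24" and "mx/24" carry a CIDR suffix
        if mech == "include":
            total += 1 + count_lookups(zone, arg, path + (name,))
        elif mech in ("a", "mx", "exists", "ptr"):
            total += 1
    return total

def check_spf(zone, domain):
    """Return (lookups, within_limit) for the SPF record published at `domain`."""
    n = count_lookups(zone, domain)
    return n, n <= SPF_LOOKUP_LIMIT

if __name__ == "__main__":
    print(check_spf(ZONE, "yourdomain.com"))
```
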

Step 3: Enable DKIM in Google Admin Console

DKIM adds a cryptographic signature to every outbound email. Receiving servers use this signature to verify the message was not altered in transit and actually came from your domain.

Generate the DKIM Key

  1. Sign in to the Google Admin console at admin.google.com
  2. Navigate to Apps > Google Workspace > Gmail
  3. Click Authenticate email
  4. Select your domain from the dropdown
  5. Click Generate new record
  6. For DKIM key bit length, select 2048 (recommended for security)
  7. For prefix selector, leave it as google unless you have a specific reason to change it
  8. Click Generate

Add the DKIM Record to DNS

Google will display a TXT record value. Copy this value and create a new TXT record in your DNS:

| Field | Value |
|---|---|
| Host/Name | google._domainkey |
| Type | TXT |
| Value | (Paste the value from Google Admin) |
| TTL | 3600 |

Activate DKIM Signing

After adding the DNS record, wait 15 to 30 minutes for propagation. Then return to the Google Admin console and click Start authentication. Google will verify the DNS record and begin signing outbound messages.

If authentication fails, double-check that you copied the entire DKIM value. Long TXT records are sometimes split across multiple lines in DNS interfaces, which can cause copy/paste errors.

Step 4: Create Your DMARC Record

DMARC tells receiving servers what to do when an email fails SPF and DKIM checks. It also specifies where to send aggregate reports about your domain’s email authentication.

Start with Monitoring Mode

Always start with p=none. This policy tells receiving servers to deliver all messages regardless of authentication results, but to send you reports. This lets you see who is sending email as your domain before you start blocking anything.

Create a TXT record at _dmarc.yourdomain.com with this value:

v=DMARC1; p=none; rua=mailto:[email protected]

DMARC Record Breakdown

| Tag | Meaning |
|---|---|
| v=DMARC1 | Required. Identifies this as a DMARC record. |
| p=none | Policy: none (monitoring only), quarantine, or reject |
| rua=mailto:... | Where to send aggregate reports (daily summaries) |

Using Verkh to Receive Reports

Instead of sending reports to a regular email inbox (where they arrive as unreadable XML files), point them to Verkh for automatic parsing and visualization:

v=DMARC1; p=none; rua=mailto:[your-summit-eap-address]@reports.verkh.io

Your unique Verkh reporting address is shown in the Domains section of the dashboard after you add your domain.

Step 5: Verify Your Configuration

After making DNS changes, verify everything is working correctly.

Wait for DNS Propagation

DNS changes can take anywhere from a few minutes to 48 hours to propagate globally. Most changes are visible within 15 to 30 minutes. You can check propagation status using online tools like whatsmydns.net.

Verify with MXToolbox

  1. SPF: Check at MXToolbox SPF Lookup
  2. DKIM: Check at MXToolbox DKIM Lookup with selector google
  3. DMARC: Check at MXToolbox DMARC Lookup

Send a Test Email

Send an email from your Google Workspace account to an external address you control (a personal Gmail account works well). Then check the email headers to verify authentication:

  1. Open the received email
  2. Click the three-dot menu and select Show original
  3. Look for these headers:
SPF: PASS
DKIM: PASS
DMARC: PASS
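
The same results are recorded in the message's Authentication-Results header, which can be checked in a script. The added example below (not part of the original guide) reads only the header stamped by the receiving server you name, because a message can carry other Authentication-Results headers from earlier hops that the receiver did not write. The message in `RAW` is constructed and the function names are illustrative.

```python
import re
from email import message_from_string

# Constructed message; addresses and the IP are illustrative. The second
# Authentication-Results header stands for one added by an earlier hop.
RAW = """\
Authentication-Results: mx.google.com;
 dkim=pass header.i=@yourdomain.com header.s=google;
 spf=pass (google.com: domain of alice@yourdomain.com designates
 192.0.2.10 as permitted sender) smtp.mailfrom=alice@yourdomain.com;
 dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=yourdomain.com
Authentication-Results: relay.example; spf=fail smtp.mailfrom=yourdomain.com
From: Alice <alice@yourdomain.com>
To: me@example.net
Subject: DMARC test

test body
"""

def auth_results(raw, authserv_id):
    """Return {method: result} from the header written by `authserv_id` only."""
    msg = message_from_string(raw)
    for value in msg.get_all("Authentication-Results", []):
        server, _, rest = value.partition(";")
        if server.strip().lower() != authserv_id.lower():
            continue                            # not stamped by the server we trust
        rest = re.sub(r"\([^()]*\)", "", rest)  # drop parenthesised comments
        found = {}
        for method, result in re.findall(
                r"(?<![\w.-])(spf|dkim|dmarc)=([a-z]+)", rest, re.I):
            found.setdefault(method.lower(), result.lower())  # keep first per method
        return found
    return {}

def fully_authenticated(results):
    """True only when SPF, DKIM and DMARC are all present and 'pass'."""
    return all(results.get(m) == "pass" for m in ("spf", "dkim", "dmarc"))

if __name__ == "__main__":
    r = auth_results(RAW, "mx.google.com")
    print(r, fully_authenticated(r))
```
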

Troubleshooting

SPF Fails

| Problem | Solution |
|---|---|
| Multiple SPF records | You can only have one SPF record per domain. Combine them into one. |
| Missing include statement | Make sure _spf.google.com is in your SPF record. |
| Too many DNS lookups | If you exceed 10 lookups, SPF will fail with a permerror. Remove unnecessary includes or use SPF flattening. |

DKIM Fails

| Problem | Solution |
|---|---|
| Record not found | Verify the selector matches what is in Google Admin (default is “google”). The full record name should be google._domainkey.yourdomain.com. |
| Truncated value | 2048-bit DKIM keys are long. Some DNS providers split TXT records. Make sure the entire value was copied correctly. |
| Authentication not started | Return to Google Admin and click “Start authentication” after adding the DNS record. |

DMARC Reports Not Arriving

| Problem | Solution |
|---|---|
| Wrong record location | DMARC records must be at _dmarc.yourdomain.com, not at the root. |
| Invalid email in rua | Make sure the rua address is formatted correctly with mailto: prefix. |
| Reports take time | Most providers send aggregate reports once per day. Wait 24 to 48 hours for the first report. |

Next Steps

With SPF, DKIM, and DMARC in monitoring mode (p=none), you are now collecting data. Here is what comes next:

Monitor for 2 to 4 Weeks

Let reports accumulate so you can see the full picture of who is sending email as your domain. Look for:

  • All sending sources (IP addresses and identified providers)
  • Pass/fail rates for SPF, DKIM, and DMARC
  • Any unauthorized senders you need to investigate

Authorize Legitimate Senders

For each sending source, decide whether it is legitimate (marketing platforms, CRM systems, other services that send email on your behalf). Authorize legitimate senders and investigate unknown ones.

Progress to Enforcement

Once your pass rate is consistently above 95% and you have authorized all legitimate senders, you are ready to move toward enforcement. The progression is:

  1. p=none (monitoring)
  2. p=quarantine (suspicious mail goes to spam)
  3. p=reject (unauthorized mail is blocked)
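
The monitoring review described above can be scripted against the aggregate reports themselves. The added example below (not part of the original guide and not Verkh's code) parses one aggregate report, totals DMARC pass and fail counts per sending IP, and compares the overall pass rate with the 95% figure. The report in `REPORT` is constructed and the function names are illustrative.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed aggregate report in the RFC 7489 layout; IPs are documentation ranges.
# Reports come from third parties: parse them with a hardened XML parser in production.
REPORT = """<feedback>
 <policy_published><domain>yourdomain.com</domain><p>none</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>180</count><policy_evaluated>
  <disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
 <record><row><source_ip>192.0.2.10</source_ip><count>12</count><policy_evaluated>
  <disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>6</count><policy_evaluated>
  <disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
 <record><row><source_ip>203.0.113.25</source_ip><count>2</count><policy_evaluated>
  <disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row></record>
</feedback>"""

ENFORCEMENT_THRESHOLD = 0.95  # the 95% pass rate named in this guide

def summarize(xml_text):
    """Return ({source_ip: [dmarc_pass, dmarc_fail]}, overall_pass_rate)."""
    sources = defaultdict(lambda: [0, 0])
    for row in ET.fromstring(xml_text).iter("row"):
        ev = row.find("policy_evaluated")
        if ev is None:
            continue
        count = int(row.findtext("count", "0"))
        # DMARC passes when either aligned result is "pass".
        passed = "pass" in (ev.findtext("dkim"), ev.findtext("spf"))
        sources[row.findtext("source_ip")][0 if passed else 1] += count
    total = sum(p + f for p, f in sources.values())
    rate = sum(p for p, _ in sources.values()) / total if total else 0.0
    return dict(sources), rate

def failing_sources(sources):
    """IPs with at least one DMARC failure: authorize them or investigate them."""
    return sorted(ip for ip, (_, failed) in sources.items() if failed)

def meets_threshold(rate):
    return rate > ENFORCEMENT_THRESHOLD

if __name__ == "__main__":
    srcs, rate = summarize(REPORT)
    print(srcs, round(rate, 3), failing_sources(srcs), meets_threshold(rate))
```

In this sample the pass rate clears 95%, yet one source still fails both checks, so it has to be classified as legitimate or unauthorized before the policy is tightened.
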

Quick Reference

Final DNS Records

SPF (TXT record at @):

v=spf1 include:_spf.google.com -all

DKIM (TXT record at google._domainkey):

(Value generated in Google Admin console)

DMARC (TXT record at _dmarc):

v=DMARC1; p=reject; rua=mailto:[email protected]
