Publish a DMARC policy for your domain to instruct receiving mail servers how to handle messages that fail SPF and DKIM authentication.
Type: TXT
Host: _dmarc
Value: v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1
Start with p=none to monitor, then move to p=quarantine and finally p=reject.
DMARC builds on SPF and DKIM. Verify both are set up and passing for your Google Workspace domain before adding DMARC.
Start with p=none (monitoring only) to collect reports without affecting mail delivery. This lets you identify all legitimate senders before enforcing.
Add a TXT record in your DNS with the host _dmarc and your chosen DMARC policy. Replace the email address with your own reporting address.
v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1
Aggregate reports (rua) will be sent in XML format. Use a DMARC report analyzer to read them and identify any legitimate senders that are failing authentication.
Once all legitimate senders pass, move to p=quarantine (with pct=10 initially), then increase to pct=100, and finally to p=reject.
v=DMARC1; p=reject; rua=mailto:[email protected]; fo=1
(no DMARC record)
v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1
After adding your DNS records, use our free DMARC checker to verify everything is configured correctly. DNS changes typically propagate within minutes, but can take up to 48 hours.
Start with v=DMARC1; p=none; rua=mailto:[email protected] to monitor authentication results. After confirming all legitimate email passes, gradually move to p=quarantine and then p=reject.
Yes. Google Workspace emails align on both SPF (envelope sender matches header from) and DKIM (d= domain matches header from) when properly configured.
Monitor with p=none for at least 2-4 weeks. Review aggregate reports to ensure all legitimate sending services are properly authenticated before moving to quarantine or reject.