Introduction
A practical setup guide for getting DMARC running on a Google Workspace tenant — applicable for the tenant admin running a single-domain rollout. Companion to the MSP-focused version.
SPF setup
Standard Workspace SPF:
“text v=spf1 include:_spf.google.com ~all “
For additional senders, add includes carefully, watching the 10-lookup limit.
DKIM setup
- Admin console → Apps → Google Workspace → Gmail → Authenticate email.
- Generate new record with 2048-bit key.
- Workspace provides a TXT record to publish at
google._domainkey.yourdomain.com. - Publish in DNS, wait 24-48 hours.
- Click "Start authentication."
DMARC setup
Publish at _dmarc.yourdomain.com:
“text v=DMARC1; p=none; rua=mailto:[email protected] “
Start at p=none; advance through the policy phases.
Step-by-step approach
- Audit current state.
- SPF, DKIM, DMARC in order.
- Wait 24-48h after DKIM record publication.
- Monitor reports.
- Move to enforcement.
Best practices
- Plan for the 48-hour DKIM wait. Don't enable signing prematurely.
- Pair with MTA-STS for transport.
- Use Workspace's security health page for ongoing checks.
- Document selector and rotation history.
- Watch SPF budget.
Recommended next step
For Workspace tenants without DMARC, the setup is straightforward. Enable DKIM today; DMARC follows after propagation.
FAQ
Why does Workspace DKIM take 48 hours?
Propagation + Google verification. Build into your timeline.
Does this work for Workspace Business vs. Enterprise?
Same setup; some advanced features differ by tier.
Can I use multiple DKIM selectors?
Default is google. Custom selectors require advanced configuration.
What about Workspace's recommended ~all SPF?
Acceptable. DMARC's policy layer is the enforcement.
Does this support Workspace Multi-Domain?
Each domain needs separate authentication setup.
Final thoughts
Workspace DMARC is a clean setup once you accept the 48-hour DKIM wait. Configure once; monitor steady-state.