Source Guide: Google Workspace
This guide describes the process for configuring Google Workspace to send DMARC-compliant messages. You will need to configure this source, and others that send on your behalf, before advancing your DMARC policies to a more restrictive state (eg. quarantine and/or reject).
To bring this source into DMARC compliance, you will need access to Google’s administrative account and the domain’s DNS management console.
From time to time, these instructions change with very little advance notice. Please always refer to documentation published by Google for the most complete and accurate information.
Google Workspace provides a collection of products that includes Gmail, Contacts, Calendar, Meet and Chat for communication, Drive for storage, and Google Docs suite for content creation. The most common usage of this source is as a web-based email service with your personal domain name. Google Workspace supports DMARC compliance through SPF and DKIM alignment.
To configure SPF, add a DNS TXT record at your domain’s DNS provider.
- Sign in to the management console of your domain’s DNS provider
- Locate the page where you manage DNS records for your domain
- Add “include:_spf.google.com” to your domain’s SPF TXT record
Here’s an example of an SPF TXT record authorizing Google:
v=spf1 include:_spf.google.com ~all
Reference: Google’s SPF directions
To configure DKIM:
- Access Google’s Gmail administration panel. Navigate to “Settings for Gmail” > “Authenticate email”
- Generate a new DKIM record.
- Copy the DKIM record value and publish them to your domain’s DNS provider.
When creating the DKIM key, you will be prompted to choose the DKIM key bit strength. We recommend choosing a bit strength of 2048 as longer keys are more secure. However, not all domain DNS providers support this key size. Confirm with your domain DNS provider or administrator if they support this DKIM bit size.
You will also be prompted to choose a DKIM prefix selector. The default value is google, and we recommend you leave it as that value.
Note: It is necessary to configure DKIM for Google Calendar invites to pass DMARC. If you are having issues with Google Calendar, see this article.
Reference: Google’s DKIM directions
If you have a dmarcian account, it may take a few days to see these changes reflected in the dmarcian platform. You can look in the Detail Viewer (shown below) to check SPF and DKIM alignment required for DMARC.
We’re Here to Help
With a team of email security experts and a mission of making email and the internet more trustworthy through domain security, dmarcian is here to help assess an organization’s domain catalog and implement and manage DMARC for the long haul.
Want to continue the conversation? Head over to the dmarcian Forum.