Set up DMARC - Google Workspace Admin Help (2024)

Gmail users: If you’re getting spam or phishing messages in Gmail, go here instead. If you’re having trouble sending or receiving emails in Gmail, go here instead.

As an administrator, once you have SPF and DKIM set up, you can set up Domain-based Message Authentication, Reporting, and Conformance (DMARC). DMARC lets you tell receiving mail servers what to do when they get a message that doesn't pass SPF or DKIM authentication checks. You can also get reports that help you identify possible authentication issues and malicious activity for messages sent from your domain.

What is DMARC?

DMARC helps protect users from forged email messages, and lets you manage messages that don't pass SPF or DKIM.

On this page

  • Step 2: Check if DMARC is already set up
  • Step 3: Set up a group or mailbox for reports
  • Step 4: Ensure any third-party services are authenticated
  • Step 5: Prepare your DMARC record
  • Step 6: Add your DMARC record
  • Step 7: Verify your DMARC record
  • Related topics

Step 1: Turn on SPF & DKIM

Before you can use DMARC, you must turn on SPF and DKIM for your domain. If you haven't set up SPF and DKIM, go to Help prevent spoofing, phishing, and spam.

SPF, DKIM, and DMARC are applied per domain. If you manage more than one domain, you must enable SPF, DKIM, and DMARC separately for each domain.

Important:

  • If you don't set up SPF and DKIM before enabling DMARC, messages sent from your domain will probably have delivery issues.
  • Allow 48 hours after setting up SPF and DKIM before setting up DMARC.

Step 2: Check if DMARC is already set up

If you're using Google Workspace, use the Google Admin Toolbox to check if DMARC is set up. Otherwise, follow the steps for checking at your domain provider.

Check using the Google Admin Toolbox:

  1. Go to the Google Admin Toolbox.
  2. Go to Verify DNS issues > Check MX.
  3. Enter your domain name in the Domain name field, then click RUN CHECKS!
  4. The results indicate whether your domain has a DMARC record:
    • DMARC is not set up—Your domain doesn’t have a DMARC record yet.
    • Formatting of DMARC policies—Your domain has an existing DMARC record.

Check at your domain provider:

  1. Sign into the management console for your domain provider.
  2. Locate the page or dashboard where you update your domain’s DNS TXT records.
  3. Check the DNS TXT records for your domain. If your domain has a DMARC record, there's a TXT record entry that starts with v=DMARC.

Proceed based on the results:

  • If DMARC is already set up, you should review your DMARC reports to make sure DMARC is effectively authenticating messages and they are being delivered as expected.
  • If DMARC is not set up, proceed to Set up a group or mailbox for reports (on this page).

Step 3: Set up a group or mailbox for reports

The number of DMARC reports you receive by email can vary, and depends on how much email your domain sends. You can receive many reports every day. Large organizations might get up to hundreds or even thousands of reports daily.

Google recommends that you create a group or a dedicated mailbox to receive and manage DMARC reports.

DMARC reports tell you which messages sent from your domain are authenticated by SPF and DKIM and if any messages are regularly failing authentication. You can also use reports to review who is sending mail for your domain, and get alerted to potential spammers. Monitoring DMARC reports is especially helpful during the rollout phase. See Recommended DMARC rollout.

Step 4: Ensure any third-party services are authenticated

If you use a third-party service to send mail for your organization, you must ensure that messages sent by third-party services are authenticated and pass SPF and DKIM checks:

  • Contact your third-party provider to make sure DKIM is correctly set up.
  • Make sure the provider’s envelope sender domain matches your domain. Add the IP address of the provider’s sending mail servers to the SPF record for your domain.
  • Route outgoing mail from the provider through Google using the SMTP relay service setting.

Step 5: Prepare your DMARC record

Your DMARC policy is defined in a line of text values called a DMARC record. The record defines:

  • How strictly DMARC should check messages
  • Recommended actions for the receiving server, when it gets messages that fail authentication checks

Example of a DMARC policy record (replace example.com with your domain):

v=DMARC1; p=reject; rua=mailto:postmaster@example.com, mailto:dmarc@example.com; pct=100; adkim=s; aspf=s

The v and p tags must be listed first. Other tags can be listed in any order.

When you start using DMARC, we recommend setting the policy option (p) to none. As you learn how messages from your domain are authenticated by receiving servers, update your policy. Over time, change the receiver policy to quarantine (or reject). See Recommended DMARC rollout.

DMARC record tag definitions and values

Tag Description and values
v

(Required) DMARC version. Must be DMARC1.

p

(Required) Instructs the receiving mail server what to do with messages that don’t pass authentication.
  • none—Take no action on the message and deliver it to the intended recipient. Log messages in a daily report. The report is sent to the email address specified with the rua option in the record.
  • quarantine—Mark the messages as spam and send it to the recipient's spam folder. Recipients can review spam messages to identify legitimate messages.
  • reject—Reject the message. With this option, the receiving server usually sends a bounce message to the sending server.

BIMI note: If your domain uses BIMI, the DMARC p option must be set to quarantine or reject. BIMI doesn't support DMARC policies with the p option set to none.

pct

(Optional) Specifies the percent of unauthenticated messages that are subject to the DMARC policy. When you gradually deploy DMARC, you might start with a small percentage of your messages. As more messages from your domain pass authentication with receiving servers, update your record with a higher percentage, until you reach 100 percent.

Must be a whole number from 1 to 100. If you don’t use this option in the record, your DMARC policy applies to 100% of messages sent from your domain.

BIMI note: If your domain uses BIMI, your DMARC policy must have a pct value of 100. BIMI doesn't support DMARC policies with the pct value set to less than 100.

rua

(Optional) Get DMARC reports sent to an email address. The email address must include mailto:.
For example: mailto:dmarc-reports@example.com (replace example.com with your domain).

  • To send DMARC reports to multiple emails, separate each email address with a comma and add the mailto: prefix before each address. For example: mailto:dmarc-reports@example.com, mailto:dmarc-admin@example.com (replace example.com with your domain).
  • This option can potentially result in a high volume of report emails. We don’t recommend using your own email address. Instead, consider using a dedicated mailbox, a group, or a third-party service that specializes in DMARC reports.

ruf

Not supported. Gmail doesn’t support the ruf tag, which is used to send failure reports. Failure reports are also called forensic reports.

sp

(Optional) Sets the policy for messages from subdomains of your primary domain. Use this option if you want to use a different DMARC policy for your subdomains.
  • none: Take no action on the message and deliver it to the intended recipient. Log messages in a daily report. The report is sent to the email address specified with the rua option in the policy.
  • quarantine: Mark the messages as spam and send it to the recipient's spam folder. Recipients can review spam messages to identify legitimate messages.
  • reject: Reject the message. With this option, the receiving server should send a bounce message to the sending server.

If you don’t use this option in the record, subdomains inherit the DMARC policy set for the parent domain.

adkim

(Optional) Sets the alignment policy for DKIM, which defines how strictly message information must match DKIM signatures. Learn how alignment works.
  • s: Strict alignment. The sender domain name must exactly match the corresponding d=domainname in the DKIM mail headers.
  • r: Relaxed alignment (default). Allows partial matches. Any valid subdomain of d=domain in the DKIM mail headers is accepted.

aspf

(Optional) Sets the alignment policy for SPF, which specifies how strictly message information must match SPF signatures. Learn how alignment works.
  • s: Strict alignment. The message From: header must exactly match the domain name in the SMTP MAIL FROM command.
  • r: Relaxed alignment (default). Allows partial matches. Any valid subdomain of domain name is accepted.
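
The tag rules above can be checked mechanically before a record is published. The following is an added example, not a Google tool or code from this page; the function names parse_tags and lint_dmarc and the finding messages are hypothetical.

```python
# Added example: lint a DMARC record against the tag rules stated on this page.
POLICIES = {"none", "quarantine", "reject"}

def parse_tags(record):
    """Split 'tag=value; tag=value' into an ordered list of (tag, value) pairs."""
    pairs = []
    for part in record.split(";"):
        if part.strip():
            tag, _, value = part.partition("=")
            pairs.append((tag.strip().lower(), value.strip()))
    return pairs

def lint_dmarc(record, uses_bimi=False):
    """Return a list of findings; an empty list means no rule was violated."""
    pairs = parse_tags(record)
    tags = dict(pairs)
    findings = []
    # The v and p tags must be listed first, and v must be DMARC1.
    if [t for t, _ in pairs[:2]] != ["v", "p"]:
        findings.append("v and p must be the first two tags")
    if tags.get("v") != "DMARC1":
        findings.append("v must be DMARC1")
    if tags.get("p") not in POLICIES:
        findings.append("p must be none, quarantine or reject")
    if "sp" in tags and tags["sp"] not in POLICIES:
        findings.append("sp must be none, quarantine or reject")
    # pct is a whole number from 1 to 100; when absent it defaults to 100.
    pct = tags.get("pct", "100")
    if not (pct.isdigit() and 1 <= int(pct) <= 100):
        findings.append("pct must be a whole number from 1 to 100")
    # Every rua address needs its own mailto: prefix.
    for uri in tags.get("rua", "").split(","):
        if uri.strip() and not uri.strip().lower().startswith("mailto:"):
            findings.append("rua address missing mailto: " + uri.strip())
    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r") not in ("r", "s"):
            findings.append(tag + " must be r or s")
    if "ruf" in tags:
        findings.append("ruf is not supported by Gmail")
    # BIMI requires p=quarantine or p=reject, and pct=100.
    if uses_bimi and (tags.get("p") == "none" or pct != "100"):
        findings.append("BIMI needs p=quarantine or reject and pct=100")
    return findings

if __name__ == "__main__":
    # Constructed sample record with two mistakes (bad pct, rua without mailto:).
    print(lint_dmarc("v=DMARC1; p=none; rua=dmarc@example.com; pct=0"))
```
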

DMARC alignment

DMARC passes or fails a message based on how closely the domain in the From: header matches the sending domain specified by either SPF or DKIM. This is called alignment.

You can choose from two alignment modes: strict or relaxed. You set the alignment mode for SPF and DKIM in the DMARC record using the aspf and adkim DMARC record tags.

SPF
  • Strict alignment: An exact match between the domain in the Envelope-Sender (also called Return-Path or bounce) address and the domain in the header From: address.
  • Relaxed alignment: The domain in the header From: address must match or be a subdomain of the domain in the Envelope-Sender (also called Return-Path or bounce) address.

DKIM
  • Strict alignment: An exact match between the relevant DKIM domain, and the domain in the header From: address.
  • Relaxed alignment: The domain in the header From: address must match or be a subdomain of the domain specified in the DKIM signature d= tag.

In certain cases, Google recommends that you consider changing to strict alignment for increased protection against spoofing:

  • Mail is sent for your domain from a subdomain outside your control.
  • You have subdomains that are managed by another entity.

Important: Relaxed alignment typically provides sufficient spoofing protection. Strict alignment can result in messages from associated subdomains being rejected or sent to spam.

To pass DMARC, a message must pass at least one of these checks:

  • SPF authentication and SPF alignment
  • DKIM authentication and DKIM alignment

A message fails the DMARC check if the message fails both:

  • SPF (or SPF alignment)
  • DKIM (or DKIM alignment)
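
The pass/fail rule above, worked through in code. This is an added example, not code from this page or from Google; the function names and message fields are hypothetical, and relaxed matching follows this page's wording (same domain or a subdomain), whereas RFC 7489 compares organizational domains.

```python
# Added example: the DMARC decision for one message, as described on this page.
# Field names in the message dict are hypothetical; sample values are constructed.

def aligned(from_domain, auth_domain, mode="r"):
    """True if the header From: domain aligns with the authenticated domain."""
    f = from_domain.lower().rstrip(".")
    a = auth_domain.lower().rstrip(".")
    if f == a:
        return True  # exact match satisfies both strict and relaxed
    # Relaxed ("r", the default): From: may be a subdomain of the auth domain.
    return mode == "r" and f.endswith("." + a)


def dmarc_result(msg, adkim="r", aspf="r"):
    """Pass if SPF or DKIM both authenticates AND aligns; otherwise fail."""
    spf_ok = msg["spf_pass"] and aligned(msg["from"], msg["envelope_sender"], aspf)
    dkim_ok = msg["dkim_pass"] and aligned(msg["from"], msg["dkim_d"], adkim)
    return "pass" if spf_ok or dkim_ok else "fail"


# Constructed messages. The first is a third-party sender whose bounce domain
# is its own (SPF passes but is not aligned) while DKIM signs as example.com.
THIRD_PARTY = {"from": "example.com", "envelope_sender": "bounces.mailer.example",
               "spf_pass": True, "dkim_d": "example.com", "dkim_pass": True}
# The second authenticates cleanly, but only for a domain unrelated to From:.
FORGED = {"from": "example.com", "envelope_sender": "attacker.example",
          "spf_pass": True, "dkim_d": "attacker.example", "dkim_pass": True}
# The third is sent from a subdomain and relies on SPF alone.
SUBDOMAIN = {"from": "news.example.com", "envelope_sender": "example.com",
             "spf_pass": True, "dkim_d": "example.com", "dkim_pass": False}

if __name__ == "__main__":
    for name, msg in (("third party", THIRD_PARTY), ("forged", FORGED),
                      ("subdomain", SUBDOMAIN)):
        print(name, dmarc_result(msg), dmarc_result(msg, adkim="s", aspf="s"))
```
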

Step 6: Add your DMARC record

After preparing the text of your DMARC record, add or update the DMARC DNS TXT record at your domain provider. Anytime you change your DMARC policy and update your record, you must also update the DMARC TXT record at your domain provider.

Add or update your record

Important: Make sure you set up DKIM and SPF before setting up DMARC. DKIM and SPF should be authenticating messages for at least 48 hours before turning on DMARC.

  1. Have the text file or line for your DMARC record ready.
  2. Sign in to your domain host, typically where you purchased your domain name. If you’re not sure who your domain host is, see identify your domain registrar.
  3. Go to the page where you update DNS TXT records for your domain. For help finding this page, check the documentation for your domain.
  4. Add or update the TXT record with this information:

    Field name: Value to enter

    Type: The record type is TXT.

    Host: The domain (or subdomain), can also be called Name, Hostname, or Alias. If the Host is the same domain (not subdomain) you are adding the TXT record to, specify the @ symbol.

    Value: The string that makes up the TXT record:

    • for SPF, see Prepare your SPF record
    • for DKIM, see Generate a DKIM key pair
    • for DMARC, see Prepare your DMARC record
    • for BIMI, see Add a BIMI TXT record

    TTL (only SPF & BIMI): The Time To Live value determines the number of seconds before subsequent changes to the record go into effect. You can set this value to 1 hour or 3600 seconds. If your domain doesn't let you modify the value for this field, use the current value.

    Note: Some domain hosts automatically add the domain name. After you add or update the TXT record, verify the domain name in the DMARC record to make sure it's formatted correctly.

  5. Save your changes.
  6. If you are setting up DMARC for more than one domain, complete these steps for each domain. Each domain can have a different policy and different report options, as defined in the record.

Step 7: Verify your DMARC record

Important: The domains used in the steps below are examples only. Replace these example domains with your own domains.

Some domain hosts automatically add your domain name to the end of the TXT record name. This can cause the DMARC TXT record name to be incorrectly formatted. For example, if you enter _dmarc.example.com and your domain host automatically adds your domain name, the TXT record name will be incorrectly formatted as _dmarc.example.com.example.com.

After adding the DMARC TXT record according to the steps in Add or update your record, check the TXT record name to verify it's formatted correctly.

In the Google Admin Toolbox, you can use the Dig feature to see and verify your DMARC TXT record:

  1. Go to the Google Admin Toolbox and select the Dig feature.
  2. In the Name field, enter _dmarc. followed by your complete domain name. For example, if your domain name is example.com, enter _dmarc.example.com.
  3. Below the Name field, click TXT.
  4. Verify your DMARC TXT record name in the results. Look for the line of text that starts with _dmarc.

Related topics

  • Troubleshoot DMARC issues
  • Recommended DMARC rollout
  • Turn off DMARC
  • About DMARC reports
  • About TXT records
  • DMARC RFC 7489


Article information

Author: Frankie Dare
