dmarciq email trust
Start monitoring
Guide • Google Workspace

Google Workspace DMARC rollout with SPF & DKIM guardrails

Use this guide to configure SPF, DKIM and DMARC for Google Workspace, keep lookup counts low and onboard third-party senders without surprises.

4-stage project plan Includes stakeholder checklist

Before you start

  • Super Admin access to Google Workspace
  • DNS access to publish SPF/DKIM/DMARC records
  • dmarciq domain monitoring enabled
Schedule onboarding

Workspace configuration walkthrough

1. Publish baseline records

Stage 1
  1. Set SPF TXT to v=spf1 include:_spf.google.com ~all and review for additional include: entries.
  2. Create DMARC TXT with v=DMARC1; p=none; rua=mailto:reports@dmarciq.app; ruf=mailto:forensics@dmarciq.app.
  3. Confirm DNS propagation with dig or the dmarciq DNS validator.
Screenshot — dmarciq DNS validator
dmarciq DNS validator

2. Enable DKIM signing

Stage 2
  1. In Admin Console → Apps → Google Workspace → Gmail → Authenticate email, generate DKIM record with selector google.
  2. Publish TXT record google._domainkey with the provided key.
  3. Return after propagation to click Start authentication.
Screenshot — Google DKIM interface
Google DKIM interface

3. Tackle third-party senders

Stage 3
  1. Review dmarciq reports for source=other domains, prioritising high-volume or finance-related services.
  2. Use the included CSV template to collect SPF/DKIM configuration details from each vendor.
  3. Configure SRS on forwarding services and activate BIMI once DMARC is at enforcement.
Screenshot — Sender inventory CSV
Sender inventory CSV

4. Enforce and monitor

Stage 4
  1. Update DMARC policy to pct=50; p=quarantine for one reporting cycle, then pct=100.
  2. Confirm unauthenticated volume < 1% before moving to p=reject.
  3. Set up dmarciq alerts for new senders and forwarder detections for ongoing assurance.
Screenshot — Enforcement readiness tracker
Enforcement readiness tracker

Troubleshooting

SPF record too long

Use dmarciq’s flattening recommendations to replace redundant include: entries with subnets.

DKIM key rejected

Ensure DNS record type is TXT, remove quotation marks and republish with 2048-bit selector.

Reports missing

Whitelist agari, google.com and other report senders in your spam filter.

Forwarding issues

Enable ARC in Google Workspace routing and leverage dmarciq’s forwarder detection to maintain visibility.

Checklist

Download rollout checklist