DMARCdrift
DMARCdrift
Vendor setup

Configure Google Workspace for DMARC alignment

Step-by-step DKIM setup and SPF include for Google Workspace, plus what its aggregate reports look like in your DMARCdrift dashboard.

Google Workspace passes DMARC through DKIM by default once DKIM signing is enabled and the key is published. SPF provides a secondary path, but DKIM is the reliable one because it survives forwarding.

Enable DKIM signing in Google Admin

DKIM signing must be explicitly enabled per domain. Google generates a 2048-bit key pair; you publish the public key as a TXT record, and Google signs outbound mail with the private key.

  1. Go to Google Admin > Apps > Google Workspace > Gmail > Authenticate email.
  2. Select your domain from the domain list.
  3. Click Generate new record. Google creates a key for the selector google by default. You can use a custom selector if needed.
  4. Copy the TXT record value shown. It will look like:
v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0...
  1. Publish the record at google._domainkey.yourdomain.com in your DNS provider.
  2. After DNS propagates (usually under an hour), return to Google Admin and click Start authentication.

Google won't sign outbound mail until you click Start authentication. Publishing the DNS record alone is not enough.

Verify DKIM is active

Use the DKIM check tool to confirm the record is live and the selector is correct. Google Admin also shows a status indicator once authentication is started.

You can verify that outbound mail is signed by checking the headers of a message sent from your Google Workspace account. Look for a DKIM-Signature header with d=yourdomain.com.

SPF: add the Google include

If you don't already have an SPF record, create one:

yourdomain.com  TXT  "v=spf1 include:_spf.google.com ~all"

If you already have an SPF record, add include:_spf.google.com to the existing record:

"v=spf1 include:_spf.google.com include:other-provider.com ~all"

This allows Google's sending IPs to pass SPF for your domain. SPF alone won't produce DMARC alignment for forwarded mail, but it's a useful backup path.

One record per domain: DNS allows only one SPF TXT record at the apex. Adding a second SPF record instead of editing the first breaks SPF evaluation. Check your existing records before creating a new one.

What DMARC alignment looks like for Google Workspace

With DKIM signing active, mail from Google Workspace passes DMARC via DKIM alignment: the d= domain in the DKIM signature matches the From: domain.

In your DMARCdrift reports, Google Workspace traffic typically appears as:

  • Source identifier: mail-yw1-f201.google.com or similar (the sending IP's PTR hostname), grouped under Google's IP ranges
  • DKIM result: pass, with d=yourdomain.com
  • SPF result: pass (if your SPF record includes _spf.google.com) or neutral
  • DMARC result: pass

What Google aggregate reports cover

Google sends aggregate reports from noreply-dmarc-support@google.com as gzipped XML attachments. They cover all mail Google received claiming to be from your domain, from any sender, not just mail you sent through Google.

This means Google's reports will show:

  • Your Google Workspace mail (should be passing DMARC)
  • Any other services sending on your domain that Gmail recipients received
  • Spoofed or unauthorized senders that targeted Gmail addresses

Google reports typically arrive within 24-48 hours of the day they cover. Volume varies: a domain sending low volumes may not appear in a given day's report if Google saw no qualifying traffic during that period.


Next: Microsoft 365 setup: DKIM signing, SPF include, and connector considerations.

See also: DKIM alignment: how DKIM signing domain matching works. When reports start arriving: timing and what to check if Google's reports aren't showing up.

Ask AI about this page:ClaudeChatGPT