DMARC Creator for Google Workspace — Email Authentication Made Simple

Your organization runs on Google Workspace. Your team sends and receives email through Gmail every day. Google handles the infrastructure, the spam filtering, the storage. But there is one thing Google does not handle for you: publishing a DMARC record for your domain.

Without a DMARC record, anyone on the internet can send email that looks like it comes from your organization. Your clients, vendors, and employees have no way to tell the difference between a real message from your domain and a spoofed one. DMARC Creator helps Google Workspace admins generate and publish the right DMARC record in minutes, not hours.

What Google Workspace Gives You by Default

Google Workspace includes built-in support for SPF and DKIM, but neither is fully configured out of the box. Understanding what Google sets up automatically and what you need to do yourself is the first step.

SPF is partially covered. When you set up Google Workspace and follow the standard DNS instructions, you likely added an SPF record that includes include:_spf.google.com. This tells receiving servers that Google's mail servers are authorized to send email for your domain. If you did not add this SPF record during setup, your email may already be experiencing delivery issues. You can build or verify your SPF record at spfcreator.com.

DKIM needs to be turned on. Google Workspace supports DKIM signing, but it is not enabled by default. You need to go into the Google Admin console at admin.google.com, navigate to Apps, then Google Workspace, then Gmail, then Authenticate email, and generate a DKIM key for your domain. Until you do this, your outgoing messages are not DKIM-signed, which means your DMARC alignment relies entirely on SPF. That is more fragile because SPF breaks when emails are forwarded. To understand how these protocols differ, see our comparison of SPF, DKIM, and DMARC. Generate DKIM records for additional services at dkimcreator.com.

DMARC is entirely your responsibility. Google does not create a DMARC record for your domain. You need to generate one and publish it as a TXT record in your DNS. Our step-by-step DMARC setup guide walks through the full process. This is the gap that DMARC Creator fills.

Why Google Workspace Admins Need DMARC

If your organization uses Google Workspace, you are already invested in Google's email ecosystem. DMARC is the final layer that ties your authentication together and gives you control over what happens when someone tries to impersonate your domain.

How DMARC Creator Helps Google Workspace Admins

DMARC records have a specific syntax with multiple tags and values. Getting the format wrong means the record is ignored entirely and your domain remains unprotected. DMARC Creator takes the guesswork out of the process.

You tell it your domain, choose your initial policy (start with p=none), specify where you want aggregate reports sent, and the tool generates a correctly formatted DMARC record ready to paste into your DNS. No need to memorize tag names or worry about syntax errors.

For Google Workspace organizations, the typical workflow looks like this:

The Recommended Policy Progression

Jumping straight to a reject policy is risky, even for Google Workspace domains that primarily send through Gmail. Most organizations have at least one or two additional services sending email as their domain, and those services need to be properly authenticated first.

Start with p=none. This policy tells receiving servers to take no action on failing messages but to send you reports. You get full visibility with zero risk. Run this for at least two weeks. For a deeper explanation of what each level does, see our guide to DMARC policy levels.

Move to p=quarantine. Once your reports show that all legitimate email passes DMARC, switch to quarantine. Failing messages will be sent to the recipient's spam folder instead of the inbox. Start with pct=25 to phase it in gradually, then increase to pct=100 over a week or two.

Graduate to p=reject. This is the goal. With p=reject, receiving servers drop any message from your domain that fails DMARC. Spoofed emails never reach anyone. Google specifically recommends this as the end state for Workspace customers.

Google Workspace and Third-Party Sending Services

Many Google Workspace organizations also send email through services beyond Gmail. If your marketing team uses Mailchimp, your sales team uses HubSpot, or your support team uses Zendesk, each of those services sends email as your domain and needs to be included in your authentication setup.

For SPF, each service adds an include: entry to your record. Be mindful of the 10-lookup limit in SPF, since multiple services can consume that budget quickly.

For DKIM, each service provides its own signing configuration. This usually involves publishing a CNAME or TXT record in your DNS under a unique selector, like hubspot._domainkey.yourdomain.com. Each service handles this differently, so check their documentation.

The key point is that your DMARC record covers all email from your domain, regardless of which service sent it. Before you move to enforcement, every service sending as your domain needs both SPF and DKIM properly configured. If even one service is missing, its messages will fail DMARC once you enforce.

For a detailed step-by-step walkthrough of configuring DMARC for Google Workspace, including DNS examples for common providers, see our guide on how to set up DMARC for Google Workspace.

Monitor Your DMARC Record

You've created your DMARC record — now make sure it keeps working. The Email Deliverability Suite watches your SPF, DKIM, DMARC, and MX records daily and alerts you when something breaks.