DMARC for Gmail: Requirements, Setup, and Sending Best Practices

Gmail is the world's largest email provider, and Google has made DMARC a core part of how it filters incoming mail. If you send email to Gmail recipients — whether from a marketing platform, a transactional email service, or your own business domain — Gmail's DMARC enforcement directly affects whether your messages reach the inbox.

This guide is specifically about sending email that lands in Gmail inboxes. If you use Google Workspace as your email provider and want to set up DMARC for your own domain, see our DMARC for Google Workspace guide instead.

What Gmail's DMARC Enforcement Means for You

Starting in 2024, Google began enforcing stricter email authentication requirements for all senders who deliver mail to Gmail addresses. This was not a suggestion or best practice — it is an active policy that Gmail applies when deciding whether to accept, spam, or reject your messages.

Here is what Gmail now requires from every sender:

SPF or DKIM must pass. Every message you send to a Gmail address must pass at least one of these authentication checks. If neither passes, Gmail is more likely to send your email to spam or reject it outright.

A DMARC record should be published. While Gmail does not yet reject all mail from domains without DMARC, having a published DMARC record significantly improves your domain's reputation with Gmail. Google has signaled repeatedly that DMARC adoption is part of its long-term authentication roadmap.

The From header must align. Gmail checks that the domain in your visible "From" address matches the domain that passed SPF or DKIM. This alignment is exactly what DMARC enforces.

If you send more than 5,000 messages per day to Gmail addresses, these requirements become mandatory. Gmail will reject messages from bulk senders who do not meet them. But even if you send fewer than 5,000, following these rules improves your deliverability.

Gmail's Bulk Sender Requirements

Google introduced specific rules for bulk senders — defined as anyone sending more than 5,000 messages per day to Gmail accounts. If you hit this threshold even once, Gmail classifies your domain as a bulk sender going forward.

Bulk senders must meet all of the following:

SPF and DKIM must both pass. Unlike the general requirement where one or the other is sufficient, bulk senders need both protocols configured and passing.

DMARC must be published with at least p=none. You need a DMARC record in your DNS. Even a monitoring-only policy (p=none) satisfies this requirement. The key is that the record exists and is valid.

The From domain must align with SPF or DKIM. Your visible "From" address must match the domain authenticated by SPF or DKIM. This is standard DMARC alignment.

One-click unsubscribe must be supported. For marketing and promotional messages, Gmail requires a one-click unsubscribe mechanism in the email headers. This is separate from DMARC but part of the same sender requirements.

Spam complaint rate must stay below 0.3%. If your spam complaint rate exceeds this threshold, Gmail will throttle or block your messages regardless of your authentication setup.

These requirements affect everyone from e-commerce stores sending order confirmations to marketing teams running email campaigns. If Gmail recipients are a meaningful part of your audience, compliance is not optional. For a deeper comparison of the authentication protocols Gmail checks, see SPF vs DKIM vs DMARC.

Setting Up DMARC for Your Custom Domain

If you use a custom domain to send email (whether through Google Workspace, another email provider, or a third-party sending service), here is how to set up DMARC to satisfy Gmail's requirements. Organizations using Google Workspace as their email platform can also see our DMARC for Google Workspace guide for workspace-specific tips.

Verify SPF is in place

Check that your domain has a valid SPF record listing all services that send email on your behalf. This includes your email provider, marketing platforms, and transactional email tools. Build your SPF record at spfcreator.com if you do not have one yet.

Verify DKIM is configured

Make sure at least one of your sending services is signing messages with DKIM, and that the public key is published in your DNS. Most email providers offer DKIM signing — you typically need to enable it in their settings and add a DNS record. Generate DKIM records at dkimcreator.com.

Generate your DMARC record

Create a DMARC record starting with a monitoring policy. A solid starting point is: v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; pct=100;. This satisfies Gmail's requirement while letting you collect data before enforcing anything.

Add the DMARC record to your DNS

Log in to your DNS provider and add a TXT record with the name _dmarc and your DMARC string as the value. The full hostname will be _dmarc.yourdomain.com. Save and wait a few minutes for propagation.

Verify the record is live

Check your record at dmarcrecordchecker.com. Confirm it starts with v=DMARC1, shows your policy, and includes your reporting address.

What Happens When Emails to Gmail Fail DMARC

When Gmail receives a message from your domain that fails DMARC, what happens depends on your published policy:

With p=none: Gmail does not take action based on your DMARC policy. However, the failure still affects Gmail's internal reputation scoring for your domain. Consistent failures will hurt your deliverability over time even without an enforcement policy.

With p=quarantine: Gmail routes failing messages to the recipient's spam folder. The recipient can still find and read the message, but it will not appear in their primary inbox.

With p=reject: Gmail drops the message entirely. The recipient never sees it — not in their inbox, not in spam. This provides the strongest protection against spoofing but means any legitimate misconfigured email is also lost.

Gmail also applies its own filtering on top of your DMARC policy. Even messages that pass DMARC can end up in spam if Gmail's algorithms detect other spam signals. DMARC is one factor in deliverability, not the only factor.

Gmail sends DMARC aggregate reports for domains with a rua tag. These reports are valuable because Gmail handles a huge percentage of consumer email. Reviewing them shows you exactly how your messages are performing when delivered to Gmail addresses.

Common DMARC Issues Affecting Gmail Delivery

Email Forwarding Breaks SPF

When someone forwards your email from one Gmail account to another, the forwarding server's IP address replaces the original sender's IP in the SPF check. This causes SPF to fail. If your DMARC setup relies entirely on SPF alignment, forwarded messages will fail DMARC.

The fix is to make sure DKIM is also configured. DKIM signatures survive forwarding because they are embedded in the email headers and body. With DKIM passing, your messages will pass DMARC even when SPF fails due to forwarding.

Third-Party Senders Failing Alignment

If you use a marketing platform or transactional email service that sends as your domain, make sure their messages align with your From domain. This means configuring the service to use your domain for DKIM signing (not theirs) and ideally setting up a custom return path for SPF alignment.

Check your DMARC aggregate reports for any sending sources showing alignment failures. Each one is a potential deliverability problem with Gmail.

Using a gmail.com Address as Your From Address

If you use a @gmail.com address as the From address in a third-party email service, those messages will almost certainly fail DMARC. Google publishes a p=none DMARC record for gmail.com, but you cannot control SPF or DKIM alignment for a domain you do not own. Use your own custom domain for sending instead.

Moving Toward Stronger Enforcement

Once your reports confirm that all legitimate email is passing DMARC, progressively tighten your policy. Start with p=quarantine; pct=10; and gradually increase the percentage. After a few weeks at full quarantine with no issues, move to p=reject.

A p=reject policy gives you the strongest protection. It tells Gmail and every other receiving server to drop fraudulent messages entirely. For more details on the progression, see our DMARC policy levels guide.

Monitor Your DMARC Record

You've created your DMARC record — now make sure it keeps working. The Email Deliverability Suite watches your SPF, DKIM, DMARC, and MX records daily and alerts you when something breaks.

Never miss a DMARC issue

Monitor your SPF, DKIM, DMARC and MX records daily. Get alerts when something breaks.

Start Monitoring