Before you set up DMARC

Review the information in this article before you set up DMARC for your domain.

This might not be easy

DMARC has been around for a few years, and it’s an effective way to protect your domain from spoofing. So we recommend you always enable DMARC for your organization.

We’ve tried to make setting up DMARC as easy as possible, but some steps might get technical. Please read carefully, and we’ll help you through each step. By testing your configuration and continuously monitoring your DMARC reports, you can successfully implement DMARC.

Set up SPF and DKIM for your domain

Before you can use DMARC for your domain, you should turn on Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) for your domain. Using a DMARC policy requires that messages sent from your domain are authenticated by receiving servers with SPF and DKIM.

SPF, DKIM, and DMARC are applied per domain. If you manage more than one domain, you must enable SPF, DKIM, and DMARC separately for each domain.

Important:

  • If you don't set up SPF and DKIM before enabling DMARC, messages sent from your domain will probably have delivery issues.
  • Allow 48 hours after setting up SPF and DKIM before setting up DMARC.

For detailed steps to set up SPF and DKIM, go to Help prevent spoofing, phishing, and spam.

Set up a group or mailbox for reports

The number of DMARC reports you receive by email can vary, and depends on how much email your domain sends. You can receive many reports every day. Large organizations might get up to hundreds or even thousands of reports daily.

We recommend you create a group or a dedicated mailbox to receive and manage DMARC reports.

Get your domain host sign-in information 

DMARC is enabled at your domain host provider, not in your Google Admin console. So you'll need the sign-in information for your domain host account.

Check for an existing DMARC record (optional)

Before you set up DMARC for your domain, you can optionally check if your domain has an existing DMARC DNS TXT record. Mail providers and domain providers don’t always turn on DMARC by default.

If you already have a DMARC record for your domain, we recommend you review your DMARC reports. Make sure that messages sent from your organization pass authentication by receiving servers, and are delivered to recipients. Learn about using DMARC reports.

Important: Enable DMARC for your domain in your domain provider settings, in the DNS TXT records. You can’t check or enable your DMARC record in the Admin console.

You can verify your current DMARC record with the G Suite Toolbox, or by checking your domain’s DNS TXT records at your domain provider.

Use the G Suite Toolbox

  1. Go to the G Suite Toolbox.
  2. Go to Verify DNS issues and then Check MX.
  3. Enter your domain name in the Domain name field, then click RUN CHECKS!
  4. The results indicate whether your domain has a DMARC record:
    • DMARC is not set up—Your domain doesn’t have a DMARC record yet.
    • Formatting of DMARC policies—Your domain has an existing DMARC record.

Check your domain’s DNS TXT records

  1. Sign into the management console for your domain provider.
  2. Locate the page or dashboard where you update your domain’s DNS records.
  3. Check the DNS TXT records for your domain. If your domain has a DMARC record, there's a TXT record entry that starts with v=DMARC.
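
The same check can be scripted once you have the TXT strings in hand. The following is an added example, not part of the original article or any Google tool: it assumes you have already copied the TXT values published at _dmarc.<your domain> (where DMARC records live per RFC 7489), and the function names and the example.com sample records are constructed for illustration.

```python
# Added example: inspect TXT strings already fetched from _dmarc.<domain>.
# SAMPLE_TXT is constructed data for example.com, not a real lookup result.

VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_tags(record):
    """Split 'v=DMARC1; p=none; rua=...' into a dict of lowercase tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    return tags

def check_dmarc(txt_records):
    """Return a summary dict for the TXT records found at _dmarc.<domain>."""
    # Only records that begin with the version tag count as DMARC records.
    dmarc = [r.strip() for r in txt_records if r.strip().startswith("v=DMARC1")]
    if not dmarc:
        return {"status": "not_set_up", "policy": None, "rua": [], "issues": []}
    if len(dmarc) > 1:
        # RFC 7489: receivers skip DMARC processing when several records exist.
        return {"status": "multiple_records", "policy": None, "rua": [],
                "issues": ["publish exactly one DMARC record"]}
    tags = parse_tags(dmarc[0])
    issues = []
    policy = tags.get("p", "").lower() or None
    if policy not in VALID_POLICIES:
        issues.append("p= tag missing or not none/quarantine/reject")
    # rua is a comma-separated list of mailto: URIs for aggregate reports.
    rua = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    if not rua:
        issues.append("no rua= address, so no aggregate reports are sent")
    return {"status": "exists", "policy": policy, "rua": rua, "issues": issues}

SAMPLE_TXT = [
    "google-site-verification=constructed-token",
    "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
]

if __name__ == "__main__":
    print(check_dmarc(SAMPLE_TXT))
```

An "exists" result with an empty issues list means the record names a policy and a report address; the rua address is the group or mailbox you set aside for reports.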

Make sure third-party mail is authenticated

For DMARC to effectively manage suspicious email, messages should be sent from your own domain. However, you might use a third-party service to send mail for your organization. For example, you might use a service to manage your marketing email.

Valid messages sent from third-party email providers for your domain might not pass SPF or DKIM checks. Messages that don't pass these checks are subject to the action defined in your DMARC policy. They could be sent to spam, or rejected.

To help ensure messages sent by third-party providers are authenticated:

  • Contact your third-party provider to make sure DKIM is correctly set up.
  • Make sure the provider’s envelope sender domain matches your domain. Add the IP address of the provider’s sending mail servers to the SPF record for your domain.
  • Route outgoing mail from the provider through Google using the SMTP relay service setting.