Review the information in this article before you set up Domain-based Message Authentication, Reporting, and Conformance (DMARC) for your domain.
We're here to help
DMARC has been around for a few years, and it’s an effective way to protect your domain from spoofing. So we recommend you always enable DMARC for your organization.
We’ve tried to make setting up DMARC as easy as possible, but some steps might get technical. Please read carefully, and we’ll help you through each step. By testing your configuration and continuously monitoring your DMARC reports, you can successfully implement DMARC.
Prepare to set up DMARC (everyone)
Set up SPF and DKIM for your domain
Before you can use DMARC for your domain, you should turn on Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) for your domain. Using a DMARC policy requires that messages sent from your domain are authenticated by receiving servers with SPF and DKIM.
SPF, DKIM, and DMARC are applied per domain. If you manage more than one domain, you must enable SPF, DKIM, and DMARC separately for each domain.
- If you don't set up SPF and DKIM before enabling DMARC, messages sent from your domain will probably have delivery issues.
- Allow 48 hours after setting up SPF and DKIM before setting up DMARC.
For detailed steps to set up SPF and DKIM, go to Help prevent spoofing, phishing, and spam.
Set up a group or mailbox for reports
The number of DMARC reports you receive by email can vary, and depends on how much email your domain sends. You can receive many reports every day. Large organizations might get up to hundreds or even thousands of reports daily.
We recommend you create a group or a dedicated mailbox to receive and manage DMARC reports.
Get your domain host sign-in information
DMARC is enabled at your domain host provider, not in your Google Admin console. So you'll need the sign-in information for your domain host account.
Before you set up DMARC for your domain, you can optionally check if your domain has an existing DMARC DNS TXT record. Mail providers and domain providers don’t always turn on DMARC by default.
If you already have a DMARC record for your domain, we recommend you review your DMARC reports. Make sure that messages sent from your organization pass authentication by receiving servers, and are delivered to recipients. Learn about using DMARC reports.
Important: Enable DMARC for your domain in your domain provider settings, in the DNS TXT records. You can’t check or enable your DMARC record in the Admin console.
You can verify your current DMARC record with the Google Admin Toolbox, or by checking your domain’s DNS TXT records at your domain provider.
To use the Google Admin Toolbox to check for a TXT record for DMARC:
- Go to the Google Admin Toolbox.
- Go to Verify DNS issuesCheck MX.
- Enter your domain name in the Domain name field, then click RUN CHECKS!
- The results indicate whether your domain has a DMARC record:
- DMARC is not set up—Your domain doesn’t have a DMARC record yet.
- Formatting of DMARC policies—Your domain has an existing DMARC record.
To check at your domain provider for a TXT record for DMARC:
- Sign into the management console for your domain provider.
- Locate the page or dashboard where you update your domain’s DNS TXT records.
- Check the DNS TXT records for your domain. If your domain has a DMARC record, there's a TXT record entry that starts with v=DMARC.
Prepare to set up DMARC (advanced)
Prepare to set up DMARC for an organization with a large user base, on-premise mail systems, or advanced business requirements.
Make sure third-party mail is authenticated
For DMARC to effectively manage suspicious email, messages should be sent from your own domain. However you might use a third-party service to send mail for organization, for example you might use a service to manage your marketing email.
Valid messages sent from third-party email providers for your domain might not pass SPF or DKIM checks. Messages that don't pass these checks are subject to the action defined in your DMARC policy. They could be sent to spam, or rejected.
To help ensure messages sent by third-party providers are authenticated:
- Contact your third-party provider to make sure DKIM is correctly set up.
- Make sure the provider’s envelope sender domain matches your domain. Add the IP address of the provider’s sending mail servers to the SPF record for your domain.
Route outgoing mail from the provider through Google using the SMTP relay service setting.