DMARC Failure on Google Workspace — Common Causes and Fixes

Mar 15, 2026 · Joey · 3 min read

Why Is DMARC Failing on Google Workspace?

The most common cause of DMARC failure on Google Workspace is that DKIM is not enabled for your custom domain. Google Workspace does not enable DKIM by default — you have to manually generate a key and add it to your DNS. Without it, DKIM either fails or signs with a Google domain that does not align with your From address.

The Top Causes (and Fixes)

1. DKIM Is Not Enabled (Most Common)

Google Workspace can send email without DKIM configured. When it does, it either skips DKIM entirely or signs with a default Google domain. Either way, DKIM alignment with your custom domain fails.

How to fix:

  1. Go to Google Admin Console → Apps → Google Workspace → Gmail → Authenticate email
  2. Select your domain
  3. Click Generate New Record (choose 2048-bit if your DNS supports it)
  4. Add the generated TXT record to your DNS:
     google._domainkey.yourdomain.com  TXT  "v=DKIM1; k=rsa; p=MIIBIjANBgkq..."
  5. Return to the Admin Console and click Start Authentication

After propagation (usually 5–30 minutes), Google will sign all outgoing email with your domain's DKIM key.

2. SPF Record Is Missing or Broken

Your SPF record must authorize Google's mail servers:

v=spf1 include:_spf.google.com ~all

Common mistakes:

3. Sending from Aliases or "Send As" Addresses

If you use Gmail's "Send mail as" feature to send from a different address, Google may send the email through a different SMTP path. If that path does not have proper DKIM/SPF for the alias domain, DMARC fails.

Fix: In Gmail settings, configure the "Send mail as" address to use Gmail's servers (not an external SMTP server). This ensures Google signs the email with DKIM. Then make sure the alias domain also has proper SPF and DKIM records.

4. Google Groups and Mailing Lists

Google Groups modifies the email envelope when redistributing messages. This can break both SPF (new sending IP) and DKIM (modified headers). DMARC will fail for forwarded messages.

Fix: This is a known limitation. Google Groups uses ARC (Authenticated Received Chain) headers to preserve authentication information, and many receiving servers honor ARC. But there is no sender-side fix for all recipients. Monitor your DMARC reports to understand the impact.

5. Third-Party Apps Using Google SMTP Relay

Applications that send via Google's SMTP relay (smtp-relay.gmail.com) may not be properly authenticated. The relay supports DKIM signing if configured correctly.

Fix: In the Google Admin Console, configure the SMTP relay to require DKIM signing for your domain.

Complete Google Workspace DMARC Setup Checklist

  1. SPF: Publish v=spf1 include:_spf.google.com ~all (or merge with existing record)
  2. DKIM: Generate and publish the DKIM key from the Admin Console, then enable signing
  3. DMARC: Publish a DMARC record starting with p=none:
     _dmarc.yourdomain.com  TXT  "v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com"
  4. Test: Send an email to an external address and check headers for dmarc=pass
  5. Monitor: Review DMARC reports for 2–4 weeks to identify any failing sources
  6. Enforce: Move to p=quarantine, then p=reject

How to Verify It Is Working

Send an email from Google Workspace to an external account (Gmail personal, Outlook, etc.). Check the raw headers:

Authentication-Results:
  spf=pass smtp.mailfrom=yourdomain.com;
  dkim=pass header.d=yourdomain.com header.s=google;
  dmarc=pass header.from=yourdomain.com;

If dkim=pass shows header.d=yourdomain.com, DKIM alignment is working. DMARC should pass.
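
To run the same check over many messages instead of reading headers by eye, the following added example (not part of the original article) parses an Authentication-Results header and reports whether SPF or DKIM both passed and aligned with the From domain. The second header is a constructed sample whose d= value stands in for a default Google signing domain, and alignment is simplified to an exact or parent/child match rather than a Public Suffix List lookup.

```python
import re

def parse_auth_results(header):
    """Return {method: [(result, {property: value}), ...]} for spf, dkim and dmarc."""
    body = " ".join(header.split())              # unfold continuation lines
    body = re.sub(r"\([^)]*\)", "", body)        # drop parenthesised comments
    body = re.sub(r"^Authentication-Results:\s*", "", body, flags=re.I)
    found = {}
    for clause in body.split(";"):
        m = re.match(r"\s*(spf|dkim|dmarc)=(\w+)(.*)", clause, flags=re.I)
        if not m:
            continue                             # authserv-id or another method
        props = dict(re.findall(r"([\w.]+)=(\S+)", m.group(3)))
        found.setdefault(m.group(1).lower(), []).append((m.group(2).lower(), props))
    return found

def aligned(domain, from_domain):
    """Relaxed alignment, simplified to an exact or parent/child domain match.
    Assumption: a full check compares organizational domains via the Public Suffix List."""
    d, f = domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    if not d or not f:
        return False
    return d == f or d.endswith("." + f) or f.endswith("." + d)

def diagnose(header, from_domain):
    """Report which mechanisms both passed and aligned with the From domain."""
    res = parse_auth_results(header)
    dkim = any(r == "pass" and aligned(p.get("header.d", ""), from_domain)
               for r, p in res.get("dkim", []))
    spf = any(r == "pass" and aligned(p.get("smtp.mailfrom", "").rpartition("@")[2], from_domain)
              for r, p in res.get("spf", []))
    return {"dkim_aligned": dkim, "spf_aligned": spf, "dmarc_should_pass": dkim or spf}

# Header shown in the article: DKIM signed with the custom domain.
CUSTOM_SIGNED = """Authentication-Results:
  spf=pass smtp.mailfrom=yourdomain.com;
  dkim=pass header.d=yourdomain.com header.s=google;
  dmarc=pass header.from=yourdomain.com;"""

# Constructed sample: a forwarded message where SPF fails and DKIM passes,
# but with a d= value (constructed) that does not align with the From domain.
DEFAULT_SIGNED = """Authentication-Results: mx.example.net;
  spf=fail smtp.mailfrom=yourdomain.com;
  dkim=pass header.d=yourdomain-com.20230601.gappssmtp.com header.s=20230601;
  dmarc=fail (p=NONE) header.from=yourdomain.com"""

if __name__ == "__main__":
    for name, hdr in (("custom key", CUSTOM_SIGNED), ("default key", DEFAULT_SIGNED)):
        print(name, diagnose(hdr, "yourdomain.com"))
```

The second case shows why dkim=pass alone is not enough: the signature verifies, but header.d does not match the From domain, so nothing aligned is left once SPF fails.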

FAQ

Does Google Workspace enable DKIM by default?

No. You must manually generate the DKIM key in the Admin Console and add the corresponding DNS record. Until you do this, Google either skips DKIM or signs with a default domain that will not align with your custom domain.

Should I use 1024-bit or 2048-bit DKIM keys?

Use 2048-bit if your DNS provider supports TXT records longer than 255 characters (most modern providers do). It provides stronger cryptographic security. If your DNS provider truncates long records, fall back to 1024-bit.

Why does my DMARC report show failures from Google IPs?

This typically means some emails from your domain are passing through Google's infrastructure but failing alignment. Common causes: Google Groups forwarding, "Send mail as" misconfiguration, or SMTP relay without DKIM. Check the source IP against Google's published IP ranges to confirm it is legitimate Google traffic.

Can I use Google Workspace and another email service on the same domain?

Yes. Merge both services into a single SPF record (e.g., include:_spf.google.com include:sendgrid.net) and set up DKIM for each service. DMARC alignment works per-message, so each service just needs its own DKIM key configured.
