Google Workspace DMARC Not Working – Fix DMARC for Gmail Sending (2026)

Learn the bigger picture in our Email Authentication Explained guide and compare SPF vs DKIM vs DMARC to understand how these protocols work together.

One-Minute Fix

Publish one valid DMARC record at _dmarc.yourdomain, enable DKIM signing in Google Admin, and make sure SPF/DKIM align with the visible From domain before tightening policy.

v=DMARC1; p=none; rua=mailto:dmarc@example.com; adkim=r; aspf=r

Start with monitoring while you verify Google Workspace sender alignment. Move to stricter policy only after headers consistently show aligned SPF or DKIM pass.

Free live DNS check. No signup required.

Wrong vs correct setup

From: billing@example.com
DKIM-Signature: d=gmail.com; s=google;
_dmarc.example.com TXT "v=DMARC1; p=reject;"

From: billing@example.com
DKIM-Signature: d=example.com; s=google;
_dmarc.example.com TXT "v=DMARC1; p=none; rua=mailto:dmarc@example.com; adkim=r; aspf=r"

Why this happens

DMARC checks alignment, not just whether mail was sent from Google infrastructure. If DKIM is not enabled correctly in Google Admin, or SPF/DKIM align to the wrong domain, DMARC fails. This is common during domain onboarding, key rotation, or policy tightening without header validation. Misaligned authentication paths often show up as DMARC alignment failures or a reporting address that never receives data.

Why this is a problem

When Google Workspace traffic fails DMARC, mailbox providers can treat messages as less trustworthy or apply policy actions such as quarantine/reject. Business-critical mail can be filtered more aggressively, and spoofing protection remains weak if policy is kept soft indefinitely. Over time that can mean critical mail is treated like generic bulk, especially when multiple DMARC records or a misconfigured fo= tag confuse evaluation.

How this affects deliverability

A stable Google Workspace DMARC setup improves sender trust and helps providers distinguish legitimate mail from impersonation. Broken alignment reduces that trust signal, increases spam-folder risk, and complicates enforcement decisions. Over time, well-tuned DMARC aggregate reports and a clear policy stance are what help inbox providers separate your legitimate traffic from spoofing attempts.

Common causes

• DKIM signing was not fully enabled in Google Admin for the sending domain.
• SPF or DKIM passed technically but aligned to a different domain.
• DMARC policy was tightened before sender alignment was fully validated.
• Recent DNS updates for DMARC or DKIM were not fully propagated.

What we checked

We checked whether a DMARC record exists, whether policy tags are valid, and whether Google Workspace mail can provide an aligned SPF or DKIM pass for the visible From domain.

Live DNS lookup. No login. No saved domains. No tracking.

FAQ

Next steps

• Check a real Google Workspace message header for SPF/DKIM alignment.
• Enable or re-verify DKIM signing in Google Admin for the sending domain.
• Publish or correct _dmarc with p=none and a working rua mailbox.
• Review DMARC reports and fix failing sources first.
• Increase policy from none to quarantine/reject only after stable alignment.
• Review the full troubleshooting guidance in the DMARC Hub.
• Explore sender authorization issues in the SPF Hub.
• Check signing and selector issues in the DKIM Hub.

Related fixes

• DMARC alignment failed
• DMARC policy: none vs quarantine vs reject
• DMARC aggregate reports explained
• DMARC record examples
• DMARC generator

Explore more issues

• DMARC record examples
• DMARC aggregate reports explained
• DMARC generator
• No DMARC record found
• Microsoft 365 DMARC not working
• SendGrid DMARC fail