In almost every audit I run, I check DMARC. And in most of them, one of two things is true: it is either missing entirely, or it is set to do nothing. Both mean the same thing in practice: anyone on the internet can send an email that looks exactly like it came from your domain, and there is nothing to stop it.
This isn't hypothetical. It's one of the most common ways businesses get their clients defrauded. A supplier's domain is spoofed. An invoice lands in a client's inbox with the right logo, the right signature, and a different bank account. The client pays it. Nobody realises until it's too late.
DMARC is not complicated to set up. But understanding what it actually does — and why the order matters — will save you from implementing it in a way that quietly breaks your email.
First: the three records that work together
DMARC doesn't work in isolation. It works alongside two other DNS records: SPF and DKIM. You need to understand all three before you touch any of them.
1 SPF — who's allowed to send email as you
SPF (Sender Policy Framework) is a DNS record that lists which servers are authorised to send email on behalf of your domain. When someone receives an email purportedly from your domain, their mail server checks your SPF record: is this coming from somewhere you've approved?
For Google Workspace, your SPF record should look like this:
v=spf1 include:_spf.google.com ~all
The ~all at the end means "soft fail" — emails from unauthorised servers are accepted but flagged as suspicious. Once you're confident everything legitimate is included, you harden this to -all (hard fail), which means unauthorised emails are rejected outright.
2 DKIM — a digital signature on every email
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every email you send. The receiving server checks that signature against a public key stored in your DNS. If the signature matches, the email is verified as genuinely from your domain and untampered in transit.
Google Workspace generates your DKIM key for you. You activate it and add the DNS record it provides.
Go to Google Admin Console → Apps → Google Workspace → Gmail → Authenticate email. Select your domain, click Generate new record. Add the TXT record it gives you to your DNS, then click Start Authentication. Allow up to 48 hours to propagate.
3 DMARC — what to do when checks fail
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is the record that tells receiving mail servers what to do when an email fails SPF or DKIM. Without DMARC, even if you have SPF and DKIM configured, a spoofed email can still land in your client's inbox — the receiving server has no instruction to block it.
DMARC has three possible policies:
p=none
Monitor only
Emails are delivered regardless. You receive reports on failures. A starting point — not protection.
p=quarantine
Quarantine
Emails that fail go to spam. Better — but spoofed emails still reach the recipient.
p=reject
Reject
Emails that fail are refused entirely. This is where you want to end up.
Most businesses I audit have either no DMARC record, or a DMARC record set to p=none. Neither offers real protection. p=reject is the target.
Why you should not go straight to p=reject
This is the part most guides skip, and it's the part that causes businesses to accidentally break their own email.
If you jump straight to p=reject without first confirming that your SPF and DKIM are correctly configured for every service sending email on your behalf, you may start rejecting your own legitimate emails. This happens when a CRM, invoicing tool, or mailing platform isn't included in your SPF record. Set DMARC to reject before fixing that, and those emails get blocked silently.
The correct approach is staged:
- Start with p=none and an rua reporting address to receive aggregate reports
- Check the reports for two to four weeks — look for any legitimate services failing authentication
- Fix anything that's failing — add missing services to your SPF, confirm DKIM is passing
- Move to p=quarantine once confident everything legitimate passes
- Move to p=reject once quarantine has been stable for another two to four weeks
If you're a small business on Google Workspace with no third-party email tools, you can often move through this faster. But the staged approach is the safe one regardless.
"A DMARC record set to p=none is like a burglar alarm that logs break-ins but doesn't stop anyone getting through the door."
How to set up DMARC on Google Workspace
DMARC is set as a TXT record in your DNS — wherever your domain DNS is managed (Cloudflare, GoDaddy, Hostinger, etc). You're not doing anything in the Google Admin Console for DMARC itself.
Create a new TXT record with the host set to _dmarc. Start with this value — it monitors without blocking anything:
v=DMARC1; p=none; rua=mailto:support@yourcompany.com
Replace support@yourcompany.com with an email address you actually check. This is where DMARC aggregate reports will arrive.
After a few days you'll start receiving reports. They arrive as raw XML — use a free tool like dmarcian.com or MXToolbox DMARC Analyser to read them in a sensible format. You're looking for any legitimate email sources that are failing — those need fixing before you tighten the policy.
Once you've confirmed only legitimate email is passing, update to p=quarantine. After another two to four weeks of stability, move to p=reject. Your final record:
v=DMARC1; p=reject; rua=mailto:support@yourcompany.com
How to check what you have right now
Before doing anything, check your current state. Go to MXToolbox, enter your domain, and run the DMARC, SPF, and DKIM lookups. The results will tell you what's there and whether it's configured correctly.
A missing DMARC record and a p=none DMARC record look very different in a tool like MXToolbox — but for practical protection purposes, they're nearly the same. What you want to see is p=reject.
The uncomfortable thing about p=none
A lot of businesses have a DMARC record. When I check it in an audit, it says p=none. The business owner often says "oh good, we've got DMARC." They haven't — not really. They've told the world they're aware of DMARC but haven't done anything to enforce it.
p=none is a starting point, not a destination. If your DMARC has been set to p=none for more than a month, the monitoring phase is over. Move it to p=quarantine.
Summary — the three records in order
- SPF: Add v=spf1 include:_spf.google.com ~all as a TXT record on your domain. Harden to -all once you're sure no other services send on your behalf.
- DKIM: Activate in Google Admin Console → Gmail → Authenticate email. Add the TXT record it generates to your DNS.
- DMARC: Start with p=none, monitor for two to four weeks, move to p=quarantine, then p=reject.
Do them in that order. Don't skip ahead. The whole point of DMARC is the enforcement policy at the end — everything before it is just making sure you don't accidentally block your own email when you get there.
Want to know where your email authentication stands?
GetBulwark reviews SPF, DKIM, and DMARC as part of the free 20-point manual review — along with 17 other checks across your Google Workspace. 45 minutes, written PDF report, no obligation.
Book your free auditIf you do one thing today: go to MXToolbox, check your DMARC record, and find out where you actually are. If it's missing, add p=none with a reporting address and start from there. If it's already on p=none and has been for a while, move it to p=quarantine. If it's on quarantine and everything looks fine, move it to p=reject.
It takes less than an hour. And once it's done, your domain can't be used to send phishing emails to your clients.
