Google DMARC check: verify your domain meets Gmail's requirements
Gmail now requires DMARC for bulk senders. Learn how to check if your domain passes Google's email authentication requirements, fix common issues, and monitor your DMARC status.
If your emails to Gmail users are bouncing or landing in spam, DMARC is probably why. Google enforces email authentication requirements now, and domains that fail get filtered or rejected.
You can verify your configuration in seconds. But fair warning: most domains we check have at least one problem.
Why Google cares about DMARC
Gmail handles billions of emails daily. Phishing and spoofing got bad enough that Google implemented sender requirements in 2024, and they’re enforcing them.
According to Google’s Email Sender Guidelines, all senders must configure SPF or DKIM for their domain. Bulk senders (5,000+ messages per day to Gmail addresses) need SPF, DKIM, and DMARC, plus alignment between the authentication mechanisms and the visible From address.
If you’re not compliant, Gmail may mark your messages as spam, reject them with a 5.7.26 error, or throttle your sending. For businesses that rely on email, this breaks things fast.
How to run a Google DMARC check
Use our free Google DMARC checker to verify your domain. Enter your domain name, click Check domain, and you’ll see results for DMARC, SPF, DKIM, and BIMI. The tool shows whether each record exists, if it’s properly formatted, and what policy is active.
For Google’s requirements, here’s what matters:
DMARC record must exist. Any policy (p=none, p=quarantine, or p=reject) meets Google’s baseline, but p=none doesn’t actually protect you from spoofing.
SPF record must exist and pass. Google verifies that the sending IP is in your authorized list.
DKIM signature is required for bulk senders. Emails need a valid DKIM signature that aligns with your domain.
Alignment is where most domains trip up. SPF or DKIM must match the domain in your From header. We explain how this works in our guide on DMARC, SPF, DKIM alignment.
What Google actually checks
When Gmail receives an email claiming to be from your domain, it runs these checks in sequence.
First, Gmail looks up your SPF record and compares the sending IP against your authorized list. If the IP matches, SPF passes.
Second, Gmail verifies the DKIM signature (if present) against the public key in your DNS. If the signature is valid and hasn’t been tampered with, DKIM passes.
Third, Gmail checks your DMARC record at _dmarc.yourdomain.com. The DMARC check determines whether SPF or DKIM passed with alignment. Alignment means the domain authenticated by SPF or DKIM matches the domain in the visible From header.
If DMARC passes, the email is delivered normally. If DMARC fails, Gmail applies your DMARC policy: p=none does nothing (but still logs the failure), p=quarantine sends the message to spam, and p=reject blocks it entirely.
For bulk senders, Google requires that at least one of SPF or DKIM pass with alignment. In practice, you want both configured because SPF often breaks with email forwarding.
Common failures in Google DMARC checks
We’ve analyzed thousands of domains. The same problems keep showing up.
No DMARC record
The most basic failure. Without a DMARC record, you have no policy and no visibility into authentication. Gmail won’t reject your email for this alone (unless you’re a bulk sender), but anyone can spoof your domain.
To fix this, create a DMARC record using our DMARC generator. Start with p=none to monitor before enforcing.
DMARC exists but stays at p=none
A DMARC record satisfies Google’s technical requirement, but p=none means receivers won’t act on failures. Attackers can still spoof your domain.
Starting with p=none is reasonable. Staying there forever is not. Our enforcement playbook walks you through moving to actual protection.
SPF alignment failure
Your SPF record is valid and the sending IP passes the check, but DMARC still fails. Why? The SPF-authenticated domain doesn’t match your From header domain.
This happens constantly with third-party senders. When you use a service like SendGrid or Mailchimp, they send from their own infrastructure. The Return-Path (which SPF validates) uses their domain, not yours. Even though SPF passes, it doesn’t align with your From address.
The solution is DKIM. Configure your third-party senders to sign with your domain using DKIM. When the d= tag in the signature matches your From domain, alignment passes.
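The check sequence and the third-party alignment failure described above, as an added example that is not code from the original article. The domains and results are constructed, `org_domain` is a deliberate simplification (real receivers use the Public Suffix List), and the `strict` flag generalizes beyond the article to RFC 7489's strict alignment mode.

```python
# Added example: DMARC verdict from SPF/DKIM results plus alignment.
# All domains and results below are constructed.

def org_domain(domain):
    # Simplification (assumption): keep the last two labels. Real receivers
    # use the Public Suffix List, so this is wrong for suffixes like co.uk.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, strict=False):
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if strict else org_domain(a) == org_domain(f)

def dmarc_verdict(from_domain, spf, dkim_sigs, policy, strict=False):
    """spf is (result, Return-Path domain); dkim_sigs is [(result, d= domain)].
    Returns (dmarc_result, action, notes)."""
    notes = []
    spf_result, spf_domain = spf
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, strict)
    if spf_result == "pass" and not spf_ok:
        notes.append(f"SPF passed for {spf_domain} but is not aligned")
    dkim_ok = False
    for result, d in dkim_sigs:
        if result != "pass":
            continue
        if aligned(d, from_domain, strict):
            dkim_ok = True
        else:
            notes.append(f"DKIM d={d} verified but is not aligned")
    if spf_ok or dkim_ok:
        return "pass", "deliver", notes
    action = {"none": "deliver", "quarantine": "spam", "reject": "reject"}[policy]
    return "fail", action, notes

# Third-party sender using its own Return-Path and signing domain.
VENDOR_ONLY = dmarc_verdict("example.com", ("pass", "bounce.esp-vendor.test"),
                            [("pass", "esp-vendor.test")], "quarantine")
# Same sender after DKIM is set up to sign with a subdomain of the From domain.
VENDOR_FIXED = dmarc_verdict("example.com", ("pass", "bounce.esp-vendor.test"),
                             [("pass", "mail.example.com")], "quarantine")
# Forwarded message: SPF fails at the forwarder's IP, DKIM still verifies.
FORWARDED = dmarc_verdict("example.com", ("fail", "example.com"),
                          [("pass", "example.com")], "reject")

if __name__ == "__main__":
    for name, v in [("vendor only", VENDOR_ONLY), ("vendor fixed", VENDOR_FIXED),
                    ("forwarded", FORWARDED)]:
        print(name, v)
```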
DKIM not configured
Many email platforms don’t enable DKIM by default. Microsoft 365, for example, requires you to publish CNAME records and toggle DKIM on in the admin portal. Our Microsoft 365 DMARC guide covers the complete setup.
Without DKIM, you’re relying solely on SPF alignment, which breaks whenever email is forwarded.
SPF exceeds lookup limit
SPF has a hard limit of 10 DNS lookups. Each include: mechanism triggers additional lookups. Add too many email services, and your SPF record returns a PermError, effectively failing all checks.
Check your current lookup count with our SPF generator. If you’re over the limit, audit your record and remove services you no longer use.
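How the lookup count adds up across nested includes, as an added example that is not code from the original article or from the SPF generator it mentions. The `ZONE` records are constructed stand-ins for DNS answers, and the set of lookup-costing terms follows RFC 7208 section 4.6.4.

```python
import re

# Constructed records standing in for DNS TXT answers (not real domains).
ZONE = {
    "example.com": "v=spf1 mx include:_spf.mailer.test include:_spf.crm.test "
                   "include:_spf.desk.test ~all",
    "_spf.mailer.test": "v=spf1 include:a.mailer.test include:b.mailer.test "
                        "include:c.mailer.test ~all",
    "a.mailer.test": "v=spf1 ip4:192.0.2.0/26 ~all",
    "b.mailer.test": "v=spf1 ip4:192.0.2.64/26 ~all",
    "c.mailer.test": "v=spf1 ip4:192.0.2.128/26 ~all",
    "_spf.crm.test": "v=spf1 a mx include:pool.crm.test ~all",
    "pool.crm.test": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_spf.desk.test": "v=spf1 a:out.desk.test ~all",
}

# Terms that cost one DNS lookup each (RFC 7208, section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
TERM = re.compile(r"[+\-~?]?([a-z0-9]+)(?:[:=]([^/]+))?")

def count_lookups(domain, zone, path=()):
    """Count lookups for one record, following include/redirect targets."""
    if domain in path:
        raise ValueError(f"include loop at {domain}")
    record = zone.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        raise LookupError(f"no SPF record for {domain}")
    total = 0
    for term in record.lower().split()[1:]:
        name, target = TERM.match(term).groups()
        if name in LOOKUP_TERMS:
            total += 1
        if name in ("include", "redirect") and target:
            total += count_lookups(target, zone, path + (domain,))
    return total

def spf_status(domain, zone, limit=10):
    n = count_lookups(domain, zone)
    return ("permerror" if n > limit else "ok"), n

if __name__ == "__main__":
    print(spf_status("example.com", ZONE))
```

The top-level record lists only four lookup terms, yet the nested includes bring the total over the limit, which is why the count has to be taken recursively.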
The bulk sender threshold
Google defines bulk senders as those sending 5,000 or more messages per day to Gmail addresses. This threshold applies to the total volume from your domain, not per email address.
Once you cross this threshold, the rules get stricter. The RFC 7489 DMARC specification defines how domain owners can request handling of unauthenticated messages. Google now mandates this for high-volume senders.
Bulk senders must have:
- SPF record that passes checks
- DKIM signing aligned with the From domain
- DMARC record (any policy)
- One-click unsubscribe for marketing messages
- Spam complaint rate below 0.3%
- Valid forward and reverse DNS records
- TLS encryption
Miss any of these and your emails may bounce. The frustrating part: Google doesn’t tell you which requirement you’re failing.
How to fix Google DMARC failures
Here’s the fix sequence.
Step 1: verify current state
Run your domain through our Google DMARC checker. Note what’s missing or misconfigured.
Step 2: fix SPF first
Ensure you have a single SPF record that includes all legitimate sending sources. No duplicate records. Stay under 10 lookups.
Step 3: configure DKIM
Set up DKIM for every service that sends email as your domain. This includes your primary email platform (Google Workspace, Microsoft 365) and all third-party tools (marketing automation, helpdesk, CRM, transactional email).
Each service has its own DKIM setup process. Most require you to add DNS records (CNAME or TXT) and enable signing in their admin panel.
Step 4: create or update DMARC
If you don’t have a DMARC record, create one. If you’re stuck at p=none, plan your path to enforcement.
The record goes at _dmarc.yourdomain.com as a TXT record:
v=DMARC1; p=none; rua=mailto:[email protected];
Replace the reporting address with your DMARCTrust unique address to receive aggregate reports.
Step 5: monitor and iterate
A point-in-time check shows current configuration. It doesn’t tell you if your emails are actually passing in production, or who’s sending as your domain.
For that, you need ongoing DMARC monitoring. Gmail, Yahoo, Microsoft, and other receivers send aggregate reports. DMARCTrust parses them and shows you which senders pass or fail alignment.
Beyond the check: continuous monitoring
A single Google DMARC check tells you the current state. It doesn’t tell you when things break.
Things change. Someone adds a new marketing tool. A vendor switches their sending infrastructure. An IT admin edits the SPF record without realizing what it does. Without monitoring, you find out when Gmail starts bouncing your CEO’s emails.
DMARCTrust processes aggregate reports automatically. You see every IP sending as your domain, their SPF and DKIM status, alignment rates, and trends. When something breaks, you know right away.
The enforcement path
Google’s requirement is technically satisfied with p=none. But monitoring without action doesn’t protect you.
The goal is p=reject, where spoofed emails get blocked. Getting there safely means staged enforcement:
- Monitor with p=none for 2-4 weeks
- Map every legitimate sender using sender inventory techniques
- Configure DKIM for third-party senders that fail alignment
- Move to p=quarantine; pct=10 (quarantine 10% of failures)
- Increase to p=quarantine; pct=100 (all failures go to spam)
- Finally, p=reject (block unauthenticated email)
Most domains can complete this in 4-8 weeks. Complex setups with many third-party senders take longer.
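A parser for the record from Step 4 that also reports which stage of the enforcement path a record is at, as an added example that is not code from the original article or its tools. The reporting address `dmarc-reports@example.com` is a constructed placeholder, and the stage labels are this example's own naming.

```python
# Added example: parse a DMARC TXT value and name its enforcement stage.
VALID_POLICIES = {"none", "quarantine", "reject"}
RUA = "rua=mailto:dmarc-reports@example.com"   # constructed placeholder

def parse_dmarc(txt):
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    tags = {}
    for part in parts:
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[key.strip().lower()] = value.strip()
    # v=DMARC1 must be the first tag, otherwise receivers ignore the record.
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p", "").lower() not in VALID_POLICIES:
        raise ValueError("p= must be none, quarantine or reject")
    tags["p"] = tags["p"].lower()
    pct = int(tags.get("pct", "100"))   # pct defaults to 100 when absent
    if not 0 <= pct <= 100:
        raise ValueError("pct must be between 0 and 100")
    tags["pct"] = pct
    return tags

def review(txt):
    """Return (stage, notes) for one DMARC record."""
    tags = parse_dmarc(txt)
    p, pct = tags["p"], tags["pct"]
    if p == "none":
        stage = "monitor"
    elif pct < 100:
        stage = f"partial {p} ({pct}% of failures)"
    else:
        stage = p
    notes = []
    if "rua" not in tags:
        notes.append("no rua= address: no aggregate reports will arrive")
    if p == "none":
        notes.append("p=none: failures are reported but spoofed mail is not stopped")
    return stage, notes

# The staged records from the enforcement path, in order.
STAGES = [f"v=DMARC1; p=none; {RUA};",
          f"v=DMARC1; p=quarantine; pct=10; {RUA}",
          f"v=DMARC1; p=quarantine; pct=100; {RUA}",
          f"v=DMARC1; p=reject; {RUA}"]

if __name__ == "__main__":
    for record in STAGES:
        print(review(record)[0], "<-", record)
```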
Check your domain now
Go to our Google DMARC checker and enter your domain. You’ll see whether you pass Google’s requirements and what needs fixing.
Missing records? Our free generators create properly formatted DMARC and SPF records.
For ongoing monitoring, sign up for DMARCTrust. Add your domain, get your unique reporting address, update your DMARC record. Reports start arriving within 48 hours.
Google checks your DMARC. You should too.