Fix guide
How to Fix DMARC Alignment for Google Workspace
Google Workspace automatically handles DMARC alignment when DKIM is enabled in Google Admin. The most common failure is DKIM not being turned on — Google signs email with a temporary key until you generate and publish your own 2048-bit DKIM key.
Why alignment fails
Google Workspace uses a default DKIM key (google._domainkey) that is automatically published. However, if you haven't generated a custom key in Google Admin, alignment may use a weaker default or fail entirely. See DMARC and DKIM in the glossary.
Exact DNS record
After generating keys in Admin, publish:
Step-by-step fix
Verify alignment and DNS in your browser
Open DNS Preflight →FAQ
Does Google Workspace automatically set up DMARC alignment?
DKIM alignment is automatic once you generate and publish your DKIM key in Google Admin. SPF alignment works automatically if you include:_spf.google.com in your SPF record.
What DKIM key size should I use for Google Workspace?
Always choose 2048-bit. 1024-bit keys are considered weak and Google now recommends against them.
My Google Workspace DKIM shows as pass but DMARC still fails — why?
Check DMARC alignment specifically — DKIM pass alone is not enough. The d= tag in the DKIM signature must match your From: domain. Run DNS Preflight to check alignment directly.
How long does Google Workspace DKIM take to activate?
DNS propagation takes up to 48 hours. Google Admin will show "Authenticating" until the record is verified.
Do I need to set up SPF separately for Google Workspace?
Yes. Add include:_spf.google.com to your SPF TXT record. This allows Google's servers to pass SPF checks independently of DKIM.