Fix guide

How to Fix DMARC Alignment for Google Workspace

Use this when Workspace mail fails DMARC: flip on real DKIM in Admin and publish the 2048-bit TXT — most teams skip that step.

Why Workspace trips DMARC

Admin can mint a proper google._domainkey TXT. If you never clicked through, you’re on a weak or missing key and alignment wobbles. Brush up on DMARC and DKIM if you need vocabulary.

Exact DNS record

After generating keys in Admin, publish:

google._domainkey.yourdomain.com → TXT → "v=DKIM1; k=rsa; p=[your-public-key]" (Key generated in Google Admin)

Step-by-step fix

Step 1 Google Admin → Apps → Gmail → Authenticate email

Step 2 Select your domain and click Generate new record

Step 3 Choose 2048-bit key length

Step 4 Copy the TXT record value and add it to your DNS at google._domainkey.yourdomain.com

Step 5 Return to Google Admin and click Start authentication

Step 6 Run DNS Preflight to confirm DKIM pass and alignment

Run your domain through DNS Preflight

Open DNS Preflight →

Related glossary: DMARC · DMARC alignment · DKIM · SPF record

FAQ

Does Google Workspace automatically set up DMARC alignment?

Yes — once you publish the DKIM TXT Admin gives you, and SPF lists include:_spf.google.com.

What DKIM key size should I use for Google Workspace?

Pick 2048-bit. 1024-bit is legacy and you’ll fight auditors.

My Google Workspace DKIM shows as pass but DMARC still fails — why?

Pass isn’t alignment — the signature’s d= domain must match your From: domain. DNS Preflight shows both.

How long does Google Workspace DKIM take to activate?

Give DNS up to 48 hours. Admin stays on “Authenticating” until the TXT lands everywhere.

Do I need to set up SPF separately for Google Workspace?

Yes — one line in SPF: include:_spf.google.com. That authorizes Google’s outbound IPs.

← All DMARC fix guides

Open DNS Preflight and re-check your zone →