Brand Protection

    Google and Yahoo! DMARC Requirements – What You Need to Know

    Guidance on how to setup DMARC in Google Workspace (New Email Send Requirements in 2024). Protect your business from spoofing by setting up DMARC in Google Workspace.

    by Andrew Williams

    Key Points

    • As of February 2024, senders with over 5,000 daily emails to Google and Yahoo! accounts will have to implement an active DMARC policy. Implementing the DMARC email authentication protocol in Google Workspace can safeguard your brand.
    • Senders will also need to set SPF and DKIM records per domain and ensure alignment, as well as use ARC authentication for forwarded messages.
    • DMARC policies can be set to reject, quarantine, or simply deliver email messages that fail authentication; policies can be set separately for all your organization’s domain names.
    • Reports provide feedback on the use — and potential abuse — of your domains.

    New Email Send Requirements in 2024 

    Google and Yahoo! are changing the rules that apply to senders with over 5,000 daily emails going to Google and Yahoo! accounts.  As of February 2024, senders will need to implement an active DMARC policy.

    In addition, senders hoping to continue to reach over 5,000 Google and Yahoo! email inboxes daily will be required to set SPF and DKIM records per domain and use ARC authentication for forwarded messages.


    Emails that fail authentication will be rejected or marked as spam, compromising email delivery for customer communications sent by organizations that do not meet Google’s and Yahoo!’s new rules. 

    What Prompted this Change?

    Google and Yahoo! want to reduce the ability for attackers to hide amongst bulk senders who don’t often secure their email systems. They are looking to achieve this by focusing on email validation to reduce potential bad actors from reaching their customers’ inboxes and unwanted spam.

    There are additional benefits to this as well. Domains that have DMARC in place have improved inbox placement, meaning emails are less likely to be flagged as spam or rejected outright.

    What Are the Enforcement Dates?

    • Yahoo! gradually began enforcing guidelines in February 2024.
    • Google implemented a gradual enforcement process in February 2024 with temporary errors and will follow up with rejection of non-compliant email traffic starting in April 2024.
    • Bulk senders must implement one-click unsubscribe in all commercial, promotional messages by June 1, 2024.

    Get Help from Mimecast

    Mimecast can assist organizations that may have trouble meeting these new standards. A SaaS solution, Mimecast’s DMARC Analyzer empowers customers to easily manage complex deployment projects and provides 360° visibility and governance. It provides fast and simple enforcement using intuitive self-service tools, including integrated project management, delivering low risk enforcement. Explore the DMARC resource kit to learn more.

    Technical Information to Know About DMARC and DMARC Policies

    What Is a DMARC Record?

    A Domain-based Message Authentication, Reporting and Conformance (DMARC) record spells out for a receiving email server what to do if a Gmail message from your brand’s domain fails authentication.

    DMARC works with two email authentication methods: Sender Policy Framework (SPF) and Domain Keys Identified Mail (DKIM). SPF allows you to specify which IP addresses in your domain are authorized to send email. DKIM adds a digital signature to outgoing messages. The receiving server uses SPF to authenticate the message as coming from a trusted source and DKIM to verify the message has not been altered en route.

    Google Workspace DMARC Policies

    A DMARC record needs to specify a policy for the action the receiving server should take if the incoming email fails SPF or DKIM authentication. There are three Gmail DMARC policy options:

    • None: Deliver the message normally.
    • Quarantine: Send the message to the recipient’s spam folder or to quarantine if a quarantine option is configured.
    • Reject: Do not deliver the message. Often the receiving server will inform the sender of the message failure.

    Google Workspace recommends using the “none” setting at first, and then carefully reviewing the reports. Then, as you identify illegitimate versus legitimate users of your domain — marketing partners, for example, that send email on your behalf —  Google suggests changing the policy to quarantine, then finally to reject. Regardless of the action taken, you can set the DMARC record to request the receiving email server send a report indicating which of your domain’s email servers are sending email and the percentage of messages passing or failing authentication.

    Steps to Set Up a Google Workspace DMARC Record[i]

    DMARC is set up as a DNS TXT record on your domain host. The record contains flags specifying parameters for the receiving server. Each parameter is a tag-value pair. For example, to set the policy to reject, the tag-value pair would be “p=reject”.

    Following these steps will get your DMARC record set up and published:

    1. Configure both SPF and DKIM, then allow 48 hours before publishing the DMARC record.

    2. Create the DMARC record as a line of text with tag-value pairs separated by semicolons. The accompanying table lists sample tags and possible values. Be aware that these tags and values might vary from host to host. The and p tags are required and must be first. The remaining tags are optional.



    vVersion. This must be DMARC1.
    pPolicy for messages that fail authentication. Possible values are rejectquarantine or none.
    spPolicy for subdomains. Possible values are rejectquarantine or none. The default is to apply the same policy as the domain.
    pctThe percentage of invalid messages that should be acted on. Value must be 1-100, with 100 as the default.
    aspfThe alignment policy for SPF. Can be s (strict) or r (relaxed). Relaxed is the default.
    adkimThe alignment policy for DKIM. Can be s (strict) or r (relaxed). Relaxed is the default.
    ruaThe email address (preceded by mailto:) to which DMARC reports should be sent.

    3. From the management console of your domain host, locate the place where you can update the DNS record. Enter the name of your DMARC TXT record as “dmarc” followed by a period and your domain name. Some hosts will automatically append the domain name. Upload the record and save the changes. Repeat this process for each of your domains.

    Third-Party Solutions for DMARC Setup

    If the Google Workspace DMARC process seems a little daunting, the good news is that security service providers like Mimecast offer cloud-based DMARC tools. Such tools simplify DMARC implementation — for example, by providing setup wizards for creating DMARC records for all your domains. Other tools validate DMARC records and create user-friendly reports and charts for analyzing messages that failed authentication, as well as forensic reports for finding the source of malicious email messages.

    The Bottom Line About Google and Yahoo! DMAR Requirements

    As online brand impersonation continues to grow, sites like Google and Yahoo! will implement stricter standards for senders, especially those that send thousands of emails per day. Mimecast stands ready to help with DMARC Analyzer and the expertise needed to meet new DMARC guidelines.

    Learn more about how you can comply with critical DMARC and Google Workspace regulation starting in February 2024. 



    [i] See Google DMARC instructions


    Subscribe to Cyber Resilience Insights for more articles like these

    Get all the latest news and cybersecurity industry analysis delivered right to your inbox

    Sign up successful

    Thank you for signing up to receive updates from our blog

    We will be in touch!

    Back to Top