Fixing Google Workspace Alias DMARC Failures
As an email administrator, you may encounter an issue in Google Workspace where you've configured your secondary domain as an alias — only to find that any emails sent from that alias domain are going straight to spam due to DMARC failure.
At first, it might seem that simply configuring DMARC should fix the problem. However, emails may still fail DMARC. The key to solving this is understanding where your email is coming from and configuring SPF, DKIM, and DMARC correctly.
Step 1: Check Your SPF Record
Sender Policy Framework (SPF) authorizes servers to send email from a domain.
If your SPF record does not list a sending server, the spam confidence level will increase, possibly causing emails to be quarantined or dropped entirely.
Common senders to account for include:
- Your email provider (Google Workspace, Office 365, etc.)
- Websites sending transactional emails
- On-premises mail servers
- Third-party apps or services
For this example, we’ll assume you only send emails from Google Workspace and your alias domain.
Default Google SPF record:
v=spf1 include:_spf.google.com ~all
This works for your primary domain, but your alias needs its own SPF configuration.
Step 2: Create SPF for the Secondary Domain
In your DNS host for the secondary domain, create a new TXT record:
Name: SPF
Value: v=spf1 include:_spf.google.com redirect=YourPrimaryDomain.com
Step 3: Update SPF in the Primary Domain
Locate your primary domain SPF record (it may look like this): v=spf1 include:_spf.google.com ~all
Update it to include your secondary domain:
v=spf1 include:_spf.google.com include:spf.SecondaryDomain.com ~all
This ensures the SPF check will validate emails from both domains.
Step 4: Enable DKIM in Google Workspace
Enable DKIM for both domains.
Google’s guide: Set up DKIM
Step 5: Configure DMARC for Both Domains
In your primary domain DNS host, create a TXT record:
Name: _dmarc
Value:
v=DMARC1; p=none; rua=mailto:username@primarydomain.com; pct=100; sp=none; adkim=r; aspf=r;
The key here is
sp=noneto ensure relaxed policy for subdomains.
In your secondary domain, use the same record but update the email address:
v=DMARC1; p=none; rua=mailto:username@secondarydomain.com; pct=100; sp=none; adkim=r; aspf=r;
Step 6: Verify and Test
- Use tools like MX Toolbox to check SPF, DKIM, and DMARC records.
- Ensure no trailing spaces in your DNS records.
- Wait for DNS propagation and test sending from the alias domain.
✅ Result
After configuration, emails sent from your alias domain should now pass DMARC, improving deliverability and keeping them out of spam folders.