For a DMARC policy to work, three steps need to be taken.
Important: Before creating a DMARC record for your G Suite domain, you must first set up DKIM authentication. If you fail to set up DKIM first, email from services such as Google Calendar will fail mail authentication and will not be delivered to users.
1) Implementing SPF record:
This is done at the time of G Suite setup and implementation. Your domain's SPF record should point to Gmail servers, with the value "v=spf1 include:_spf.google.com ~all".
2) Generating DKIM and Updating it in DNS:
To generate the domain key (DKIM) used to sign mail, follow the steps below:
- Sign in to the Google Admin console.
- Click Apps > G Suite > Gmail > Authenticate email.
- Select the domain for which you want to generate a domain key.
The name of your primary domain appears by default. To generate a domain key for a different domain, select it from the drop-down list.
- Click Generate new record.
- If your registrar doesn't support 2048-bit keys, change the key length from 2048 to 1024.
- Optionally, update the text used as the DKIM selector prefix.
The selector prefix is used to distinguish the domain key that G Suite uses from any other domain keys you may have. In most cases, you'll select the default prefix "google". The only reason to change the prefix is if your domain already uses a DKIM domain key with the selector prefix "google".
- Click Generate.
The text box displays the information you need in order to create the DNS record that recipients query in order to retrieve the public domain key.
Next: Update DNS records
3) Updating DMARC record in DNS:
Once SPF and DKIM are in place for our domain, we are ready to implement DMARC. DMARC is a public DNS record and doesn't require any changes in the G Suite Admin panel. You can just add the record below in the DNS panel of your domain and it's done.
Add the DMARC record below as a TXT record in your domain's DNS panel.
Host Name : "_dmarc"
TXT Value : "v=DMARC1; p=reject; aspf=s"
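
The following Python check is an added example, not part of the original guide or of Google's tooling: it validates the TXT records from the three steps above and flags a DMARC record that is published without a usable DKIM key. The domain example.com, the key value and the function names are constructed placeholders; in practice the TXT values come from your own DNS lookups.

```python
# Added example: offline check of the SPF, DKIM and DMARC TXT records.
VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_tags(record):
    """Split a 'tag=value; tag=value' record (DKIM/DMARC syntax) into a dict."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {key.strip().lower(): value.strip() for key, value in pairs}

def check_domain(domain, txt, selector="google"):
    """Return problems found in `txt`, a {host name: [TXT values]} mapping."""
    problems = []
    # Step 1: exactly one SPF record, and it must include Google's senders.
    spf = [r for r in txt.get(domain, []) if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        problems.append(f"expected exactly one SPF record, found {len(spf)}")
    elif "include:_spf.google.com" not in spf[0].lower().split():
        problems.append("SPF record does not include _spf.google.com")
    # Step 2: the DKIM key lives at <selector>._domainkey.<domain>; an empty
    # p= tag means the key is revoked, so it does not count as published.
    dkim_host = f"{selector}._domainkey.{domain}"
    keys = [parse_tags(r) for r in txt.get(dkim_host, [])]
    dkim_ok = any(k.get("v", "DKIM1") == "DKIM1" and k.get("p") for k in keys)
    if not dkim_ok:
        problems.append(f"no usable DKIM key at {dkim_host}")
    # Step 3: one DMARC record at _dmarc.<domain>, with v=DMARC1 as first tag.
    dmarc = [r for r in txt.get(f"_dmarc.{domain}", [])
             if r.split(";")[0].replace(" ", "") == "v=DMARC1"]
    if len(dmarc) != 1:
        problems.append(f"expected exactly one DMARC record, found {len(dmarc)}")
        return problems
    tags = parse_tags(dmarc[0])
    if tags.get("p", "").lower() not in VALID_POLICIES:
        problems.append(f"invalid DMARC policy p={tags.get('p')!r}")
    if tags.get("aspf", "r").lower() not in {"r", "s"}:
        problems.append(f"invalid SPF alignment aspf={tags.get('aspf')!r}")
    # The guide's warning: DMARC must not be published before DKIM is set up.
    if not dkim_ok:
        problems.append("DMARC is published but DKIM is not set up")
    return problems

# Constructed sample zone for the placeholder domain example.com.
SAMPLE = {
    "example.com": ["v=spf1 include:_spf.google.com ~all"],
    "google._domainkey.example.com": ["v=DKIM1; k=rsa; p=PLACEHOLDERKEY"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; aspf=s"],
}

if __name__ == "__main__":
    print(check_domain("example.com", SAMPLE) or "all three records look consistent")
```

An empty result means the three records are consistent with the steps above; it does not prove that the published DKIM key matches the one G Suite signs with.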