How to Set Up Google Postmaster Tools

Gmail data starts after DNS proof

Google Postmaster Tools can show how Gmail sees your sending domain, but the charts stay blank until Google can verify the domain and see enough mail to personal Gmail accounts.

Start at Google Postmaster Tools with a Google account. Add the domain Google uses to authenticate your outgoing mail. Google names the DKIM d= domain or the SPF Return-Path domain. If those domains match, Google can use mail authenticated by SPF, DKIM, or both for dashboard data. In a clean setup, that authentication domain also aligns with the visible From domain your readers see.

• Add the primary sending domain first. Add subdomains later if you want separate charts for them.
• Copy Google's DNS verification value exactly into your DNS host.
• Wait for DNS to update. Google says verification is often quick, but DNS hosts can lag.
• Return to Postmaster Tools and click verify.
• Add teammates only after the domain is verified. They need a Google or Google Workspace account.

You can skip verification while setting up the domain, but Postmaster Tools will not show data until the domain is verified. Use Google's own setup page if the screen changes: Set up Postmaster Tools.

Fix authentication before reading reputation

Postmaster Tools shows Gmail-side signals. It does not repair the DNS or signing problems that often cause those signals to turn bad. Check SPF, DKIM, DMARC, MX, and blocklists before you blame the message copy.

SPF is a TXT record that lists which services may send mail for a domain. Publish one SPF record only. Include each real sender your business uses, such as Google Workspace, Microsoft 365, your help desk, or your email platform. RFC 7208 says SPF evaluation must stop with a permerror after more than 10 DNS-querying terms, including include, a, mx, ptr, exists, and redirect. Nested includes count.

The end of the SPF record matters. ~all is a soft fail. It says unlisted senders are probably wrong. -all is a hard fail. It says unlisted senders should fail. Many teams use ~all while finding every real sender, then move to -all after reports show nothing valid is missing.

DKIM adds a cryptographic signature to outgoing mail. The matching public key lives in DNS under a selector, often like selector1._domainkey.example.com. If you change email providers, add the new provider's selector and turn on signing in that provider. Publishing a key is not enough. The provider must sign the mail.

DMARC checks whether SPF or DKIM passes and aligns with the visible From domain. A common starting record is v=DMARC1; p=none; rua=mailto:dmarc@example.com. Use p=none while you read aggregate reports and find all legitimate senders. Move to p=quarantine or p=reject after real mail is passing. RFC 7489 describes none, quarantine, reject, alignment, and aggregate reporting, and newer DMARC RFCs have updated parts of the standard.

• SPF: one TXT record, all real senders included, under 10 DNS-querying terms.
• DKIM: each sender signs mail with a selector you control in DNS.
• DMARC: publish at _dmarc.example.com, collect rua reports, then enforce.
• MX: make sure inbound mail points to the right host so replies and bounce handling work.
• Blocklists: check them, but confirm DNS and authentication first because those fixes are under your control.

Google's sender guidelines say all senders to personal Gmail accounts need SPF or DKIM, and bulk senders need SPF, DKIM, and DMARC. Google also says unauthenticated mail can be marked as spam or rejected. Microsoft's DMARC guidance explains the same core idea for Microsoft 365: SPF or DKIM must pass and align for DMARC to pass. The core standards are RFC 7208 for SPF, RFC 6376 for DKIM, and RFC 7489 for DMARC.

Read the Gmail dashboards in order

Postmaster Tools is a Gmail signal, not an inbox-placement guarantee. Gmail and Outlook still score authentication, reputation, complaints, engagement, content, infrastructure, and local policy for each message.

Open the authentication dashboard first. If SPF, DKIM, or DMARC is failing, fix that before changing subject lines or sending volume. Then review spam rate and domain reputation. A sudden drop often means a DNS record changed, a new sender started without DKIM, a list source got worse, or a campaign drove complaints.

If Gmail shows little or no data, setup may still be fine. Google says dashboard data can be missing when daily volume is too low. Low-volume domains can verify correctly and still have sparse charts.

• If authentication is red, fix DNS and signing first.
• If spam rate jumped, pause the sending source that changed most recently.
• If domain reputation fell, reduce risky volume and send to people who expect your mail.
• If delivery errors rise, check bounces, TLS, DNS, and provider status.
• If charts are empty, confirm verification and wait for enough Gmail traffic.

For a quick outside check, run your domain through the free InboxRadar scorecard. It reads live SPF, DKIM, DMARC, and MX records and points to the highest-impact fix.