Add the correct SPF record to authorize Google Workspace to send email on behalf of your domain. This prevents spoofing and improves deliverability.
TXT
@
v=spf1 include:_spf.google.com ~all
If you have other senders, add their include mechanisms before ~all.
Log in to the control panel where your domain's DNS records are managed (e.g., Cloudflare, GoDaddy, Namecheap).
Find the DNS settings or DNS zone editor for your domain.
Look for a TXT record that starts with v=spf1. You should only have one SPF record per domain. If one exists, you will modify it rather than creating a new one.
dig TXT yourdomain.com +short | grep spfAdd a new TXT record (or edit the existing one) with the host set to @ and the value below. If you already have an SPF record with other includes, add include:_spf.google.com before the ~all or -all.
v=spf1 include:_spf.google.com ~allWait a few minutes for DNS propagation, then verify the record is published. You can use dig or a DNS lookup tool.
dig TXT yourdomain.com +shortv=spf1 ~allv=spf1 include:_spf.google.com ~allAfter adding your DNS records, use our free SPF checker to verify everything is configured correctly. DNS changes typically propagate within minutes, but can take up to 48 hours.
You need a TXT record at @ with the value v=spf1 include:_spf.google.com ~all. This authorizes Google's mail servers to send email on behalf of your domain.
Yes. Using -all (hardfail) is stricter and will cause non-authorized emails to be rejected outright. Start with ~all and move to -all once you have confirmed all senders are included.
Add include:_spf.google.com to your existing SPF record. For example: v=spf1 include:_spf.google.com include:otherprovider.com ~all. Do not create a second SPF record.