Google's business email and productivity suite, formerly G Suite. This guide covers the complete email authentication stack for Google Workspace: SPF, DKIM, and DMARC. Each section gives you the exact DNS records, step-by-step instructions, common pitfalls, and how to verify your setup.
Add the correct SPF record to authorize Google Workspace to send email on behalf of your domain. This prevents spoofing and improves deliverability.
Type: TXT
Host: @
Value: v=spf1 include:_spf.google.com ~all
If you have other senders, add their include mechanisms before ~all.
Log in to the control panel where your domain's DNS records are managed (e.g., Cloudflare, GoDaddy, Namecheap).
Find the DNS settings or DNS zone editor for your domain.
Look for a TXT record that starts with v=spf1. You should only have one SPF record per domain. If one exists, you will modify it rather than creating a new one.
dig TXT yourdomain.com +short | grep spf
Add a new TXT record (or edit the existing one) with the host set to @ and the value below. If you already have an SPF record with other includes, add include:_spf.google.com before the ~all or -all.
v=spf1 include:_spf.google.com ~all
Wait a few minutes for DNS propagation, then verify the record is published. You can use dig or a DNS lookup tool.
dig TXT yourdomain.com +short
v=spf1 ~all
v=spf1 include:_spf.google.com ~all
You need a TXT record at @ with the value v=spf1 include:_spf.google.com ~all. This authorizes Google's mail servers to send email on behalf of your domain.
Yes. Using -all (hardfail) is stricter and will cause non-authorized emails to be rejected outright. Start with ~all and move to -all once you have confirmed all senders are included.
Add include:_spf.google.com to your existing SPF record. For example: v=spf1 include:_spf.google.com include:otherprovider.com ~all. Do not create a second SPF record.
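The merge and verification steps above can be scripted. The following Python is an added example, not part of the original guide; the function names and the sample TXT answers are constructed for illustration, and in practice the input would be the lines printed by dig TXT yourdomain.com +short.

```python
def spf_records(txt_records):
    """Pick the SPF records out of a domain's TXT answers (dig prints them quoted)."""
    values = [t.strip().strip('"') for t in txt_records]
    return [v for v in values if v.lower().split(" ")[0] == "v=spf1"]


def add_include(record, include="include:_spf.google.com"):
    """Insert `include` before the all mechanism, leaving existing senders in place."""
    terms = record.split()
    if include in terms:
        return record
    is_all = [t.lstrip("+-~?").lower() == "all" for t in terms]
    idx = is_all.index(True) if True in is_all else len(terms)
    return " ".join(terms[:idx] + [include] + terms[idx:])


def check_spf(txt_records):
    """Return a list of problems; empty means the record matches what the guide asks for."""
    found = spf_records(txt_records)
    if len(found) != 1:
        return [f"expected exactly one SPF record, found {len(found)}"]
    terms = found[0].split()
    problems = []
    if "include:_spf.google.com" not in terms:
        problems.append("include:_spf.google.com is missing")
    if terms[-1] not in ("~all", "-all"):
        problems.append("record does not end in ~all or -all")
    return problems


# Constructed TXT answers for a hypothetical domain that already uses another sender.
SAMPLE_TXT = ['"v=spf1 include:otherprovider.com ~all"',
              '"unrelated-verification=constructed"']

if __name__ == "__main__":
    print(check_spf(SAMPLE_TXT))
    fixed = add_include(spf_records(SAMPLE_TXT)[0])
    print(fixed, check_spf([fixed]))
```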
Enable DKIM signing in the Google Admin Console and publish the public key in your DNS to cryptographically authenticate outgoing email.
Type: TXT
Host: google._domainkey
Value: v=DKIM1; k=rsa; p=YOUR_PUBLIC_KEY_FROM_ADMIN_CONSOLE
The actual public key value is generated in your Google Admin Console. The default selector is "google".
Go to admin.google.com and sign in with your administrator account.
Go to Apps > Google Workspace > Gmail > Authenticate email. Select your domain from the list.
Click "Generate new record". Choose a DKIM key bit length of 2048 (recommended). The default prefix selector is "google". Click Generate.
Copy the generated TXT record value and create a new TXT record in your DNS with the host name google._domainkey and the value provided by Google.
Host: google._domainkey
Type: TXT
Value: v=DKIM1; k=rsa; p=MIIBIjANBgkqh...(your key)
Return to the Google Admin Console and click "Start authentication". Google will verify the DNS record. It may take up to 48 hours for DNS propagation, but typically works within minutes.
The default DKIM selector for Google Workspace is "google". This means the DNS record is published at google._domainkey.yourdomain.com. You can customize the selector during key generation.
After adding the DNS record and clicking "Start authentication" in the Admin Console, DKIM signing typically activates within a few minutes. DNS propagation can take up to 48 hours in some cases.
Use 2048-bit keys for stronger security. Only use 1024-bit if your DNS provider cannot handle the longer TXT record value.
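A published DKIM record can be checked for the two points raised above: that the long 2048-bit value survived being split into several quoted strings by the DNS provider, and that the key really has the length chosen in the Admin Console. This Python is an added example, not from the original guide; the function names are assumptions and the sample record is built from a constructed, unusable modulus.

```python
import base64
import re


def dkim_tags(dig_line):
    """Join the quoted chunks dig prints for a long TXT record, then split tag=value pairs."""
    value = "".join(re.findall(r'"([^"]*)"', dig_line)) or dig_line
    pairs = (part.split("=", 1) for part in value.split(";") if "=" in part)
    return {k.strip(): "".join(v.split()) for k, v in pairs}


def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (body, position after it)."""
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return buf[pos:pos + length], pos + length


def rsa_bits(p_b64):
    """Modulus size in bits of the RSA key in a DKIM p= tag (SubjectPublicKeyInfo)."""
    spki, _ = _tlv(base64.b64decode(p_b64), 0)
    _, after_alg = _tlv(spki, 0)       # skip the AlgorithmIdentifier
    bitstring, _ = _tlv(spki, after_alg)
    rsa_key, _ = _tlv(bitstring, 1)    # byte 0 is the unused-bits count
    modulus, _ = _tlv(rsa_key, 0)
    return int.from_bytes(modulus, "big").bit_length()


def _enc(tag, body):
    """Minimal DER encoder, used only to build the constructed sample below."""
    n, size = len(body), (len(body).bit_length() + 7) // 8
    hdr = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + hdr + body


def constructed_record(bits):
    """Constructed sample (not a usable key), formatted as dig prints it in 255-byte chunks."""
    n = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")
    key = _enc(0x30, _enc(0x02, n) + _enc(0x02, b"\x01\x00\x01"))
    alg = _enc(0x30, bytes.fromhex("06092a864886f70d0101010500"))  # rsaEncryption
    value = "v=DKIM1; k=rsa; p=" + base64.b64encode(_enc(0x30, alg + _enc(0x03, b"\x00" + key))).decode()
    return " ".join(f'"{value[i:i + 255]}"' for i in range(0, len(value), 255))


if __name__ == "__main__":
    for bits in (2048, 1024):
        print(rsa_bits(dkim_tags(constructed_record(bits))["p"]))
```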
Publish a DMARC policy for your domain to instruct receiving mail servers how to handle messages that fail SPF and DKIM authentication.
Type: TXT
Host: _dmarc
Value: v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1
Start with p=none to monitor, then move to p=quarantine and finally p=reject.
DMARC builds on SPF and DKIM. Verify both are set up and passing for your Google Workspace domain before adding DMARC.
Start with p=none (monitoring only) to collect reports without affecting mail delivery. This lets you identify all legitimate senders before enforcing.
Add a TXT record in your DNS with the host _dmarc and your chosen DMARC policy. Replace the email address with your own reporting address.
v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1
Aggregate reports (rua) will be sent in XML format. Use a DMARC report analyzer to read them and identify any legitimate senders that are failing authentication.
Once all legitimate senders pass, move to p=quarantine (with pct=10 initially), then increase to pct=100, and finally to p=reject.
v=DMARC1; p=reject; rua=mailto:[email protected]; fo=1
(no DMARC record)
v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1
Start with v=DMARC1; p=none; rua=mailto:[email protected] to monitor authentication results. After confirming all legitimate email passes, gradually move to p=quarantine and then p=reject.
Yes. Google Workspace emails align on both SPF (envelope sender matches header from) and DKIM (d= domain matches header from) when properly configured.
Monitor with p=none for at least 2-4 weeks. Review aggregate reports to ensure all legitimate sending services are properly authenticated before moving to quarantine or reject.
Once your SPF, DKIM, and DMARC records are in place, run a full domain scan to confirm everything is configured correctly. DNS changes typically propagate within minutes but can take up to 48 hours.