How to Set Up SPF, DKIM, and DMARC for Google Workspace

Step-by-step guide to configuring SPF, DKIM, and DMARC for Google Workspace. Fix authentication issues and improve deliverability for your business email.

Google Workspace handles email for millions of businesses, but setting up authentication correctly requires configuring DNS records outside of Google's admin console. Many administrators skip these steps or configure them partially, leading to emails landing in spam — even when sending to other Gmail users.

This guide walks through setting up SPF, DKIM, and DMARC for Google Workspace correctly.

Before You Start

You'll need access to:

  • Google Workspace Admin Console (admin.google.com)
  • Your domain's DNS management (wherever you registered your domain — GoDaddy, Cloudflare, Namecheap, etc.)

Authentication changes take time to propagate through DNS. Allow 24–48 hours for full propagation after making changes, though most updates take effect within an hour.

Step 1: Set Up SPF for Google Workspace

SPF (Sender Policy Framework) tells receiving servers which mail servers are authorized to send email for your domain.

The SPF Record

Add a TXT record to your domain's DNS:

Type   Host/Name      Value
TXT    @ (or blank)   v=spf1 include:_spf.google.com ~all

Important details:

  • You can only have one SPF record per domain. If you already have an SPF record, add include:_spf.google.com to the existing record instead of creating a second one.
  • If you use other services that send email (marketing tools, CRM, support desk), their SPF includes need to be in the same record.
  • The ~all at the end means soft fail for unauthorized senders. Once you're confident everything is configured, you can change to -all (hard fail).

Example with Multiple Senders

If you use Google Workspace plus SendGrid and HubSpot:

v=spf1 include:_spf.google.com include:sendgrid.net include:spf.hubspot.com ~all

Watch the 10-lookup limit. Each include: triggers DNS lookups, and SPF allows a maximum of 10. Google's include alone uses about 3–4.

Check your SPF record to verify it's valid and within limits.
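
The one-record rule and the 10-lookup limit described above can be checked mechanically. The following is an added example, not code from this guide's checker: it walks include: chains over a constructed stand-in for DNS, so the nested names and IP ranges in ZONE are placeholders rather than the providers' real records.

```python
import re

LOOKUP_LIMIT = 10
COUNTED = {"include", "redirect", "a", "mx", "ptr", "exists"}  # terms that query DNS

# Constructed stand-in for DNS (name -> TXT records). Nested names and IP ranges
# are placeholders, not the providers' real records.
ZONE = {
    "yourdomain.com": ["v=spf1 include:_spf.google.com include:sendgrid.net include:spf.hubspot.com ~all"],
    "_spf.google.com": ["v=spf1 include:blocks1.example include:blocks2.example include:blocks3.example ~all"],
    "blocks1.example": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "blocks2.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "blocks3.example": ["v=spf1 ip6:2001:db8::/32 ~all"],
    "sendgrid.net": ["v=spf1 ip4:203.0.113.0/24 ~all"],
    "spf.hubspot.com": ["v=spf1 ip4:203.0.113.128/25 ~all"],
}

def count_lookups(domain, zone, path=()):
    """Count DNS-querying terms needed to evaluate `domain`, following includes."""
    if domain in path:
        raise ValueError(f"include loop at {domain}")
    records = [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]
    if len(records) != 1:
        raise ValueError(f"{domain}: expected exactly one SPF record, found {len(records)}")
    total = 0
    for term in records[0].split()[1:]:
        term = term.lstrip("+-~?").lower()               # drop the qualifier
        name = re.split(r"[:=/]", term, maxsplit=1)[0]   # mechanism or modifier name
        if name in COUNTED:
            total += 1
        if name in ("include", "redirect"):
            total += count_lookups(term[len(name) + 1:], zone, path + (domain,))
    return total

def audit_spf(domain, zone):
    """Return (ok, lookups, problem) for the SPF record published at `domain`."""
    try:
        lookups = count_lookups(domain, zone)
    except ValueError as err:
        return (False, None, str(err))
    if lookups > LOOKUP_LIMIT:
        return (False, lookups, f"{lookups} lookups exceeds the limit of {LOOKUP_LIMIT}")
    return (True, lookups, None)
```

To run it against a live domain, replace the ZONE lookup with real TXT queries; the counting logic stays the same.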

Step 2: Set Up DKIM for Google Workspace

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to your emails, proving they haven't been altered in transit.

Generate the DKIM Key

  1. Open the Admin Console. Go to admin.google.com → Apps → Google Workspace → Gmail → Authenticate email.
  2. Select your domain. Click on your domain name. If you see "Status: Not authenticated," you need to set up DKIM.
  3. Generate a new record. Click "Generate new record." Choose 2048-bit key length (recommended) and the default google selector prefix.
  4. Copy the DNS record. Google will display a TXT record hostname and value. Copy both.

Add the DNS Record

Add the DKIM record to your DNS:

Type   Host/Name           Value
TXT    google._domainkey   (the long key value Google generated)

The hostname is typically google._domainkey.yourdomain.com. Some DNS providers want just google._domainkey without the domain suffix — check your provider's documentation.

Start Authentication

After adding the DNS record and allowing time for propagation:

  1. Return to the Admin Console → Gmail → Authenticate email
  2. Click "Start authentication"
  3. Status should change to "Authenticating email"

The DKIM key value is very long (often 300+ characters). Some DNS providers require you to split it into multiple quoted strings. If your record isn't validating, check that the full key was entered without truncation.
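
A truncated key can be detected without Google's console, because the DER-encoded public key in p= declares its own length. The following is an added example, not part of the original guide: it joins the quoted strings of a TXT record, decodes p=, and compares the declared size with what was actually published. SAMPLE_KEY is a constructed stand-in, not a real key.

```python
import base64
import binascii
import re

def join_txt_strings(rdata):
    """Concatenate a TXT record's quoted strings with no separator, as resolvers do."""
    parts = re.findall(r'"([^"]*)"', rdata)
    return "".join(parts) if parts else rdata.strip()

def split_txt_value(value, limit=255):
    """Split a long value into quoted strings of at most `limit` characters each."""
    return " ".join(f'"{value[i:i + limit]}"' for i in range(0, len(value), limit))

def der_declared_size(der):
    """Total size (header + body) that the outer DER SEQUENCE says it has."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    if der[1] < 0x80:                      # short form: length fits in one byte
        return 2 + der[1]
    n = der[1] & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or len(der) < 2 + n:
        raise ValueError("bad DER length")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_dkim_record(rdata):
    """Return 'ok' or a description of what is wrong with the published key."""
    tags = {}
    for item in join_txt_strings(rdata).split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip()] = "".join(value.split())   # strip whitespace inside values
    p = tags.get("p", "")
    if not p:
        return "no key in p="
    try:
        der = base64.b64decode(p, validate=True)
        declared = der_declared_size(der)
    except (binascii.Error, ValueError):
        return "p= is not valid base64/DER (mangled or cut mid-group)"
    if declared != len(der):
        return f"truncated: key declares {declared} bytes, record holds {len(der)}"
    return "ok"

# Constructed stand-in, NOT a real key: a DER header declaring 290 body bytes, zero-filled.
SAMPLE_KEY = base64.b64encode(bytes.fromhex("30820122") + bytes(290)).decode()
SAMPLE_RDATA = split_txt_value("v=DKIM1; k=rsa; p=" + SAMPLE_KEY)
```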

Step 3: Set Up DMARC

DMARC (Domain-based Message Authentication, Reporting, and Conformance) tells receiving servers what to do when SPF or DKIM checks fail, and sends you reports about authentication results.

Start with Monitoring

Add a TXT record for DMARC:

Type   Host/Name   Value
TXT    _dmarc      v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

Replace dmarc@yourdomain.com with an email address where you want to receive aggregate reports.

The p=none policy means you're monitoring only — no action is taken on failing emails. This is the right starting point. You want to see what's passing and failing before you start blocking.

Progress Your DMARC Policy

After monitoring for 2–4 weeks and confirming all legitimate email passes authentication:

  1. Move to p=quarantine — Failing emails go to spam instead of the inbox
  2. Eventually move to p=reject — Failing emails are blocked entirely

See our DMARC policy progression guide for a detailed timeline.

Verifying Your Setup

After configuring all three records, verify everything is working.

Check DNS Records

Use our free deliverability checker to verify:

  • SPF record is valid and includes Google
  • DKIM record exists and contains a valid public key
  • DMARC record is published and properly formatted

Send a Test Email

Send an email from Google Workspace to a personal Gmail account. Open the email, click the three dots → "Show original." Look for:

Check   Expected Result
SPF     PASS
DKIM    PASS
DMARC   PASS

If any show FAIL, review the corresponding DNS record.
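
The same check can be scripted against the raw Authentication-Results header from "Show original". The following is an added example, not part of the original guide: SAMPLE_HEADER is a constructed header with placeholder addresses, and the expected selector is assumed to be the default google prefix chosen in Step 2.

```python
import re

# Constructed sample of the header shown under "Show original" (addresses and IP are placeholders).
SAMPLE_HEADER = (
    "Authentication-Results: mx.google.com;\r\n"
    "       dkim=pass header.i=@yourdomain.com header.s=google header.b=AbCdEfGh;\r\n"
    "       spf=pass (google.com: domain of you@yourdomain.com designates 192.0.2.10"
    " as permitted sender) smtp.mailfrom=you@yourdomain.com;\r\n"
    "       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=yourdomain.com\r\n"
)

def parse_auth_results(header):
    """Return {method: {"result": ..., property: value, ...}} for one header."""
    text = re.sub(r"\r?\n[ \t]+", " ", header).strip()   # unfold continuation lines
    text = text.split(":", 1)[1]                           # drop the field name
    text = re.sub(r"\([^()]*\)", "", text)                 # drop (comments)
    results = {}
    for clause in text.split(";")[1:]:                     # [0] is the reporting server
        m = re.match(r"\s*([a-z0-9-]+)=([a-z]+)(.*)", clause, re.I | re.S)
        if m:
            method, result, rest = m.groups()
            props = dict(re.findall(r"([\w.-]+)=(\S+)", rest))
            results[method.lower()] = {"result": result.lower(), **props}
    return results

def review_test_email(header, from_domain, selector="google"):
    """List what to fix; an empty list means SPF, DKIM and DMARC all passed as expected."""
    res = parse_auth_results(header)
    problems = [f"{m.upper()}: {res.get(m, {}).get('result', 'missing')}"
                for m in ("spf", "dkim", "dmarc")
                if res.get(m, {}).get("result") != "pass"]
    dkim = res.get("dkim", {})
    if dkim.get("result") == "pass":
        if dkim.get("header.s") != selector:
            problems.append(f"DKIM passed with selector {dkim.get('header.s')!r}, not {selector!r}")
        if dkim.get("header.i", "").rpartition("@")[2].lower() != from_domain.lower():
            problems.append("DKIM passed for a different domain than the From address")
    return problems
```

If a message carries more than one dkim= result, this parser keeps only the last one.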

Check Google Workspace Security

In the Admin Console, go to Security → Email authentication. This dashboard shows:

  • DKIM authentication status per domain
  • Any configuration warnings

Common Issues and Fixes

"SPF record not found" After Adding It

  • DNS propagation can take up to 48 hours (usually faster)
  • Verify the record was added to the correct domain (not a subdomain)
  • Check you don't have two SPF records — only one is allowed

DKIM Showing "Not authenticated"

  • Confirm the DNS record hostname exactly matches what Google specified
  • Check the key value wasn't truncated (it's very long)
  • Wait for DNS propagation, then click "Start authentication" again in the Admin Console

DMARC Alignment Failures

DMARC requires alignment — the domain in SPF/DKIM must match your From address. If you send from you@yourdomain.com, SPF and DKIM must authenticate for yourdomain.com, not a subdomain or different domain.

Common alignment issues:

  • Sending through a service that uses its own domain for the envelope sender
  • DKIM signing with a different domain than the From address
  • Using email aliases that don't match the authenticated domain

See DMARC alignment explained for troubleshooting.

Multiple Domains in Google Workspace

If you have multiple domains in your Workspace account, each domain needs its own:

  • SPF record with include:_spf.google.com
  • DKIM key (generate separately for each domain in the Admin Console)
  • DMARC record

Google Workspace Email Routing Pitfalls

Content Compliance Rules

Google Workspace's content compliance and routing rules can interfere with DKIM signatures. If you have rules that modify message headers or content after sending, DKIM may break because the message was altered after signing.

Review Admin Console → Apps → Gmail → Compliance to ensure rules aren't modifying outbound email in ways that break signatures.

Third-Party Relay

If you route email through a third-party service before delivery, that service needs to preserve DKIM signatures and may need its own SPF authorization. Common scenarios include email security gateways and archiving services.