Google Workspace SPF, DKIM, and DMARC Setup
A practical guide to setting up SPF, DKIM, and DMARC for Google Workspace, including what to publish in DNS and what to verify after setup.
Tools For This Topic
What you are trying to achieve
For Google Workspace, a good email authentication setup usually means three things: Google is authorised to send mail for the domain, outbound mail is signed with DKIM, and DMARC is published so receivers know how to treat failing mail.
You are not just adding records because a checklist says so. You are building a setup that supports deliverability, spoofing protection, and clearer reporting.
Set up SPF for Google Workspace
A common starting SPF record for a Google Workspace-only environment is based on include:_spf.google.com. If other systems also send mail for the domain, those authorisations must be included carefully in the same SPF policy.
v=spf1 include:_spf.google.com -allOnly one SPF record should exist for the domain. If old provider records are left behind, SPF can fail with PermError.
Set up DKIM in Google Workspace
Google Workspace generates a DKIM selector and public key in the admin console. You publish that selector in DNS, then enable DKIM signing in Google after the record is live.
The selector is often google, but you should always use the exact selector Google gives you rather than assuming.
google._domainkey.example.com TXT "v=DKIM1; k=rsa; p=PUBLICKEY"A common mistake is publishing the record but forgetting to enable signing in Google Workspace afterward.
Set up DMARC after SPF and DKIM are working
DMARC should be added once SPF and DKIM are in place and you understand who is sending mail for the domain. A common safe starting point is a monitoring policy with p=none and an aggregate reporting address.
_dmarc.example.com TXT "v=DMARC1; p=none; rua=mailto:dmarc@example.com"From there, you can tighten the policy over time if legitimate mail is consistently aligned.
Watch for mixed-provider setups
Google Workspace setups often become messy when another system also sends mail for the same domain. Marketing platforms, CRMs, and help desks may need their own SPF authorisations or aligned DKIM configuration.
If you ignore those extra senders, DMARC may look correct in DNS while real mail still fails in production.
What to verify after setup
- MX records point where you expect for Google Workspace
- The SPF policy includes Google's sending infrastructure and only one SPF record exists
- The DKIM selector resolves in DNS and Google is actively signing mail
- The DMARC record is valid and the reporting address is intentional
- A real test message shows aligned pass results where expected
A practical Google Workspace workflow
- Confirm the intended Google Workspace MX design
- Publish one valid SPF policy
- Generate and publish the Google DKIM selector
- Enable DKIM signing in Google Workspace
- Publish a DMARC record starting with monitoring
- Send a test message and inspect the resulting authentication headers
Use These DNS Pro Tools
If you want to validate this topic in practice, these DNS Pro tools are the fastest next step.
Related Tools
Related Articles
Microsoft 365 SPF, DKIM, and DMARC Setup
A practical guide to setting up SPF, DKIM, and DMARC for Microsoft 365, including the DNS records to publish and the checks to run after setup.
How to Check Google Workspace DNS
A practical guide to checking Google Workspace DNS records, including MX, SPF, DKIM, DMARC, and the signs of a mixed or incomplete setup.
DNS Records Required for Google Workspace (Complete Setup Guide)
Complete guide to Google Workspace DNS records including MX, SPF, DKIM, DMARC, and domain verification. Includes real record examples and setup best practices.