A step-by-step guide to setting up SPF, DKIM, and DMARC for organisations using Google Workspace (formerly G Suite). Google Workspace handles email sending, but you need to configure the DNS records that authenticate it.
⚠️ Google’s 2024 Sender Requirements
Since February 2024, Google requires all bulk senders (5,000+ messages/day to Gmail) to have SPF, DKIM, and DMARC properly configured. Even if you’re not a bulk sender, these are strongly recommended for deliverability.
Since February 2024, Google requires all bulk senders (5,000+ messages/day to Gmail) to have SPF, DKIM, and DMARC properly configured. Even if you’re not a bulk sender, these are strongly recommended for deliverability.
Step 1: Configure SPF
Add a TXT record to your domain’s DNS that authorises Google’s mail servers:
Type:TXT
Host/Name:
Value:
TTL:3600 (or default)
Host/Name:
@ (or leave blank — depends on your DNS provider)Value:
v=spf1 include:_spf.google.com -allTTL:3600 (or default)
If you also use other services:
Add their SPF includes too. For example, with SendGrid:
Add their SPF includes too. For example, with SendGrid:
v=spf1 include:_spf.google.com include:sendgrid.net -all
See the SPF Record Syntax Guide for the full list of common provider includes and the 10-lookup limit.
Step 2: Configure DKIM
Google Workspace generates a DKIM key pair for you. You need to retrieve the public key and add it to DNS.
Generate the DKIM Key in Google Admin
- Sign in to the Google Admin Console
- Navigate to Apps → Google Workspace → Gmail → Authenticate Email
- Select your domain
- Click “Generate new record”
- Choose your key length:
- 2048-bit (recommended) — more secure but the DNS value is longer
- 1024-bit — if your DNS provider has a character limit on TXT records
- The prefix selector is typically
google(you can leave the default) - Google will display a DNS hostname and a TXT record value
Add the DKIM Record to DNS
Type:TXT
Host/Name:
Value:The long
TTL:3600 (or default)
Host/Name:
google._domainkey (as shown in Admin Console)Value:The long
v=DKIM1; k=rsa; p=... string from the Admin ConsoleTTL:3600 (or default)
Activate DKIM Signing
- Wait for DNS propagation (up to 48 hours, usually much faster)
- Return to Admin Console → Gmail → Authenticate Email
- Click “Start authentication”
💡 Note: If you get a “DNS record not found” error, DNS hasn’t propagated yet. Wait a few hours and try again. You can verify propagation using our Domain Checker.
Step 3: Configure DMARC
With SPF and DKIM in place, add your DMARC record:
Type:TXT
Host/Name:
Value:
TTL:3600 (or default)
Host/Name:
_dmarcValue:
v=DMARC1; p=none; rua=mailto:your-selector@dmarccloud.com; adkim=r; aspf=rTTL:3600 (or default)
Use our DMARC Record Generator to build a record customised for your needs.
✓ Start with p=none
Always start with monitoring mode. Collect reports for 2–4 weeks, confirm everything’s working, then progress toward p=reject.
Always start with monitoring mode. Collect reports for 2–4 weeks, confirm everything’s working, then progress toward p=reject.
Verify Your Setup
After configuring all three records, verify everything is working:
- Use our Domain Checker to verify SPF, DKIM, and DMARC records are published correctly
- Send a test email to an external address (e.g., a personal Gmail account)
- In the received email, click the three dots → “Show original” to view the full headers
- Confirm you see:
SPF: PASSDKIM: PASSDMARC: PASS
- Wait 24–48 hours for your first DMARC aggregate report to arrive
Common Google Workspace Issues
“SPF record not found” despite adding it
Make sure you added the TXT record at the root domain (
Make sure you added the TXT record at the root domain (
@), not a subdomain. Also check you don’t have two SPF records — only one is allowed per domain.
DKIM key too long for DNS provider
Some DNS providers have a 255-character limit per TXT record string. If using a 2048-bit key, split the value into two strings (most providers handle this automatically). Alternatively, regenerate with a 1024-bit key.
Some DNS providers have a 255-character limit per TXT record string. If using a 2048-bit key, split the value into two strings (most providers handle this automatically). Alternatively, regenerate with a 1024-bit key.
DMARC fails for emails sent via Google Groups
Google Groups can rewrite the From: header when configured as a “collaborative inbox”. Ensure DKIM is properly configured — it usually survives the rewriting.
Google Groups can rewrite the From: header when configured as a “collaborative inbox”. Ensure DKIM is properly configured — it usually survives the rewriting.
Third-party apps sending via Gmail SMTP relay
If you’ve configured apps to send via smtp-relay.gmail.com, these emails are covered by Google’s SPF and your DKIM. No additional configuration needed, but verify with a test email.
If you’ve configured apps to send via smtp-relay.gmail.com, these emails are covered by Google’s SPF and your DKIM. No additional configuration needed, but verify with a test email.
Summary Checklist
- ☐ SPF TXT record added at
@withinclude:_spf.google.com - ☐ Only one SPF record exists for the domain
- ☐ DKIM key generated in Google Admin Console
- ☐ DKIM TXT record added at
google._domainkey - ☐ DKIM authentication activated in Admin Console
- ☐ DMARC TXT record added at
_dmarcwithp=none - ☐ Test email shows SPF PASS, DKIM PASS, DMARC PASS
- ☐ Aggregate reports arriving (check after 24–48 hours)
For more on the implementation process, see How to Implement DMARC. When you’re ready to enforce, follow the p=none to p=reject guide.