Google Workspace email authentication requires four DNS records: SPF (include:_spf.google.com), DKIM (generated in Admin Console under Apps > Gmail > Authenticate email), DMARC (TXT at _dmarc), and optionally BIMI and MTA-STS. Google Workspace supports 2048-bit DKIM keys and handles DKIM signing automatically once the DNS record is published.
Email Authentication for Google Workspace: Complete Guide
SPF Setup
Add this TXT record to your domain's DNS:
Type: TXT
Host: @
Value: v=spf1 include:_spf.google.com ~all
If you also use other services (Mailchimp, SendGrid, etc.), include them:
v=spf1 include:_spf.google.com include:servers.mcsv.net include:sendgrid.net ~all
Watch the 10 DNS lookup limit. Google's include alone uses 3-4 lookups.
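To see where the lookup budget goes, this added example (not from the original guide) counts the DNS-querying terms in the combined record above, following each include recursively. The TXT answers in `ZONE` are constructed stand-ins using documentation IP ranges rather than the providers' live records, `example.com` is a placeholder domain, and the function names are hypothetical.

```python
import re

LIMIT = 10  # RFC 7208 section 4.6.4: max DNS-querying terms per SPF evaluation
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}

# Constructed TXT answers standing in for DNS (documentation IP ranges, not
# the providers' live records). example.com is a placeholder sender domain.
ZONE = {
    "example.com": "v=spf1 include:_spf.google.com include:servers.mcsv.net "
                   "include:sendgrid.net ~all",
    "_spf.google.com": "v=spf1 include:_netblocks.google.com "
                       "include:_netblocks2.google.com "
                       "include:_netblocks3.google.com ~all",
    "_netblocks.google.com": "v=spf1 ip4:192.0.2.0/25 ~all",
    "_netblocks2.google.com": "v=spf1 ip6:2001:db8::/33 ~all",
    "_netblocks3.google.com": "v=spf1 ip4:198.51.100.0/24 ~all",
    "servers.mcsv.net": "v=spf1 ip4:203.0.113.0/25 -all",
    "sendgrid.net": "v=spf1 ip4:203.0.113.128/25 ~all",
}

def count_lookups(domain, zone, path=()):
    """Count DNS-querying terms needed to evaluate domain's SPF record,
    following include: and redirect= recursively (macros are not expanded)."""
    if domain in path:
        raise ValueError(f"SPF loop via {domain}")
    record = zone.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        raise ValueError(f"no SPF record for {domain}")
    total = 0
    for term in record.split()[1:]:
        m = re.match(r"[+\-~?]?([A-Za-z0-9]+)([:=/]?)(.*)", term)
        if not m:
            continue
        name, sep, arg = m.group(1).lower(), m.group(2), m.group(3).lower()
        redirect = name == "redirect" and sep == "="
        if not redirect and (name not in LOOKUP_MECHS or sep == "="):
            continue
        total += 1  # the term itself costs one lookup
        if redirect or name == "include":
            total += count_lookups(arg, zone, path + (domain,))
    return total

def spf_report(domain, zone):
    """Return (lookups, within_limit) for the domain's published record."""
    n = count_lookups(domain, zone)
    return n, n <= LIMIT

if __name__ == "__main__":
    print(spf_report("example.com", ZONE))
```

To audit a real domain, replace `ZONE` with TXT answers fetched from your resolver; ip4, ip6 and all terms cost nothing, so only the include tree matters here.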
DKIM Setup
- Open Google Admin Console → Apps → Gmail → Authenticate email
- Select your domain
- Click Generate new record
- Choose 2048-bit key length (default is 1024 — change it)
- Set the prefix/selector (default: google)
- Copy the DNS record and add it to your domain
- Wait for DNS propagation (up to 48 hours, usually faster)
- Return to Admin Console and click Start Authentication
The DNS record will be a TXT record at google._domainkey.yourdomain.com.
Practitioner note: Always use 2048-bit DKIM keys with Google Workspace. The 1024-bit option exists for DNS providers with TXT record length limits, but most modern providers handle 2048-bit fine. If yours doesn't, it's time to switch DNS providers.
DMARC Setup
After SPF and DKIM are working, add your DMARC record:
Type: TXT
Host: _dmarc
Value: v=DMARC1; p=none; rua=mailto:[email protected]
Follow the advancement timeline to progress from p=none to p=reject.
MTA-STS (Optional but Recommended)
Google Workspace supports MTA-STS. Google's MX records already support TLS, so what MTA-STS adds is protection against downgrade attacks.
Policy file at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt:
version: STSv1
mode: enforce
mx: aspmx.l.google.com
mx: alt1.aspmx.l.google.com
mx: alt2.aspmx.l.google.com
mx: alt3.aspmx.l.google.com
mx: alt4.aspmx.l.google.com
max_age: 604800
List all your Google MX records. See MTA-STS hosting options.
BIMI (Optional)
Requires DMARC at enforcement plus an SVG Tiny PS logo. For Gmail display, you'll also need a VMC.
Verification Checklist
After setup, verify everything:
- Send a test email to mail-tester.com
- Check Google Admin Console → Apps → Gmail → Authenticate email (shows DKIM status)
- View email headers — look for spf=pass, dkim=pass, dmarc=pass
- Monitor Google Postmaster Tools for authentication rates
Practitioner note: The number one Google Workspace auth issue I see: people add the DKIM DNS record but forget to click "Start Authentication" in the Admin Console. The record exists in DNS but Google isn't signing anything. Always complete both steps.
Common Google Workspace Auth Issues
| Problem | Fix |
|---|---|
| SPF softfail | Confirm include:_spf.google.com is in your SPF record |
| DKIM not signing | Click "Start Authentication" in Admin Console |
| DMARC failing | Check alignment — the From domain must match |
| Too many DNS lookups | Flatten SPF or reduce includes |
v1.0 · April 2026
Frequently Asked Questions
What SPF record do I need for Google Workspace?
Add v=spf1 include:_spf.google.com ~all as a TXT record on your domain. If you use other sending services, include them before the ~all. Change ~all to -all after confirming everything works.
How do I enable DKIM for Google Workspace?
Go to Admin Console > Apps > Gmail > Authenticate email. Select your domain, choose 2048-bit key length, generate the record, add the CNAME or TXT record to DNS, then click Start Authentication in the Admin Console.
Does Google Workspace support DMARC?
Google Workspace fully supports DMARC. You publish a DMARC record in your DNS — Google handles alignment automatically. Google also sends DMARC aggregate reports to domains that request them.