For Google Workspace email authentication: SPF record is v=spf1 include:_spf.google.com ~all (add as TXT record on your domain). DKIM is enabled in Google Admin Console → Apps → Google Workspace → Gmail → Authenticate Email → Generate New Record, then add the TXT record to DNS. DMARC is v=DMARC1; p=none; rua=mailto:[email protected] added as TXT on _dmarc.yourdomain.com. All three take 1-48 hours to propagate.
Google Workspace Email Authentication: Complete SPF, DKIM, DMARC Setup
Step 1: SPF Record
SPF tells receiving servers that Google Workspace is authorized to send email for your domain.
Add the DNS Record
| Type | Host/Name | Value |
|---|---|---|
| TXT | @ (or your domain) | v=spf1 include:_spf.google.com ~all |
If you have other sending services, include them all in one record:
v=spf1 include:_spf.google.com include:sendgrid.net -all
Rules:
- Only ONE SPF record per domain (merge everything into one)
- Google Workspace alone costs ~4 DNS lookups of your 10-lookup limit
- Use -all (hardfail) for maximum protection once verified
Verify SPF
Use MXToolbox SPF Lookup — enter your domain. Should show pass for Google's IP ranges.
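The one-record and 10-lookup rules above can also be checked offline before you publish a change. The sketch below is an added example, not code from Google or from this guide. It assumes a constructed ZONE table in place of live DNS, with Google's include modelled as one include plus three nested includes to match the 4-lookup figure above; example.com, dup.example and the IP ranges are placeholders.

```python
# Constructed TXT data standing in for live DNS answers; example.com,
# dup.example and the IP ranges are placeholders, not real published records.
ZONE = {
    "example.com": ["v=spf1 include:_spf.google.com include:sendgrid.net -all"],
    "_spf.google.com": ["v=spf1 include:_netblocks.google.com "
                        "include:_netblocks2.google.com "
                        "include:_netblocks3.google.com ~all"],
    "_netblocks.google.com": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_netblocks2.google.com": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "_netblocks3.google.com": ["v=spf1 ip4:203.0.113.0/24 ~all"],
    "sendgrid.net": ["v=spf1 ip4:192.0.2.128/25 ~all"],
    "dup.example": ["v=spf1 include:_spf.google.com ~all",
                    "v=spf1 include:sendgrid.net ~all"],
}
LIMIT = 10  # RFC 7208 cap on DNS-querying terms per SPF evaluation

def spf_records(name, zone):
    """TXT strings at name that are SPF records (first token is v=spf1)."""
    return [t for t in zone.get(name, []) if t.lower().split()[:1] == ["v=spf1"]]

def count_lookups(name, zone, path=()):
    """Count DNS-querying terms reached while evaluating name's SPF record."""
    if name in path:
        raise ValueError(f"include loop at {name}")
    records = spf_records(name, zone)
    if len(records) != 1:
        raise ValueError(f"{name}: {len(records)} SPF records, need exactly 1")
    total = 0
    for term in records[0].lower().split()[1:]:
        term = term.lstrip("+-~?")          # drop the qualifier
        if term.startswith("redirect="):
            total += 1 + count_lookups(term[9:], zone, path + (name,))
            continue
        mech, _, arg = term.partition(":")
        if mech == "include":               # one lookup, plus whatever it pulls in
            total += 1 + count_lookups(arg, zone, path + (name,))
        elif mech.split("/")[0] in ("a", "mx", "ptr", "exists"):
            total += 1
    return total

def check(name, zone):
    """Return ('ok' | 'permerror', detail) as a receiver would classify it."""
    try:
        n = count_lookups(name, zone)
    except ValueError as exc:
        return "permerror", str(exc)
    return ("ok" if n <= LIMIT else "permerror"), f"{n} of {LIMIT} lookups"
```

To run it against your real domain, fill ZONE from the TXT answers your resolver returns for each name the record includes.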
Step 2: DKIM
DKIM adds a digital signature to every email sent from Google Workspace, proving the message is legitimate and unaltered.
Generate the DKIM Key
- Go to Google Admin Console
- Navigate to Apps → Google Workspace → Gmail
- Click Authenticate Email
- Select your domain
- Click Generate New Record
- DKIM key bit length: Select 2048 (recommended)
- Prefix selector: Leave as google (default) or customize
- Click Generate
- Google displays the DNS record to add
Add the DNS Record
| Type | Host/Name | Value |
|---|---|---|
| TXT | google._domainkey | (the long key Google generated) |
Note: The TXT value is very long (especially for 2048-bit). Some DNS providers require splitting it into multiple strings — most handle this automatically. If your provider has a 255-character TXT limit, use 1024-bit instead.
Activate DKIM
After adding the DNS record and waiting for propagation (1-48 hours):
- Return to Google Admin → Apps → Gmail → Authenticate Email
- Click Start Authentication
- Status should change to "Authenticating email"
Verify DKIM
Send an email from Google Workspace. Check the original message headers:
DKIM-Signature: v=1; a=rsa-sha256; d=yourdomain.com; s=google; ...
The Authentication-Results header should show dkim=pass.
Step 3: DMARC
DMARC ties SPF and DKIM together and tells receiving servers what to do when authentication fails.
Add the DNS Record
| Type | Host/Name | Value |
|---|---|---|
| TXT | _dmarc | v=DMARC1; p=none; rua=mailto:[email protected] |
Start with p=none (monitor only). This collects data without affecting delivery.
Advancement Path
- Weeks 1-4: p=none — collect and review aggregate reports
- Weeks 5-8: p=quarantine; pct=25 — quarantine 25% of failures
- Weeks 9-12: p=quarantine; pct=100 — quarantine all failures
- Week 13+: p=reject — reject all unauthenticated email
See our complete DMARC advancement guide for detailed instructions.
Step 4: Verification
Send a test email to a personal Gmail address. View the original message:
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of [email protected] designates ... as permitted sender)
dkim=pass (test mode) header.d=yourdomain.com header.s=google
dmarc=pass (p=NONE) header.from=yourdomain.com
All three should show pass. If any fail:
- SPF fail: Check your SPF TXT record is published and correct
- DKIM fail: Verify the DNS record matches what Admin Console generated, and that you clicked "Start Authentication"
- DMARC fail: Verify the _dmarc TXT record is published, and that SPF or DKIM aligns
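The header check above can be scripted so that it also reports whether each passing identifier aligns with the From: domain. This is an added example, not part of the original guide. The two headers are constructed, sender.example is a placeholder, and org_domain approximates the organizational domain as the last two labels (receivers use the Public Suffix List).

```python
import re

def parse_auth_results(header):
    """Return [(method, result, {prop: value})] from an Authentication-Results header."""
    body = re.sub(r"\([^()]*\)", " ", header)              # drop (comments)
    body = re.sub(r"^\s*authentication-results:", "", body, flags=re.I)
    parsed = []
    for clause in body.split(";")[1:]:                     # [0] is the authserv-id
        tokens = clause.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].lower().split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        parsed.append((method, result, props))
    return parsed

def org_domain(value):
    """Assumption: organizational domain = last two labels (receivers use the PSL)."""
    host = value.rsplit("@", 1)[-1].lower().rstrip(".")
    return ".".join(host.split(".")[-2:])

def diagnose(header):
    """Return (dmarc_ok, notes): DMARC needs one passing identifier aligned with From:."""
    results = parse_auth_results(header)
    from_dom = next((p.get("header.from") for m, _, p in results if m == "dmarc"), None)
    if from_dom is None:
        return False, ["no dmarc clause with header.from"]
    ok, notes = False, []
    for method, result, props in results:
        ident = {"spf": props.get("smtp.mailfrom"),
                 "dkim": props.get("header.d") or props.get("header.i")}.get(method)
        if ident is None:
            continue
        aligned = org_domain(ident) == org_domain(from_dom)
        notes.append(f"{method}={result} {org_domain(ident)} "
                     f"{'aligned' if aligned else 'NOT aligned'} with {from_dom}")
        ok = ok or (result == "pass" and aligned)
    return ok, notes

# Constructed headers; yourdomain.com and sender.example are placeholders.
GOOD = ("Authentication-Results: mx.google.com; "
        "spf=pass (google.com: domain of user@yourdomain.com designates 192.0.2.10 "
        "as permitted sender) smtp.mailfrom=user@yourdomain.com; "
        "dkim=pass header.d=yourdomain.com header.s=google; "
        "dmarc=pass (p=NONE) header.from=yourdomain.com")
MISALIGNED = ("Authentication-Results: mx.google.com; "
              "spf=pass smtp.mailfrom=bounce@mail.sender.example; "
              "dkim=pass header.d=sender.example header.s=s1; "
              "dmarc=fail (p=NONE) header.from=yourdomain.com")
```

In the MISALIGNED header both checks pass on their own, but neither identifier belongs to the From: domain, so DMARC fails.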
Common Issues
"DKIM key not found": DNS hasn't propagated yet. Wait 4-24 hours. Or the TXT record hostname is wrong — should be google._domainkey.yourdomain.com, not just google._domainkey.
"SPF permerror": Too many DNS lookups. If you have multiple services in your SPF record, count your lookups. See our multi-sender SPF guide.
"DMARC fail but SPF and DKIM pass individually": Alignment issue. The domain in SPF (envelope sender) or DKIM (d= value) doesn't match your From: header domain. Common when using third-party services.
Practitioner note: Google Workspace's DKIM setup is buried in the Admin Console and not intuitive. Most Google Workspace admins never enable DKIM because they don't know it exists. If you're on Google Workspace and haven't explicitly set up DKIM, it's not signing your email.
Practitioner note: If you use Google Workspace + other sending services, the SPF lookup limit is your biggest risk. Google alone uses 4 of your 10 lookups. Add two more services and you're at the limit. Plan your SPF architecture before adding services.
If you want authentication configured correctly across Google Workspace and your other sending services, schedule a consultation — I handle multi-service authentication setup daily.
Sources
- Google: Set up SPF
- Google: Turn on DKIM
- Google: Set up DMARC
v1.0 · March 2026
Frequently Asked Questions
Does Google Workspace set up SPF and DKIM automatically?
No. SPF requires you to add a DNS TXT record. DKIM requires you to generate a key in Admin Console AND add the DNS record. Google Workspace does not configure your domain's DNS for you. DMARC is entirely manual.
What if I also use other services with Google Workspace?
Add all services to your SPF record: v=spf1 include:_spf.google.com include:sendgrid.net include:mailgun.org -all. Watch the 10 DNS lookup limit. Configure DKIM separately for each service.
Should I use ~all or -all in my SPF record?
Google's documentation recommends ~all (softfail). For maximum security, use -all (hardfail) once you're confident all legitimate senders are included. Start with ~all, switch to -all after verifying nothing breaks.
How do I verify my authentication is working?
Send an email from Google Workspace to a Gmail address. Open the email → three dots → Show Original. Check Authentication-Results header for spf=pass, dkim=pass, dmarc=pass.
Can I use a 2048-bit DKIM key with Google Workspace?
Yes, and you should. When generating the DKIM key in Admin Console, select 2048-bit. If your DNS provider has TXT record length limits, use 1024-bit as a fallback. 2048-bit is more secure.