
How to Set Up SPF, DKIM & DMARC for Google Workspace (Step by Step)


Google Workspace handles your mailboxes, but it does not authenticate your domain for you out of the box. You have to publish three DNS records yourself — SPF, DKIM, and DMARC — or your mail starts life looking untrustworthy to every other provider. Since Google and Yahoo began requiring authentication for senders, skipping this isn’t an option. Here’s the exact setup, start to finish.

You’ll be adding records at your DNS host — wherever your domain is registered (Cloudflare, GoDaddy, Namecheap, Google Domains, etc.), not inside Gmail. Changes can take anywhere from a few minutes to a few hours to propagate.

Step 1: SPF — authorize Google to send for you

Add a single TXT record at your domain’s apex (the “root,” often shown as @) with this value:

v=spf1 include:_spf.google.com ~all

That tells receivers Google’s servers are allowed to send mail for your domain. Two rules that bite people:

  • You may only have one SPF record. If you already have a v=spf1 record for another tool, don’t add a second — merge the includes into one: v=spf1 include:_spf.google.com include:sendgrid.net ~all. Two SPF records silently break authentication entirely.
  • Add an include for every sending service — your marketing tool, your support desk, your transactional sender — not just Google.

Step 2: DKIM — turn on Google’s signature

DKIM is the one step that lives partly inside Google. In the Google Admin console, go to Apps → Google Workspace → Gmail → Authenticate email. Generate a DKIM key (choose 2048-bit), and Google gives you a DNS record to publish — a TXT record at the selector google._domainkey.yourdomain.com.

Add that record at your DNS host, then come back to the Admin console and click Start authentication. This is the most commonly botched step: people generate the key and click start, but never publish the DNS record — so signing silently fails. (Curious why the selector matters? Here’s what a DKIM selector actually is.)

Step 3: DMARC — set the policy and get reports

Finally, add a TXT record at _dmarc.yourdomain.com. Start in monitor-only mode so you change nothing about delivery while you watch:

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

The p=none policy means “don’t block anything yet, just report.” The rua= address is where the daily reports go. Leave it here for a few weeks, confirm all your legitimate mail passes, then tighten to p=quarantine and eventually p=reject. Jumping straight to p=reject before everything aligns is the fastest way to block your own email — and the reports tell you exactly when it’s safe to tighten.

Step 4: confirm all three actually pass

Publishing records isn’t the same as passing. Typos, propagation delays, a forgotten DKIM activation, or a duplicate SPF record all look fine in your DNS dashboard but fail in the real world. Verify the finished setup by running your domain through the free email checker — it confirms SPF, DKIM, and DMARC all pass, detects the Google selector automatically, and flags anything misconfigured before it costs you delivery.
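
The checks from Steps 1 to 3 as a small offline linter, added here as an example (not code from the original post or from Google): it takes TXT records you have already looked up and reports the failure modes described above. The domain example.com, the ZONE sample data and the function names are assumptions made for illustration.

```python
# Added example: lint the three TXT records from Steps 1-3 without network access.

def parse_tags(record):
    """Split a 'k=v; k=v' TXT value (DMARC/DKIM style) into a dict."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def check_domain(domain, zone, selector="google"):
    """Return a list of problems found in the TXT records for `domain`.
    `zone` maps a DNS name to the list of TXT strings published there."""
    problems = []
    # Step 1: exactly one SPF record, and it must authorize Google.
    spf = [r for r in zone.get(domain, []) if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        problems.append("spf: no v=spf1 record at apex")
    elif len(spf) > 1:
        problems.append("spf: %d v=spf1 records, merge into one" % len(spf))
    elif "include:_spf.google.com" not in spf[0].lower().split():
        problems.append("spf: include:_spf.google.com missing")
    # Step 2: the key Google generated must actually be published.
    dkim = [parse_tags(r) for r in zone.get("%s._domainkey.%s" % (selector, domain), [])]
    if not any(t.get("p") for t in dkim):
        problems.append("dkim: no public key at %s._domainkey" % selector)
    # Step 3: one DMARC record with a valid policy and a report address.
    dmarc = [parse_tags(r) for r in zone.get("_dmarc." + domain, [])
             if r.strip().lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        problems.append("dmarc: expected 1 record, found %d" % len(dmarc))
    else:
        if dmarc[0].get("p", "").lower() not in ("none", "quarantine", "reject"):
            problems.append("dmarc: missing or invalid p= policy")
        if not dmarc[0].get("rua", "").lower().startswith("mailto:"):
            problems.append("dmarc: no rua=mailto: report address")
    return problems

# Constructed zone reproducing two mistakes named above: a second SPF
# record added for another tool, and a DKIM key that was never published.
ZONE = {
    "example.com": ["v=spf1 include:_spf.google.com ~all",
                    "v=spf1 include:sendgrid.net ~all"],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
}
```

check_domain("example.com", ZONE) returns the duplicate-SPF and missing-DKIM findings. A clean result only means the records are well formed; whether mail actually passes still has to be confirmed on a real delivered message.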

Set it once, then keep watching

Google Workspace authentication isn’t a one-time chore. A teammate adds a new sending tool and forgets to update SPF; Google rotates a DKIM key during a migration; a DNS edit goes wrong. Any of these can drop you out of compliance overnight, silently. That’s why Zeqo Mail re-checks your domain every day and alerts you the moment something breaks — so you hear about it before your customers, prospects, or password-reset emails do. And if you’re also doing outreach, read why cold email still lands in spam even with authentication in place.
