Adding DMARC, SPF, and DKIM records in Google Cloud DNS

Google Cloud DNS (the GCP service, not the old Google Domains registrar) has two quirks worth knowing up front: the apex DNS name is left blank, and a long DKIM key has to be split into 255-character pieces by hand. Here is the console path and how to do it cleanly.

First, a name clash to clear up

This guide is for Google Cloud DNS, the managed-zone service inside the Google Cloud console. It is not Google Domains (the consumer registrar, now part of Squarespace) and not Google Workspace. The giveaway is your nameservers: Cloud DNS zones use four servers of the form ns-cloud-a1.googledomains.com through ns-cloud-d4.googledomains.com. Confirm:

dig +short NS yourdomain.com

If the answers contain ns-cloud-, follow the steps below. Note the hostname still ends in googledomains.com even though the registrar of that name is gone; the nameserver infrastructure is unrelated.

Step 1: Open the managed zone

  1. In the Google Cloud console, open Network services, then Cloud DNS.
  2. Click the name of the managed zone for your domain.
  3. On the Zone details page, click Add standard to open the Create record set form.

Step 2: Create the record set

In the DNS name field, enter only the subdomain label, or leave it blank for the apex. Do not type @; Cloud DNS would create a literal @ record. Choose TXT as the resource record type, set a TTL, and enter the value. Wrap any value that contains spaces in double quotes so the whole thing is stored as one string.

DMARC

DNS name:  _dmarc
Type:      TXT
TTL:       5 minutes
Value:     "v=DMARC1; p=none; rua=mailto:you@yourdomain.com"

Start at p=none and tighten the policy only once the reports are clean.

SPF

DNS name:  (leave blank for the apex)
Type:      TXT
TTL:       5 minutes
Value:     "v=spf1 include:_spf.yourprovider.com ~all"

One v=spf1 record only. If the apex already has a TXT record set with an SPF string, edit it rather than creating a second.

DKIM (the Add item split)

This is the part that catches people on Cloud DNS. A DNS string cannot exceed 255 characters, and Cloud DNS does not split a long DKIM key for you. Paste the whole key as one value and you get an unhelpful invalid record data error. Instead, break the key into pieces of 255 characters or fewer and add each piece as its own value with the Add item button on the Create record set form:

DNS name:  selector._domainkey
Type:      TXT
TTL:       5 minutes
Value 1:   "v=DKIM1; k=rsa; p=MIIBIjANBgkq...first 255 chars"
Value 2:   "...next chunk of the key"

Each chunk goes in its own quoted item via Add item, not jammed into one field. The pieces concatenate back into the full key at lookup time. Our DKIM verifier confirms the result parses.

MTA-STS pointer

DNS name:  _mta-sts
Type:      TXT
TTL:       5 minutes
Value:     "v=STSv1; id=20260623000000"

Pointer only. The policy file is served over HTTPS at mta-sts.yourdomain.com, which trustyourinbox can host. TLS-RPT (_smtp._tls) is the same shape. When the form is complete, click Create.

Cloud DNS quirks that bite

  • Typing @ for the apex. Leave the DNS name field blank instead.
  • Pasting a whole long DKIM key. Split it into 255-character chunks via Add item, or you get invalid record data.
  • Editing the wrong zone. Records only resolve once your registrar delegates the domain to the four ns-cloud- nameservers shown under Registrar setup. A zone that is not authoritative changes nothing public.
  • Touching the NS or SOA records. Cloud DNS creates those automatically. Leave them alone.

The role you need

To add or edit record sets you need the roles/dns.admin (DNS Administrator) role on the project or zone. There is no dns.editor role, despite what some guides claim; the read-only counterpart is roles/dns.reader. For tighter scoping, a custom role with dns.resourceRecordSets.* plus dns.changes.create works.

Step 3: Verify it published

dig +short TXT _dmarc.yourdomain.com
dig +short TXT yourdomain.com | grep spf1
dig +short TXT selector._domainkey.yourdomain.com

Or paste the hostname into dns.google with type TXT. For a split DKIM key, the resolver stitches the chunks back together, so you should see the full key as one continuous value.
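The DKIM split from the Add item section and the Step 3 check, as an added Python example (not part of this guide and not trustyourinbox's code): it cuts a record into pieces of at most 255 octets, one per Add item, then reassembles a dig-style quoted answer and checks that the result is a parseable DKIM1 key that matches what you meant to publish. The sample key is constructed for the example, not a real key.

```python
import base64
import re

MAX_STRING = 255  # RFC 1035 character-string limit, in octets
# Constructed stand-in for a DKIM public key (NOT a real key): 296 bytes -> 396 base64
# characters, about the size of a real 2048-bit RSA key, so the record needs splitting.
SAMPLE_P = base64.b64encode(bytes(range(256)) + bytes(range(40))).decode("ascii")
SAMPLE_RECORD = "v=DKIM1; k=rsa; p=" + SAMPLE_P

def split_txt(value, limit=MAX_STRING):
    """Cut a TXT value into pieces of at most `limit` octets, one per Add item entry."""
    data = value.encode("ascii")  # DKIM records are ASCII; the limit counts octets, not characters
    return [data[i:i + limit].decode("ascii") for i in range(0, len(data), limit)]

def quote_items(chunks):
    """Render the pieces as the console and dig show them: each in its own double quotes."""
    return " ".join('"%s"' % c for c in chunks)  # DKIM values contain no quotes or backslashes

def join_txt(rdata):
    """Reassemble a multi-string TXT answer the way a DKIM verifier does: concatenate, no separator."""
    return "".join(re.findall(r'"([^"]*)"', rdata))

def parse_dkim(record):
    """Parse tag=value pairs; raise ValueError unless this is a usable DKIM1 key record."""
    tags = {}
    for field in filter(None, (f.strip() for f in record.split(";"))):
        if "=" not in field:
            raise ValueError("malformed tag: %r" % field)
        key, val = field.split("=", 1)
        tags[key.strip()] = "".join(val.split())  # RFC 6376 permits folding whitespace inside p=
    if tags.get("v", "DKIM1") != "DKIM1" or "p" not in tags:  # v= optional, p= required
        raise ValueError("not a DKIM1 key record")
    if tags["p"]:  # an empty p= means the key is revoked, which is still a valid record
        base64.b64decode(tags["p"], validate=True)  # binascii.Error (a ValueError) if truncated
    return tags

def is_valid_dkim(record):
    try:
        parse_dkim(record)
        return True
    except ValueError:
        return False

def check_published(rdata, expected):
    """Compare a dig-style TXT answer with the record you intended to publish."""
    got = join_txt(rdata)
    return is_valid_dkim(got) and got == expected

if __name__ == "__main__":
    print(quote_items(split_txt(SAMPLE_RECORD)))  # what to enter, one quoted item per Add item
```

Feed check_published the quoted strings dig prints for selector._domainkey and the record you pasted; a False with only the first chunk present is the truncated-paste case the guide warns about.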

Tell trustyourinbox to recheck

Each per-domain protocol tab has a Recheck button next to the current record. Click it once the change resolves and we re-run the lookup and refresh the dashboard.

Last verified 2026-06-23 against the official Google Cloud DNS documentation.