Google Workspace SPF and DKIM setup
The exact records to publish for Google Workspace, the two-step DKIM activation that quietly trips people up, and how to confirm your mail actually aligns.
What you are setting up
Google Workspace sends your mail from Google's servers. Two things have to be true for that mail to survive DMARC at the receiving end: SPF has to authorize Google's servers to send as you, and DKIM has to sign each message with your domain so the signature aligns with the address in the From: header.
Workspace is one of the more forgiving setups: once DKIM is on, Google signs with d=yourdomain.com, so your mail aligns on DKIM automatically. There is exactly one catch, and it is the thing that bites almost everyone: publishing the DKIM record is not the same as turning DKIM on. More on that below.
Publish SPF
Add this TXT record at the root of your domain:
Type: TXT
Host: @ (the root of your domain)
Value: v=spf1 include:_spf.google.com ~all
The ~all at the end is a softfail, and it is what Google recommends, not -all. The include:_spf.google.com mechanism expands to Google's full set of sending IPs, so you never hardcode them.
If you already publish an SPF record, do not add a second one. A domain may have only one SPF record; two is itself a failure. Merge the Google include into your existing record, and keep an eye on the total: SPF allows at most ten DNS lookups, and every include: counts toward it. Our SPF builder merges the include safely, and counting SPF lookups explains the limit.
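The merge and the lookup count described above, as an added example (not code from this page or from Google). The existing record, the vendor names and the ZONE table are constructed so the example runs offline; the body shown under _spf.google.com is a placeholder, not Google's real record.

```python
import re

MAX_LOOKUPS = 10  # SPF limit on DNS-querying terms per evaluation

# Constructed stand-in for DNS so the example runs offline. Every record here
# is made up, including the placeholder body under _spf.google.com.
ZONE = {
    "mail.vendor.example": "v=spf1 include:a.vendor.example include:b.vendor.example -all",
    "a.vendor.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "b.vendor.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "_spf.google.com": "v=spf1 include:netblocks.placeholder.example ~all",
    "netblocks.placeholder.example": "v=spf1 ip4:203.0.113.0/24 ~all",
}


def terms(record):
    """Return the mechanisms and modifiers that follow the v=spf1 tag."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    return parts[1:]


def name_of(term):
    """Mechanism or modifier name without qualifier, target or CIDR suffix."""
    return re.split(r"[:=/]", term.lstrip("+-~?").lower(), maxsplit=1)[0]


def merge_include(record, include="include:_spf.google.com"):
    """Add the include to an existing record instead of publishing a second one."""
    ts = terms(record)
    if include.lower() in (t.lower() for t in ts):
        return record
    # Mechanisms after "all" are never evaluated, so insert ahead of it.
    at = next((i for i, t in enumerate(ts) if name_of(t) in ("all", "redirect")), len(ts))
    ts.insert(at, include)
    return " ".join(["v=spf1"] + ts)


def count_lookups(record, zone, depth=0):
    """Count DNS-querying terms, following include and redirect targets."""
    if depth > MAX_LOOKUPS:
        raise ValueError("include chain too deep (loop?)")
    total = 0
    for term in terms(record):
        name = name_of(term)
        if name in ("a", "mx", "ptr", "exists"):
            total += 1
        elif name in ("include", "redirect"):
            target = re.split(r"[:=]", term, maxsplit=1)[1].lower()
            total += 1 + count_lookups(zone[target], zone, depth + 1)
    return total


existing = "v=spf1 mx include:mail.vendor.example ~all"  # constructed
merged = merge_include(existing)
```

To check a live domain, replace the ZONE lookup with real TXT queries; the counting logic stays the same.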
Turn on DKIM (the two-step part)
DKIM for Workspace lives in the Admin console, not your DNS host. Signed in as a super administrator, go to Apps > Google Workspace > Gmail > Authenticate email and select your domain.
If you only just turned on Gmail for the organization, Google makes you wait 24 to 72 hours before the key is available. Once it is, generate a key (pick 2048-bit if your DNS host supports it; longer keys are stronger). Google hands you a TXT record to publish at the default google selector:
Type: TXT
Host: google._domainkey
Value: v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFA... (long key)
Now the part people miss. At generation time the console shows a warning: do not click Start Authentication yet. Publish the TXT record at your DNS host first, wait for it to resolve, and then return to the console and click Start authentication. Until you click it, the record is in DNS but Google is not actually signing anything.
One more snag with 2048-bit keys: the public key is longer than the 255-character limit for a single TXT string, so it has to be split into multiple quoted strings inside the one record. Some DNS hosts do this for you; others need you to add the quotes by hand. If your host rejects the long value, that is why.
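The splitting a DNS host expects for a long key, as an added example (not from this page or from Google). RECORD is constructed filler with 392 base64 characters in p=, the length of a 2048-bit RSA public key, not a real key; split_txt, join_txt and problems are hypothetical helper names.

```python
import base64
import re

MAX_STRING = 255  # longest single character-string allowed inside a TXT record

# Constructed filler: 294 bytes encode to 392 base64 characters. Not a real key.
FILLER = base64.b64encode(bytes(i % 251 for i in range(294))).decode()
RECORD = "v=DKIM1; k=rsa; p=" + FILLER


def split_txt(value, size=MAX_STRING):
    """Render one TXT value as quoted strings of at most `size` characters."""
    chunks = [value[i:i + size] for i in range(0, len(value), size)]
    return " ".join('"%s"' % c for c in chunks)


def join_txt(rdata):
    """Rebuild the value as a verifier sees it: strings concatenated, no separator."""
    return "".join(re.findall(r'"([^"]*)"', rdata))


def problems(rdata):
    """List what would stop this TXT value from working as a DKIM key record."""
    found = []
    strings = re.findall(r'"([^"]*)"', rdata)
    if not strings:
        found.append("value is not quoted")
    if any(len(s) > MAX_STRING for s in strings):
        found.append("a string exceeds 255 characters")
    joined = "".join(strings)
    tags = dict(t.strip().split("=", 1) for t in joined.split(";") if "=" in t)
    if not tags.get("p"):
        found.append("p= is missing")
    else:
        try:
            base64.b64decode(tags["p"], validate=True)
        except ValueError:
            found.append("p= is not valid base64 after joining")
    return found


split_record = split_txt(RECORD)    # what to paste when the host wants quotes
unsplit_record = '"%s"' % RECORD    # what a strict host rejects
```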
Add DMARC
There is nothing Google-specific here: DMARC is a standard _dmarc TXT record you add at your DNS host, not in the Admin console. Google's own advice is to let SPF and DKIM authenticate for about 48 hours first, then start in monitor-only mode and ramp up:
Type: TXT
Host: _dmarc
Value: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
Build the record with our DMARC builder, then move past p=none to quarantine and reject once your reports are clean.
The Google Workspace gotcha
The single most common Workspace failure is DKIM published but never activated: the google._domainkey TXT record is sitting in DNS, but nobody clicked Start authentication, so Google is not signing. The mail then leans entirely on SPF, which works until the first time a message is forwarded, at which point SPF breaks and the mail fails DMARC. In the Admin console, the status should read that Gmail is authenticating email, not still offering you a Start authentication button.
A related red herring: after you publish the record, the Authenticate email page can keep showing “you must update the DNS records for this domain” for up to 48 hours even when the record is correct. If the TXT resolves when you check it yourself, give it time rather than re-cutting the key.
Confirm it worked
- Send a test and read the headers. Mail yourself, open the original message, and confirm it is DKIM-signed with d=yourdomain.com and that dmarc=pass. Our header analyzer reads it back in plain English.
- Re-check the records. Run a free DMARC audit to confirm the SPF and DKIM records resolve and parse the way Google intended.
- Watch the reports. Over the next day or two, Google Workspace should show up as a passing, aligned source in your DMARC aggregate reports. In trustyourinbox it is labeled as a known sender, so you can tell it apart from anything else sending as you.
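The header check from the first step, as an added example (not this site's header analyzer and not Google's code). Both messages are constructed; the second shows why dmarc=pass alone does not prove DKIM is active, since an SPF-only pass looks the same until the mail is forwarded. The alignment test is a simplification, noted in the code.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: DKIM active, signed with the google selector.
SIGNED = """\
Authentication-Results: mx.receiver.example;
 dkim=pass header.i=@yourdomain.com header.s=google header.b=AbCdEfGh;
 spf=pass (sender IP is 192.0.2.10) smtp.mailfrom=alice@yourdomain.com;
 dmarc=pass (p=NONE) header.from=yourdomain.com
From: Alice <alice@yourdomain.com>
"""
# Constructed sample: record published, Start authentication never clicked.
SPF_ONLY = """\
Authentication-Results: mx.receiver.example;
 spf=pass (sender IP is 192.0.2.10) smtp.mailfrom=alice@yourdomain.com;
 dmarc=pass (p=NONE) header.from=yourdomain.com
From: Alice <alice@yourdomain.com>
"""


def relaxed_match(signing_domain, from_domain):
    """Simplified relaxed alignment: equal, or one is a subdomain of the other.
    Real DMARC compares organizational domains using the Public Suffix List."""
    a, b = signing_domain.lower(), from_domain.lower()
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def check_message(raw):
    msg = message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    verdict = {"from": from_domain, "dkim_aligned": False, "dmarc": None, "spf": None}
    for header in msg.get_all("Authentication-Results", []):
        header = re.sub(r"\([^)]*\)", " ", header)   # drop (comments)
        for clause in header.split(";")[1:]:          # [0] is the authserv-id
            m = re.match(r"\s*(dkim|spf|dmarc)=(\w+)", clause)
            if not m:
                continue
            method, result = m.groups()
            if method == "dkim":
                d = re.search(r"header\.[di]=(\S+)", clause)
                domain = d.group(1).rpartition("@")[2] if d else ""
                if result == "pass" and domain and relaxed_match(domain, from_domain):
                    verdict["dkim_aligned"] = True
            else:
                verdict[method] = result
    # dmarc=pass without aligned DKIM means the mail is leaning on SPF alone.
    verdict["spf_only"] = verdict["dmarc"] == "pass" and not verdict["dkim_aligned"]
    return verdict
```

A message that comes back with spf_only set to True is the published-but-not-activated case: go back to the Admin console and check the Authenticate email page.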
Connect your DNS once and we publish the Google Workspace records above in a single click, with a five-minute window to undo. Then we keep watching this sender in your DMARC reports and tell you the moment Google Workspace mail starts failing, so a typo in a record never quietly costs you the inbox.
Last verified 2026-06-22.