| |

SPF, DKIM, and DMARC for Google Workspace: A Complete Setup Guide

SPF, DKIM, and DMARC are not optional extras for Google Workspace — they are how receiving servers decide whether mail from your domain is trustworthy. Get them wrong and even perfect copy lands in spam.

What each record actually does

  • SPF lists which servers may send mail for your domain.
  • DKIM cryptographically signs messages so receivers can detect tampering.
  • DMARC tells receivers what to do when SPF/DKIM fail, and where to send reports.

SPF for Google Workspace

Publish a single TXT record on the root domain. A clean starting point:

v=spf1 include:_spf.google.com ~all

Rules that save you later:

  • Only one SPF record per domain name — merge includes instead of adding a second TXT.
  • Stay under the 10-DNS-lookup limit. Too many third-party includes will fail SPF even when Google is correct.
  • Use ~all while testing, then move to -all once every legitimate sender is listed.

DKIM in Google Admin

  1. Admin Console → Apps → Google Workspace → Gmail → Authenticate email.
  2. Select the domain → Generate new record (2048-bit when available).
  3. Publish the TXT host Google shows (often google._domainkey).
  4. Click Start authentication after DNS propagates.

Rotate keys if a vendor ever had access to your DNS zone or if you inherited a domain with unknown history.

DMARC without breaking mail

Day one monitoring record:

v=DMARC1; p=none; rua=mailto:[email protected]; fo=1

After a week of clean reports:

v=DMARC1; p=quarantine; pct=25; rua=mailto:[email protected]

Then raise pct and move to p=reject when aligned volume is stable.

Alignment: the detail most tutorials skip

DMARC requires the visible From domain to align with SPF or DKIM. If a marketing tool sends as [email protected] but signs as vendor.com without relaxed alignment, DMARC fails. Either:

  • Send from a subdomain the vendor authenticates, or
  • Configure the vendor to DKIM-sign as your domain.

How MailJuke helps

When you connect or register a domain in MailJuke, SPF, DKIM, and DMARC are part of the setup path — so authentication is live with your first inboxes, not a weekend project after the fact.

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *