Google Workspace Email Authentication: SPF, DKIM and DMARC

Learn how to configure Google Workspace email authentication with MX records, SPF, DKIM and DMARC, and avoid common DNS mistakes.

By CheckDomainHealth Editorial Team Reviewed by Dionis Ceban Updated Jun 28, 2026 8 min read Beginner

Introduction

Google Workspace uses DNS records to route inbound email and authenticate outbound email for your domain. MX records route incoming mail to Gmail, while SPF, DKIM and DMARC help receiving mail servers verify that outgoing messages are authorized.

A correct Google Workspace setup usually includes Google MX records, an SPF record that authorizes Google’s sending infrastructure, DKIM signing enabled in Google Admin, and a DMARC policy published at _dmarc.yourdomain.com. If any part is missing or added in the wrong DNS zone, Gmail may still work, but authentication or delivery trust can suffer.

Quick answer

Quick answer

For Google Workspace, configure MX records for Gmail inbound mail, add SPF with include:_spf.google.com if Google sends mail for your domain, generate and publish DKIM from Google Admin, then add a DMARC record starting with p=none for monitoring. Always use the current values shown in Google Admin and your DNS provider.

Google Workspace DNS

A typical Google Workspace email setup uses several DNS records:

MX records

Route inbound email to Gmail.

SPF

Authorizes Google servers to send email for the domain.

DKIM

Lets Google sign outgoing mail with your domain.

DMARC

Tells receivers how to handle messages that fail SPF and DKIM alignment.

MX controls incoming mail routing. SPF, DKIM and DMARC help authenticate outgoing mail.

MX records

MX records tell the internet where to deliver incoming email for your domain. For Google Workspace, the MX records should match Google’s current instructions.

If old hosting, cPanel, Plesk, Zoho, Microsoft 365 or another mail provider’s MX records remain active, incoming mail may route to the wrong place.

Check

Confirm Google Workspace MX routing is correct.

MX records match Google

Use current Google Workspace MX instructions.

Old MX removed

Remove previous provider MX records.

Priorities correct

Use Google’s recommended priority values.

Correct DNS zone

Edit the active nameserver DNS zone.

Test delivery

Confirm test messages arrive in Gmail.

Do not change MX records until Google Workspace mailboxes are ready.

SPF

If Google Workspace sends mail for your domain, SPF should authorize Google’s sending infrastructure.

Common Google Workspace SPF
v=spf1 include:_spf.google.com ~all

If you also send mail from other services, such as a CRM, website form, newsletter platform or billing system, do not create separate SPF records. Merge all legitimate senders into one SPF record.

Combined SPF example
v=spf1 include:_spf.google.com include:mailservice.example ~all

Use only providers that actually send mail for your domain. Too many includes can exceed SPF’s 10 DNS lookup limit.

DKIM

DKIM for Google Workspace is generated and enabled inside Google Admin. Google provides a selector and a TXT value that must be published in your DNS zone.

Typical DKIM hostname format
google._domainkey.example.com

The exact selector and value should come from Google Admin.

  1. 1. Open Google Admin DKIM settings

    Find DKIM authentication for the domain.

  2. 2. Generate a DKIM record

    Create the DKIM key for your domain in Google Admin.

  3. 3. Copy the selector and TXT value

    Use the exact values Google provides.

  4. 4. Add the TXT record at the active DNS provider

    Publish at selector._domainkey.yourdomain.com.

  5. 5. Wait until DNS is visible

    Allow DNS propagation before enabling signing.

  6. 6. Start/enable authentication in Google Admin

    Turn on DKIM signing after DNS is detected.

  7. 7. Send a test message

    Confirm DKIM passes on real outgoing mail.

Do not invent the DKIM key. Use the value generated by Google Admin.

DMARC

After SPF and DKIM are configured, add a DMARC record at _dmarc.example.com.

Monitoring mode starter
v=DMARC1; p=none; rua=mailto:dmarc@example.com

p=none lets you collect reports without asking receivers to quarantine or reject mail. Move to quarantine or reject only after confirming legitimate Google Workspace and third-party senders pass DMARC alignment.

DMARC does not replace SPF or DKIM. It depends on SPF and DKIM results and alignment.

Setup order

  1. Step 1: Confirm active DNS provider

    Check nameservers so you know where DNS records must be added.

  2. Step 2: Set Google MX records

    Route inbound mail to Gmail using Google Workspace instructions.

  3. Step 3: Add SPF

    Authorize Google with include:_spf.google.com and merge any other real sending providers.

  4. Step 4: Enable DKIM

    Generate the DKIM record in Google Admin, publish it in DNS, then enable signing.

  5. Step 5: Add DMARC

    Start with p=none and a reporting address.

  6. Step 6: Test real messages

    Send mail to external providers and inspect SPF, DKIM and DMARC results.

Why this matters

Why this matters

This matters because Google Workspace can receive and send mail even when authentication is incomplete, but missing SPF, DKIM or DMARC can reduce trust and make troubleshooting harder. Proper authentication helps receivers confirm that Google is authorized to send mail for your domain and that messages are aligned with your visible From domain.

Google Workspace authentication is especially important if your domain also uses newsletters, CRMs, billing systems or website forms.

How to check it

Use CheckDomainHealth tools to inspect MX, SPF, DKIM and DMARC records for your domain.

When checking Google Workspace, review

These six checks help confirm email authentication is complete.

MX records

Confirm inbound mail routes to Google Workspace.

SPF

Confirm the SPF record includes include:_spf.google.com if Google sends mail.

DKIM selector

Confirm the Google DKIM selector exists and returns the full public key.

DKIM signing

Confirm Google is signing real outgoing messages.

DMARC

Confirm a DMARC record exists at _dmarc.yourdomain.com.

Third-party senders

Confirm any non-Google senders are also authenticated.

Check Google Workspace DNS

Use SPF, DKIM, DMARC and MX tools to verify your Google Workspace email setup.

Run SPF Check →

Common problems

Old MX records still active

High

Inbound mail may route to an old hosting or mail provider instead of Gmail.

Next step: Replace old MX records with Google Workspace MX records.

SPF record missing Google include

High

Google may send mail for the domain, but SPF does not authorize Google.

Next step: Add include:_spf.google.com to the single SPF record.

Multiple SPF records

High

One SPF record was added for Google and another for a different provider.

Next step: Merge all legitimate senders into one SPF TXT record.

DKIM record not found

High

The Google DKIM selector is missing or published at the wrong hostname.

Next step: Publish the exact DKIM TXT record generated in Google Admin.

DKIM not enabled in Google Admin

Medium

The DNS record exists, but Google has not started signing messages.

Next step: Return to Google Admin and enable/start DKIM authentication.

DMARC missing

Medium

SPF and DKIM may exist, but no DMARC policy is published.

Next step: Add a starter DMARC record with p=none.

Third-party sender fails DMARC

Medium

Google is authenticated, but a CRM, newsletter tool or website form fails SPF/DKIM alignment.

Next step: Configure DKIM/SPF for each third-party sender.

DNS record added at wrong provider

High

Records were added in a DNS zone that is not authoritative for the domain.

Next step: Check active nameservers and edit the live DNS provider.

How to fix it

  1. Step 1: Check active nameservers

    Confirm where DNS is hosted before editing records.

  2. Step 2: Verify MX records

    Use MX Lookup to confirm Gmail is the active inbound mail destination.

  3. Step 3: Fix SPF

    Publish one SPF record that includes Google and any other real sending services.

  4. Step 4: Generate DKIM in Google Admin

    Copy the selector and TXT value from Google Admin and publish it in DNS.

  5. Step 5: Enable DKIM signing

    After DNS is visible, start authentication in Google Admin.

  6. Step 6: Add DMARC monitoring

    Publish a p=none DMARC record and collect reports.

  7. Step 7: Test external delivery

    Send messages to external mailboxes and check message headers for SPF, DKIM and DMARC results.

  8. Step 8: Review third-party senders

    Authenticate newsletters, CRMs, billing platforms, website forms and transactional tools separately.

DNS examples

SPF example
v=spf1 include:_spf.google.com ~all
Combined SPF example
v=spf1 include:_spf.google.com include:mailservice.example ~all
DKIM hostname example
google._domainkey.example.com
DKIM TXT value example
v=DKIM1; k=rsa; p=PUBLIC_KEY_FROM_GOOGLE_ADMIN
DMARC starter example
v=DMARC1; p=none; rua=mailto:dmarc@example.com
Check commands
dig example.com MX
dig example.com TXT
dig google._domainkey.example.com TXT
dig _dmarc.example.com TXT

These examples are illustrative. Use the current MX records and DKIM values shown in Google Admin and Google Workspace documentation.

Other senders

Many domains use Google Workspace for normal mailbox email and other services for newsletters, invoices, CRM messages, support tickets or website forms.

  • Does it need an SPF include?
  • Does it support custom DKIM?
  • Does it align with DMARC?
  • Does it use your domain in the visible From address?
  • Does it appear in DMARC reports?

Do not add a second SPF record for each sender. Merge all legitimate senders into one SPF record.

Frequently asked questions

What SPF record does Google Workspace use?

If Google Workspace sends mail for your domain, the SPF record usually includes include:_spf.google.com. If you use other senders, merge them into the same SPF record.

Do I need DKIM for Google Workspace?

Yes, DKIM is strongly recommended. Generate the DKIM record in Google Admin, publish it in DNS, then enable signing.

Where do I add Google Workspace DKIM?

Add the DKIM TXT record at the selector hostname shown in Google Admin, commonly in the format selector._domainkey.yourdomain.com.

Do I need DMARC for Google Workspace?

Yes, DMARC is recommended after SPF and DKIM are configured. Start with p=none for monitoring.

Can I have multiple SPF records for Google and another provider?

No. Use one SPF record and include all legitimate senders in that record.

Why does DKIM still fail after adding the record?

Common causes include wrong DNS provider, wrong selector, incomplete TXT value, DNS delay or DKIM not enabled in Google Admin.

Does Google Workspace authentication cover newsletters or CRMs?

No. Each third-party sender must be authenticated separately with SPF, DKIM and DMARC alignment where supported.

Use these free tools to verify your configuration after applying changes.

Browse all Email Authentication guides →

Need help applying this fix?

Send us your domain, report link or issue details. CheckDomainHealth will review the request and route it to the right technical team if hands-on support is needed.

Get Help Run Domain Health Check

Was this guide helpful?

Your feedback helps us improve our guides for everyone.