Google Workspace Email Authentication: SPF, DKIM and DMARC
Learn how to configure Google Workspace email authentication with MX records, SPF, DKIM and DMARC, and avoid common DNS mistakes.
Introduction
Google Workspace uses DNS records to route inbound email and authenticate outbound email for your domain. MX records route incoming mail to Gmail, while SPF, DKIM and DMARC help receiving mail servers verify that outgoing messages are authorized.
A correct Google Workspace setup usually includes Google MX records, an SPF record that authorizes Google’s sending infrastructure, DKIM signing enabled in Google Admin, and a DMARC policy published at _dmarc.yourdomain.com. If any part is missing or added in the wrong DNS zone, Gmail may still work, but authentication or delivery trust can suffer.
Quick answer
For Google Workspace, configure MX records for Gmail inbound mail, add SPF with include:_spf.google.com if Google sends mail for your domain, generate and publish DKIM from Google Admin, then add a DMARC record starting with p=none for monitoring. Always use the current values shown in Google Admin and your DNS provider.
Google Workspace DNS
A typical Google Workspace email setup uses several DNS records:
MX records
Route inbound email to Gmail.
SPF
Authorizes Google servers to send email for the domain.
DKIM
Lets Google sign outgoing mail with your domain.
DMARC
Tells receivers how to handle messages that fail SPF and DKIM alignment.
MX controls incoming mail routing. SPF, DKIM and DMARC help authenticate outgoing mail.
MX records
MX records tell the internet where to deliver incoming email for your domain. For Google Workspace, the MX records should match Google’s current instructions.
If old hosting, cPanel, Plesk, Zoho, Microsoft 365 or another mail provider’s MX records remain active, incoming mail may route to the wrong place.
Check
Confirm Google Workspace MX routing is correct.
MX records match Google
Use current Google Workspace MX instructions.
Old MX removed
Remove previous provider MX records.
Priorities correct
Use Google’s recommended priority values.
Correct DNS zone
Edit the active nameserver DNS zone.
Test delivery
Confirm test messages arrive in Gmail.
Do not change MX records until Google Workspace mailboxes are ready.
SPF
If Google Workspace sends mail for your domain, SPF should authorize Google’s sending infrastructure.
v=spf1 include:_spf.google.com ~all
If you also send mail from other services, such as a CRM, website form, newsletter platform or billing system, do not create separate SPF records. Merge all legitimate senders into one SPF record.
v=spf1 include:_spf.google.com include:mailservice.example ~all
Use only providers that actually send mail for your domain. Too many includes can exceed SPF’s 10 DNS lookup limit.
DKIM
DKIM for Google Workspace is generated and enabled inside Google Admin. Google provides a selector and a TXT value that must be published in your DNS zone.
google._domainkey.example.com
The exact selector and value should come from Google Admin.
-
1. Open Google Admin DKIM settings
Find DKIM authentication for the domain.
-
2. Generate a DKIM record
Create the DKIM key for your domain in Google Admin.
-
3. Copy the selector and TXT value
Use the exact values Google provides.
-
4. Add the TXT record at the active DNS provider
Publish at selector._domainkey.yourdomain.com.
-
5. Wait until DNS is visible
Allow DNS propagation before enabling signing.
-
6. Start/enable authentication in Google Admin
Turn on DKIM signing after DNS is detected.
-
7. Send a test message
Confirm DKIM passes on real outgoing mail.
Do not invent the DKIM key. Use the value generated by Google Admin.
DMARC
After SPF and DKIM are configured, add a DMARC record at _dmarc.example.com.
v=DMARC1; p=none; rua=mailto:dmarc@example.com
p=none lets you collect reports without asking receivers to quarantine or reject mail. Move to quarantine or reject only after confirming legitimate Google Workspace and third-party senders pass DMARC alignment.
DMARC does not replace SPF or DKIM. It depends on SPF and DKIM results and alignment.
Setup order
-
Step 1: Confirm active DNS provider
Check nameservers so you know where DNS records must be added.
-
Step 2: Set Google MX records
Route inbound mail to Gmail using Google Workspace instructions.
-
Step 3: Add SPF
Authorize Google with include:_spf.google.com and merge any other real sending providers.
-
Step 4: Enable DKIM
Generate the DKIM record in Google Admin, publish it in DNS, then enable signing.
-
Step 5: Add DMARC
Start with p=none and a reporting address.
-
Step 6: Test real messages
Send mail to external providers and inspect SPF, DKIM and DMARC results.
Why this matters
This matters because Google Workspace can receive and send mail even when authentication is incomplete, but missing SPF, DKIM or DMARC can reduce trust and make troubleshooting harder. Proper authentication helps receivers confirm that Google is authorized to send mail for your domain and that messages are aligned with your visible From domain.
Google Workspace authentication is especially important if your domain also uses newsletters, CRMs, billing systems or website forms.
How to check it
Use CheckDomainHealth tools to inspect MX, SPF, DKIM and DMARC records for your domain.
When checking Google Workspace, review
These six checks help confirm email authentication is complete.
MX records
Confirm inbound mail routes to Google Workspace.
SPF
Confirm the SPF record includes include:_spf.google.com if Google sends mail.
DKIM selector
Confirm the Google DKIM selector exists and returns the full public key.
DKIM signing
Confirm Google is signing real outgoing messages.
DMARC
Confirm a DMARC record exists at _dmarc.yourdomain.com.
Third-party senders
Confirm any non-Google senders are also authenticated.
Check Google Workspace DNS
Use SPF, DKIM, DMARC and MX tools to verify your Google Workspace email setup.
Common problems
Old MX records still active
HighInbound mail may route to an old hosting or mail provider instead of Gmail.
Next step: Replace old MX records with Google Workspace MX records.
SPF record missing Google include
HighGoogle may send mail for the domain, but SPF does not authorize Google.
Next step: Add include:_spf.google.com to the single SPF record.
Multiple SPF records
HighOne SPF record was added for Google and another for a different provider.
Next step: Merge all legitimate senders into one SPF TXT record.
DKIM record not found
HighThe Google DKIM selector is missing or published at the wrong hostname.
Next step: Publish the exact DKIM TXT record generated in Google Admin.
DKIM not enabled in Google Admin
MediumThe DNS record exists, but Google has not started signing messages.
Next step: Return to Google Admin and enable/start DKIM authentication.
DMARC missing
MediumSPF and DKIM may exist, but no DMARC policy is published.
Next step: Add a starter DMARC record with p=none.
Third-party sender fails DMARC
MediumGoogle is authenticated, but a CRM, newsletter tool or website form fails SPF/DKIM alignment.
Next step: Configure DKIM/SPF for each third-party sender.
DNS record added at wrong provider
HighRecords were added in a DNS zone that is not authoritative for the domain.
Next step: Check active nameservers and edit the live DNS provider.
How to fix it
-
Step 1: Check active nameservers
Confirm where DNS is hosted before editing records.
-
Step 2: Verify MX records
Use MX Lookup to confirm Gmail is the active inbound mail destination.
-
Step 3: Fix SPF
Publish one SPF record that includes Google and any other real sending services.
-
Step 4: Generate DKIM in Google Admin
Copy the selector and TXT value from Google Admin and publish it in DNS.
-
Step 5: Enable DKIM signing
After DNS is visible, start authentication in Google Admin.
-
Step 6: Add DMARC monitoring
Publish a p=none DMARC record and collect reports.
-
Step 7: Test external delivery
Send messages to external mailboxes and check message headers for SPF, DKIM and DMARC results.
-
Step 8: Review third-party senders
Authenticate newsletters, CRMs, billing platforms, website forms and transactional tools separately.
DNS examples
v=spf1 include:_spf.google.com ~all
v=spf1 include:_spf.google.com include:mailservice.example ~all
google._domainkey.example.com
v=DKIM1; k=rsa; p=PUBLIC_KEY_FROM_GOOGLE_ADMIN
v=DMARC1; p=none; rua=mailto:dmarc@example.com
dig example.com MX
dig example.com TXT
dig google._domainkey.example.com TXT
dig _dmarc.example.com TXT
These examples are illustrative. Use the current MX records and DKIM values shown in Google Admin and Google Workspace documentation.
Other senders
Many domains use Google Workspace for normal mailbox email and other services for newsletters, invoices, CRM messages, support tickets or website forms.
- Does it need an SPF include?
- Does it support custom DKIM?
- Does it align with DMARC?
- Does it use your domain in the visible From address?
- Does it appear in DMARC reports?
Do not add a second SPF record for each sender. Merge all legitimate senders into one SPF record.
Frequently asked questions
What SPF record does Google Workspace use?
If Google Workspace sends mail for your domain, the SPF record usually includes include:_spf.google.com. If you use other senders, merge them into the same SPF record.
Do I need DKIM for Google Workspace?
Yes, DKIM is strongly recommended. Generate the DKIM record in Google Admin, publish it in DNS, then enable signing.
Where do I add Google Workspace DKIM?
Add the DKIM TXT record at the selector hostname shown in Google Admin, commonly in the format selector._domainkey.yourdomain.com.
Do I need DMARC for Google Workspace?
Yes, DMARC is recommended after SPF and DKIM are configured. Start with p=none for monitoring.
Can I have multiple SPF records for Google and another provider?
No. Use one SPF record and include all legitimate senders in that record.
Why does DKIM still fail after adding the record?
Common causes include wrong DNS provider, wrong selector, incomplete TXT value, DNS delay or DKIM not enabled in Google Admin.
Does Google Workspace authentication cover newsletters or CRMs?
No. Each third-party sender must be authenticated separately with SPF, DKIM and DMARC alignment where supported.
Related tools
Use these free tools to verify your configuration after applying changes.
Related guides
Browse all Email Authentication guides →Need help applying this fix?
Send us your domain, report link or issue details. CheckDomainHealth will review the request and route it to the right technical team if hands-on support is needed.
Was this guide helpful?
Your feedback helps us improve our guides for everyone.
Thanks for your feedback!