If your organization uses Google Workspace (formerly G Suite) for email, properly configuring SPF, DKIM, and DMARC is essential to prevent spoofing, improve deliverability, and meet the authentication requirements now enforced by major email providers.
This guide walks through each protocol step by step.
SPF Configuration
SPF tells receiving mail servers which IP addresses are authorized to send email on behalf of your domain. For Google Workspace, you need to add a TXT record to your domain's DNS.
DNS Record:
Type: TXT
Host: @
Value: v=spf1 include:_spf.google.com ~all
If you already have an SPF record with other services, add include:_spf.google.com to your existing record rather than creating a second one. A domain can only have one SPF record.
For example, if you also use Mailchimp:
v=spf1 include:_spf.google.com include:servers.mcsv.net ~all
Note: Google's SPF include typically consumes 3–4 of your 10 allowed DNS lookups due to nested includes. Use the SenderClarity SPF Checker to verify your total lookup count after adding this record.
DKIM Configuration
DKIM adds a cryptographic signature to your outgoing emails, allowing recipients to verify the message hasn't been tampered with and genuinely originated from your domain.
To enable DKIM in Google Workspace:
- Sign in to the Google Admin console (admin.google.com).
- Navigate to Apps → Google Workspace → Gmail → Authenticate email.
- Select your domain.
- Click Generate new record. Google will provide a TXT record value.
- Choose a DKIM key length — 2048-bit is recommended if your DNS provider supports it.
- Add the TXT record to your DNS:
Type: TXT
Host: google._domainkey
Value: v=DKIM1; k=rsa; p=MIIBIjANBgkqh... (your unique key)
- Return to the Admin console and click Start authentication.
It can take up to 48 hours for DNS changes to propagate. Google will show the status as "Authenticating email" once active.
DMARC Configuration
DMARC ties SPF and DKIM together and tells receiving servers what to do when authentication fails. It also enables aggregate reporting so you can monitor who is sending email as your domain.
Start with monitoring mode:
Type: TXT
Host: _dmarc
Value: v=DMARC1; p=none; rua=mailto:your-address@reports.senderclarity.com; fo=1
This collects reports without affecting mail delivery, giving you visibility into all sources sending as your domain.
After reviewing reports and confirming all legitimate senders pass authentication, progressively tighten your policy:
- p=quarantine; pct=25: quarantine 25% of failing messages
- p=quarantine; pct=100: quarantine all failing messages
- p=reject: reject all failing messages (full protection)
Verification
After configuring all three records, verify your setup:
- Check your SPF record.
- Send a test email and inspect the headers for spf=pass, dkim=pass, and dmarc=pass.
- Monitor your DMARC reports in SenderClarity for any unexpected failures.
Common Issues
SPF permerror: If you see a permanent error, you may have exceeded the 10 DNS lookup limit. Google's include alone uses 3–4 lookups. Check your total with the SPF Checker.
DKIM not signing: After enabling DKIM in the Admin console, allow up to 48 hours. If it still shows as inactive, verify the DNS record matches exactly what Google provided, including the selector (google._domainkey).
DMARC reports show SPF failures from Google: Ensure your SPF record includes _spf.google.com (not google.com or gmail.com). Also check that messages are being sent from your domain and not a personal Gmail address.
SPF Lookup Impact
| Include | Estimated Lookups |
|---|---|
| _spf.google.com | 3–4 |
Google's SPF record nests several sub-includes (_netblocks.google.com, _netblocks2.google.com, etc.), which is why a single include consumes multiple lookups. This count can change as Google updates their infrastructure.
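To see how nested includes add up against the 10-lookup limit, the following added example (not part of the original guide and not SenderClarity's checker) counts lookups recursively the way a receiver does and raises on the two permerror conditions described above: a second SPF record and an exhausted lookup budget. The zone data is constructed so the code runs offline; example.com, two-records.example, the IP ranges, and the contents of every record are assumptions, with only the include names taken from this page.

```python
# Constructed TXT data standing in for live DNS so the example runs offline.
# IP ranges are documentation placeholders, not the providers' real ranges.
ZONE = {
    "example.com": ["v=spf1 include:_spf.google.com include:servers.mcsv.net ~all"],
    "_spf.google.com": ["v=spf1 include:_netblocks.google.com "
                        "include:_netblocks2.google.com ~all"],
    "_netblocks.google.com": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_netblocks2.google.com": ["v=spf1 ip6:2001:db8::/32 ~all"],
    "servers.mcsv.net": ["v=spf1 ip4:198.51.100.0/24 ?all"],
    # Misconfiguration the guide warns about: a second SPF record on one name.
    "two-records.example": ["v=spf1 include:_spf.google.com ~all",
                            "v=spf1 include:servers.mcsv.net ~all"],
}
# Terms that cost a DNS lookup during SPF evaluation (RFC 7208, section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
LIMIT = 10


class SPFPermError(Exception):
    """Conditions a receiver reports as spf=permerror."""


def spf_record(domain, zone):
    found = [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]
    if len(found) != 1:
        raise SPFPermError(f"{domain}: expected 1 SPF record, found {len(found)}")
    return found[0]


def count_lookups(domain, zone=ZONE, path=()):
    """Return the DNS lookups needed to evaluate domain's SPF record."""
    if domain in path:
        raise SPFPermError(f"include loop through {domain}")
    total = 0
    for term in spf_record(domain, zone).lower().split()[1:]:
        term = term.lstrip("+-~?").replace("redirect=", "redirect:", 1)
        name, _, target = term.partition(":")
        name = name.split("/")[0]            # "a/24" and "mx/24" carry a CIDR suffix
        if name in LOOKUP_TERMS:
            total += 1
        if name in ("include", "redirect"):  # nested records share the same budget
            total += count_lookups(target, zone, path + (domain,))
    if total > LIMIT:
        raise SPFPermError(f"{domain}: {total} lookups exceeds the limit of {LIMIT}")
    return total


if __name__ == "__main__":
    print("example.com:", count_lookups("example.com"), "of", LIMIT)
```

To run it against a real domain, replace the `ZONE` dictionary with TXT answers fetched by a resolver of your choice; the counting logic stays the same.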