
How to Set Up SPF, DKIM, and DMARC for Google Workspace (2026 Guide)

By Steve · Google Workspace Consultant · 8 min read

If your business runs on Google Workspace and you haven't configured SPF, DKIM, and DMARC, your emails are vulnerable. Bad actors can spoof your domain, send phishing emails that look like they came from you, and damage your sender reputation — all without ever touching your account. This guide walks you through exactly how to fix that.

What Are SPF, DKIM, and DMARC?

Think of these three protocols as a three-layer lock on your business email. Each one does something different, but together they make it nearly impossible for anyone to impersonate your domain.

Real-world impact: Without DMARC, anyone can send emails from your domain to your clients. They won't know it's fake. This is one of the most common ways small businesses lose client trust overnight.

Step 1: Set Up SPF

Log in to your domain registrar (GoDaddy, Cloudflare, Namecheap, etc.) and add this TXT record:

// DNS TXT Record
Name: @
Value: v=spf1 include:_spf.google.com ~all
TTL: 3600

The ~all means "soft fail": unauthorized senders get flagged but not outright rejected. Once you have verified that your legitimate mail passes SPF, switch to -all for strict enforcement.

⚠️ You can only have one SPF record per domain. If you use Mailchimp, HubSpot, etc., combine them all into one record.

Step 2: Enable DKIM in Google Workspace

  1. Log in to admin.google.com
  2. Go to Apps → Google Workspace → Gmail → Authenticate email
  3. Select your domain and click Generate new record
  4. Copy the TXT record (it starts with "v=DKIM1")
  5. Add that TXT record in your DNS provider
  6. Wait 24–48 hours, then return and click Start authentication

Step 3: Add a DMARC Policy

Start with a monitor-only policy so you can observe before enforcing:

// DNS TXT Record
Name: _dmarc
Value: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
TTL: 3600

After 2–4 weeks of reviewing reports, escalate your policy:

p=none (Monitor): Collect data only
p=quarantine (Quarantine): Suspicious mail → spam
p=reject (Reject): Block unauthorized email
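
An offline check for the records from Step 1 and Step 3, added here as an example and not part of the original guide: it parses TXT values and reports the conditions the guide warns about (more than one SPF record, ~all still in place, DMARC still at p=none). The function names and the second sender mail.example.net are assumptions, and the record strings are constructed samples.

```python
# Added example: offline audit of the SPF and DMARC TXT values from this guide.
# Record strings are constructed samples, not live DNS answers.

def audit_spf(apex_txt_records):
    """Check the TXT records published at the domain apex (Name: @)."""
    spf = [r for r in apex_txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no SPF record found"]
    if len(spf) > 1:
        # RFC 7208 section 4.5: more than one SPF record is a permanent error.
        return ["%d SPF records: merge them into one" % len(spf)]
    terms = [t.lower() for t in spf[0].split()[1:]]
    findings = []
    if "include:_spf.google.com" not in terms:
        findings.append("Google Workspace include is missing")
    all_terms = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism at the end of the record")
    elif all_terms[0] == "~all":
        findings.append("~all: soft fail, switch to -all once verified")
    elif all_terms[0] != "-all":
        findings.append("%s does not fail unauthorized senders" % all_terms[0])
    return findings

def audit_dmarc(dmarc_txt):
    """Check the TXT value published at _dmarc.<domain>."""
    tags = {}
    for part in dmarc_txt.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    if next(iter(tags.items()), None) != ("v", "DMARC1"):
        return ["not a DMARC record: v=DMARC1 must come first"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= tag")
    elif policy == "none":
        findings.append("p=none: monitor only, nothing is blocked yet")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not sent")
    return findings

if __name__ == "__main__":
    guide_spf = "v=spf1 include:_spf.google.com ~all"      # value from Step 1
    second_spf = "v=spf1 include:mail.example.net ~all"    # constructed extra record
    print(audit_spf([guide_spf]))
    print(audit_spf([guide_spf, second_spf]))
    print(audit_dmarc("v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com"))
```

An empty list means none of these conditions were found. It does not confirm that DKIM is signing or that mail is being delivered.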

Common Mistakes to Avoid

Not Sure If Your Setup Is Correct?

A misconfigured record can silently break email deliverability for weeks. Book a free consult and I'll audit your full Google Workspace email security — at no charge.
