How to Set Up SPF, DKIM, and DMARC for Google Workspace (Gmail)

Aymane S. Aymane S.

Setting up SPF, DKIM, and DMARC for Google Workspace is essential for ensuring email security and protecting against phishing attacks. In this tutorial, we’ll walk through the necessary steps to set up these protocols, securing your domain and improv

Filter Emails from unknown senders

Take control of your Inbox

4.7 based on 1,011 user reviews
Get Started for Free
Table of Contents

Prerequisites

Before you start, ensure you have:

  • Google Workspace Super Admin access: Necessary for generating DKIM and configuring email authentication.
  • DNS management access: You need to be able to add TXT records in your domain provider.
  • Verified domain: Your domain should be verified in Google Workspace.

Step-by-Step Instructions

Step 1: Set Up SPF

  1. Log into your DNS provider: Access the DNS management section.
  2. Check for an existing SPF TXT record:
    - If none, create a TXT record:
    • Name: @ (or your domain)
    • Value: v=spf1 include:_spf.google.com ~all
    • If one exists, append include:_spf.google.com before ~all. Ensure only one SPF record exists.

Guide to setting up DKIM, SPF, and DMARC for Google Workspace Gmail with DNS configuration steps.

Step 2: Enable DKIM Signing

  1. Access the Admin Console:
    - Go to Apps > Google Workspace > Gmail > Authenticate email.
  2. Generate a DKIM record:
    - Choose your domain and click Generate New Record. Select 2048-bit key.
  3. Add DKIM to DNS:
    - Copy the DKIM record details (Host: google._domainkey).
    - Add a TXT record to your DNS:
    • Name: google._domainkey
    • Value: Paste the public key.
  4. Authenticate: Once DNS propagates, return to the Admin Console and click Start Authentication.

Step 3: Publish DMARC Policy

  1. Wait for SPF & DKIM: Ensure they are active (recommend 48 hours).
  2. Add DMARC TXT record:
    - Name: _dmarc (or _dmarc.yourdomain.com)
    - Value:
    v=DMARC1; p=none; rua=mailto:reports@yourdomain.com; pct=100; aspf=s; adkim=s
    - Start with p=none for monitoring, gradually changing to quarantine or reject.

Diagram showing steps to set up DMARC policy for Google Workspace Gmail.

Step 4: Testing & Verification

  • DNS Propagation: Allow 24–48 hours.
  • Test Emails: Send test emails to verify SPF, DKIM, and DMARC are passing.
  • Check Headers: Verify dmarc=pass and use online tools to confirm record correctness.

Troubleshooting

  • Duplicate SPF Records: Ensure only one exists. Merge entries if needed.
  • DKIM Issues: Verify DNS entry, wait for propagation, or check for typos.
  • DMARC Reports: Ensure rua email is correct and policy allows time for analysis.

Conclusion

By following these steps, you've successfully configured SPF, DKIM, and DMARC for your Google Workspace to enhance email security. To further optimize your email management, consider checking out KeepKnown, which can help filter and manage your inbox efficiently. For more tips, explore our related guides below.

Frequently Asked Questions

What is SPF, DKIM, and DMARC?
SPF, DKIM, and DMARC are email authentication protocols that prevent unauthorized use of your domain in email spoofing attacks.
Is it necessary to set up all three protocols?
Yes, configuring SPF, DKIM, and DMARC together provides the best defense against email phishing and spoofing.
How long does DNS propagation take?
Typically, DNS propagation can take from a few minutes to 48 hours. Plan accordingly for testing and activation.
What should I do if my emails are still marked as spam?
Check configuration, verify all records are correct, and ensure no third-party services disrupt authentication.