Guide to set-up SPF, DKIM and DMARC Records for Google Workspace
Setting-up the right records for your Gmail to improve your email deliverability.
Mar 28, 2025
📩 Boost Your Email Deliverability: A Step-by-Step Guide
In this tutorial, we’ll walk you through setting up SPF, DKIM, and DMARC records, essential steps to improve your email deliverability and ensure your outreach campaigns land in inboxes, not spam.
We know this might sound a bit technical, but don’t worry! 😊 We’ve created a clear, step-by-step guide with images, making the process simple and stress-free. The best part? It only takes around 15 minutes to complete.
So, let’s dive in and get everything set up! 🚀
✅ Add an SPF record to my domain for my email
SPF helps prevent your outgoing email from being marked as spam by receiving email servers. Set up SPF by adding an SPF DNS TXT record (SPF record) to your domain.
An SPF record is a line of text that you add to your domain, following your domain provider’s instructions. The line of text uses special syntax and lists all the servers that send email for your domain. Here’s an example SPF record:
v=spf1 include:_spf.google.com ~all
When receiving servers get email messages from your domain, they check the SPF record to verify that the messages came from authorized servers.
Step 1: Figure out what the value of your SPF record is
The value of your SPF record varies, depending on what products you have and where your DNS is hosted:
SPF records always start with the v=spf1 tag.
Use the include: tag in front of each sender domain (or IP address) in your SPF record. An SPF record can have up to 10 include: tags.
The ~all tag tells receiving servers to mark messages as spam if they’re from servers that aren’t listed in the SPF record. Google recommends you use ~all in your SPF record.
Sender | Use this SPF record |
|---|---|
Google Workspace | v=spf1 include:_spf.google.com ~all |
⚠️ Your domain can only have one SPF record. If multiple SPF records are found on your domain or if the SPF record is not added correctly, your email might not be delivered.
Step 2: Add an SPF record to your domain
Sign in to your Domain Host.
Go to the page where you update DNS TXT records for your domain.
Add the TXT record with this information:
Field name
Value to enter
Type
The record type is TXT.
Name, Hostname, or Alias
If the host is the same domain (not subdomain) you are adding the TXT record to, enter the @ symbol.
Otherwise, the value should be example.com (replace example.com with the domain name).
Value
If you send email with Google Workspace only, enter: v=spf1 include:_spf.google.com ~all
TTL
Leave it as Default
Select Save.
Most DNS changes take effect within an hour but could take up to 48 hours to update globally. If you're missing an SPF record, using an incorrect SPF record, or using more than one SPF record, you'll see an alert. (If you have more than 5 domains, you might not see these alerts, so make sure to double check your SPF record.)
✅ Enable and add DKIM to my domain for Google Workspace
Adding DomainKeys Identified Mail (or DKIM) to your DNS settings signs your emails so that anything sent from your organization is trusted by receiving email systems. It's another way to tell your recipients that it's really you sending the messages, and not someone impersonating you. You'll need to create DKIM keys, add the records to your DNS and then enable it.
⚠️ You need admin permissions to create and add DKIM records to your organization.
Step 1: Create your DKIM keys
If you are using Google Workspace, you must be signed in as a super administrator for this task.
Important: In Google Workspace, after you turn on Gmail for your organization, you must wait 24–72 hours before you can get your DKIM key in the Admin console. If you try to generate a key before this time, you might get an error that the DKIM record was not created.
Sign in with an administrator account to the Google Admin console. If you aren’t using an administrator account, you can’t access the Admin console.
Go to Menu Apps > Google Workspace > Gmail.
Click Authenticate email.
In the Selected domain menu, select the domain where you want to set up DKIM.
Click the Generate New Record button.
In the Generate new record box, select your DKIM key settings:
DKIM key bit length options:
2048—If your domain provider supports 2048-bit keys, select this option. Longer keys are more secure than shorter keys. If you previously used a 1024-bit key, you can switch to a 2048-bit key if your domain provider supports them.
1024—If your domain host doesn't support 2048-bit keys, select this option.
Prefix selector options:
The default prefix selector is google. If you are using Google Workspace, this is the recommended option.
If your domain already uses a DKIM key with the prefix google, enter a different prefix in this field. Read more about DKIM selectors.
Click Generate. On the Authenticate email page, the TXT record value is updated and this message appears: DKIM authentication settings updated.
Important: The Authenticate email page in your Google Admin console might continue to display this message for up to 48 hours: You must update the DNS records for this domain. If you've correctly added your DKIM key at your domain provider, you can ignore this message.
Copy the DKIM values shown in the Authenticate email window. You’ll add it at your domain provider in the next step:
DNS Host name (TXT record name)—This text is the name for the DKIM TXT record. You'll add this name to your domain provider's TXT record in the Host field. |
TXT record value—This text is the DKIM key. You'll add this key to your domain provider's TXT record in the TXT Value field. |
Important: Do not click Start Authentication yet. You'll do that later.
Step 2: Add the records to your DNS
Once you have generated your DKIM key pair, add the public DKIM key to your domain by creating a DKIM TXT record.
Sign in to your domain host.
Go to the page where you update DNS TXT records for your domain.
Add the TXT record with this information:
Field name | Value to enter |
Type | The record type is TXT. |
Host (Name, Hostname, Alias) | The string that makes up the TXT record name. For example: google_domainkey (replace domainkey with your DKIM key). |
Value | The string that makes up the TXT record value. It should start with something like: v=DKIM1. |
Save your changes.
After adding a DKIM key, it can take up to 48 hours for DKIM authentication to start working.
Step 3: Enable DKIM
Sign in with an administrator account to the Google Admin console. If you aren’t using an administrator account, you can’t access the Admin console.
Go to Menu Apps > Google Workspace > Gmail.
Click Authenticate email.
In the Selected domain menu, select the domain where you want to turn on DKIM.
Click Start authentication. When DKIM setup is complete and working correctly, the status at the top of the page changes to: Authenticating email with DKIM.
Send an email message to someone who is using Gmail or Google Workspace. (You can't verify DKIM is on by sending yourself a test message.)
Open the message in the recipient's inbox and find the entire message header.
Note: Steps to view the message header differ for different email applications. To show message headers in Gmail, next to Reply, click More, Show original.
In the message header, look for Authentication-Results. Receiving services use different formats for incoming message headers, however the DKIM results should say something like DKIM=pass or DKIM=OK.
✅ Add a DMARC record to my domain for Google Workspace
Domain-based Message Authentication, Reporting and Conformance (DMARC) helps protect your email address from being misused by third parties. It works by verifying your IP address against the owner of your domain, ensuring that an email you send is actually from you.
⚠️ Before you can add DMARC to your domain, you must add SPF and enable DKIM.
Define how suspicious email is handled by DMARC
The value of the DMARC TXT record includes a “p=” parameter. The p stands for “policy.” When an email appears to be from your domain but doesn’t contain the correct information, you can use 1 of 3 policies to define how that email gets handled:
p=none: The receiving email server performs no action against unauthenticated email but instead sends a report to an email listed in the mailto: address on the DMARC record.
p=reject: The receiving email server denies and blocks unauthenticated email.
(Recommended) p=quarantine: The receiving email server quarantines unauthenticated email (for example, sending them to a junk or spam folder instead of an inbox). This is the policy we use in the steps below.
Add a DMARC TXT record to your domain
Important: Make sure you set up DKIM and SPF before setting up DMARC. DKIM and SPF should be authenticating messages for at least 48 hours before turning on DMARC.
Have the text file or line for your DMARC record ready.
Sign in to your domain host, typically where you purchased your domain name.
Go to the page where you update DNS TXT records for your domain.
Add or update the TXT record with this information:
Field name
Value to enter
Type
The record type is TXT.
Host (Name, Hostname, Alias)
This value should be _dmarc.example.com (replace example.com with your domain name).
Value
The string that makes up the TXT record. For example: v=DMARC1; p=none; rua=mailto:postmaster@example.com, mailto:dmarc@example.com; pct=100; adkim=s; aspf=s.
Save your changes.
If you are setting up DMARC for more than one domain, complete these steps for each domain. Each domain can have a different policy and different report options, as defined in the record.
To verify that DMARC is set up for your domain, use one of the many free tools available on the internet. For example MxToolbox
Most DNS changes take effect within an hour but could take up to 48 hours to update globally.
Awesome! 🎉 You've now set up everything you need to start warming up your email accounts and reaching out to your next clients.