Google WorkspaceSPF, DKIM & DMARC Setup
Google Workspace hosts your domain's mailboxes on Gmail. Google and Yahoo both require SPF or DKIM (and DMARC for bulk senders) since February 2024 — a Workspace domain without them will see mail land in spam.
Already set up? Check what your domain publishes right now — SPF, DKIM (google), DMARC, MX, BIMI, and MTA-STS in one scan.
Run a free domain check →1. SPF record
Publish as a TXT record on your root domain. If you also send from other services (e.g. a newsletter tool), add their include before ~all — a domain may only have ONE SPF record.
TXT record
v=spf1 include:_spf.google.com ~all2. DKIM (selector: google)
Admin console → Apps → Google Workspace → Gmail → Authenticate email → Generate new record (choose 2048-bit). Publish the shown TXT record at google._domainkey.yourdomain.com, then click 'Start authentication'.
3. MX records
| Host | Priority |
|---|---|
| smtp.google.com | 1 |
Newer Workspace setups use this single MX record. Older domains may still use the classic five aspmx.l.google.com records — both work; don't mix the two schemes.
Verify with the MX Record Lookup tool.
4. DMARC record
Start with p=none and a rua reporting address to observe traffic for 2–4 weeks, then tighten to p=quarantine and finally p=reject once reports show only legitimate sources.
TXT record at _dmarc.yourdomain.com
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.comGoogle Workspace authentication FAQ
Why is my Google Workspace mail going to spam despite SPF passing?
SPF alone is no longer enough. Gmail's own sender guidelines require aligned DKIM for reliable delivery, and DMARC for anyone sending over ~5,000 messages/day. Enable DKIM in the Admin console and publish at least a p=none DMARC record.
Which DKIM key length should I choose?
2048-bit. Google supports 1024-bit for DNS providers that can't handle long TXT values, but most providers accept split TXT strings, and 2048-bit is the current best practice.
Do I need both the old aspmx.l.google.com MX records and smtp.google.com?
No — use one scheme or the other. New setups should use the single smtp.google.com record with priority 1. Mixing both schemes causes unpredictable routing.
Official documentation: Google Workspace email authentication docs ↗
Verify your setup
DNS Email Diagnostics
SPF, DKIM, DMARC, MX, BIMI & MTA-STS in one check
MX Record Lookup
See exactly which mail servers your domain publishes
BIMI Validator
Show your logo in Gmail & Yahoo once DMARC is enforced
Deliverability Monitoring
Daily checks + email alerts when a record changes or breaks