Email Authentication Setup for Google Workspace

Last updated: February 12, 2026

SPF, DMARC, and DKIM Configuration Guide

Overview

Email authentication helps protect your domain from spoofing, phishing, and spam. Three key protocols work together to verify that emails claiming to be from your domain are legitimate:

  • SPF (Sender Policy Framework)

  • DKIM (DomainKeys Identified Mail)

  • DMARC (Domain-based Message Authentication, Reporting, and Conformance)

Setting up all three protocols is essential for optimal email deliverability and security.

SPF (Sender Policy Framework)

What It Does

SPF allows you to specify which mail servers are authorized to send email on behalf of your domain. Recipients can check the SPF record to verify that incoming mail comes from an authorized server.

Purpose

  • Prevents spammers from sending messages with forged "From" addresses from your domain

  • Improves email deliverability by reducing the likelihood your emails are marked as spam

  • Protects your domain reputation

High-Level Setup Steps

  1. Access your domain's DNS settings through your domain registrar or DNS provider

  2. Create or update a TXT record for your domain with Google's SPF information

  3. Add the SPF record: v=spf1 include:_spf.google.com ~all

  4. If you use other email services, include them in the same SPF record

  5. Verify the SPF record is published correctly

Official Documentation

DKIM (DomainKeys Identified Mail)

What It Does

DKIM adds a digital signature to every outgoing message. This signature is verified against a public key published in your DNS records, confirming the message hasn't been altered in transit.

Purpose

  • Verifies that email content hasn't been tampered with during transmission

  • Confirms the email was authorized by the domain owner

  • Improves email deliverability and trustworthiness

  • Works in conjunction with SPF and DMARC for comprehensive email authentication

High-Level Setup Steps

  1. Generate a DKIM key in the Google Admin console

  2. Google will provide a TXT record with your DKIM signature

  3. Add this TXT record to your domain's DNS settings

  4. Turn on DKIM signing in the Google Admin console

  5. Verify DKIM is working by sending a test email

Official Documentation

DMARC (Domain-based Message Authentication, Reporting, and Conformance)

What It Does

DMARC builds on SPF and DKIM by telling receiving mail servers what to do if an email fails SPF or DKIM checks. It also provides reporting so you can monitor authentication results.

Purpose

  • Defines how receivers should handle emails that fail SPF or DKIM validation

  • Provides visibility into who is sending email from your domain

  • Prevents phishing attacks that spoof your domain

  • Generates reports showing authentication results and potential abuse

  • Required for strong email security posture

High-Level Setup Steps

  1. Ensure SPF and DKIM are already set up and working

  2. Create a DMARC policy (start with monitoring mode: p=none)

  3. Add a TXT record to your DNS at _dmarc.yourdomdomain.com

  4. Example starter record: v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com

  5. Monitor DMARC reports to identify legitimate and illegitimate sources

  6. Gradually increase policy enforcement (p=quarantine then p=reject)

Official Documentation

Implementation Best Practices

Recommended Order

  1. Start with SPF - Quick to implement and provides immediate benefit

  2. Enable DKIM - Adds message integrity verification

  3. Implement DMARC - Ties everything together and provides visibility

DMARC Policy Progression

  • Phase 1: p=none (monitoring only - generates reports without affecting delivery)

  • Phase 2: p=quarantine (sends suspicious emails to spam/junk folders)

  • Phase 3: p=reject (blocks emails that fail authentication)

Important Notes

  • DNS changes can take up to 48 hours to propagate fully

  • Always test authentication after making changes

  • Monitor DMARC reports regularly, especially when first implementing

  • Keep only one SPF record per domain

  • DKIM keys should be rotated periodically for security

Additional Resources

Google Workspace Email Security

Testing Tools

Quick Reference

Protocol

DNS Record Type

Priority

Purpose

SPF

TXT

High

Authorizes mail servers

DKIM

TXT

High

Signs message content

DMARC

TXT

Critical

Sets policy and reporting

All three protocols must be implemented for complete email authentication.