MailerMonk
    01Free tools
    02Backlink agent03How it works04Pricing
    Sign inStart free trial
    PrivacyTerms
    Chapter · SPF for Google Workspace
    Revised 17 Jun 2026
    Guide · SPF · Google Workspace

    How to set up SPF for Google Workspace.

    Google Workspace (formerly G Suite) handles mail for many small and mid-size businesses. The DNS setup is well-documented but the DKIM step requires generating the key inside the Admin console first.

    Afsan Rahmatullah
    Afsan RahmatullahMailerMonk

    SPF (Sender Policy Framework, RFC 7208) authorizes specific servers to send mail for your domain. When you start sending through Google Workspace, you must publish a single SPF record at your domain apex that includes Google Workspace's sending infrastructure — otherwise the messages will fail SPF, your DMARC checks will fail, and your mail will land in spam or be rejected outright.

    If you already publish SPF for another sender (Google Workspace for inbound, a marketing tool, your CRM), do not publish a second record. Merge the new include into the existing record. RFC 7208 §3 forbids multiple SPF records on the same name and receivers MUST return permerror when they see one.

    Publish these DNS records

    Add the following record(s) to your domain's DNS zone. Most registrars (Cloudflare, Route 53, Namecheap, GoDaddy) accept values exactly as shown.

    Record · TXT
    Type
    TXT
    Host
    @
    Value
    v=spf1 include:_spf.google.com ~all
    Why this matters
    • Use `~all` (soft fail) initially. Move to `-all` once you've confirmed in DMARC reports that no legitimate sender is missing.
    • If you also send through a marketing tool, merge its `include:` into this record. Do not publish two TXT records starting with `v=spf1`.

    Where in Google Workspace

    The SPF configuration lives in Admin console → Apps → Google Workspace → Gmail → Authenticate email.

    Verify the records

    Once published, run the SPF Checker on your domain to verify the lookup chain expands cleanly and stays under the 10-DNS-lookup limit.

    From a terminal
    dig +short TXT your-domain.com
    Run the free SPF checker

    Common pitfalls

    Pitfall
    • Generating a new DKIM key in the Admin console rotates the key — old signatures stay valid until they expire, but verify mail still signs cleanly afterwards.
    • If you've migrated from another provider and inherited an SPF record with conflicting includes, Google's authentication check will appear to pass while DMARC still fails alignment. Always check the DMARC report, not just the Admin console green checkmark.

    Frequently asked questions

    What is the correct SPF record for Google Workspace?

    The standard SPF record for Google Workspace is: v=spf1 include:_spf.google.com ~all — published as a TXT record at your domain apex (@). If you also send from other services, merge their include: mechanisms into this record before the ~all. Never publish a second SPF record; multiple v=spf1 records at the same name cause a PermError that fails authentication for all mail from your domain.

    Why is ~all (softfail) recommended instead of -all (hardfail) for Google Workspace?

    Start with ~all because DMARC reports often reveal legitimate mail streams you didn't know about — a CRM, a support tool, a third-party service sending on behalf of your domain. Switching to -all before you've enumerated all legitimate senders can cause their mail to fail SPF. Once DMARC reports show only intended senders, upgrading to -all is appropriate and adds slight protection against envelope spoofing.

    Does Google Workspace require SPF for email to be delivered?

    SPF is not strictly required for delivery, but it is required for DMARC alignment. Google's 2024 bulk sender requirements mandate that domains sending more than 5,000 messages per day to Gmail have a valid DMARC record — and a DMARC record is only useful if SPF and/or DKIM alignment is passing. Without SPF or DKIM, DMARC fails and Google's policy enforcement kicks in.

    Can I use Google Workspace and another email sender with the same SPF record?

    Yes — merge both into a single record. For example, if you also use Mailchimp: v=spf1 include:_spf.google.com include:servers.mcsv.net ~all. Keep the total DNS lookup count under 10 (include: each use one lookup). Check the count with the free SPF checker at mailermonk.com/tools/spf-checker.

    After you publish

    Want to know if it actually keeps working?

    MailerMonk continuously watches your SPF record, aggregate DMARC reports, and inbox placement — and pings you the moment something drifts. Free for the first domain.

    Start free trial

    About the author

    Afsan Rahmatullah
    Afsan Rahmatullah
    MailerMonk

    Building tools that keep cold email out of spam. Writes about deliverability, DMARC, and what actually moves inbox placement.

    Related · Google Workspace

    Other records for Google Workspace