Setting Up Email Authentication for Google Workspace

Complete guide to configuring SPF, DKIM, and DMARC for Google Workspace (Gmail for Business). Step-by-step instructions for optimal deliverability.

Setting Up Email Authentication for Google Workspace

Google Workspace (formerly G Suite) requires proper email authentication for optimal deliverability, especially with Google's 2024 bulk sender requirements. This guide covers SPF, DKIM, and DMARC setup for Google Workspace.

Overview

Google Workspace provides automatic SPF configuration, but you need to:

  1. Verify SPF - Google adds itself automatically, but verify and add other services
  2. Enable DKIM - Must be manually enabled in Admin Console
  3. Configure DMARC - You publish this yourself in DNS

Prerequisites

  • Google Workspace admin access
  • Access to your domain's DNS settings
  • Domain verified in Google Workspace

Step 1: Configure SPF for Google Workspace

Google's Default SPF

Google automatically adds itself to your SPF when you add a domain, but you should verify and potentially add other services.

Check Current SPF Record

  1. Go to Google Admin Console
  2. Navigate to AppsGoogle WorkspaceGmail
  3. Click Authenticate email
  4. Select your domain
  5. View current SPF record

Or check DNS directly:

dig TXT yourdomain.com

Standard Google Workspace SPF Record

v=spf1 include:_spf.google.com -all

Adding Additional Services

If you use other email services alongside Google Workspace:

v=spf1 include:_spf.google.com include:sendgrid.net include:servers.mcsv.net -all

Important: Google's SPF includes multiple IP ranges. Don't try to flatten it manually.

Common Google Workspace SPF Includes

ServiceInclude Statement
Google Workspace (default)include:_spf.google.com
GmailAlready included in above
Google AppsAlready included

DNS Configuration

Add or update TXT record:

FieldValue
TypeTXT
Host/Name@ or leave blank
Valuev=spf1 include:_spf.google.com -all
TTL3600

Step 2: Enable DKIM for Google Workspace

Google Workspace uses TXT records for DKIM (unlike Microsoft's CNAME approach).

Enable DKIM in Admin Console

  1. Go to Google Admin Console

  2. Click Authenticate email

  3. Select your domain

  4. Find DKIM authentication section

  5. Click Generate new record

  6. Google generates DKIM record with selector (usually google)

Add TXT Record to DNS

Google provides a TXT record like:

google._domainkey.yourdomain.com  TXT  "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC..."

DNS Configuration:

FieldValue
TypeTXT
Host/Namegoogle._domainkey
ValueThe complete DKIM record (starts with v=DKIM1; k=rsa; p=...)
TTL3600

Important: Copy the entire value exactly as provided by Google, including v=DKIM1; k=rsa; p= prefix.

Verify DKIM Setup

Method 1: Google Admin Console

  • Return to Authenticate email page
  • Status should show "Authenticating email" or green checkmark
  • May take up to 48 hours to fully activate

Method 2: Send Test Email

  1. Send email from Google Workspace account
  2. Open email → Click three dots → Show original
  3. Look for DKIM-Signature header
  4. Verify d= matches your domain

Method 3: Online Tools

  • Use MailSentinel to check DKIM records
  • Use MXToolbox DKIM checker
  • Use Google's own Postmaster Tools

DKIM Key Length

Google Workspace uses 1024-bit keys by default, which meets Google's requirements. For enhanced security, you can request 2048-bit keys, but 1024-bit is sufficient for compliance.

DKIM Key Rotation

Google automatically rotates DKIM keys periodically:

  • Keys rotate every few months
  • You'll need to update DNS record when rotated
  • Google notifies you in Admin Console
  • Old keys remain valid during transition period

Step 3: Configure DMARC for Google Workspace

Google doesn't configure DMARC automatically - you must do this yourself.

Get Your MailSentinel Report Address

  1. Log in to MailSentinel
  2. Go to SettingsDMARC Configuration
  3. Copy your report address: your-org-id@reports.mailsentinel.io

Create DMARC Record

Starting with monitoring (recommended):

v=DMARC1; p=none; rua=mailto:your-org-id@reports.mailsentinel.io; ruf=mailto:your-org-id@forensic.mailsentinel.io

After monitoring period:

v=DMARC1; p=quarantine; rua=mailto:your-org-id@reports.mailsentinel.io; adkim=r; aspf=r

Full enforcement:

v=DMARC1; p=reject; rua=mailto:your-org-id@reports.mailsentinel.io; ruf=mailto:your-org-id@forensic.mailsentinel.io; adkim=r; aspf=r

Add DMARC Record to DNS

FieldValue
TypeTXT
Host/Name_dmarc
ValueYour DMARC record
TTL3600

Verify DMARC Setup

  1. Use MailSentinel to check DNS
  2. Verify DMARC record is detected
  3. Wait 24-48 hours for first reports
  4. Monitor in MailSentinel dashboard

Google Workspace Specific Considerations

Gmail Routing

  • Gmail routing uses Google's authentication
  • No special configuration needed
  • DMARC applies to all routed emails

Google Groups

  • Google Groups emails use Google Workspace authentication
  • No special SPF/DKIM needed
  • Replies use the sender's authentication

Google Workspace Marketplace Apps

Third-party apps sending email:

  • May need to be added to SPF
  • Check app documentation for SPF includes
  • Configure DKIM if app supports it

External Email Forwarding

If you forward emails externally:

  1. Enable ARC (Authenticated Received Chain)

    • Helps preserve authentication through forwarding
    • Configure in Gmail settings

  2. Update SPF if forwarding to external addresses

    • May need to include forwarding server IPs

Google Workspace + Gmail Personal

If users have both:

  • Workspace emails use Workspace authentication
  • Personal Gmail uses Gmail authentication
  • Separate DMARC policies if needed

Google's 2024 Bulk Sender Requirements

Google enforces strict requirements for bulk senders (5,000+ emails/day to Gmail):

Requirements

  1. SPF and DKIM - Both required (not just one)
  2. DMARC Policy - Must publish DMARC (minimum p=none)
  3. DMARC Alignment - From: domain must align with SPF or DKIM
  4. One-Click Unsubscribe - Required for marketing emails (RFC 8058)
  5. Spam Rate - Keep below 0.3% (monitor in Postmaster Tools)
  6. Valid PTR Records - Reverse DNS must be configured
  7. TLS Encryption - Required for transmission

Compliance Checklist

  • SPF record includes _spf.google.com
  • DKIM enabled and TXT record published
  • DMARC record published (start with p=none)
  • DMARC reports being received
  • SPF alignment verified
  • DKIM alignment verified
  • List-Unsubscribe headers configured
  • Spam complaint rate monitored in Postmaster Tools
  • PTR records configured for sending IPs

Google Postmaster Tools

Set up Google Postmaster Tools to monitor:

  1. Go to https://postmaster.google.com
  2. Add and verify your domain
  3. Monitor key metrics:
    • Spam Rate - Must stay below 0.3%
    • IP Reputation - Track sender reputation
    • Domain Reputation - Overall domain health
    • Delivery Errors - Bounce and error rates

Troubleshooting Google Workspace Issues

Issue 1: SPF Too Permissive

Problem: Using +all or ?all instead of -all

Solution:

  1. Edit DNS TXT record
  2. Change to -all
  3. Verify in Google Admin Console

Issue 2: DKIM Not Signing

Symptoms:

  • No DKIM signature in headers
  • DKIM status shows "Not authenticated"

Solutions:

  1. Verify DKIM is enabled in Admin Console
  2. Check TXT record is published correctly
  3. Wait 24-48 hours for full activation
  4. Verify domain is fully configured in Google Workspace
  5. Check for typos in DNS record

Issue 3: DMARC Failures

Symptoms:

  • DMARC reports show failures
  • Emails going to spam

Common Causes:

  1. SPF alignment issues

    • Envelope sender doesn't match From: domain
    • Check Return-Path header

  2. DKIM alignment issues

    • DKIM signing domain doesn't match From: domain
    • Google signs with your domain, so this is usually fine

  3. Third-party senders

    • Services sending as your domain not in SPF
    • Add missing services to SPF

Issue 4: Multiple SPF Records

Problem: Multiple SPF TXT records exist

Solution:

  1. Find all SPF records: 
    dig TXT yourdomain.com | grep "v=spf1"
  2. Merge into single record
  3. Remove duplicates

Issue 5: DKIM Key Rotation

Symptoms:

  • DKIM validation fails after Google rotates keys
  • Need to update DNS record

Solution:

  1. Check Admin Console for new DKIM record
  2. Update DNS TXT record with new key
  3. Old key remains valid during transition
  4. Wait for DNS propagation

Issue 6: High Spam Rate

Symptoms:

  • Spam rate above 0.3% in Postmaster Tools
  • Emails going to spam folder

Solutions:

  1. Review email content and practices
  2. Ensure double opt-in for subscribers
  3. Make unsubscribe easy and prominent
  4. Remove inactive subscribers
  5. Honor unsubscribe requests immediately
  6. Segment lists for better engagement

Best Practices for Google Workspace

1. Start with Monitoring

Begin with p=none DMARC policy:

  • Monitor for 2-4 weeks
  • Identify all sending sources
  • Fix alignment issues
  • Then move to enforcement

2. Use MailSentinel for Monitoring

  • Set up DMARC reporting to MailSentinel
  • Monitor SPF/DKIM pass rates
  • Get alerts for authentication failures
  • Track progress toward enforcement

3. Monitor Postmaster Tools

Regularly check:

  • Spam complaint rate (target: <0.3%)
  • IP reputation
  • Domain reputation
  • Delivery errors

4. Regular Audits

Review quarterly:

  • SPF record for unused services
  • DKIM signing status
  • DMARC report data
  • Alignment issues
  • Spam rates

5. Document Configuration

Keep records of:

  • SPF includes and why
  • DKIM selector and key rotation dates
  • DMARC policy progression
  • Any custom configurations

6. Test Before Changes

  • Use test subdomain first
  • Send test emails
  • Verify headers
  • Check DMARC reports
  • Then apply to production

Common Google Workspace Configurations

Small Business (Google Workspace Only)

SPF:

v=spf1 include:_spf.google.com -all

DKIM: Enable in Admin Console with google selector

DMARC:

v=DMARC1; p=none; rua=mailto:your-org-id@reports.mailsentinel.io

Enterprise (Google Workspace + Marketing Platform)

SPF:

v=spf1 include:_spf.google.com include:servers.mcsv.net -all

DKIM: Enable Google Workspace DKIM + configure marketing platform DKIM

DMARC:

v=DMARC1; p=quarantine; rua=mailto:your-org-id@reports.mailsentinel.io; adkim=r; aspf=r

Developer (Google Workspace + Transactional Email)

SPF:

v=spf1 include:_spf.google.com include:sendgrid.net include:spf.postmarkapp.com -all

DKIM: Enable Google Workspace DKIM + configure transactional service DKIM

DMARC: Same as above, covers all sending sources

Next Steps

After configuring Google Workspace authentication:

  1. Monitor DMARC Reports - Track authentication status
  2. Set Up Alerts - Get notified of issues
  3. Review SPF Validation - Check lookup count
  4. Set Up Postmaster Tools - Monitor spam rates
  5. Progressive DMARC Enforcement - Move toward p=reject

Additional Resources