Google Workspace security guide
SPF, DKIM, and DMARC are not optional polish. They are the trust layer for business email.
A strong Google Workspace email setup maps every legitimate sender, publishes one clean SPF policy, activates DKIM signing, and rolls out DMARC without accidentally blocking invoices, website forms, or CRM mail.
SPF, DKIM, and DMARC are email authentication controls. They do not replace good mailbox security, and they do not guarantee that every message lands in the inbox. They help receiving mail systems decide whether a message that claims to come from your domain is allowed, signed, and aligned with your domain policy.
For a small business using Google Workspace, the goal is practical: reduce spoofing risk, improve trust, and avoid breaking legitimate mail from websites, CRMs, invoicing systems, payment reminders, support tools, and marketing platforms.
Authentication sequence
Quick answer
For a Google Workspace-only sender setup, the starting SPF policy often looks like this:
v=spf1 include:_spf.google.com ~allBut do not blindly paste that if your domain also sends from a website, CRM, help desk, billing tool, marketing system, or SMTP relay. SPF is usually one TXT record for the domain, and it should include all legitimate senders. Google's SPF documentation explains the Google include pattern and the need to identify senders first: Set up SPF.
The safe order is:
List Google Workspace and every third-party system that sends from the domain.
Publish one SPF record that covers legitimate senders without duplicate SPF records.
Generate a DKIM key in Google Admin, publish the TXT record, then activate signing.
Start with monitoring, review reports, then move toward stricter policy when ready.
Check headers, reports, sender tools, and business-critical delivery.
Sender inventory
Most SPF and DMARC mistakes happen because the team only thinks about Gmail. A domain can send from many places:
Sender inventory checklist
- Google Workspace Gmail.
- Website contact forms.
- WordPress, Shopify, Webflow, custom backend, or form plugin.
- CRM or sales automation.
- Invoice, accounting, or payment reminder tool.
- Support desk or ticketing system.
- Email marketing platform.
- SMS or OTP platform sending email fallbacks.
- Server alerts, cron jobs, or app notifications.
- Old provider that still sends during migration.
If an approved system sends from @company.com, record its SPF include value, DKIM requirement, bounce address behavior, and whether it supports custom return-path alignment. This is the difference between a real authentication setup and a DNS record copied from a checklist.
Sender inventory worksheet
| Sender | Example | Needed record | Owner |
|---|---|---|---|
| Google Workspace | Employee Gmail | SPF include and DKIM | Workspace admin |
| Website form | Contact page | SPF or SMTP provider DKIM | Web team |
| CRM | Lead follow-up | Vendor SPF/DKIM | Sales ops |
| Billing tool | Invoices | Vendor SPF/DKIM | Accounts |
| Marketing platform | Campaigns | Separate DKIM and DMARC alignment review | Marketing |
Set up SPF
SPF answers a sender authorization question: is this sending server allowed by the domain's SPF policy?
The implementation rules:
- Keep one SPF TXT record for the root domain.
- Include Google Workspace with
include:_spf.google.comwhen Google sends mail for the domain. - Add only legitimate third-party senders.
- Keep
allas the final mechanism. - Avoid duplicate SPF TXT records.
- Avoid adding providers that no longer send mail.
Google's SPF troubleshooting guidance also highlights common checks: record existence, syntax, third-party senders, DNS management, lookup limits, and waiting for DNS fixes to take effect. See Troubleshoot SPF issues.
Set up DKIM
DKIM adds a digital signature to outbound mail. For Google Workspace, the practical flow is:
- Open Google Admin.
- Go to Gmail authentication settings.
- Select the domain.
- Generate a DKIM key.
- Add the provided TXT record at the active DNS host.
- Wait until DNS is visible.
- Return to Google Admin and start authentication.
- Send a test email and inspect headers.
Use Google's current DKIM setup instructions while implementing: Set up DKIM.
DKIM can fail even when the DNS record exists. Common causes include copying the key incorrectly, placing the selector under the wrong host, publishing at the wrong DNS provider, using an old key after regeneration, or sending through a third-party system that does not sign with your domain.
Set up DMARC
DMARC tells receivers how to handle mail that fails authentication and alignment checks. It also enables aggregate reporting when configured with a reporting address.
For small-business Google Workspace rollouts, do not start by rejecting everything. Start with visibility:
v=DMARC1; p=none; rua=mailto:[email protected]Use a real mailbox or reporting tool that someone will review. A DMARC record that sends reports to a mailbox nobody reads is not operational monitoring.
Google recommends setting up SPF and/or DKIM before DMARC and rolling DMARC out gradually. Use Google's current DMARC instructions and recommended rollout guidance while implementing: Set up DMARC and Recommended DMARC rollout.
Start with p=none
Use monitoring to discover legitimate senders that are not yet authenticated or aligned.
Clean up senders
Add missing vendor authentication, stop old systems, and move forms to approved SMTP paths.
Move policy gradually
After reports look clean, move toward quarantine or reject with care and business approval.
Keep it maintained
Recheck DMARC when adding a CRM, marketing tool, support desk, website, or invoice sender.
Troubleshooting and monitoring
Authentication troubleshooting needs evidence. Send test messages to an external mailbox, open the message headers, and look for SPF, DKIM, and DMARC results. Google's DMARC troubleshooting guide specifically points to checking message headers for authentication results: Troubleshoot DMARC issues.
SPF passes but DKIM fails
Google may not be signing yet, DNS may not have propagated, or the message may be sent through a third-party path.
DKIM passes but DMARC fails
Alignment can still fail if the visible From domain does not align with the authenticated domain.
Website form fails authentication
The website may be sending directly from the server. Use an approved SMTP or transactional email provider with proper domain authentication.
DMARC reports are ignored
Reports should feed an owner, tool, or process. Otherwise the business cannot safely move from monitoring to enforcement.
FAQ
Is SPF enough for Google Workspace?
No. SPF is useful, but DKIM and DMARC add signing, alignment checks, and failure policy. Use all three for a professional setup.
Can I have multiple SPF records?
Avoid multiple SPF TXT records for the same domain. Merge legitimate senders into one SPF policy.
When should I move DMARC to quarantine or reject?
Move only after reports show that Google Workspace and all legitimate third-party senders are passing correctly.
Do aliases need separate SPF records?
Normal aliases under the same domain do not need separate SPF. Separate domains or subdomains may need their own authentication records.
What should the handover include?
Include DNS host, SPF record, DKIM selector, DKIM activation date, DMARC policy, report destination, tested senders, and known third-party tools.
