Google Workspace Setup

Setup SPF

The SPF directive for Google Workspace is include:_spf.google.com. A policy containing Google Workspace SPF directive would look like:

v=spf1 include:_spf.google.com ~all

To verify if you have an existing SPF record, you can use the Domain Check tool:
Domain Check Tool
If you do not have an existing SPF record, you need to create a new one with your DNS provider. Individual instructions can be found on the DNS Providerspage. You should try to include all your email senders at once into your initial SPF policy.
Record Type
TXT
Host/Name
yourdomain.com
Value

v=spf1 include:_spf.google.com ~all

TTL
3600 seconds (1 hour)

Setup DKIM

Setting up DKIM involves two steps: (1) Getting the public key from Google Workspace Admin. (2) Installing the new DNS record.
First we need to request a public key from Google Workspace Admin
Record Type
TXT
Host/Name
google._domainkey.yourdomain.com
Value
Generate unique DKIM from Google Workspace Gmail Admin.

v=DKIM1; k=rsa; p=example_do_not_copy_MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1xr5/Zs0b2DRNf9RdUqJblQU18xWN/mdGRmFKK4yP20i1PTGTGeJK5rkdDN6/ThIgdg7SWgGYbyTlG4jHTrEWWoKJzM8aMnn0CVU+vFT0AyYCG+VJghN2hVnNHmv6mxVre6VO3/ORv1/cc/cwv+uQTXqqRBMcw9vR6ZNU0GM8z0rsM50TwcMUfFCFrrnZSK8I6mqaQCDdlOygAz0hOclxQROLpbK0/azzK+RTY9Crkus4SgRBoRDU2pRusIf95BkpAxCvslUoqF2lXZW/BT6UqlR9stbSe8ZhFVMVX6rd/qcgLTBVAlqM+2NndcYSz2NFxPENb2Ql1KzNJKnTYG7TwIDAQAB

TTL
3600 seconds (1 hour)

Setup DMARC

Lastly we can setup DMARC. Again, verify you don't already have DMARC setup.
With basic monitoring, you will receive XML reports to the email address specified which will tell you how email is passing/failing authentication. These are very useful for debugging when email isn't being delivered.
Record Type
TXT
Host/Name
_dmarc.yourdomain.com
Value

v=DMARC1; p=none; rua=mailto:you@yourdomain.com

TTL
3600 seconds (1 hour)

Verification

Once setup, you can verify your SPF/DKIM/DMARC records are setup with the domain check tool.
Verify DNS records

Reference