Google Workspace Setup
Setup SPF
The SPF directive for Google Workspace is include:_spf.google.com. A policy containing the Google Workspace SPF directive would look like:
v=spf1 include:_spf.google.com ~all
To verify if you have an existing SPF record, you can use the Domain Check tool:
Domain Check Tool
If you do not have an existing SPF record, you need to create a new one with your DNS provider. Individual instructions can be found on the DNS Providers page. You should try to include all your email senders at once in your initial SPF policy.
- Record Type: TXT
- Host/Name: yourdomain.com
- Value: v=spf1 include:_spf.google.com ~all
- TTL: 3600 seconds (1 hour)
Setup DKIM
Setting up DKIM involves two steps: (1) Getting the public key from Google Workspace Admin. (2) Installing the new DNS record.
First, we need to request a public key from Google Workspace Admin:
- Go to the Google Workspace Gmail Admin page.
- Click on Authenticate Email.
- Follow the on-screen instructions to generate a DKIM key.
- Record Type: TXT
- Host/Name: google._domainkey.yourdomain.com
- Value: generate a unique DKIM key from Google Workspace Gmail Admin. It has this form:
v=DKIM1; k=rsa; p=example_do_not_copy_MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1xr5/Zs0b2DRNf9RdUqJblQU18xWN/mdGRmFKK4yP20i1PTGTGeJK5rkdDN6/ThIgdg7SWgGYbyTlG4jHTrEWWoKJzM8aMnn0CVU+vFT0AyYCG+VJghN2hVnNHmv6mxVre6VO3/ORv1/cc/cwv+uQTXqqRBMcw9vR6ZNU0GM8z0rsM50TwcMUfFCFrrnZSK8I6mqaQCDdlOygAz0hOclxQROLpbK0/azzK+RTY9Crkus4SgRBoRDU2pRusIf95BkpAxCvslUoqF2lXZW/BT6UqlR9stbSe8ZhFVMVX6rd/qcgLTBVAlqM+2NndcYSz2NFxPENb2Ql1KzNJKnTYG7TwIDAQAB
- TTL: 3600 seconds (1 hour)
Setup DMARC
Lastly, we can set up DMARC. Again, verify that you don't already have DMARC set up.
With basic monitoring, you will receive XML reports at the email address specified, which will tell you how email is passing/failing authentication. These are very useful for debugging when email isn't being delivered.
- Record Type: TXT
- Host/Name: _dmarc.yourdomain.com
- Value: v=DMARC1; p=none; rua=mailto:you@yourdomain.com
- TTL: 3600 seconds (1 hour)
Verification
Once everything is set up, you can verify that your SPF/DKIM/DMARC records are in place with the Domain Check tool.
Verify DNS records
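A local sanity check for the three record values described on this page, as an added example that is not part of the original guide or of any Google tool. The function names are hypothetical and the sample records are constructed; in practice the strings come from your DNS provider's console or a TXT lookup.

```python
import base64

def parse_tags(record):
    """Split a 'tag=value; tag=value' DKIM/DMARC record into a dict."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {name.strip(): value.strip() for name, value in pairs}

def check_spf(apex_txt, required="include:_spf.google.com"):
    """apex_txt: every TXT string published at yourdomain.com."""
    spf = [r for r in apex_txt if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:  # more than one SPF record is a permanent error (RFC 7208)
        return [f"expected exactly one v=spf1 record, found {len(spf)}"]
    terms = spf[0].split()
    problems = []
    if required not in terms:
        problems.append(f"missing {required}")
    if terms[-1].lstrip("+-~?") != "all":
        problems.append("record does not end with an 'all' mechanism")
    return problems

def check_dkim(record):
    tags, problems = parse_tags(record), []
    if tags.get("v") != "DKIM1":
        problems.append("v tag is not DKIM1")
    try:  # validate=True rejects characters outside the base64 alphabet
        key = base64.b64decode("".join(tags.get("p", "").split()), validate=True)
    except ValueError:
        key = b""
    if not key:
        problems.append("p tag is empty or not valid base64")
    return problems

def check_dmarc(record):
    tags, problems = parse_tags(record), []
    if not record.strip().startswith("v=DMARC1"):
        problems.append("record does not start with v=DMARC1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        problems.append("p is not none, quarantine or reject")
    if not all(u.strip().startswith("mailto:") for u in tags.get("rua", "").split(",")):
        problems.append("rua has no mailto: address, so no reports will arrive")
    return problems

# Constructed sample: the values from this page plus an unrelated TXT record.
SAMPLE_APEX = ["v=spf1 include:_spf.google.com ~all", "site-verification=constructed"]
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:you@yourdomain.com"
SAMPLE_DKIM = "v=DKIM1; k=rsa; p=" + base64.b64encode(b"constructed key").decode()

if __name__ == "__main__":
    print(check_spf(SAMPLE_APEX), check_dkim(SAMPLE_DKIM), check_dmarc(SAMPLE_DMARC))
```

An empty list means no problem was found. Pasting the page's placeholder key unchanged is reported by check_dkim, because the placeholder prefix contains characters outside the base64 alphabet.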