| 4 min read

Google Workspace SPF record setup: the current TXT value

Set up the Google Workspace SPF record correctly, merge it with other senders, avoid duplicate SPF records, and verify SPF before moving DMARC toward enforcement.

ML
Marc Lelu
Google Workspace SPF record setup: the current TXT value

If Google Workspace is the only service that sends mail for your domain, the SPF record is simple:

v=spf1 include:_spf.google.com ~all

That value comes from Google’s current SPF setup documentation. The important part is include:_spf.google.com, which authorizes Google’s mail servers to send for your domain.

The harder part is not copying the Google value. The harder part is making sure it is the only SPF record on the domain and that it also includes every other legitimate sender.

Before you start

You need DNS access for the domain in your From address. For example, if users send as [email protected], update DNS for example.com.

You also need a sender inventory. Google Workspace might be your mailbox provider, but your domain may also send from Stripe, HubSpot, Mailchimp, Zendesk, Salesforce, SendGrid, or an invoicing system. SPF is one record, not one record per vendor.

Run your domain through the DMARCTrust domain checker before editing DNS. If an SPF record already exists, edit it instead of creating a second one.

Step 1: check for an existing SPF record

In your DNS provider, look for TXT records at the root domain, usually shown as @.

If you see a TXT value that starts with v=spf1, that is your SPF record. Keep it and edit the value. Do not add another SPF TXT record.

Two SPF records cause a PermError. Receivers can ignore both records, which is worse than having a record that needs one more include.

Step 2: publish the Google Workspace SPF value

If Google Workspace is your only sender, add or edit this TXT record. Our SPF record generator builds the value for you and counts DNS lookups so you stay under the limit:

Field Value
Type TXT
Host / Name @
Value v=spf1 include:_spf.google.com ~all
TTL Default

Some DNS providers want the host to be blank instead of @. Use the format your DNS provider expects.

Google recommends ~all in its examples. A hard fail (-all) can be reasonable later, but use it only after you know every sender is covered.

Step 3: merge other senders into the same record

If you use more than Google Workspace, add each provider to the same SPF value.

For example, Google Workspace plus Microsoft 365:

v=spf1 include:_spf.google.com include:spf.protection.outlook.com ~all

Google Workspace plus SendGrid:

v=spf1 include:_spf.google.com include:sendgrid.net ~all

Google Workspace plus Zendesk:

v=spf1 include:_spf.google.com include:mail.zendesk.com ~all

Keep the record under SPF’s 10 DNS lookup limit. Google notes that SPF records can have up to 10 include lookups. If you are close to that limit, clean up old services before adding new ones.

Step 4: verify SPF

DNS changes can take time to propagate. Google’s docs say SPF authentication can take up to 48 hours to start working.

Use the DMARCTrust domain checker to confirm:

  • There is exactly one SPF record.
  • The record includes _spf.google.com.
  • The lookup count is below 10.
  • The syntax starts with v=spf1.

Then send a test email from Google Workspace to a Gmail or Outlook mailbox and inspect the authentication results. SPF should pass for mail sent through Google.

Common mistakes

Adding a second SPF record. SPF must be one TXT record. Merge Google into the existing record.

Putting SPF on the wrong host. For normal Google Workspace mail from example.com, publish SPF at @, not _spf, _dmarc, or mail.

Forgetting non-Google senders. Google Workspace does not cover your CRM, helpdesk, marketing platform, or payment provider.

Assuming SPF is enough for DMARC. SPF must align with the visible From domain for DMARC. Forwarding and third-party tools often make DKIM the more reliable path.

What about DKIM and DMARC?

Google says bulk senders need SPF, DKIM, and DMARC. SPF is only the first layer. You should also set up Google Workspace DKIM so Gmail signs mail with your domain.

After SPF and DKIM are working, publish a DMARC record with reporting:

v=DMARC1; p=none; rua=mailto:[email protected];

Use the DMARC generator to create the record and add your DMARCTrust reporting address.

FAQ

What is the SPF record for Google Workspace?

For a domain that sends only with Google Workspace, use v=spf1 include:_spf.google.com ~all.

Should I use gmail.com in my SPF record?

No. For Google Workspace custom domains, use _spf.google.com.

Can I have Google Workspace and SendGrid in the same SPF record?

Yes. Put both includes in one SPF record, for example v=spf1 include:_spf.google.com include:sendgrid.net ~all.

How do I know SPF is working?

Check your domain with DMARCTrust, then inspect a test message’s authentication results. SPF should pass for mail sent through Google Workspace.

Read Next

View all posts
ESPs, subdomains, and the "can't get DKIM to align w/ DMARC" rabbit hole
dmarc-setup ·

ESPs, subdomains, and the "can't get DKIM to align w/ DMARC" rabbit hole

A recurring forum storyline: you set up an ESP, authentication tools say it's fine, yet DMARC alignment is still broken. This usually comes down to how the ESP signs DKIM (d=), whether you're using a custom sending domain, and whether you should isolate with a sending subdomain.

DT
DMARCTrust
5 min read
DMARC, SPF, DKIM... and the thing everyone misses: alignment
dmarc-setup ·

DMARC, SPF, DKIM... and the thing everyone misses: alignment

Forum threads keep repeating the same confusion: "SPF and DKIM pass, so why does DMARC fail?" The missing mental model is DMARC alignment. We explain aspf/adkim, organizational vs strict alignment, and why you likely rely on DKIM alignment more than you think.

DT
DMARCTrust
5 min read

Need expert help with email deliverability?

Hire an email deliverability consultant who has shipped billions of emails. Free assessment, hands-on engagement, written quote before any work starts.