How I Set Up SPF DKIM and DMARC in Google Workspace

If I want Gmail to trust mail from my domain, I don’t start with filters or warm-up tools. I start with SPF, DKIM, and DMARC for Google Workspace. Those three records tell receiving servers, “this message really came from me.”

The short version is simple: I add one SPF TXT record at my DNS host, generate a DKIM key in Google Admin and publish it in DNS, then add a DMARC policy after SPF and DKIM work. In 2026, that’s basic mail hygiene, and for bulk sending to Gmail, it’s expected.

Table of contents

  • Before I touched DNS
  • My Google Workspace SPF DKIM DMARC records
  • How I verified the setup and fixed common errors
  • FAQ
  • My final take

Before I touched DNS

DNS feels like the fuse box in an old house. Flip the wrong switch, and one room stays bright while the rest goes dark. So before I changed anything, I checked two things.

First, I confirmed where my DNS is hosted, usually Cloudflare, GoDaddy, Squarespace, or another registrar. That’s where SPF, DKIM, and DMARC live. Google Admin helps me create DKIM, but the actual TXT records go in my DNS panel.

Second, I listed every service that sends mail from my domain. If I send invoices from Gmail, but Mailchimp, HubSpot, or a help desk also sends mail, SPF has to account for them too. I cross-check that plan against Google’s authentication overview, because it explains the basics and current sender rules clearly.

If I send 5,000 or more messages a day to Gmail, I also need DMARC at p=none or stricter. That’s no longer something I put off.

My Google Workspace SPF DKIM DMARC records

I set everything up in this order: SPF, DKIM, then DMARC. Here are the example records I use as a template. I always confirm the final values inside Google Admin and my DNS host before saving anything.

Record | Host / Name | Type | Example value
SPF | @ | TXT | v=spf1 include:_spf.google.com ~all
DKIM | google._domainkey | TXT | v=DKIM1; k=rsa; p=PASTE_PUBLIC_KEY_FROM_GOOGLE_ADMIN
DMARC | _dmarc | TXT | v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; adkim=s; aspf=s; pct=100

The big takeaway is simple: SPF and DMARC can look copy-ready, but DKIM must use the exact selector and public key Google gives me. Google often uses google as the selector, but I use whatever appears in the Admin console.

For SPF, I add a TXT record at the root of the domain. Some DNS hosts use @, while others want the field blank. If Google Workspace is my only sender, v=spf1 include:_spf.google.com ~all is enough.

Never publish two SPF TXT records on the same hostname. SPF only allows one record, so I merge all senders into one line.

For DKIM, I go to Apps > Google Workspace > Gmail > Authenticate email in the Admin console. Then I choose my domain, generate a new 2048-bit key, copy the TXT record, and add it in DNS. After the record is visible publicly, I go back to Admin and click Start authentication. If I miss that last click, Google won’t sign outgoing mail.

For DMARC, I add a TXT record at _dmarc. I start with p=none, because that lets me watch reports before moving to quarantine or reject. Google’s DMARC setup guide helps here, especially for tags like rua, adkim, and aspf. I also make sure the reporting mailbox exists.

Most DNS changes appear fast, but I still allow 1 to 48 hours for propagation. In practice, I recheck after 15 minutes, then give it a full day before I assume something broke.

How I verified the setup and fixed common errors

Once the records were live, I tested from three places. First, I sent a message from Gmail to a personal inbox and used “Show original.” I wanted SPF, DKIM, and DMARC to pass. Next, I checked Google Admin for DKIM status. If I send volume, I also watch Google Postmaster Tools. Then I ran the domain through free SPF, DKIM, and DMARC checkers to catch syntax errors and DNS lookup problems.

A few problems show up again and again. Duplicate SPF records are the classic one. I fix that by merging Google and every other sender into one record. Multiple email senders also cause trouble when I forget one platform. If a tool sends as my domain, it needs SPF coverage or its own authenticated custom domain.
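As an added example (not part of the original post), this Python code performs the merge described above: it finds duplicate SPF records at one hostname, folds them into a single line ending in ~all, and counts the merged record's own lookup terms. The TXT values are constructed, and spf.mailer.example is a hypothetical second sender.

```python
# Added example. SAMPLE_TXT is constructed; spf.mailer.example is a
# hypothetical third-party sender, not a real include target.
SAMPLE_TXT = [
    "v=spf1 include:_spf.google.com ~all",
    "v=spf1 include:spf.mailer.example ~all",
    "google-site-verification=CONSTRUCTED-VALUE",
]

def spf_records(txt_values):
    """Return the TXT strings at a hostname that are SPF records."""
    return [t for t in txt_values if t.strip().lower().split()[:1] == ["v=spf1"]]

def merge_spf(txt_values, final="~all"):
    """Fold every SPF record into one line, de-duplicating mechanisms.

    Each record's own 'all' term is dropped and a single `final` term is
    appended, so the merged record ends exactly once.
    """
    terms = []
    for record in spf_records(txt_values):
        for term in record.split()[1:]:
            if term.lstrip("+-~?").lower() == "all":
                continue
            if term not in terms:
                terms.append(term)
    return " ".join(["v=spf1", *terms, final])

def lookup_count(record):
    """Count this record's own terms that cost a DNS lookup.

    RFC 7208 caps the total at 10, and lookups inside included records
    count too; those are not resolved here because the example is offline.
    """
    count = 0
    for term in record.split()[1:]:
        name = term.lstrip("+-~?").lower()
        if name.startswith(("include:", "exists:", "redirect=", "ptr")):
            count += 1
        elif name in ("a", "mx") or name.startswith(("a:", "a/", "mx:", "mx/")):
            count += 1
    return count

def audit(txt_values):
    """Summarize what is wrong at the hostname and what to publish instead."""
    found = spf_records(txt_values)
    merged = merge_spf(txt_values)
    return {"spf_record_count": len(found), "duplicate": len(found) > 1,
            "publish": merged, "lookups": lookup_count(merged)}

if __name__ == "__main__":
    print(audit(SAMPLE_TXT))
```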

DKIM not authenticating usually means the record hasn’t propagated, the selector is wrong, the public key was broken when pasted, or I forgot to start authentication in Google Admin.

DMARC alignment issues are more subtle. SPF can pass, yet DMARC still fails if the return-path domain doesn’t align with the visible From address. DKIM can fail alignment too if a third-party tool signs with its own domain. I fix that by setting a custom return-path or custom DKIM domain in the sending platform.
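The alignment logic above, as an added Python example that is not from the original post. It evaluates three constructed messages against the example DMARC record from the table; mailer.example is a hypothetical third-party platform, and org_domain is a simplifying assumption (real evaluators use the Public Suffix List).

```python
# Added example. Messages are constructed; mailer.example is a hypothetical
# third-party platform. The record is the page's example DMARC value.
PAGE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; adkim=s; aspf=s; pct=100"

def parse_tags(record):
    """Split a DMARC record into a tag dictionary."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def org_domain(domain):
    """Last two labels. Assumption for this example only; real evaluators
    use the Public Suffix List to find the organizational domain."""
    return ".".join(domain.split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    a = from_domain.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)

def evaluate(record, from_domain, spf, dkim):
    """spf is (passed, return_path_domain); dkim is a list of (passed, d=)."""
    tags = parse_tags(record)
    aspf, adkim = tags.get("aspf", "r"), tags.get("adkim", "r")
    spf_ok = spf[0] and aligned(from_domain, spf[1], aspf)
    dkim_ok = any(ok and aligned(from_domain, d, adkim) for ok, d in dkim)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if spf_ok or dkim_ok else "fail"}

# Constructed cases: (label, From domain, SPF result, DKIM signatures)
CASES = [
    ("workspace", "yourdomain.com",
     (True, "yourdomain.com"), [(True, "yourdomain.com")]),
    ("third-party default", "yourdomain.com",
     (True, "bounce.mailer.example"), [(True, "mailer.example")]),
    ("third-party custom", "yourdomain.com",
     (True, "bounce.yourdomain.com"), [(True, "yourdomain.com")]),
]

if __name__ == "__main__":
    for label, from_domain, spf, dkim in CASES:
        print(label, evaluate(PAGE_DMARC, from_domain, spf, dkim))
```

With aspf=s from the example record, a custom return-path on a subdomain still does not align for SPF, so in the third case the custom DKIM domain is what carries DMARC.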

DNS syntax mistakes are the quiet troublemakers. I watch for smart quotes, missing semicolons, stray spaces, and TXT records split badly by the DNS host. If inbox placement still looks weak after authentication passes, I also clean my lists with tools focused on email verification for sender reputation, because bad addresses can still drag results down.
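An added Python example (not from the original post) that lints a pasted SPF, DKIM, or DMARC value for the mistakes listed above: smart quotes, a missing semicolon, stray spaces, and a key broken by a bad TXT split. The sample values are constructed, and the DKIM key is a short placeholder rather than a real key.

```python
import re

SMART_QUOTES = "\u201c\u201d\u2018\u2019"  # curly double and single quotes

def lint_txt(value):
    """Lint one SPF, DKIM or DMARC value as a receiver would read it
    (TXT strings already joined). Returns a list of problem strings."""
    problems = []
    if any(ch in value for ch in SMART_QUOTES):
        problems.append("smart quote in value")
    body = value.strip().strip('"' + SMART_QUOTES)
    if '"' in body:
        problems.append("literal quote inside value (bad TXT split)")
    if body.lower().startswith("v=spf1"):
        # SPF terms are space-separated, so a space after ':' breaks a term.
        if re.search(r"[:=]\s", body[len("v=spf1"):]):
            problems.append("space after ':' or '=' in SPF term")
        return problems
    is_dkim = body.startswith("v=DKIM1")
    for part in (p.strip() for p in body.split(";")):
        if not part:
            continue
        tag, sep, val = part.partition("=")
        if not sep:
            problems.append(f"tag '{part}' has no '='")
        elif is_dkim and tag.strip() == "p":
            if re.search(r"\s", val):
                problems.append("whitespace inside DKIM public key")
            elif not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", val):
                problems.append("DKIM public key is not base64")
        elif re.search(r"\s[a-z]+=", val):
            problems.append(f"missing ';' after tag '{tag.strip()}'")
        elif tag != tag.strip() or val != val.strip():
            problems.append(f"stray space around '=' in tag '{tag.strip()}'")
    return problems

# Constructed inputs; the key material is a short placeholder, not a real key.
SAMPLES = {
    "good dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; adkim=s; aspf=s; pct=100",
    "no semicolon": "v=DMARC1; p=none rua=mailto:dmarc@yourdomain.com",
    "curly quotes": "\u201cv=spf1 include:_spf.google.com ~all\u201d",
    "split key": 'v=DKIM1; k=rsa; p=QUJDRA" "RUZHSA==',
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(name, lint_txt(value))
```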

FAQ

Do I use ~all or -all for Google Workspace SPF?

I start with ~all. It’s safer while I confirm every sender. After I know the record is complete, I may move to -all.

How long does DKIM take to start working?

Sometimes it works within minutes. Still, I allow up to 48 hours for DNS propagation, then I resend a test email and check headers again.

Do I need DMARC if I send low volume?

Yes. Even a small domain can be spoofed. DMARC also gives me reporting data, which helps me catch problems early.

My final take

When I set up SPF, DKIM, and DMARC for Google Workspace in the right order, mail feels calmer. Messages land more cleanly, spoofing gets harder, and troubleshooting gets less foggy. I start with p=none, verify every record, and only tighten policy after the reports make sense.