How to set up a DNS record, SPF, DKIM and DMARC for Google

SPF, DKIM and DMARC records are little bits of information you set up with whomever you bought your domain from (Namecheap or GoDaddy, for instance). These will help email services trust your sending as legitimate. Without these items setup, you can encounter sending errors and/or end up in spam.

Do I need to set this up if I'm using @gmail.com or @outlook.com email addresses for my sending:

No. These emails are domains that are managed by the email service provider and they maintain their own records. This also applies to other generic email addresses like @yahoo.com, etc.

Okay. I'm using Google Workspace (formerly GSuite) So how do I (or my tech person) set this up?

Setting Up your SPF - Sender Policy Framework

  1. Sign into your domain account on your domain host's site (not your Google Admin Console).
    1. This may be Namecheap, GoDaddy, SquareSpace etc.
  2. Go to the page for updating your domain’s DNS records.
    1. Often labeled as DNS Management, Name Server Management, or Advanced Settings
  3. Find your TXT records and check if your domain has an existing SPF record.
    1. The SPF record starts with “v=spf1…”.
  4. If your domain already has an SPF record, remove it if it's not set up to the specifications below intended for Google Workspace.
  5. Create a TXT record with these values:
    1. Name/Host/Alias - Enter @ or leave blank
    2. Other DNS records for your domain might indicate the correct entry.
    3. Time to Live (TTL) - Enter 3600 or leave the default.
    4. Value/Answer/Destination - Enter v=spf1 include:_spf.google.com ~all.
  6. This can take up to 48 hours to take effect.

DKIM - Domain Key Identified Mail

  1. Log into Google Admin: admin.google.com
    1. In the navigation menu on the left hand side: Menu > Apps > GSuite > Gmail
  2. Generate a DKIM Key

  3. Create a DNS TXT Record with the DKIM Key generated in the previous step.
    1. For this you will need to go to your domain provider
      1. This may be Namecheap, GoDaddy, SquareSpace etc.
  4. After creating the DNS TXT Record in your domain with the DKIM Key, you can Start Authenticating within your Google Workspace admin portal.

DMARC - Domain-based Message Authentication, Reporting, and Conformance

  1. Go to your domain administrator’s site. Find DNS Management or Settings.
  2. Add this TXT Record to your DNS:
    1. Host Name: _dmarc
    2. VALUE (with email): v=DMARC1; p=quarantine; rua=mailto:{email}; pct=90; sp=none
      1. The email version will send reports to whatever email you put in there. This is totally optional. Here is the value without the email:
    3. VALUE (no email): v=DMARC1; p=quarantine;  pct=90; sp=none

Verify that all DNS settings were set up correctly here.

If you're struggling with formatting the DMARC Record, we like this DMARC record generator.