Setting Up SPF Records for Your Google Workspace Account (a.k.a. G Suite)

Author
Dariia Leshchenko
Published
May 04, 2022
Reading duration
5m

Before launching any email outreach campaign, do your best to ensure email deliverability. One aspect of deliverability is keeping your DNS records properly configured. This includes SPF, DKIM and DMARC records.

All three are email authentication methods that, first, help ensure that your message is delivered and, second, protect your inbox from the malicious activity of spammers and phishers.

Every email sent from your domain is checked against the relevant records and signatures to make sure the sender is authorized to send email for your domain. For example, if you have a Google Workspace with an SPF record set, that email will pass through Google’s servers before ever leaving your domain, and Google’s servers will check to see if the email was sent from your domain. If it wasn’t, then it won’t get delivered to the recipient.

Let’s examine each of the methods in detail. 

How does SPF protect my inbox?

Email security is a must for sales teams deeply engaged in email marketing. Malicious emails have become a common and popular tool for cybercriminals. They can attack your devices with ransomware, or they can mimic other trusted service providers or companies to gain access to your devices or your personal information.

You might be thinking, “Who’s going to fall for that?” But in reality, people do get tricked on a daily basis. Cybercriminals are getting more sophisticated, making their ill-intentioned emails more realistic. To mitigate the risk, organizations use SPF records.

There are practices that make spamming and spoofing much more difficult by requiring an email address’s owner to inform servers of their approval to send emails from that particular domain. Sender Policy Framework (SPF) is one of them. It’s important because malicious entities can send fake messages under your domain’s name without revealing their intent and without ever touching your inbox. That’s why, when it gets a message from your domain account, a server performs an SPF check to verify that email authorization is attached to this message and that the mail server isn’t suspicious.

SPF provides a mechanism to specify which servers are approved to send messages on behalf of a domain. It identifies which host or domain may send emails from a specific email address and prevents your emails from being marked as spam. This mechanism allows your sender ID to communicate to a server: “I officially approve this inbox to send messages from my name.” In the context of malicious emails, SPF is able to identify suspicious activity and prevent emails from being sent on behalf of your domain.
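The check a receiving server runs against an SPF record can be sketched as follows. This is an added example, not code from the original article: the `ZONE` table is a constructed stand-in for DNS (the address ranges are documentation networks, not Google's real ones), and `check_host` is a simplified evaluator that handles only the `ip4`, `ip6`, `include` and `all` mechanisms.

```python
import ipaddress

# Constructed TXT data standing in for DNS lookups. The ranges are
# documentation networks (RFC 5737), not Google's real sending ranges.
ZONE = {
    "example.com": "v=spf1 ip4:203.0.113.10 include:_spf.google.com ~all",
    "_spf.google.com": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 ~all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, zone=ZONE, depth=0):
    """Simplified receiver-side SPF check for the connecting IP address."""
    record = zone.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    if depth > 10:  # guard against include loops in this sketch
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        # A mechanism without a qualifier defaults to "+" (pass)
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        name, _, value = term.lstrip("+-~?").partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(value, strict=False)
        elif name == "include":
            # include matches only when the nested record returns "pass";
            # the nested record's own ~all or -all does not end evaluation
            matched = check_host(ip, value, zone, depth + 1) == "pass"
        elif name == "all":
            matched = True
        else:
            continue  # a, mx, exists, ptr and modifiers are skipped here
        if matched:
            return QUALIFIERS[qualifier]  # first match, left to right, decides
    return "neutral"


if __name__ == "__main__":
    for sender in ("192.0.2.25", "203.0.113.10", "198.18.0.7"):
        print(sender, check_host(sender, "example.com"))
```
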

How to set up SPF for my Google Workspace?

Google Workspace, formerly known as G Suite, requires that you verify its outgoing emails so that its messages are fully authenticated and are not flagged as spam.

Here’s what you do to enable your Google Workspace hosts to send emails on your behalf.

Navigate to the DNS records for your domain

To change your domain’s SPF records, log into your domain’s DNS records page. You can find the DNS settings for your domain provider on their website. The specific location where you can access your DNS settings varies depending on which provider you use.

Scroll down to the section labeled TXT Records

To use SPF records, you must first add them to the DNS manager. To do this, navigate to the _spf TXT section and create a new record using a plain text editor. You should see a line that begins with v=spf1.

If such a line exists, you will need to update it with your new text. Add include:_spf.google.com before ~all or -all.

For example, you see the line: v=spf1 a ~all, and you update it to: v=spf1 a include:_spf.google.com ~all

Otherwise, create a new SPF record by creating a TXT record to specify a domain's email servers. Use the following settings:

  • Host/Name/Alias: @
  • Time to Live (TTL): 3600 or default
  • Content/Value/Answer/Destination: v=spf1 include:_spf.google.com ~all

Save the SPF record

After saving the SPF record, check your DNS manager to make sure that the SPF record is there. The new record will become active within 48 hours of saving it.
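The update rule from the steps above, written out as an added example (not part of the original article). The function name `add_google_include` and the sample TXT values in the demo are assumptions made for illustration; it also covers two cases the steps do not mention, a record with no `all` term and a domain that already has more than one SPF record.

```python
GOOGLE_INCLUDE = "include:_spf.google.com"
DEFAULT_RECORD = "v=spf1 include:_spf.google.com ~all"


def is_spf(txt):
    """True when a TXT value is an SPF record (first term is v=spf1)."""
    return txt.lower().split()[:1] == ["v=spf1"]


def add_google_include(txt_records):
    """Return the SPF value to publish, given the domain's current TXT values."""
    spf = [t for t in txt_records if is_spf(t)]
    if not spf:
        return DEFAULT_RECORD  # no SPF record yet: create the one from the steps
    if len(spf) > 1:
        # Receivers treat several v=spf1 records as an error (RFC 7208, 4.5)
        raise ValueError("multiple SPF records found; merge them into one first")
    terms = spf[0].split()
    if any(t.lower().lstrip("+") == GOOGLE_INCLUDE for t in terms):
        return " ".join(terms)  # Google is already authorized, nothing to change
    for i, term in enumerate(terms):
        if term.lower().lstrip("+-~?") == "all":
            # Terms are evaluated left to right, so anything placed after
            # "all" is never reached: insert the include just before it
            terms.insert(i, GOOGLE_INCLUDE)
            break
    else:
        terms.append(GOOGLE_INCLUDE)  # record has no "all" term: append
    return " ".join(terms)


if __name__ == "__main__":
    # Constructed TXT values for a hypothetical domain
    print(add_google_include(["v=spf1 a ~all"]))
    print(add_google_include(["site-verification=constructed-sample"]))
```
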

Now, add DKIM

After you enable Google Workspace as a sender, add the DKIM signature. DomainKeys Identified Mail (DKIM) is a method in which the sending server adds a digital signature to every email, and the receiving server then verifies it. This means that the receiver can be sure that the email was sent by you because only your sending server has access to the private key used to create the signature.

It’s another email authentication method that establishes a shared cryptographic key between a sender and a receiver so that the receiver can verify the authenticity of the sender.

Most major ESPs make DKIM signatures a requirement for all messages sent, and many ESPs like Gmail and MailChimp do it for you. However, if you are using your own mail server, you need to create a DKIM signature for your domain.

Here’s what you should do to set up DKIM for Google Workspace:

  • Log into Google Admin
  • Find Google Workspace Core Services in App Settings
  • Choose Gmail
  • Choose Authenticate Email and Generate New Record
  • Post that record in the DNS
  • Access the record in 1 hour and press Start Authentication
  • Save the authentication process

Add more security with DMARC

Though setting up an SPF record is effective at preventing unauthorized use of your domain name for whatever purposes, there are some weaknesses inherent to this protocol. For instance, it can be easy to mistakenly set up an incorrect record and unintentionally prevent emails you send from passing SPF checks.

Another weakness of an SPF record is that when one of your recipients forwards an email, the forwarded message contains no indication of who originally sent it, causing the message to fail the SPF check.

To ensure complete protection, it’s recommended to integrate DKIM into your email security authentication protocols, as well as add a DMARC record to your domain using a policy of Quarantine.

Improve email deliverability

You can use a cold outreach tool like an email client to streamline your workflow, but in order to do so, you must ensure that your workflow is organized and efficient enough to support the tool. If you have clearly defined goals and make sure that your DNS settings are configured correctly, any cold outreach tool will help you increase productivity.

If your organization sends hundreds of marketing emails daily, make sure your inboxes are technically ready to wrestle in the world of spammers, phishing attacks, and spoofers without compromising your email performance. If you want all your legitimate emails to pass through spam filters, use all three elements – SPF authentication, DKIM, and DMARC – to ensure strong email authentication and deter phishing attacks and spoofing.

Author: Dariia Leshchenko, Customer Success Manager
Dariia's decades in Email Deliverability and Sales have allowed her to successfully manage diverse business clients. For years now, she has been proving that there are no issues that cannot be fixed. Dariia speaks for the synergy of new-level email analysis technology and a human approach to improving email performance.