The Ultimate DNS Setup Guide: SPF/DKIM/DMARC for Your Google Workspace (G Suite)

Dariia Leshchenko
Oct 31, 2022
Reading duration

You've meticulously planned your email marketing strategy, but you still experience issues with bounced emails or emails that perpetually land in spam folders. No sales representative or marketer wants to deal with this. Since bounces and a high spam complaint rate can harm a sender's reputation, email deliverability, and even cause the sender to be barred by ISPs, they should be avoided at all costs. But do not fret. 

The wrong setting of DMARC, DKIM, and SPF records is one of the possible causes of your emails being labeled as spam. You need to be aware of a few technical aspects to fix the issue. In fact, it is why we are here! What do the acronyms SPF, DKIM, and DMARC mean? Let's begin by defining a few terms.

SPF, DKIM, and DMARC explained

There are numerous references to DNS records in the definitions of SPF, DKIM, and DMARC. Here they are explained.

DNS (Domain Name System) is a database of IP addresses and domain names, such as (111.222.333.444). Each domain may have multiple IP addresses; for instance, the domain mail server may have several separate IP addresses.

You require access to DNS to set up SPF, DKIM, and DMARC. System administrators from your business or, occasionally, developers, can assist you with it. SPF assists with spoofing prevention by confirming the sender's IP address.

SPF (Sender Policy Framework) is a DNS record that lists the servers that are permitted to send emails from a particular domain (for example, It allows you to confirm that messages sent from your domain are being transmitted by mail servers and IP addresses to that you have given permission. This might be your email servers or the servers of a different business that you use to send emails. If SPF isn't configured, scammers may exploit it and send false communications that appear to be from you.

It's crucial to keep in mind that each domain can have only one SPF record. However, many servers and IP addresses may be included in a single SPF record (for instance, if emails are sent from several mailing platforms).

DKIM demonstrates that the email is from a certain company. Another technical standard, known as DKIM (DomainKeys Identified Mail), aids in the detection of bogus email addresses, the prevention of spam, and the avoidance of spoofing and identity theft.

Email servers check the digital signature added by DKIM to your email message's header to make sure the email's content hasn't changed. A DKIM record is present in the DNS, similar to SPF. SPF and DKIM mechanisms are in line with DMARC. If an email doesn't pass the authentication check, DMARC records (Domain-based Message Authentication, Reporting & Conformance) specify how the recipient's mail server should handle it (either SPF, DKIM, or both). In essence, the email gets sent to the recipient's mailbox if it bears a DKIM signature and the sending server is identified in the SPF data. If authentication is unsuccessful, the message is handled under the chosen DMARC records policy: none, reject, or quarantine.

  • If your emails' authentication fails, the receiving server doesn't do anything under the "none" policy. It has no bearing on your deliverability. However, it also won't shield you against con artists, therefore we don't advise setting it. You can only prevent them from happening in the first place by enacting stronger policies, which will also demonstrate to the public that you value your brand and customers; 
  • Messages from your domain that fail the DMARC records check are sent to "quarantine" in this case. The provider is suggested to move your email to the spam bin in this situation;
  • The receiving server rejects any messages that fail email authentication using the "reject" policy. This indicates that such emails will bounce because the addressee won't receive them. The "reject" option is the most useful, but you should only use it if you are certain that everything is set up properly. After defining each term, let's examine how to determine whether you now have an SPF record, DKIM record, and DMARC policy in place.

Знімок Екрана 2022 10 31 О 23.19.54

How can you determine whether your technological configuration is suitable for SPF, DKIM and DMARC?

Here are a few quick techniques to verify your technical setup to make sure everything is operating as it should.

Gmail's SPF, DKIM, and DMARC check

Option 1

Send a test email to the address you provided, then check your inbox. To view details, click. Your DKIM and SPF are in order if you observe a "mailed-by" header with the domain name and a "signed-by" header with the sender domain. 

Option 2

More details about SPF, DKIM, and DMARC can be seen by selecting "Show original" from the drop-down menu.


Check SPF, DKIM, and DMARC using the command line

Let's now examine how to use the command line in Windows to check SPF, DKIM, and DMARC information. The procedure is a little different for Mac users because verification is done using the Mac OS Terminal.

Check SPF records

Nslookup, a standard query tool that offers the user a command-line interface to access the DNS, can be used to check your SPF record.

  1. (Start > Run > cmd) Launch the command line.
  2. A domain or hostname should be entered after "nslookup -type=txt" and a space, for instance, "nslookup -type=txt".
  3. The outcome will look like this if an SPF record is present: "v=spf1 include: all".
  4. There is an issue obtaining the record for the domain if there are no results or no "v=spf1," or it does not exist.

Знімок Екрана 2022 10 31 О 23.21.45

How to accurately read SPF

  • The "v=spf1" section of the record indicates that it is an SPF record (version 1).
  • The "include" section contains a list of email-sending servers for the domain.
  • The "all" component means that the destination server will probably reject the message if even one part of it doesn't match the record.

Check DKIM records

  1. The methods below explain how to use nslookup to verify DKIM:
  2. (Start > Run > cmd) Launch the command line.
  3. Enter the command "nslookup" in the command window.
  4. Enter after typing "set q=txt".

Знімок Екрана 2022 10 31 О 23.22.31

Enter after typing "selector.". The DKIM selector and domain you want to look up should be used in place of the words selector and domain.

If you go to any email you've sent, click "Show Original," and scroll down, you'll see the DKIM selection in the DKIM-Signature email header. It is designated as a "s=" tag.

Знімок Екрана 2022 10 31 О 23.23.13

Check DMARC policy

From the command line, you may check for DMARC policies as well:

  1. (Start > Run > cmd) Launch the command line.
  2. For instance, enter "nslookup -type=txt" instead of "nslookup -type=txt".

Знімок Екрана 2022 10 31 О 23.24.04

DMARC, SPF, and DKIM checks with MxToolbox

This choice is possibly the simplest. All you have to do is perform three checks on the MxToolbox website. Please be aware that, exactly like with the command line we previously discussed, a selector is required for the DKIM record lookup.

Set up SPF for Google Workspace

A whitelist of IP addresses permitted send emails on your domain's behalf is known as an SPF record. Spam is likely to be associated with emails sent from IP addresses that are not listed in the SPF record.

To let Google Workspace hosts to send emails on your domain's behalf, you should:

  • Log in to the DNS settings dashboard for your domain;
  • visit the page where you can modify the domain's DNS settings;
  • see if a TXT record with the prefix v=spf1 is already present; If so, you must update the domain's SPF record as it currently exists; if not, you must set up an SPF record;
  • add an include mechanism just before the ending mechanism (all or -all) in the SPF record to update it: include For instance, if the current SPF record appears as follows:


update it to:


  • Simply create a TXT record using the following settings to produce an SPF record:
    • Name/Host/Alias: @
    • 3600 is the Time to Live (TTL) or default.
    • v=spf1 Content/Value/Answer/Destination the following: all

DKIM configuration for Google Workspace

To confirm that the email hasn't been tampered with in transit, a DKIM record published in the DNS enables the receiving server to decrypt the signature generated by the departing server.

To set up DKIM authentication in Google Workspace, adhere to these steps:

  • To access Google Admin Console, go there and log in:


  • choose Apps to see the app settings:


  • visit the Google Workspace Core Services page:


  • choose Gmail:


  • click the Authenticate Email button:


  • To create a fresh DKIM record, click the GENERATE NEW RECORD button;
  • publish the DKIM record in the DNS; it could take up to an hour for the record to become accessible due to DNS propagation;
  • Click the START AUTHENTICATION button in Google Workspace once the file is available, then click SAVE to finish the authentication procedure.

Set up DMARC for Google Workspace

It's now time to set up DMARC to begin keeping track of the email Google Workspace authentication state with the end objective of getting to p=reject so that:

  • Email deliverability is better since there is no illegal email spoofing on your domain
  • legitimate emails sent from your domain are more likely to make it to the mailbox.

My email deliverability is still poor despite my setup of SPF, DKIM, and DMARC

Your recipients' inboxes might not fully trust you even if you've put up SPF, DKIM, and DMARC records. When you have a fresh domain, it is frequently the situation. Before starting bulk email marketing, warm up your domain to demonstrate to email service providers that you are a reliable sender.


We hope this piece has covered all your questions concerning the world of Google Workspace authentication. Now that you know how to set up SPF DKIM and DMARC, all that's left to do is begin sending your cold emails now that your SPF record, DKIM record, and DMARC policy are correctly created and your email account has warmed up!

Dariia Leshchenko
Dariia Leshchenko
Customer Success Manager
Dariia's decades in Email Deliverability and Sales have allowed her to successfully manage diverse business clients. For years now, she proves that there are no issues not to be fixed. Dariia speaks for the synergy of new-level email analysis technology and a human approach to improving email performance.