How to set up a Google Workspace SPF record (Gmail SPF setup and examples)

Are you looking to create and set up a Google SPF record for your Google Workspace? You’ve come to the right place.

There can never be enough protection and cybersecurity in today’s digital world. While large data breaches, distributed denial-of-service (DDoS) attacks, and other major cyber attacks loom large, one cybersecurity threat often flies under the radar: fake or malicious emails.

Email security may not always be at the forefront of an organization’s mind, but almost everyone in an organization has an email registered to the organization’s domain. In fact, by 2027, 408.2 billion emails will be sent per day. But how many of those are actually safe, authorized, and legitimate? 

To put a number on it, a total of 3.4 billion spam emails get sent every single day. That’s 3.4 billion opportunities for a cyber attack.

Setting up a Google SPF record for your Google Workspace is one way to mitigate those chances. Below, we’ll walk you through everything you need to know about SPF records, including how they work, their importance, and the step-by-step process for creating and setting up an SPF record for your Google Workspace.

Key Takeaways: – Set up an SPF record for Google Workspace to prevent spoofing, protect your brand reputation, and improve email deliverability. – Avoid common SPF mistakes such as multiple records, +all, or missing Google’s SPF mechanism, and always test your record with an SPF checker. – Pair SPF with DKIM and DMARC for a complete email authentication strategy that stops phishing attacks and secures your domain.

What is a Google Workspace SPF record?

Think of a Google Workspace SPF record as your email’s ID card. It’s a simple text file that tells receiving mail servers, “Hey, these are the legitimate servers that can send email from my domain.” When you use Google Workspace (formerly G Suite) for your company email, you need this record to prove that Google’s servers are allowed to send email on your behalf.

The record itself is pretty straightforward – it’s just a single line of text that lives in your domain’s DNS settings. For Google Workspace, the basic record looks like this:

v=spf1 include:_spf.google.com ~all

Here’s what all that means:

• v=spf1 tells servers this is an SPF record.
• include:_spf.google.com says “Yes, Google’s servers can send email for me.”
• ~all means “These are my approved senders, but if you get mail from someone else, just flag it as suspicious.”

If you’re using other services to send email besides Google Workspace (like marketing tools or support desk software), you’ll need to add them to this record too. It’s like adding authorized users to your company’s security badge system—you want to include everyone who legitimately needs access, but no one else.

Why you need a Google SPF record

Email is still one of the most common ways malware can infect your company’s network. According to PurpleSec’s latest Cybersecurity Trends report, malicious actors deliver malware through email 92% of the time.

Fortunately, users can use email authentication practices to protect against cyberattacks.

Sender Policy Framework (SPF) is the most common authentication mechanism in play for email today. SPF ensures the email you receive is from a server authorized to send emails on behalf of the domain. It ensures that any suspicious attackers or spoofers do not send emails on your domain’s behalf.

Use our SPF checker to check your SPF record for free:

How does SPF work?

Email might feel safe and familiar, but it’s actually the favorite route for cybercriminals to sneak malware into company networks. In fact, when malware shows up at your company’s digital doorstep, it’s come through email 92% of the time (according to PurpleSec’s latest research).

Your emails come with a “from” address. Spammers may forge these “from” addresses in an attack and send fake messages from a legitimate domain name—yours.

To detect fake emails like these, receiving servers perform SPF checks to ensure the messages come from email servers authorized to send emails from your domain. To perform an SPF authentication, the receiving server performs a DNS lookup using the domain name to check the SPF record and ensure that the server the message is coming from is properly listed.

If the server or IP address is listed, the address is authorized to send emails from the sender’s domain. The email passes the SPF check and can thus be routed to one’s inbox.

However, if the IP address is not on the sender’s DNS records, the receiving server may flag the email as spam or reject the message outright.

Do I need to set up an SPF record?

Yes. 

Using SPF along with DMARC protects your domain from harmful cyberattacks that can potentially damage customer relationships, work productivity, and your bottom line.

Strong email authentication has three components: SPF, DKIM, and DMARC. These methods work together to help users mitigate spoofing and phishing attacks. To read more on SPF, DKIM, DMARC, and how SPF combined with DMARC can help stop malicious attacks, view any one of our guides below: 

• What is SPF?
• What is DMARC?
• What is DKIM?

Creating an SPF record for your domain can help prevent your domain from being used in malicious attacks, protecting your email delivery rates and your organization’s reputation.

Common SPF records to avoid for Google Workspace

When setting up SPF, it’s easy to make small errors that cause big problems with email deliverability and security. Here are some common SPF records to avoid when using Google Workspace:

1. Using v=spf1 +all

• Example: v=spf1 +all
• Why it’s bad: This record essentially says “accept mail from any server, anywhere.”
• Result: Spammers can freely impersonate your domain, making this one of the worst possible SPF records to publish.

2. Using ?all (Neutral)

• Example: v=spf1 include:_spf.google.com ?all
• Why it’s bad: ?all tells receiving servers not to enforce SPF checks. Spoofed or unauthorized mail can still slip through.
• Result: Your SPF record exists but provides little to no protection.

3. Overly restrictive -all without testing

• Example: v=spf1 include:_spf.google.com -all
• Why it’s risky: -all is a hard fail, which means any email from an unauthorized server is rejected outright.
• Problem: If you forget to include a legitimate service (like Mailchimp, Salesforce, or Zendesk), important messages may get blocked.
• Best practice: Start with ~all (soft fail), monitor with DMARC reports, then move to -all once you’re confident everything is included.

4. Duplicating SPF Records

• Example: v=spf1 include:_spf.google.com ~all v=spf1 include:example.com ~all
• Why it’s bad: Domains should only have one SPF TXT record. Multiple SPF records cause validation errors, leading to SPF “permerror” failures.
• Solution: Combine all senders into a single SPF record instead.

5. Exceeding the 10 DNS Lookup Limit

• Example (too many “include” tags): v=spf1 include:_spf.google.com include:spf.mailservice.com include:spf.emailtool.com include:spf.marketing.com ... ~all
• Why it’s bad: SPF allows only 10 DNS lookups. Exceeding this limit causes SPF to fail automatically.
• Solution: Use Valimail’s SPF macro, Instant SPF®, to avoid SPF flattening.

6. Forgetting to Add Google’s SPF Mechanism

• Example: v=spf1 ~all
• Why it’s bad: Without include:_spf.google.com, Gmail and Workspace servers aren’t authorized to send mail for your domain.
• Result: Legitimate mail from Google Workspace can fail SPF and get rejected or flagged as spam.

By avoiding these common SPF records and configurations, you can ensure your Google Workspace SPF record is secure, effective, and reliable.

How to create a Gmail SPF record

It takes just one act to infect a computer and potentially compromise an entire organization. 

Fortunately, given the right tools and information, even the most invasive attacks can be thwarted.

Before you start, make sure that you know which mail server your organization uses to send emails. This tutorial will be more helpful to you if you use Google Workspace (formerly Google Apps/G-Suite), but it may also be used with other mail servers.

Here are a few simple steps you can take today to prevent phishing attacks.

1. Sign in to your domain account

First, sign in to your domain provider and navigate to the page where you can update your domain’s DNS records. Accessing the DNS records will vary depending on which provider you use. 

Here’s how you can access your DNS records using GoDaddy or Namecheap.

If you don’t know where to access your DNS records, you can search your domain provider’s knowledge base to see where your DNS settings or manager is located.

2. Look for TXT records

Once you arrive at the DNS manager, you’ll see multiple types of records, such as A, CNAME, MX, TXT, SRV, and AAAA. SPF records are plain text files, so navigate to the TXT section to add your SPF record.

3. Set up a TXT record

You can use the default values for the host and TTL field and the value/text field to list the mail servers you use to send emails.

However, if you add an SPF record for a specific subdomain, fill in the “host” field with the subdomain’s name.

SPF records can have up to 255 characters. Here’s what the syntax for an SPF record looks like:

v=spf1 include:_spf.google.com include:example.com ip4:192.72.10.10 ~all

In this example, the user is sending emails from:

• Google Workspace’s server (google.com)
• A third-party server (example.com)
• A server with the IP address 192.72.10.10.

Let’s break down some of the tags we use in this example.

• “v=spf1” is the version of the SPF record used
•  The “include:” tag lets your SPF record the addresses of authorized domains.
•  The “ip4” tag includes IPv4 addresses, and you can also use the “ip6” tag if you use IPv6 addresses
•  The “~all” tag, or the soft fail qualifier, means that the receiving server should accept the email anyway if it’s not in the SPF record but mark it as suspicious. Alternatively, you can also use the “-all” tag or a fail qualifier, which means that messages from servers that aren’t included in your SPF record should be rejected.

Knowing these four tags will help you with a basic setup. If you’re only using Gmail to send your emails, this is how to SPF TXT record would look like:

v=spf1 include: _spf.google.com ~all

4. Save the SPF record

Once you’re done, hit save. To be safe, check on your DNS manager to ensure the record is there. The new record will activate within 48 hours of saving.

Double-down your email security with DMARC

You’re one step closer to securing your emails now that you’ve set up your SPF records for Google Workspace. SPF, however, has its limitations. For example, its syntax alone makes it easy for a typo to slip in and make legitimate emails fail the SPF check. Additionally, SPF breaks when an email is forwarded, undermining all the efforts that preceded it.

For these reasons, it’s highly recommended to integrate DKIM into your email security authentication protocols. Additionally, it’s recommended to add a DMARC record to your domain and has that record use a policy of Quarantine to ensure complete protection.

Using DMARC enforcement and a comprehensive authentication plan, senders can improve email deliverability and maintain brand integrity.

Need a simple way to authenticate email? Create a free account today or learn more about DMARC-as-a-service with Valimail.

FAQs about Google Workspace SPF records