Are you looking to create and set up a Google SPF record for your Google Workspace? You’ve come to the right place.
There can never be enough protection and cybersecurity in today’s digital world. While large data breaches, distributed denial-of-service (DDoS) attacks, and other major cyber attacks loom at large, one cybersecurity threat often flies under the radar—fake or malicious emails.
Email security may not always be at the forefront of an organization’s mind. Almost everyone in an organization has an email registered to an organization’s domain. And nearly everyone in that organization sends an average of 121 emails daily. But how many of those are actually safe, authorized, and legitimate?
To put a number on it, a total of 6.4 billion fake emails get sent every single day. That’s 6.4 billion opportunities for a cyber attack.
Setting up a Google SPF record for your Google Workspace is one way to mitigate those chances. Below, we’ll walk you through everything you need to know about SPF records, including how they work, their importance, and the step-by-step process for creating and setting up an SPF record for your Google Workspace.
What is a Google Workspace SPF record?
Think of a Google Workspace SPF record as your email’s ID card. It’s a simple text file that tells receiving mail servers “Hey, these are the legitimate servers that can send email from my domain.” When you use Google Workspace (formerly G Suite) for your company email, you need this record to prove that Google’s servers are allowed to send email on your behalf.
The record itself is pretty straightforward – it’s just a single line of text that lives in your domain’s DNS settings. For Google Workspace, the basic record looks like this:
v=spf1 include:_spf.google.com ~all
Here’s what that all means
v=spf1
tells servers this is an SPF record.include:_spf.google.com
says “Yes, Google’s servers can send email for me.”~all
means “These are my approved senders, but if you get mail from someone else, just flag it as suspicious.”
If you’re using other services to send email besides Google Workspace (like marketing tools or support desk software), you’ll need to add them to this record too. It’s like adding authorized users to your company’s security badge system—you want to include everyone who legitimately needs access, but no one else.
Why you need a Google SPF record
Email is still one of the most common ways malware can infect your company’s network. According to PurpleSec’s latest Cybersecurity Trends report, malicious actors deliver malware through email 92% of the time.
Fortunately, users can use email authentication practices to protect against cyberattacks.
Sender Policy Framework (SPF) is the most common authentication mechanism in play for email today. SPF ensures the email you receive is from a server authorized to send emails on behalf of the domain. It ensures that any suspicious attackers or spoofers do not send emails on your domain’s behalf.
How does SPF work?
Email might feel safe and familiar, but it’s actually the favorite route for cybercriminals to sneak malware into company networks. In fact, when malware shows up at your company’s digital doorstep, it’s come through email 92% of the time (according to PurpleSec’s latest research).
Your emails come with a “from” address. Spammers may forge these “from” addresses in an attack and send fake messages from a legitimate domain name—yours.
To detect fake emails like these, receiving servers perform SPF checks to ensure the messages come from email servers authorized to send emails from your domain. To perform an SPF authentication, the receiving server performs a DNS lookup using the domain name to check the SPF record and ensure that the server the message is coming from is properly listed.
If the server or IP address is listed, the address is authorized to send emails from the sender’s domain. The email passes the SPF check and can thus be routed to one’s inbox.
However, if the IP address is not on the sender’s DNS records, the receiving server may flag the email as spam or reject the message outright.
Do I need to set up an SPF record?
Yes.
Using SPF along with DMARC protects your domain from harmful cyberattacks that can potentially damage customer relationships, work productivity, and your bottom line.
Strong email authentication has three components: SPF, DKIM, and DMARC. These methods work together to help users mitigate spoofing and phishing attacks. To read more on SPF, DKIM, DMARC, and how SPF combined with DMARC can help stop malicious attacks, view any one of our guides below:
Creating an SPF record for your domain can help prevent your domain from being used in malicious attacks, protecting your email delivery rates and your organization’s reputation.
How to create a Gmail SPF record
It takes just one act to infect a computer and potentially compromise an entire organization.
Fortunately, given the right tools and information, even the most invasive attacks can be thwarted.
Before you start, make sure that you know which mail server your organization uses to send emails. This tutorial will be more helpful to you if you use Google Workspace (formerly Google Apps/G-Suite), but it may also be used with other mail servers.
Here are a few simple steps you can take today to prevent phishing attacks.
1. Sign in to your domain account
First, sign in to your domain provider and navigate to the page where you can update your domain’s DNS records. Accessing the DNS records will vary depending on which provider you use.
Here’s how you can access your DNS records using GoDaddy or Namecheap.
If you don’t know where to access your DNS records, you can search your domain provider’s knowledge base to see where your DNS settings or manager is located.
2. Look for TXT records
Once you arrive at the DNS manager, you’ll see multiple types of records, such as A, CNAME, MX, TXT, SRV, and AAAA. SPF records are plain text files, so navigate to the TXT section to add your SPF record.
3. Set up a TXT record
You can use the default values for the host and TTL field and the value/text field to list the mail servers you use to send emails.
However, if you add an SPF record for a specific subdomain, fill in the “host” field with the subdomain’s name.
SPF records can have up to 255 characters. Here’s what the syntax for an SPF record looks like:
v=spf1 include:_spf.google.com include:example.com ip4:192.72.10.10 ~all
In this example, the user is sending emails from:
- Google Workspace’s server (google.com)
- A third-party server (example.com)
- A server with the IP address 192.72.10.10.
Let’s break down some of the tags we use in this example.
- “v=spf1” is the version of the SPF record used
- The “include:” tag lets your SPF record the addresses of authorized domains.
- The “ip4” tag includes IPv4 addresses, and you can also use the “ip6” tag if you use IPv6 addresses
- The “~all” tag, or the soft fail qualifier, means that the receiving server should accept the email anyway if it’s not in the SPF record but mark it as suspicious. Alternatively, you can also use the “-all” tag or a fail qualifier, which means that messages from servers that aren’t included in your SPF record should be rejected.
Knowing these four tags will help you with a basic setup. If you’re only using Gmail to send your emails, this is how to SPF TXT record would look like:
v=spf1 include: _spf.google.com ~all
4. Save the SPF record
Once you’re done, hit save. To be safe, check on your DNS manager to ensure the record is there. The new record will activate within 48 hours of saving.
Double-down your email security with DMARC
You’re one step closer to securing your emails now that you’ve set up your SPF records for Google Workspace. SPF, however, has its limitations. For example, its syntax alone makes it easy for a typo to slip in and make legitimate emails fail the SPF check. Additionally, SPF breaks when an email is forwarded, undermining all the efforts that preceded it.
For these reasons, it’s highly recommended to integrate DKIM into your email security authentication protocols. Additionally, it’s recommended to add a DMARC record to your domain and has that record use a policy of Quarantine to ensure complete protection.
Using DMARC enforcement and a comprehensive authentication plan, senders can improve email deliverability and maintain brand integrity.
Need a simple way to authenticate email? Create a free account today or learn more about DMARC-as-a-service with Valimail.