Nov 16, 2021

How To Create and Set Up an SPF Record For Your Google Workspace Account

Setting Up a Google SPF Record.


There can never be enough protection and cybersecurity in today’s digital world. While large data breaches, distributed denial-of-service (DDoS) attacks, and other major cyber attacks loom large, one cybersecurity threat often flies under the radar—fake or malicious emails.

Email security might not always be at the forefront of an organization’s mind, though it should be. Almost everyone in an organization has an email address registered to the organization’s domain. And almost everyone in that organization sends an average of 121 emails a day. But how many of those are actually safe, authorized, and legitimate?

To put a number on it, a total of 6.4 billion fake emails get sent every single day. That’s 6.4 billion opportunities for a cyber attack.

Setting up a Google SPF record for your Google Workspace is just one way of mitigating those chances.


The Threat of Email


Email is still one of the most common ways malware can infect your company’s network. According to PurpleSec’s latest Cybersecurity Trends report, malicious actors deliver malware through email 92% of the time.

Fortunately, users can use email authentication practices to protect against cyberattacks.

Specifically, SPF (Sender Policy Framework) is the most common authentication mechanism in play for email today. SPF ensures that the email you’ve received is coming from a server that’s authorized to send emails on behalf of the domain. Conversely, it also ensures that any suspicious attackers or spoofers do not send any emails on behalf of your domain.


How Does SPF Work?


Your emails come with a “from” address. In an attack, spammers may forge these “from” addresses and send fake messages from a legitimate domain name—yours.

To detect fake emails like these, receiving servers perform SPF checks to make sure that the messages come from email servers that are authorized to send emails from your domain. To perform an SPF authentication, the receiving server performs a DNS lookup using the domain name to check the SPF record and ensure that the server the message is coming from is properly listed.

If the server or IP address is listed, it means that the address is authorized to send emails from the sender’s domain. The email passes the SPF check and can thus be routed to one’s inbox.

However, if the IP address is not on the sender’s DNS records, the receiving server may flag the email as spam or even reject the message outright.
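The check a receiving server performs can be sketched in a few lines. This is an added example, not code from the original article: the DNS data is a constructed in-memory table, the domain names `yourcompany.example` and `_spf.mailhost.example` are hypothetical, and only the `include`, `ip4`, `ip6` and `all` mechanisms are evaluated.

```python
import ipaddress

# Constructed TXT data standing in for DNS; these are not real published records.
TXT = {
    "yourcompany.example": "v=spf1 include:_spf.mailhost.example ip4:192.72.10.10 ~all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all",
}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(ip, domain, depth=0):
    """Return the SPF result for a connecting IP and the sender's domain."""
    record = TXT.get(domain)
    if record is None or record.split()[:1] != ["v=spf1"]:
        return "none"                      # domain publishes no SPF policy
    if depth > 10:
        return "permerror"                 # guard against include loops
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULT else "+"
        name, _, value = term.lstrip("+-~?").partition(":")
        if name == "all":
            matched = True                 # catch-all, normally the last term
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            matched = addr.version == net.version and addr in net
        elif name == "include":
            # include matches only when the nested record evaluates to "pass"
            matched = check_spf(ip, value, depth + 1) == "pass"
        else:
            continue                       # a, mx, exists etc. are not modelled here
        if matched:
            return RESULT[qualifier]       # first matching term decides the result
    return "neutral"                       # nothing matched and no "all" term

if __name__ == "__main__":
    for ip in ("198.51.100.7", "192.72.10.10", "203.0.113.5"):
        print(ip, check_spf(ip, "yourcompany.example"))
```

Terms are evaluated left to right and the first match wins, which is why the `all` term belongs at the end of the record.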


Do I Need to Set Up an SPF Record?


In short? Yes. 

By utilizing SPF along with DMARC, your domain is protected from harmful cyberattacks that can potentially damage customer relationships, work productivity, and essentially, your bottom line.

There are three components of strong email authentication: SPF, DKIM, and DMARC. These methods work together to help users mitigate spoofing and phishing attacks. To read more on SPF, DKIM, DMARC and how SPF combined with DMARC can help stop malicious attacks, view any one of our guides below: 

Creating an SPF record for your domain can help prevent your domain from being used in malicious attacks, protecting your email delivery rates and your organization’s reputation.


Create a Google Workspace SPF record in 1 Fell Swoop


When using Valimail Authenticate, there are two steps to enabling Google Workspace as a sender: 

  1. Add it as an authorized sender for your domain to take care of the SPF piece.
  2. Then, add the DKIM key. 

By using Valimail Authenticate, all you need to do is follow our simple steps to approve Google in your services drop-down. That’s it, you’ve got SPF set up for Google now.

Not quite ready to use Valimail to handle this? That’s okay, you can update your SPF record using the four steps below.


Create a Google Workspace SPF Record in 4 Simple Steps


It takes just one act to infect a computer and potentially compromise an entire organization. Fortunately, given the right tools and information, even the most invasive attacks can be thwarted. Here are a few simple steps you can take today to prevent phishing attacks of all kinds:

Before you start, make sure that you know which mail server your organization uses to send emails. This tutorial will be more helpful to you if you use Google Workspace (formerly Google Apps/G-Suite), but it may also be used with other mail servers.


1. Sign in to your domain account

First, sign in to your domain provider and navigate to the page where you can update your domain’s DNS records. Accessing the DNS records will vary depending on which provider you use. 

Here’s how you can access your DNS records if you use GoDaddy or Namecheap.

If you don’t know where you can access your DNS records, you can search your domain provider’s knowledge base to see where your DNS settings or DNS manager is located.

2. Look for TXT records

Once you arrive at the DNS manager, you’ll see multiple types of records, such as A, CNAME, MX, TXT, SRV, and AAAA. SPF records are plain text, so navigate to the TXT section to add your SPF record.

3. Set up a TXT record

You can use the default values for the host and TTL fields, and use the value/text field to list the mail servers you use to send emails.

However, if you’re adding an SPF record for a specific subdomain, fill in the “host” field with the name of the subdomain.

SPF records can have up to 255 characters. Here’s what the syntax for an SPF record looks like:

v=spf1 include:_spf.google.com include:example.com ip4:192.72.10.10 ~all

In this example, the user is sending emails from:

  • Google Workspace’s server (google.com)
  • A third-party server (example.com)
  • A server with the IP address 192.72.10.10.

Let’s break down some of the tags we use in this example.

  • “v=spf1” is the version of the SPF record used
  • The “include:” tag lets your SPF record include the addresses of authorized domains
  • The “ip4” tag includes IPv4 addresses, and you can also use the “ip6” tag if you use IPv6 addresses
  • The “~all” tag, or the soft fail qualifier, means that the receiving server should accept the email anyway if it’s not in the SPF record, but mark it as suspicious. Alternatively, you can also use the “-all” tag, or a fail qualifier, which means that messages from servers that aren’t included in your SPF record should be rejected.

Knowing these four tags will help you with a basic setup. If you’re only using Gmail to send your emails, this is what the SPF TXT record would look like:

v=spf1 include:_spf.google.com ~all

4. Save the record

Once you’re done, hit save. Just to be safe, check on your DNS manager to make sure that the record is there. The new record will activate within 48 hours of saving.
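Before saving, the record value can be checked for the mistakes that most often break it. The linter below is an added example, not part of the original article or any Valimail tool. It assumes the four tags described in step 3 plus the other standard SPF terms, applies the 255-character limit stated above, and applies the SPF specification's limit of 10 DNS-lookup terms, counted in this record only and not inside included records.

```python
import re

# Terms that trigger a DNS lookup when the record is evaluated.
LOOKUP_TERMS = ("include", "a", "mx", "exists", "ptr", "redirect")
KNOWN = LOOKUP_TERMS + ("ip4", "ip6", "all", "exp")

def lint_spf(record):
    """Return a list of problems found in one SPF TXT value."""
    problems = []
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        problems.append("record must start with v=spf1")
    if len(record) > 255:
        problems.append("longer than 255 characters")
    lookups = 0
    has_all = False
    for i, term in enumerate(terms[1:], start=1):
        # Strip the qualifier, then take the name before ':', '=' or '/'.
        name = re.split(r"[:=/]", term.lstrip("+-~?"), maxsplit=1)[0]
        if name not in KNOWN:
            problems.append(f"unrecognized term {term!r}")
            continue
        if name in LOOKUP_TERMS:
            lookups += 1
        if name in ("include", "ip4", "ip6") and term.endswith(":"):
            problems.append(f"{term!r} has no value (stray space after ':'?)")
        if name == "all":
            has_all = True
            if i != len(terms) - 1:
                problems.append("terms after 'all' are ignored")
    if lookups > 10:
        problems.append("more than 10 DNS-lookup terms")
    if not has_all and not any(t.startswith("redirect=") for t in terms):
        problems.append("no 'all' term at the end")
    return problems

if __name__ == "__main__":
    # Constructed samples: a well-formed record and one with a stray space.
    for sample in ("v=spf1 include:_spf.google.com ip4:192.72.10.10 ~all",
                   "v=spf1 include: _spf.google.com ~all"):
        print(sample, "->", lint_spf(sample) or "ok")
```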


Double-down Your Email Security with DMARC


Now that you’ve set up your SPF records, you’re one step closer to securing your emails. SPF, however, has its limitations. For example, its syntax alone makes it easy for a typo to slip in and make legitimate emails fail the SPF check. Additionally, SPF breaks when an email is forwarded, undermining all the efforts that preceded it.

For these reasons, it’s highly recommended to integrate DKIM into your email security authentication protocols. Additionally, it’s recommended to add a DMARC record to your domain as well as have that record use a policy of Quarantine in order to ensure complete protection.

Using DMARC enforcement and a comprehensive authentication plan, senders can improve email deliverability and maintain brand integrity.
