Brand Protection Dmarc as a Service

How To Create and Set Up an SPF Record For Your Google Workspace Account

Each day, thousands of phishing and scam emails are sent to unsuspecting victims. Setting up an SPF record can be the first step towards securing your email.

Are you looking to create and set up a Google SPF record for your Google Workspace? You’ve come to the right place.

There can never be enough protection and cybersecurity in today’s digital world. While large data breaches, distributed denial-of-service (DDoS) attacks, and other major cyber attacks loom at large, one cybersecurity threat often flies under the radar—fake or malicious emails.

Email security may not always be at the forefront of an organization’s mind. Almost everyone in an organization has an email registered to an organization’s domain. And nearly everyone in that organization sends an average of 121 emails daily. But how many of those are actually safe, authorized, and legitimate? 

To put a number on it, a total of 6.4 billion fake emails get sent every single day. That’s 6.4 billion opportunities for a cyber attack.

Setting up a Google SPF record for your Google Workspace is one way to mitigate those chances. Below, we’ll walk you through everything you need to know about SPF records, including how they work, their importance, and the step-by-step process for creating and setting up an SPF record for your Google Workspace.

Why you need a Google SPF record

Email is still one of the most common ways malware can infect your company’s network. According to PurpleSec’s latest Cybersecurity Trends report, malicious actors deliver malware through email 92% of the time.

Fortunately, users can use email authentication practices to protect against cyberattacks.

Sender Policy Framework (SPF) is the most common authentication mechanism in play for email today. SPF ensures the email you receive is from a server authorized to send emails on behalf of the domain. It ensures that any suspicious attackers or spoofers do not send emails on your domain’s behalf.

How does SPF work?

Your emails come with a “from” address. Spammers may forge these “from” addresses in an attack and send fake messages from a legitimate domain name—yours.

To detect fake emails like these, receiving servers perform SPF checks to ensure the messages come from email servers authorized to send emails from your domain. To perform an SPF authentication, the receiving server performs a DNS lookup using the domain name to check the SPF record and ensure that the server the message is coming from is properly listed.

If the server or IP address is listed, the address is authorized to send emails from the sender’s domain. The email passes the SPF check and can thus be routed to one’s inbox.

However, if the IP address is not on the sender’s DNS records, the receiving server may flag the email as spam or reject the message outright.

Do I need to set up an SPF record?


Using SPF along with DMARC protects your domain from harmful cyberattacks that can potentially damage customer relationships, work productivity, and your bottom line.

Strong email authentication has three components: SPF, DKIM, and DMARC. These methods work together to help users mitigate spoofing and phishing attacks. To read more on SPF, DKIM, DMARC, and how SPF combined with DMARC can help stop malicious attacks, view any one of our guides below: 

Creating an SPF record for your domain can help prevent your domain from being used in malicious attacks, protecting your email delivery rates and your organization’s reputation.

How to create a Gmail SPF record

It takes just one act to infect a computer and potentially compromise an entire organization. 

Fortunately, given the right tools and information, even the most invasive attacks can be thwarted.

Before you start, make sure that you know which mail server your organization uses to send emails. This tutorial will be more helpful to you if you use Google Workspace (formerly Google Apps/G-Suite), but it may also be used with other mail servers.

Here are a few simple steps you can take today to prevent phishing attacks.

1. Sign in to your domain account

First, sign in to your domain provider and navigate to the page where you can update your domain’s DNS records. Accessing the DNS records will vary depending on which provider you use. 

Here’s how you can access your DNS records using GoDaddy or Namecheap.

If you don’t know where to access your DNS records, you can search your domain provider’s knowledge base to see where your DNS settings or manager is located.

2. Look for TXT records

Once you arrive at the DNS manager, you’ll see multiple types of records, such as A, CNAME, MX, TXT, SRV, and AAAA. SPF records are plain text files, so navigate to the TXT section to add your SPF record.

3. Set up a TXT record

You can use the default values for the host and TTL field and the value/text field to list the mail servers you use to send emails.

However, if you add an SPF record for a specific subdomain, fill in the “host” field with the subdomain’s name.

SPF records can have up to 255 characters. Here’s what the syntax for an SPF record looks like:

v=spf1 ip4: ~all

In this example, the user is sending emails from:

  • Google Workspace’s server (
  •  A third-party server (
  •  A server with the IP address

Let’s break down some of the tags we use in this example.

  • “v=spf1” is the version of the SPF record used
  •  The “include:” tag lets your SPF record the addresses of authorized domains.
  •  The “ip4” tag includes IPv4 addresses, and you can also use the “ip6” tag if you use IPv6 addresses
  •  The “~all” tag, or the soft fail qualifier, means that the receiving server should accept the email anyway if it’s not in the SPF record but mark it as suspicious. Alternatively, you can also use the “-all” tag or a fail qualifier, which means that messages from servers that aren’t included in your SPF record should be rejected.

Knowing these four tags will help you with a basic setup. If you’re only using Gmail to send your emails, this is how to SPF TXT record would look like:

v=spf1 include: ~all

4. Save the SPF record

Once you’re done, hit save. To be safe, check on your DNS manager to ensure the record is there. The new record will activate within 48 hours of saving.

Double-down your email security with DMARC

You’re one step closer to securing your emails now that you’ve set up your SPF records for Google Workspace. SPF, however, has its limitations. For example, its syntax alone makes it easy for a typo to slip in and make legitimate emails fail the SPF check. Additionally, SPF breaks when an email is forwarded, undermining all the efforts that preceded it.

For these reasons, it’s highly recommended to integrate DKIM into your email security authentication protocols. Additionally, it’s recommended to add a DMARC record to your domain and has that record use a policy of Quarantine to ensure complete protection.

Using DMARC enforcement and a comprehensive authentication plan, senders can improve email deliverability and maintain brand integrity.

Need a simple way to authenticate email? Create a free account today or learn more about DMARC-as-a-service with Valimail.