
Google Workspace Email: Exact DKIM, SPF, and DMARC Settings


If your mail lands in spam or is throttled by Gmail or Yahoo, the problem is usually alignment and policy. The fix is straightforward: publish the correct SPF record for Google, sign with a 2048-bit DKIM key, and enforce a DMARC policy that requires the visible From: domain to align with what you authenticate. Do this once, verify it, and delivery stabilizes.

What you’re configuring (in plain English)

SPF lists the servers allowed to send for your domain. DKIM signs each message so receivers can confirm it was not altered in transit. DMARC connects the two and requires the domain in the visible From: to align with the domain that passed SPF or DKIM. For Google Workspace, the values are well known. The nuance sits in alignment mode, reporting, and any third-party platforms you use.

The exact DNS you need for a Google-only sender

SPF (TXT at the zone apex; one record only):
v=spf1 include:_spf.google.com -all
This declares Google as your only sender and ends with a hard fail. If you are still discovering stray sources, start with a soft fail:
v=spf1 include:_spf.google.com ~all
Later, switch to -all. Keep one SPF TXT at the apex. Merge any extras into that single line.

DKIM (TXT at selector._domainkey.yourdomain):
Use selector “google” or your own label. Choose a 2048-bit key. Publish the TXT exactly as generated in Admin Console at:
google._domainkey.yourdomain
After publishing, click “Start authentication” so Gmail begins signing.

DMARC (TXT at _dmarc.yourdomain):
Phase A, monitoring:
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain; ruf=mailto:dmarc-forensics@yourdomain; fo=1; pct=100; adkim=s; aspf=s
Phase B, enforcement ramp:
v=DMARC1; p=quarantine; sp=quarantine; rua=mailto:dmarc-reports@yourdomain; fo=1; pct=100; adkim=s; aspf=s
Phase C, full enforcement:
v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc-reports@yourdomain; fo=1; pct=100; adkim=s; aspf=s
Strict alignment (adkim=s; aspf=s) requires an exact match between the From: domain and the DKIM d= domain or the SPF MAIL FROM (envelope sender) domain. During migration, relaxed alignment (r) is acceptable. After cleanup, return to strict.

When you also send through third parties

Keep the apex SPF to one record. Add each platform via include: in that same line, and respect SPF's limit of ten DNS lookups, which counts every include: and every nested include: it pulls in. If a vendor lacks a clean include, create a dedicated subdomain and publish its own SPF there. When the limit gets tight, move low-volume senders to subdomains, not the apex.
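The single-record and ten-lookup rules above are easy to check offline. The following is an added example, not code from the original page or from Google: it walks an SPF record and every include: it references against a constructed snapshot of TXT records (the nested names and netblocks under _spf.google.com and _spf.sendvendor.com are assumed for illustration, so live DNS will differ), and reports the total lookup count and anything that would break the apex record.

```python
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
# Constructed snapshot of the TXT records a resolver would return; live DNS may differ.
ZONE = {
    "_spf.google.com": "v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ~all",
    "_netblocks.google.com": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_netblocks2.google.com": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_netblocks3.google.com": "v=spf1 ip6:2001:db8::/32 ~all",
    "_spf.sendvendor.com": "v=spf1 include:pool1.sendvendor.com include:pool2.sendvendor.com ~all",
    "pool1.sendvendor.com": "v=spf1 ip4:203.0.113.0/24 ~all",
    "pool2.sendvendor.com": "v=spf1 a mx ~all",
    "spf.crm.example": "v=spf1 a mx ptr ~all",
}

def spf_terms(record):
    """Split 'v=spf1 ...' into (name, value) pairs, dropping qualifiers and CIDR suffixes."""
    terms = []
    for tok in record.split()[1:]:
        name, _, value = tok.lstrip("+-~?").replace("=", ":", 1).partition(":")
        terms.append((name.split("/")[0].lower(), value))
    return terms

def count_lookups(record, zone, seen=frozenset()):
    """Count DNS-querying terms in `record` plus, recursively, every include:/redirect= target."""
    total, problems = 0, []
    for name, value in spf_terms(record):
        if name not in LOOKUP_TERMS:
            continue                       # ip4, ip6 and all cost no lookup
        total += 1
        if name in ("include", "redirect"):
            target = zone.get(value, "")
            if value in seen:
                problems.append(f"{value}: include loop")
            elif not target.lower().startswith("v=spf1"):
                problems.append(f"{value}: no SPF record")
            else:
                sub, more = count_lookups(target, zone, seen | {value})
                total, problems = total + sub, problems + more
    return total, problems

def check_apex(txt_records, zone):
    """Apply the apex rules: exactly one SPF TXT, and ten lookups or fewer in total."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    problems = [] if len(spf) == 1 else [f"{len(spf)} SPF records at apex, need exactly one"]
    lookups, sub = count_lookups(spf[0], zone) if spf else (0, [])
    if lookups > 10:
        sub.append(f"{lookups} lookups exceeds the limit of 10")
    return lookups, problems + sub
```

With this snapshot, Google alone costs 4 lookups, Google plus the vendor costs 9, and adding the CRM include pushes the apex to 13, which is exactly the point at which the text tells you to move a sender to its own subdomain.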

DKIM must sign with your domain. In each platform, upload your own key or publish the vendor’s selector under your domain so d=yourdomain. If a provider insists on using their domain for d=, delegate a subdomain you control and align DMARC on that subdomain.

Control subdomains with sp= in the parent DMARC record. Alternatively, publish a dedicated _dmarc.sub.yourdomain for each delegated sender. Choose one pattern and document it so new tools follow the same rules.

Google Workspace specifics people miss

Use 2048-bit DKIM and rotate keys on a schedule. Rotation is easiest with two selectors. First, publish a new selector and switch signing to it. Then remove the old record after its DNS TTL has expired.

Gmail’s current sender rules require SPF, DKIM, and DMARC for bulk mail. Even small domains benefit from the same hygiene. Additionally, set up one-click unsubscribe if you send marketing mail. Lower complaint rates help delivery everywhere.

BIMI is optional. Nevertheless, it improves brand trust when DMARC is enforced and your logo is validated. You will need a VMC and an SVG-Tiny P/S logo. Enforce at least quarantine before you attempt BIMI.

How to publish and verify, step by step

First, create the SPF TXT at the apex. Wait for DNS to propagate. Send a test to Gmail, choose “Show original,” and confirm SPF: PASS with your domain.

Next, generate a 2048-bit DKIM selector in Admin Console. Publish the TXT at google._domainkey.yourdomain. Return to Admin Console and click “Start authentication.” Send a test again. In “Show original,” confirm DKIM: PASS with d=yourdomain and the selector you chose.

Then, publish the Phase A DMARC record. After two or three days of rua reports, fix any non-aligned traffic. When clean, move to Phase B. After a stable week or two, enforce Phase C. Because reporting continues, you can catch regressions quickly.

Alignment pitfalls that break delivery

Forwarders and list servers often break SPF and sometimes DKIM. DMARC still passes if at least one check passes and aligns. Therefore, prefer DKIM alignment for flows that pass through intermediaries.

The visible From: must be your domain. If a CRM sends with its own From:, you will not align. Use a subdomain you control, or switch to a vendor that supports a custom From: with DKIM on your domain.

Mixed selectors are fine. Google can sign with s=google while a platform signs with s=vendor1. As long as both use d=yourdomain, DMARC needs only one aligned pass.
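The alignment rules in this section and the strict-versus-relaxed distinction above can be worked through on the Authentication-Results header that “Show original” exposes. The following is an added example, not code from the original page: the headers and domains (yourdomain.example, lists.example.net, crmvendor.example) are constructed, and org_domain is a simplified stand-in for the Public Suffix List lookup a real DMARC verifier performs.

```python
import re
# Constructed Authentication-Results headers (the kind "Show original" exposes); not real captures.
DIRECT = ("mx.google.com; dkim=pass header.i=@yourdomain.example header.s=google header.b=a1;"
          " spf=pass (google.com: domain of alice@yourdomain.example designates 203.0.113.5"
          " as permitted sender) smtp.mailfrom=alice@yourdomain.example")
FORWARDED = ("mx.google.com; dkim=pass header.d=yourdomain.example header.s=google header.b=a2;"
             " spf=pass smtp.mailfrom=bounces@lists.example.net")
CRM = ("mx.google.com; dkim=pass header.d=crmvendor.example header.s=vendor1 header.b=a3;"
       " spf=pass smtp.mailfrom=bounce@bounce.crmvendor.example")
SUBDOMAIN = ("mx.google.com; dkim=pass header.d=mail.yourdomain.example header.s=vendor1"
             " header.b=a4; spf=fail smtp.mailfrom=news@mail.yourdomain.example")
STRICT = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc-reports@yourdomain.example; adkim=s; aspf=s"
RELAXED = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc-reports@yourdomain.example; adkim=r; aspf=r"

def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict; adkim/aspf default to relaxed."""
    tags = {"adkim": "r", "aspf": "r"}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            tags[k.strip()] = v.strip()
    return tags

def org_domain(domain):
    """Simplified organizational domain: the last two labels (assumption; real
    DMARC consults the Public Suffix List, so co.uk-style suffixes need that)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') accepts the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def parse_auth_results(header):
    """Return ((spf verdict, MAIL FROM domain), (dkim verdict, d= domain))."""
    spf = re.search(r"spf=(\w+)[^;]*?smtp\.mailfrom=(?:[^\s;@]*@)?([\w.-]+)", header)
    dkim = re.search(r"dkim=(\w+)[^;]*?header\.[di]=(?:[^\s;@]*@)?([\w.-]+)", header)
    return (spf.group(1, 2) if spf else ("none", ""),
            dkim.group(1, 2) if dkim else ("none", ""))

def dmarc_verdict(from_domain, header, record):
    """Return (passes, spf_aligned, dkim_aligned): DMARC needs one aligned pass."""
    tags = parse_dmarc(record)
    (spf_res, mailfrom), (dkim_res, d) = parse_auth_results(header)
    spf_ok = spf_res == "pass" and aligned(from_domain, mailfrom, tags["aspf"])
    dkim_ok = dkim_res == "pass" and aligned(from_domain, d, tags["adkim"])
    return spf_ok or dkim_ok, spf_ok, dkim_ok
```

The forwarded message passes on DKIM alone even though the forwarder's envelope broke SPF alignment, the CRM sending with its own d= fails both, and the mail.yourdomain.example signature passes only under relaxed alignment.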

Exact examples you can paste (replace yourdomain)

SPF, Google only, hard fail:
TXT @ "v=spf1 include:_spf.google.com -all"

SPF, Google plus a vendor, soft fail during discovery:
TXT @ "v=spf1 include:_spf.google.com include:_spf.sendvendor.com ~all"

DKIM, 2048-bit (publish the output from Admin Console):
Name: google._domainkey
Value: v=DKIM1; k=rsa; p=MIIB…

DMARC, monitor with strict alignment:
TXT _dmarc "v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain; ruf=mailto:dmarc-forensics@yourdomain; fo=1; pct=100; adkim=s; aspf=s"

DMARC, full reject with subdomain coverage:
TXT _dmarc "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc-reports@yourdomain; fo=1; pct=100; adkim=s; aspf=s"

Testing and ongoing operations

Run a weekly Gmail self-test and check “Show original” for SPF, DKIM, and DMARC PASS with alignment. Review DMARC aggregate reports monthly. Focus on any source that fails DKIM or sends with a non-aligned domain.

Rotate your DKIM selector at least yearly. Test the rotation process before you need it. When you add a vendor, require DKIM with your domain, add a single include: in SPF, and publish or adjust a subdomain DMARC record if needed. Because posture drifts, keep a short checklist and repeat it after every change.

FAQs

Is include:_spf.google.com enough for SPF?
Yes, if Google is your only sender. If you add platforms later, extend the same line with their includes and keep total DNS lookups at or below ten.

Should I use -all or ~all?
Use ~all while you discover senders. Move to -all once your inventory is correct so unauthorized sources hard-fail.

Do I need DMARC if SPF and DKIM already pass?
Yes. DMARC enforces alignment with the visible From:. Gmail and Yahoo now expect it, and enforcement improves placement.

What DKIM selector and key length should I use?
Selector “google” is common, but any valid label works. Choose 2048-bit keys and rotate on a schedule.

When should I enable BIMI?
After you enforce DMARC at quarantine or reject and you have a validated logo. It is optional, yet it can help recognition in the inbox.

You do not need guesswork. Publish one SPF that names Google, enable a 2048-bit DKIM key, and add a DMARC record that aligns the visible From:. Start with monitoring, fix strays, and then enforce. When vendors come and go, make them meet your domain and alignment rules. As a result, delivery stops wobbling and your brand stays trustworthy.
