Google Workspace SPF, DKIM, and DMARC setup review

Use this as a cautious review path before changing DNS for a domain that sends through Google Workspace. SenderReady can help check public records, but final changes should be confirmed with your DNS owner, Google Admin settings, and each sending platform.

Scan your Google Workspace domain

Check public SPF, DKIM, DMARC, and sender-readiness signals before editing DNS.

01$0Free scan

Check the public sender-auth records mailbox providers expect.

02$0Shareable action plan

Keep one URL with evidence, owner steps, and decisions.

03$49$49 fix plan

Add human review, provider context, and verification steps.

Optional. Most first scans can run with just the domain.

Checks Gmail, Yahoo, and Microsoft sender requirementsPublic DNS onlyNo mailbox login needed

Example result72/100Needs attention

Review DMARC policy strength before a high-volume send.

Public DNS evidence: DMARC/SPF/DKIM status and caveats are visible before you pay.
Owner-ready next step: The audit adds provider context and a verification checklist.

Get the exact fix plan for your domain.$49 readiness audit: prioritized owner actions, DNS evidence, and verification checks.

Get my $49 fix plan View sample

Sender readiness cockpitExample action plan

Public DNS workspace

Overall sender readiness

72/100

Needs attention

Sample output: one warning and one fail mean this domain is not campaign-ready yet.

DMARCPass

SPFPass

DKIMPass

MXPass

BIMIWarning

MTA-STSFail

Fix workspace preview

The scan becomes a focused work surface: evidence, owner action, verification, and the paid context a public lookup cannot infer.

HighDMARC

Review DMARC policy strength before a high-volume send.

Evidence: Evidence: a monitoring-only policy can satisfy visibility needs, but enforcement requires aligned legitimate senders.
Verify after change: Re-scan _dmarc after DNS propagation and confirm aligned SPF or DKIM senders before enforcement.
Paid audit adds: Policy sequence, starter record review, alignment questions, and enforcement caveats.

Get my fix plan

What Google publicly emphasizes

Google sender guidelines describe SPF or DKIM for all senders to personal Gmail accounts. For senders above the 5,000 messages per day threshold to Gmail accounts, Google lists SPF, DKIM, DMARC, alignment for direct mail, valid DNS, TLS, spam-rate expectations, message-formatting requirements, and unsubscribe requirements for marketing and subscribed messages.

That makes authentication a readiness baseline, not a complete deliverability audit. Reputation, complaint rates, list consent, message content, volume patterns, and Google Postmaster Tools data can still matter after DNS records look technically correct.

Setup areas to review

Confirm every sender first

List Google Workspace, marketing platforms, billing systems, support desks, and any product mailers that use the domain. Authentication changes are safer when you know which systems must keep passing.

Review SPF as an inventory control

SPF should represent the services allowed to send for the domain. Do not paste a sample SPF value from a guide without reconciling it with existing senders, because a domain should normally publish one SPF policy at the root.

Enable DKIM from Google Admin

For Google Workspace mail, generate or verify DKIM in the Admin console and publish the DNS value Google provides. A high-level guide should not invent your selector, host, or key value.

Publish DMARC for visibility

DMARC is published at the _dmarc host and tells receivers how to treat messages that fail aligned SPF or DKIM. Many teams begin with monitoring, then move toward enforcement after reviewing legitimate sources.

DNS examples are placeholders, not instructions

Records such as v=spf1 ... or v=DMARC1; p=none only show the shape of an SPF or DMARC record. They are not safe to copy until your actual sender inventory, DKIM selector, DMARC reporting address, and existing DNS are reviewed.

Google Workspace FAQ

Should I copy a Google Workspace SPF value from a blog post?

No. Treat examples as shape only. Your SPF policy has to include every legitimate sender for the domain and should be reviewed against any existing SPF record before DNS changes are made.

Is DKIM required if SPF already passes?

Google describes SPF or DKIM for all senders and SPF, DKIM, and DMARC for bulk senders to personal Gmail accounts. DKIM is also useful because it can survive forwarding paths where SPF may fail.

Can p=none satisfy the first DMARC step?

Google says a DMARC policy for bulk senders can be set to none. That is a monitoring position, not an enforcement finish line, so review reports and sender alignment before moving to quarantine or reject.

Want a readiness report before DNS changes?

SenderReady readiness audits summarize public DNS findings and cautious next steps. They do not replace Google Workspace support, legal advice, ESP support, or a full deliverability investigation.

View pricing Ask about a report