Steps to authenticate SPF, DKIM, and DMARC for Google Workspace 

In this blog, we’ll cover why Google’s 2024 email sender policy makes SPF, DKIM, and DMARC authentication mandatory and the steps to authenticate them.

For cold email marketers, email security is paramount. 

Yet, spam and phishing attempts are happening every day. Making it more important than ever to verify the legitimacy of emails. 

This is where SPF, DKIM, and DMARC come in – these are powerful protocols that act as gatekeepers, ensuring only authorized emails reach your recipients. 

And, with Google’s updated email sender policy for 2024, implementing these protocols is no longer essential but mandatory.

Why it matters? Google’s new emphasis on authentication

Google email sender policy makes SPF, DKIM, and DMARC authentication mandatory for bulk senders to Google accounts or personal accounts. 

Emails lacking proper authentication may face stricter scrutiny, potentially ending up in spam folders or even getting rejected. 

Think of it like stricter border control for your inbox – only legitimate emails with proper credentials pass through.

Understanding SPF, DKIM, and DMARC authentication

1. SPF (Sender Policy Framework)  

This acts as a whitelist of authorized servers for sending emails from your domain. Receiving servers check this list, ensuring emails truly originate from you.

2. DKIM (DomainKeys Identified Mail) 

This adds a digital signature to your emails, like a tamper-proof seal. Receiving servers verify the signature with a corresponding key, ensuring the email hasn’t been altered.

3. DMARC (Domain-based Message Authentication, Reporting & Conformance) 

This instructs receiving servers on how to handle emails that fail SPF and DKIM checks. Quarantine, reject, or simply monitor – DMARC takes control, protecting you from spoofing attempts.

Benefits to SPF, DKIM, and DMARC authentication

Authenticating SPF, DKIM, and DMARC deliver benefits beyond adhering to Google’s policy:

Enhanced Deliverability  

Authenticated emails have a higher chance of reaching inboxes, boosting your email communication effectiveness.

Reduced Spam

By tightening security, you make it harder for spammers to impersonate your domain, protecting your brand and safeguarding your recipients.

Increased Trust 

Authentication demonstrates your commitment to email security, fostering trust and confidence among your audience.

Authenticating SPF, DKIM, and DMARC

Don’t worry about technical jargon. 

Google offers user-friendly tools and resources to set up these protocols in your Google Workspace account. Remember, every step towards authentication strengthens your email security posture.

Here are the steps to authenticate SPF, DKIM, and DMARC for Google Workspace accounts:

1. SPF Authentication 

  • Locate your SPF record: In your Google Admin console, go to Apps > Google Workspace > Gmail > Authenticate email.

    For reference: Enter these values on the page or form for your domain provider’s TXT records:
Field nameValue to enter
Host@Note: If you’re adding an SPF record for a subdomain, enter the subdomain instead of @. Read Apply an SPF record to subdomain with the Host setting for more information.
ValueIf you only send email from Google Workspace, enter this SPF record:v=spf1 ~all
If you use additional email senders, enter the SPF record you created in Basic setup or in Advanced setup.
TTL1 hour or 3600 seconds
  • Add the SPF record to your DNS: Access your domain’s DNS settings and create a TXT record with the value provided by Google or mentioned above.

2. DKIM Authentication 

  • Generate a DKIM key: In the same section of the Admin console, click “Generate new record.”
  • Publish the DKIM record: Add the generated TXT record to your DNS settings.
  • Start authentication: Back in the Admin console, click “Start authentication.”

3. DMARC Authentication 

Wait for SPF and DKIM: Ensure SPF and DKIM are working for at least 48 hours before setting up DMARC.

Add a DNS TXT record, or modify an existing record, by entering your record in the TXT record for  _dmarc:

  • TXT record name: In the first field, under the DNS Hostname, enter:

Important Note: Some domain hosts automatically add the domain name after _dmarc. After you add the TXT record, you can verify the DMARC TXT record name to make sure it’s formatted correctly.

Important Note: The domain used here is an example domain. Replace with your own domain.

TXT record value: In the second field, enter the text for your DMARC record, for example:

v=DMARC1; p=none; rua=mailto:[email protected]

The field names might be different for your provider. DNS TXT record field names can vary slightly from provider to provider.

Important Note: The domain used here is an example domain. Replace with your own domain.

Key Points to remember whilst authentication

  • Order matters, so set up SPF and DKIM before DMARC.
  • Allow time (up to 48 hours) for DNS changes to take effect.
  • Use Google’s Toolbox ( or other tools to check authentication status.
  • Gradual DMARC: Start with a “none” or “quarantine” policy, then move to “reject” after monitoring.
  • Repeat the process for each domain you manage.

Additional tips when authenticating

  • Consult Google’s documentation, always refer to their detailed instructions for each step:
  • If you’re unsure, consult a technical expert or your IT administrator
  • Keep up with best practices and updates for email authentication.

Building a Secure Email Ecosystem

With Google’s 2024 email sender policy, SPF, DKIM, and DMARC are no longer optional. They’re the foundation for a safer and more trustworthy email environment for everyone. 

Take charge, implement these protocols, and watch your emails sail through the inbox gates with confidence.

Call to Action

  • Visit Google’s resources for detailed setup instructions.
  • Start your journey towards a more secure email environment today.
  • Share this information and spread the word about the importance of email authentication.

Together, let’s share and educate the cold emailing fraternity on the benefits and steps to authenticate SPF, DKIM, and DMARC. Let’s not do it because it’s mandatory, but because it’s the right thing to do.

Loved it? Spread it across!
Scroll to Top