Reco Security Experts
Updated February 5, 2025

How to Configure SPF Records for Google Workspace: Complete Guide

Email is one of the most critical communication tools for businesses. However, ensuring that your email reaches its intended recipient’s inbox and isn’t flagged as spam or phishing is a significant challenge. If your business uses Google Workspace for email, it has several options to validate the sending email server, and the Sender Policy Framework (SPF) record is the most important one. It is used to notify the recipient’s email server that Google is authorized to send email messages on behalf of your domain.

In this article, we’ll explain what an SPF record is, why it’s important, and provide step-by-step instructions for configuring it for Google Workspace.

What is an SPF Record?

SPF is a Domain Name System (DNS) record that specifies which mail servers are authorized to send email on behalf of your domain. Essentially, an SPF record tells the recipient’s email server, “Here is a list of servers that are allowed to send email using our domain.”

An illustration of how an SPF record authorizes email servers to send messages on behalf of a domain, helping prevent spoofing and improve email deliverability.

When an email is received, the recipient’s email server checks the SPF record to verify whether the email came from an authorized server. If the server isn’t listed, the email might (and probably would) be marked as spam or rejected altogether.

Why is SPF Important?

Email is a common entry point for cyberattacks that target users, including spam, phishing, malware, and spoofing. Email spoofing is a cyberattack where the attacker forges the sender's email address to make it appear as though the email comes from a trusted source, such as a company, colleague, or friend. The goal of email spoofing is often to trick the recipient into taking a specific action, such as:

  • Clicking a malicious link that may lead to malware or phishing websites.
  • Opening an attachment that contains malware.
  • Sharing sensitive information, such as passwords or financial details.

An email delivery failure notification due to an unauthorized sending server in Google Workspace. This occurs when the sender's domain lacks a properly configured SPF record, causing the recipient's server to reject or mark the email as spam.

The fundamental way to prevent spoofing of your domain is to create SPF records in the external DNS zone. 

One might ask, “SPF records protect the recipients of emails we send from spoofing, not the users within our own domain - so why should we care?” The answer lies in the primary purpose of SPF: improving the deliverability of your emails. By signaling to recipient mail servers which servers are authorized to send emails on behalf of your domain, SPF reduces the chances of legitimate messages being flagged as spam or rejected. Furthermore, it helps to protect your organization’s reputation by preventing your domain from being associated with spam or malicious activity, thereby maintaining credibility with recipients and email service providers.

SPF Record Structure

To create an SPF policy for your email domain, you need to create a TXT record in the external DNS zone. The record contains two fields: domain name and value. The domain name field should specify the domain that sends the messages. If you don’t use subdomains, there is no need to specify anything here. Some domain registrars require using the “@” symbol in this case. If you use a subdomain, specify it here.

The record value is the text string that defines the policy itself. It contains several elements, each separated by a space:

  1. Version tag. Only one version is currently available - v=spf1. This tag is mandatory, and the SPF record value must begin with it.
  2. Lookup mechanisms. These mechanisms define which servers are authorized to send emails for your domain:
    • A: Authorizes email messages sent from the server specified in the domain’s A-record.
    • MX: Permits email messages to be sent from all servers specified in the domain's MX records.
    • IP4 and IP6: Allows sending from specific IP addresses or a range of addresses in CIDR format (e.g., ip4:64.233.160.0/19).
    • Include: Authorizes email senders based on another domain's SPF record, specified using a fully qualified domain name (e.g., include:_spf.google.com).
  3. Finalizing lookup mechanism. This mechanism determines how to handle email senders that do not match any of the previous rules. It must be the last entity in the SPF record. Possible values are:
    • +all: Allows all senders to pass authorization. This configuration is strongly discouraged for security reasons and is rarely used, as it can lead to significant email deliverability and cybersecurity issues.
    • ~all: A "soft fail." Messages from senders that fail SPF checks will be accepted but flagged as suspicious. In most cases, these messages will be delivered to a quarantine or Junk folder.
    • -all: A "hard fail." Messages from any sender not explicitly authorized in the SPF record will be rejected. This is the most secure option and prevents unauthorized senders from delivering emails.

Your record should look something like this in the end:

This image displays the setup of an SPF record in a domain registrar’s DNS management panel. The record authorizes Google’s mail servers to send emails on behalf of the domain, improving email deliverability and security.

How to Configure an SPF Record for Google Workspace

Form Your SPF Record

Before configuring your SPF record, gather information about all the services that will send emails to external recipients on behalf of your domain. Each service must be included in the lookup mechanisms.

In the simplest case, where only Google Workspace will be used for sending emails, the SPF record should look like this:

v=spf1 include:_spf.google.com ~all

If you use multiple services - for example, Google Workspace for corporate emails and a third-party provider (such as Mailchimp or SendGrid) for marketing campaigns - both must be included in the SPF record. The following example authorizes both Google Workspace and Mailchimp:

v=spf1 include:_spf.google.com include:servers.mcsv.net ~all

For scenarios where you have an on-premises SMTP relay service, you need to include the IP addresses of your data center in the SPF record. For example:

v=spf1 include:_spf.google.com ip4:193.22.100.7/30 ~all

An SPF record example showing sender authorization for both Google Workspace and an on-premises email server, ensuring proper email delivery and security.

By ensuring all relevant services are included, you help prevent unauthorized senders from misusing your domain while maintaining email deliverability.

Create the Record

Once you’ve defined the content of your SPF record, you can create it in your external DNS zone. This is typically managed through your domain registrar’s web interface. If you’re unsure where your domain is registered, refer to the Identify your domain registrar help article for guidance.

The steps to create the SPF record may vary depending on the DNS management tools provided by your registrar, but they generally follow this process:

  1. Access Your DNS Settings: Log in to your domain registrar or DNS hosting provider.
  2. Locate Your Domain’s DNS Records: Navigate to the section where DNS records can be managed, often labeled as "DNS Settings" or "DNS Management."
  3. Create or Update the SPF Record: Add a new TXT record (or modify an existing one) and use the SPF value you prepared earlier.
  4. Save Changes: Once the record is added or updated, save your DNS settings.

    After saving, the new SPF record must propagate to DNS servers globally, which may take some time.
  5. Verify the SPF Record: Once the SPF record is replicated, you can verify it using third-party SPF record checkers like MX Toolbox, DNS Checker or similar. These tools will confirm whether your SPF record is correctly configured.

Additional Tips for SPF Configuration

When configuring an SPF record for your Google Workspace email infrastructure, follow these best practices:

  • Avoid Multiple SPF Records. Ensure there is only one SPF record per domain. If you need to authorize multiple email services, combine them into a single record. Having multiple SPF records can lead to email rejections, as email servers may interpret this as potentially malicious activity.
  • Use Subdomains for Additional Email Services. As an alternative to combining all email services into a single SPF record, consider creating subdomains for each service. This allows you to create separate SPF records for each subdomain. For example, use domain.com for corporate emails and marketing.domain.com for marketing campaigns.
  • Monitor and Update Your SPF Record. Regularly review your SPF record to ensure it includes all authorized email sources. Update it whenever you add a new email service or decommission an old one to maintain accuracy.
  • Complement SPF with DKIM and DMARC. While SPF is a powerful tool, it’s even more effective when used alongside DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting, and Conformance (DMARC) for comprehensive email authentication. For detailed instructions on setting up DKIM and DMARC in Google Workspace, see the articles Set up DKIM and Set up DMARC.

Troubleshooting SPF Record

If you are experiencing email deliverability issues, one possible cause could be a misconfigured SPF record. Common signs of misconfiguration include:

  • Issues with outgoing emails. Outgoing messages are either rejected or delivered to the Junk folder, while incoming emails function normally.
  • SMTP errors. Messages are rejected with SMTP status code 421 or similar errors.

To troubleshoot SPF-related problems, follow these steps:

  1. Verify the SPF record syntax:
    • Check the existing SPF record for syntax errors.
    • Common mistakes include extra spaces (e.g., v = spf1 instead of v=spf1) or incorrect formatting (e.g., include: example.com instead of include:example.com).
    • Ensure mechanisms are correctly named, such as ip4 instead of ipv4, and that IP subnet notation is accurate.
  2. Check the DNS lookup limit. SPF allows up to 10 DNS lookups per record. If you exceed this limit, optimize the record by consolidating mechanisms or flattening the SPF record.
  3. Ensure the SPF record size is within limits. The TXT record must not exceed 255 characters as per RFC 1035. If your record is too large, optimize it by using IP ranges instead of listing individual IP addresses.
  4. Test the DNS zone. Verify that the DNS zone of your domain is functioning correctly. If the zone is deleted or temporarily unavailable, SPF checks will fail.
  5. Analyze email logs. Use tools like the Email Log Search to review logs for problematic messages and identify patterns or errors.
  6. Consult recipient IT teams. Contact the recipient's IT personnel and request delivery logs from their side. These logs often contain critical information that can help diagnose the issue.
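
The syntax, lookup-count and size checks from the steps above, together with the record structure rules and the single-record tip described earlier, can be run offline before a record is published. The linter below is an added example, not code from the original article or from Google; `lint_spf` and the records used with it are assumptions, and its lookup count covers only the terms written in the record itself, because lookups made inside an included domain's record need live DNS to resolve.

```python
import ipaddress
import re

# Terms that each trigger a DNS lookup when evaluated (RFC 7208, section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "exists", "ptr", "redirect"}
KNOWN_TERMS = LOOKUP_TERMS | {"ip4", "ip6", "all", "exp"}

def lint_spf(txt_records):
    """Lint the TXT strings published at one DNS name; return a list of findings."""
    spf = [r for r in txt_records if r.lower().replace(" ", "").startswith("v=spf1")]
    if not spf:
        return ["no SPF record found"]
    findings = []
    if len(spf) > 1:
        findings.append("multiple SPF records: combine them into one")
    record = spf[0]
    if len(record) > 255:  # size limit as stated in the article
        findings.append("record exceeds 255 characters")
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return findings + ["version tag must be exactly 'v=spf1' with no spaces"]
    lookups, has_all = 0, False
    for pos, term in enumerate(terms[1:], start=1):
        qualifier = term[0] if term[0] in "+-~?" else "+"  # '+' is the default
        m = re.match(r"([A-Za-z0-9]+)[:=]?(.*)", term.lstrip("+-~?"))
        name, value = (m.group(1).lower(), m.group(2)) if m else ("", "")
        if name not in KNOWN_TERMS:  # catches 'ipv4' and a domain split off by a space
            findings.append(f"unknown term '{term}'")
            continue
        if name in LOOKUP_TERMS:
            lookups += 1
        if name in ("include", "exists", "redirect") and not value:
            findings.append(f"'{term}' has no domain directly after it")
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(value, strict=False)
                if net.version != int(name[2]):
                    raise ValueError("address family does not match mechanism")
            except ValueError:
                findings.append(f"'{term}' is not a valid {name} address or range")
        elif name == "all":
            has_all = True
            if pos != len(terms) - 1:
                findings.append("'all' must be the last term")
            if qualifier == "+":
                findings.append("'+all' authorizes every sender")
    if not has_all and "redirect=" not in record.lower():
        findings.append("record has no terminating 'all' mechanism")
    if lookups > 10:
        findings.append(f"{lookups} lookup terms at top level; the limit is 10")
    return findings
```

Calling `lint_spf` with the list of TXT strings published at the domain returns an empty list for the article's Google Workspace plus on-premises relay record, and one finding per problem otherwise.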

Conclusion

Configuring an SPF record for Google Workspace is a simple yet critical step in protecting your business’s email communications. It protects your domain against spoofing, enhances email deliverability, and preserves your brand’s reputation. Besides SPF, there are many other aspects that affect the security of your SaaS infrastructure. To get full visibility of the configuration and improve your organization’s security posture, you may need additional tools, such as Reco’s Posture Management solution, that will help reduce administrative overhead and compliance risks. Reach out for a demo of Reco today.
