← Back to Learn Hub

How to Set Up SPF for Google Workspace (Gmail)

Setting up SPF for Google Workspace is a single DNS record that tells the world Google's servers are allowed to send email for your domain. It's the quickest of the three email authentication records to add.

SPF (Sender Policy Framework) lists the servers permitted to send mail for your domain. Without it, receiving servers can't confirm that mail from your domain is genuine, which makes you easier to spoof.

The Google Workspace SPF record

For a domain that sends only through Google Workspace, the record you publish is:

v=spf1 include:_spf.google.com ~all

v=spf1 marks it as an SPF record, include:_spf.google.com authorises Google's mail servers, and ~all tells receivers to treat mail from anywhere else as suspect. You publish this as a single TXT record on your domain.

Step 1: Add the SPF record

Add the record where your domain's DNS is managed (your registrar or DNS host).

  • Type: TXT
  • Host / Name: @ (your root domain)
  • Value: v=spf1 include:_spf.google.com ~all
  • Save, then allow time to propagate. It's usually live within an hour, up to 48 hours at most.

Adding your other senders

If anything else sends email as your domain (a newsletter tool, CRM, invoicing or booking system), it has to go in the same record. You can only have one SPF record per domain; a second one makes both invalid.

Add each provider's include before the ~all, for example: v=spf1 include:_spf.google.com include:servers.example.com ~all. Keep the whole record within 10 DNS lookups, or it fails and receivers ignore it.

Use ~all (soft fail) while you confirm every sender is covered, then you can move to -all (hard fail) for stricter protection.

How to check it worked

Confirm your record with our free SPF checker. It shows the servers your record authorises and flags issues like a missing record, an unsafe +all, or too many lookups.

Common problems

Most Google Workspace SPF issues come from a few causes.

  • Two SPF records on the domain: only one is allowed, so merge them into a single record.
  • Too many lookups: each include counts toward a limit of 10. Past that, the record fails.
  • Other senders missing: mail from tools not listed in the record can be treated as spoofed.

Check your domain now

Enter your domain to see your current email security status.

Frequently Asked Questions

What is the SPF record for Google Workspace?

For a domain that sends only through Google Workspace, the record is v=spf1 include:_spf.google.com ~all, published as a single TXT record on your root domain. The include authorises Google's mail servers; ~all marks mail from anywhere else as suspect.

Can I have two SPF records for my domain?

No. A domain can only have one SPF record. If you publish two, both become invalid and receivers ignore them. When you add another sender, put its include into your existing record rather than creating a second one.

Should I use ~all or -all for Google Workspace?

Start with ~all (soft fail) while you confirm every legitimate sender is in the record. Once you're sure nothing is missing, -all (hard fail) is stricter and tells receivers to reject mail from unlisted servers. Moving too early can affect real mail.

How long does the SPF record take to work?

After you save the TXT record, DNS changes usually take effect within an hour, though they can take up to 48 hours to fully propagate. Once it resolves, receiving servers start using it to check mail from your domain.

Setting up SPF for Google Workspace is one TXT record, v=spf1 include:_spf.google.com ~all, plus an include for any other tool that sends as you, all kept in a single record under the 10-lookup limit.

Check it with our SPF checker, then set up DKIM and DMARC for Google Workspace too, or let readyDMARC handle all three for you.

Related Articles

How to Set Up DKIM for Google Workspace (Gmail)

Set up DKIM for Google Workspace (Gmail): generate the key in the Admin console, publish the google....

Read more →

How to Set Up DMARC for Google Workspace (Gmail)

Set up DMARC for Google Workspace (Gmail): publish the _dmarc DNS record, pick a policy, and move to...

Read more →

What Is SPF? How Sender Policy Framework Works

Learn what SPF is, how Sender Policy Framework stops email spoofing, protects your domain, and impro...

Read more →

Misconfiguring this is easy, and costly

One wrong record can let attackers send email as your domain, or block your own legitimate mail once you turn on enforcement. Getting from a published record to real protection, without breaking delivery, is where most teams get stuck. Our specialists set up SPF, DKIM, and DMARC for you and roll it out safely, checking at every stage.

Book a call with our team