The Google Workspace Email Security Checklist: SPF, DKIM, and DMARC


Setting DNS records improperly can cause unauthorized parties to masquerade as your email domain. In this post, I show all of the DNS records that must be added.


  • SPF
    • TXT @: v=spf1 -all
    • TXT *: v=spf1 -all
  • DKIM


SPF HARDFAIL for unauthenticated email being sent from your root domain

  • TXT @: v=spf1 -all

This record ensures that all email being sent from your root domain comes from Google Workspace.

SPF HARDFAIL for all email being sent from your subdomains

  • TXT *: v=spf1 -all

If a subdomain does not exist, this rule ensures that all email being sent from the subdomain is flagged and/or rejected.


This rule marks all unauthenticated email from your root domain as spam (quarantine) and instructs recipients of unauthenticated email to reject all email from your subdomains (reject).


DKIM ensures that Google is cryptographically signing the contents of your emails. This ensures that your email contents aren't being tampered with.

Thanks for reading! Have any questions, comments, or suggestions? Feel free to use the comment section below or email me at [email protected] and I'll do my best to respond.

Alternatively, you can view the source of the post here and send a pull request.