Learning Objective
By the end of this tutorial, you’ll know how to set up DKIM, SPF, and DMARC for a domain managed in Google Domains (or Squarespace Domains), and how to verify each record so your email is authenticated and more likely to land in the inbox.
Why This Matters
Email authentication proves that messages sent from your domain are legitimate. When DKIM, SPF, and DMARC are configured correctly, you reduce spoofing/phishing risk and improve deliverability—especially for Google Workspace and other major inbox providers.
Prerequisites
You have access to your domain’s DNS settings in Google Domains (note: many domains are now managed via Squarespace Domains).
You have admin access to Google Admin Console for your Google Workspace (for DKIM setup).
You know which systems send email as your domain (Google Workspace, a CRM, marketing tool, support platform, etc.). This matters for SPF and DMARC alignment.
Core Lesson: Step-by-Step Workflow
Phase 1: Set up DKIM in Google Workspace (signing your outgoing mail)
DKIM adds a cryptographic signature to your outgoing messages. Receiving servers use it to verify your emails weren’t altered and were authorized by your domain.
Open the Google Admin Console
Go to admin.google.com and sign in with a super administrator account.
Navigate to Gmail authentication (DKIM)
Go to Apps > Google Workspace > Gmail.
Select Authenticate email (DKIM).
Select the domain you want to authenticate
Use the domain selector to choose the domain you send mail from.
Generate the DKIM record, then publish it in DNS
Google will provide a DKIM TXT record (name/host and value).
In a new tab, open your domain’s DNS settings in Google Domains and add the provided TXT record.
Save the record.
Start DKIM signing
Return to the Admin Console DKIM page and click Start authentication (or the equivalent “start” action).
Note: Some Google Workspace setups may have already published DKIM records. Always verify what’s currently in DNS before adding duplicates.
Phase 2: Publish an SPF record in Google Domains (authorizing senders)
SPF tells receiving servers which systems are allowed to send email for your domain. This helps prevent spoofing and supports DMARC enforcement later.
Open DNS for your domain
Sign in to Google Domains.
Select your domain, then open the DNS section.
Add (or edit) your SPF TXT record
Find the area for Custom records (often labeled Manage custom records).
Create a new record with:
Type: TXT
Host/Name: @
Value: v=spf1 include:_spf.google.com ~all
TTL: default (or your preference)
Save the record.
Important: You should have only one SPF record (one TXT record starting with v=spf1) per domain. If you use other senders (e.g., a CRM or marketing platform), you must merge their SPF “include” mechanisms into the same record.
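The one-record rule above, as an added example (not part of the original tutorial): this Python sketch takes the TXT values you see in DNS, counts the SPF records, and folds them into a single record. The TXT values and the spf.crm.example include are constructed; take the real include for each sender from that vendor's documentation.

```python
import re

# Constructed TXT values for one domain; spf.crm.example is a made-up third-party sender.
TXT_VALUES = [
    "v=spf1 include:_spf.google.com ~all",
    "v=spf1 include:spf.crm.example ip4:198.51.100.7 ~all",
    "google-site-verification=constructed-token",
]
# Terms that cost a DNS lookup at evaluation time (RFC 7208 caps the total at 10).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def spf_records(txt_values):
    """Return only the TXT values that are SPF records."""
    return [t for t in txt_values if t.lower().split()[:1] == ["v=spf1"]]

def merge_spf(txt_values, all_qualifier="~"):
    """Fold every SPF record into one, de-duplicated, with a single trailing 'all'."""
    terms = []
    for record in spf_records(txt_values):
        for term in record.split()[1:]:
            if term.lstrip("+-~?").lower() == "all":
                continue  # exactly one 'all' is appended below
            if term not in terms:
                terms.append(term)
    return " ".join(["v=spf1", *terms, all_qualifier + "all"])

def lookup_count(record):
    """Count lookup-causing terms written in this record (nested includes add more)."""
    names = (re.split(r"[:/=]", t.lstrip("+-~?").lower())[0] for t in record.split()[1:])
    return sum(name in LOOKUP_TERMS for name in names)

def audit(txt_values):
    merged = merge_spf(txt_values)
    return {
        "spf_record_count": len(spf_records(txt_values)),  # must end up as 1
        "merged": merged,
        "lookups_in_merged": lookup_count(merged),
    }

if __name__ == "__main__":
    print(audit(TXT_VALUES))
```

Publish the merged value as the only SPF TXT record and delete the others.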
Phase 3: Publish a DMARC record in Google Domains (policy + reporting)
DMARC tells mailbox providers what to do when SPF and/or DKIM checks fail, and it can send you reports about authentication results.
Open DNS for your domain
In Google Domains, go to your domain’s DNS section.
Add a DMARC TXT record
Create a new TXT record with:
Type: TXT
Host/Name: _dmarc
Value: v=DMARC1; p=none; rua=mailto:[email protected]
TTL: default (or your preference)
Replace [email protected] with an inbox that should receive DMARC aggregate reports.
Save the record.
Recommendation: Start with p=none to monitor reports first. After you confirm legitimate sources pass SPF/DKIM consistently, consider moving to stricter policies (quarantine then reject) to better block spoofing.
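One way to act on the recommendation above, as an added example that is not part of the original tutorial: it reads a DMARC aggregate (rua) report and lists which of your known senders still fail DMARC, which is what should hold back a move to quarantine or reject. The report, the IP addresses and the known-sender set are constructed.

```python
import xml.etree.ElementTree as ET
from collections import Counter

def record_xml(ip, count, dkim, spf):
    # Builds one constructed <record> in the aggregate-report layout (RFC 7489, Appendix C).
    return (f"<record><row><source_ip>{ip}</source_ip><count>{count}</count>"
            f"<policy_evaluated><disposition>none</disposition><dkim>{dkim}</dkim>"
            f"<spf>{spf}</spf></policy_evaluated></row>"
            f"<identifiers><header_from>example.com</header_from></identifiers></record>")

# Constructed report: one sender passing, a CRM failing, and an unknown source failing.
REPORT = ("<feedback>"
          + record_xml("192.0.2.10", 120, "pass", "pass")
          + record_xml("198.51.100.7", 15, "fail", "fail")
          + record_xml("203.0.113.50", 4, "fail", "fail")
          + "</feedback>")

def summarize(xml_text):
    """Return (total messages, Counter of source_ip -> messages that failed DMARC)."""
    # Reports arrive from external parties: for real files use a hardened parser
    # such as defusedxml instead of the standard-library one used in this demo.
    root = ET.fromstring(xml_text)
    total, failing = 0, Counter()
    for rec in root.iter("record"):
        row = rec.find("row")
        count = int(row.findtext("count", "0"))
        evaluated = row.find("policy_evaluated")
        total += count
        # policy_evaluated holds the aligned results; DMARC fails only if both fail.
        if evaluated.findtext("dkim") != "pass" and evaluated.findtext("spf") != "pass":
            failing[row.findtext("source_ip")] += count
    return total, failing

def enforcement_blockers(xml_text, known_senders):
    """Known (legitimate) senders that still fail DMARC; fix these before tightening p=."""
    _, failing = summarize(xml_text)
    return {ip: n for ip, n in failing.items() if ip in known_senders}

if __name__ == "__main__":
    print(summarize(REPORT))
    print(enforcement_blockers(REPORT, {"192.0.2.10", "198.51.100.7"}))
```

Failures from sources you do not recognize are the traffic a stricter policy is meant to stop; failures from your own senders are the ones to fix first.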
Phase 4: Verify DKIM, SPF, and DMARC are working
Verification ensures your DNS changes are propagated and that authentication is actually passing for real mail.
Verify DKIM by checking message headers
Send a test email to a Gmail address.
Open the message in Gmail, click the three-dot menu, then select Show original.
Look for Authentication-Results and confirm you see dkim=pass (or similar pass wording).
Verify SPF and DMARC
In the same “Show original” view, confirm you see spf=pass and dmarc=pass (once DMARC is published and aligned).
Optionally, use a DNS lookup tool to confirm the TXT records exist and match what you entered.
Note: DNS propagation can take up to 48 hours, though it’s often much faster.
Practical Application / Real-Life Example
If you only send mail through Google Workspace, a common “baseline” configuration is:
SPF: v=spf1 include:_spf.google.com ~all
DKIM: Enabled in Google Admin Console and published as the TXT record Google provides
DMARC (monitoring): v=DMARC1; p=none; rua=mailto:[email protected]
Once you confirm passes in headers and DMARC reports show only legitimate sources, you can tighten DMARC to reduce spoofing attempts.
Troubleshooting & Pitfalls
Issue: SPF shows “fail” or “softfail”
Root cause: The sending system isn’t included in SPF, or you accidentally created multiple SPF records.
Fix:
Ensure there is only one TXT record beginning with v=spf1.
Add the required SPF “include” for any additional sender you use (CRM/marketing/support tools) into the same SPF record.
Issue: DKIM fails even after you “started authentication”
Root cause: The DKIM TXT record in DNS doesn’t match what Google generated, or the selector/domain is wrong.
Fix:
Re-check the DKIM TXT record name/host and value exactly as provided in the Admin Console.
Wait for DNS propagation, then test again using Gmail “Show original.”
Issue: DMARC shows “fail” while SPF and DKIM both pass
Root cause: DMARC requires alignment (the domain that passes SPF/DKIM must align with the visible “From” domain).
Fix:
Confirm the message is being sent with the correct “From” domain.
Ensure DKIM is signing with your domain and/or SPF passes for the same domain (or properly aligned subdomain).
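The header check from Phase 4 and the alignment issue above, as an added example (not from the original tutorial): it pulls the dkim, spf and dmarc verdicts out of Authentication-Results and tests each authenticated domain against the From domain. The message is constructed, and org_domain is a two-label simplification of the Public Suffix List lookup real receivers perform.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample in the style of Gmail's "Show original" view.
RAW = """\
Authentication-Results: mx.google.com;
       dkim=pass header.i=@mail.vendor.example header.s=s1 header.b=AbCdEfGh;
       spf=pass (google.com: domain of bounce@mail.vendor.example designates 192.0.2.10 as permitted sender) smtp.mailfrom=bounce@mail.vendor.example;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=example.com
From: Billing <billing@example.com>
Subject: constructed test

body
"""

def org_domain(domain):
    # Assumption: the organizational domain is the last two labels (no Public Suffix List).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def check_message(raw):
    """Return verdicts plus whether each passing identity aligns with the From domain."""
    msg = message_from_string(raw)
    header = " ".join((msg["Authentication-Results"] or "").split())  # unfold
    header = re.sub(r"\([^)]*\)", "", header)                         # drop comments
    from_org = org_domain(parseaddr(msg["From"])[1].rpartition("@")[2])
    out = {"dkim": "none", "spf": "none", "dmarc": "none",
           "dkim_aligned": False, "spf_aligned": False}
    for part in header.split(";")[1:]:  # part 0 is the receiving server's id
        m = re.match(r"\s*(dkim|spf|dmarc)=(\w+)", part)
        if not m:
            continue
        method, result = m.groups()
        if method == "dmarc":
            out["dmarc"] = result
            continue
        if out[method] != "pass":       # keep a pass if any signature passed
            out[method] = result
        ident = re.search(r"(?:header\.[di]|smtp\.mailfrom)=([^\s;]+)", part)
        dom = ident.group(1).rpartition("@")[2] if ident else ""
        # Relaxed alignment (the DMARC default): organizational domains must match.
        out[method + "_aligned"] |= result == "pass" and org_domain(dom) == from_org
    return out

if __name__ == "__main__":
    print(check_message(RAW))
```

In the sample, DKIM and SPF both pass for the vendor's domain but neither aligns with example.com, so DMARC fails.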
Issue: You don’t receive DMARC reports
Root cause: The rua mailbox is wrong, blocked, or not monitored; some providers also take time to start sending reports.
Fix:
Confirm the rua=mailto: address exists and can receive external mail.
Wait a few days; aggregate reports are typically periodic, not immediate.
Knowledge Check / Quick Quiz
Can you explain which systems are currently authorized to send mail for your domain (and whether they’re all included in SPF)?
When you check “Show original” in Gmail, do you see dkim=pass and spf=pass for your test messages?
What is your current DMARC policy (none, quarantine, or reject) and why?
