Countless phishing and scam emails are currently making their way into users’ inboxes, putting data at risk. When using Gmail or Gmail for Business, setting up an SPF record has become crucial to enhancing email security. In 2024, Google rolled out its updated sender requirement guidelines, making email authentication compulsory for all senders!
Here’s a quick recap of where it currently stands:
- Google requires all email senders to implement either SPF or DKIM
- Google requires bulk senders to additionally implement a DMARC policy of at least p=none, on top of an SPF or DKIM setup
A Gmail SPF record prevents unauthorized individuals from sending emails from your Google Workspace domain. This record works as a checkpoint for emails sent from your domain before they can reach your customer’s inbox. Properly implementing your Google Workspace SPF record reduces the chances of emails from your domain being marked as spam.
Therefore, if you want to create an SPF record for Google Workspace, you’re at the right place. This article will explain how to set up an SPF record for Google Workspace and why proper implementation is necessary.
Understanding Gmail SPF Records
An SPF (Sender Policy Framework) record specifies which mail servers are authorized to send emails on behalf of your domain. When an email is received, the receiving server checks the SPF record of the domain in the “From” address to verify whether the email is coming from an authorized server.
The SPF record is published in your domain’s DNS as a TXT record. It contains a list of IP addresses or hostnames of the servers permitted to send emails on behalf of your domain. This record can include multiple servers and third-party services.
If an email is sent from an unauthorized source, the receiving server will check the domain’s SPF record using the DNS TXT record.
The Importance of a Gmail SPF Record
If you are not abiding by Google’s new email authentication rules for senders, it can land you in trouble! Here’s what can happen if you do not implement a Google Workspace SPF record:
- Your emails may get marked as spam
- Your domain/IP address may get blocklisted
- Your domain reputation may take a hit due to increased email spam complaints
The Mechanics of SPF: How It Operates
An SPF record is a single line of plain text including various tags. The tags contain the corresponding values, mainly the IP addresses and domain names for authorized sending sources.
An SPF record is added to your domain provider as a TXT record. It can only be up to 255 characters. The size of a TXT record file should be less than or equal to 512 bytes.
When an email is sent, the recipient’s mail server checks the SPF record of the sender’s domain. This is done to verify whether the IP address of the mail server that sent the email is listed in the SPF record.
Based on the check, the receiving mail server assigns one of the following results:
- Pass: The IP address is authorized to send emails for the domain.
- Fail: The IP address is not authorized, indicating potential email spoofing.
- Softfail: The IP address is not authorized, but the domain owner requests that the email should still be accepted but marked as suspicious.
- Neutral: The domain does not assert any authentication information about the IP.
- No SPF record found.
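The evaluation described above can be traced in a few lines. This is an added example, not code from the article or from any mail server: the `ZONE` data, domain names and address ranges are constructed, and only the `ip4`, `ip6`, `include` and `all` mechanisms are handled.

```python
import ipaddress

# Constructed zone data standing in for DNS TXT lookups (names and ranges are made up).
ZONE = {
    "example.com": "v=spf1 include:_spf.mailhost.example ip4:198.51.100.25 ~all",
    "_spf.mailhost.example": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "open.example": "v=spf1 ?all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(sender_ip, domain, depth=0):
    """Evaluate sender_ip against the SPF record published for domain."""
    record = ZONE.get(domain)
    if record is None or record.split()[:1] != ["v=spf1"]:
        return "none"                      # "No SPF record found"
    if depth > 10:
        return "permerror"                 # guard against include loops
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:        # mechanisms are tried left to right
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        name, _, value = term.lstrip("+-~?").partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # Containment is False when the address families differ.
            matched = ip in ipaddress.ip_network(value, strict=False)
        elif name == "include":
            # An include matches only if the included record yields "pass".
            matched = check_spf(sender_ip, value, depth + 1) == "pass"
        else:
            continue                       # a, mx, etc. are outside this example
        if matched:
            return QUALIFIERS[qualifier]   # first match decides the result
    return "neutral"                       # nothing matched

if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.25", "203.0.113.7"):
        print(ip, "->", check_spf(ip, "example.com"))
```

The first matching mechanism decides the result, which is why the trailing `~all` only applies to senders that no earlier mechanism authorized.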
Setting Up an SPF Record for Google Workspace: Step-by-step Guide
Here’s what you need to do to set up an SPF record for Google Workspace.
1. Sign in to Your Domain Account
The first step in adding your Google Workspace SPF record is to sign in to your DNS management console. You should be able to access your domain’s DNS settings. You can update your DNS records here to add SPF for Google Workspace. This process depends on your service provider as well and may vary from one DNS provider to another.
If you don’t find this option in your DNS management console, contact your DNS provider to locate your DNS settings.
2. Create Your Google Workspace SPF TXT Record
After signing in to the DNS management console, navigate to the TXT records section to add a new TXT record with the following values.
- Type: TXT
- Host: @ (or the specific subdomain if you’re setting up an SPF record for a subdomain)
- Value: For domains sending emails from Google Workspace, the SPF record “v=spf1 include:_spf.google.com ~all” must be used. For those using additional email senders, you need to have one consolidated SPF record for the domain that includes all your sending sources, including other third-party email vendors. This can be done using multiple “include:” mechanisms.
- TTL: Set it to 1 hour or 3600 seconds.
3. Set Up Google Workspace SPF Record for Subdomains
Adding an SPF record to the root domain doesn’t mean it applies to your subdomains. This is because SPF policy is not inherited automatically by subdomains. Hence, if you are using subdomains, you need to set up SPF records for Gmail separately on each subdomain. This can, however, only be done if your domain provider allows SPF setup directly for subdomains.
As mentioned earlier, the steps of setting up SPF on subdomains are similar. Some domain providers don’t support the direct application of SPF on subdomains. In that case, you can create a Gmail SPF record on the root domain and later adjust the Host setting to point to the subdomain instead of “@”.
4. Save the SPF Record
After creating your SPF record, save the changes. The record should be activated within 48 hours of being saved, depending on the time taken on your DNS provider’s end to propagate the changes.
Verifying Your SPF Record for Gmail
Verifying Gmail SPF records after setting them up involves ensuring that your domain is properly authenticated with SPF.
The verification can be done by following these steps.
● You can use our SPF lookup tool to check your Gmail SPF record setup instantly.
● Go through the TXT entry of your implemented SPF record to see if the status is valid.
● Recheck if the record contains all the authorized IP addresses and third-party vendors you use to send your emails.
● Make sure you haven’t published multiple SPF records for a single domain. If you use additional third-party vendors other than Google Workspace for email marketing, you can use the “include” mechanism in the same SPF record to authorize them, as shown in the example below:
v=spf1 include:_spf.google.com include:spf.thirdpartydomain1.com include:spf.thirdpartydomain2.com ~all
● Make sure you keep the proper formatting.
● If any discrepancies are found in your SPF record, update the SPF record for Gmail to remove these errors and verify your setup again.
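The checks in the list above can be scripted against the TXT strings returned for a domain. This is an added example, not the lookup tool the article mentions: `lint_spf` and the sample record sets are constructed, and the term grammar is a simplified assumption rather than the full SPF syntax.

```python
import re

GOOGLE_INCLUDE = "include:_spf.google.com"  # value given in the article
MAX_LEN = 255                                # character limit stated in the article
# Simplified term grammar for this example (an assumption, not the full SPF syntax).
TERM_RE = re.compile(
    r"[+\-~?]?(all|(include|exists|ptr|a|mx|ip4|ip6)([:/]\S+)?)|(redirect|exp)=\S+")

def lint_spf(txt_records):
    """Return the problems found in a domain's TXT records (empty list = clean)."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no SPF record found"]
    if len(spf) > 1:
        return [f"{len(spf)} SPF records published; merge them into one"]
    record, problems = spf[0], []
    if len(record) > MAX_LEN:
        problems.append(f"record is {len(record)} characters, limit is {MAX_LEN}")
    terms = record.lower().split()[1:]
    skip_next = False
    for term in terms:
        if skip_next:                      # orphaned value of the previous term
            skip_next = False
        elif term.endswith((":", "=")):
            problems.append(f"space after '{term}'")
            skip_next = True
        elif not TERM_RE.fullmatch(term):
            problems.append(f"unrecognised term '{term}'")
    if GOOGLE_INCLUDE not in terms:
        problems.append(f"missing {GOOGLE_INCLUDE}")
    last = terms[-1] if terms else ""
    if last in ("all", "+all"):
        problems.append("'+all' authorizes every sender")
    elif last not in ("-all", "~all", "?all") and not any(
            t.startswith("redirect=") for t in terms):
        problems.append("record does not end with an 'all' mechanism")
    return problems

# Constructed TXT record sets for illustration.
SAMPLES = {
    "spaced": ["v=spf1 include: _spf.google.com ~all"],
    "split": ["v=spf1 include:_spf.google.com ~all",
              "v=spf1 include:spf.thirdpartydomain1.com ~all"],
    "merged": ["v=spf1 include:_spf.google.com include:spf.thirdpartydomain1.com ~all"],
}

if __name__ == "__main__":
    for name, records in SAMPLES.items():
        print(name, "->", lint_spf(records) or "OK")
```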
Implement DMARC and SPF with PowerDMARC
Lastly, by implementing an SPF record for Gmail, you can successfully comply with Google’s requirements to ensure smooth deliverability and reduce spam complaints. By combining this with a DMARC setup, you can protect your domain from email-based cyber-attacks like spoofing, phishing, and BEC.
Setting up a Google Workspace SPF record is only the first step towards protecting your domain. For enhanced domain security and visibility, start your journey with a 15-day free trial of PowerDMARC today!