SPF for Google Workspace: Complete Setup Guide
Set up SPF for Google Workspace correctly. Learn Google's required SPF include, how to combine it with other services, and avoid common DNS mistakes.
Your Google Workspace Emails Are Landing in Spam
You switched to Google Workspace for business email. Everything seemed fine until a client mentioned they never got your proposal. You check your sent folder — it's right there. But without a proper SPF record, Google Workspace emails have no way to prove they're legitimate. Spam filters see an unverified sender and act accordingly.
The Google Workspace SPF Problem
Google Workspace sends email from Google's servers, not yours. When a recipient's mail server receives your message, it checks your domain's DNS for an SPF record that authorizes Google's infrastructure. Without that record, your emails fail authentication.
Here's what makes it tricky:
- Google uses a specific SPF include that you must add exactly right
- If you already have an SPF record for another service, you can't just add a second one — domains can only have one SPF record
- A syntax mistake means all your email authentication breaks, not just Google's
Google Workspace requires include:_spf.google.com in your SPF record. This single include covers all of Google's sending infrastructure — Gmail, Google Groups, and any other Google service that sends on your behalf.
How SPF Creator Helps
Google Workspace preset
Select Google Workspace from the provider list and the correct include is added automatically. No need to memorize _spf.google.com.
Merge with existing services
Already using SendGrid or Mailchimp? SPF Creator combines all your providers into a single, valid SPF record. No duplicate records, no syntax conflicts.
Syntax validation
Before you copy the record, SPF Creator validates the entire string. Catch missing tildes, extra spaces, or malformed mechanisms before they reach your DNS.
DNS lookup count
Google's include uses several of your 10 allowed DNS lookups. SPF Creator tracks the total so you know if you're approaching the limit.
Monitor your Google Workspace email authentication
After creating your SPF record, make sure it stays valid. Get daily checks on SPF, DKIM, and DMARC.
Setting Up SPF for Google Workspace
Open SPF Creator
Go to SPF Creator and start a new record. Your record begins with v=spf1 automatically.
Add Google Workspace
Select Google Workspace from the provider dropdown. This adds include:_spf.google.com to your record.
Add other sending services
If you use additional services like SendGrid, Mailchimp, or a transactional email provider, add those too. SPF Creator merges them into one record.
Review your record
Check the generated record and the DNS lookup count. A typical Google Workspace-only record looks like: v=spf1 include:_spf.google.com ~all
Add the TXT record to your DNS
Log into your DNS provider (GoDaddy, Cloudflare, Namecheap, Route 53, etc.). Create a TXT record for your root domain (@) with the generated SPF value.
Wait for propagation and verify
DNS changes can take up to 48 hours, though most propagate within an hour. Send a test email and check the headers for spf=pass. You can also use SPF Record Check to verify your record is published correctly.
Common Google Workspace SPF Mistakes
Creating a second SPF record
Your domain can only have one SPF TXT record. If you already have an SPF record for another service, don't add a second one. Merge the includes into a single record.
Wrong:
v=spf1 include:_spf.google.com ~all
v=spf1 include:servers.mcsv.net ~all
Right:
v=spf1 include:_spf.google.com include:servers.mcsv.net ~all
Using the wrong include
Google's SPF include is _spf.google.com — not google.com, not gmail.com, not googlemail.com. Using the wrong value means the lookup fails and your emails aren't authenticated.
If you previously used Google Apps (the older branding), the SPF include is the same: _spf.google.com. No changes needed when migrating to Google Workspace.
Using -all too aggressively
The -all mechanism tells receiving servers to reject anything not covered by your SPF record. If you're still setting up or testing, use ~all (softfail) first. Switch to -all (hardfail) once you've confirmed all legitimate sending sources are included.
Once your SPF record is in place, complete your Google Workspace email authentication by setting up DKIM for cryptographic message signing and a DMARC policy to tell receivers how to handle authentication failures.
DNS Provider Quick Reference
| DNS Provider | Record Type | Host/Name | Value |
|---|---|---|---|
| Cloudflare | TXT | @ | v=spf1 include:_spf.google.com ~all |
| GoDaddy | TXT | @ | v=spf1 include:_spf.google.com ~all |
| Namecheap | TXT | @ | v=spf1 include:_spf.google.com ~all |
| Route 53 | TXT | (blank) | v=spf1 include:_spf.google.com ~all |
| Google Domains | TXT | @ | v=spf1 include:_spf.google.com ~all |
Pricing
Free
$0
- Up to 3 items
- Email alerts
- Basic support
Pro
$9/month
- Unlimited items
- Email + Slack alerts
- Priority support
- API access
Related Articles
Monitor Your New SPF Record
You've created your SPF record — now make sure it keeps working. The Email Deliverability Suite watches your SPF, DKIM, DMARC, and MX records daily and alerts you when something breaks.
Never miss an SPF issue
Monitor your SPF, DKIM, DMARC and MX records daily. Get alerts when something breaks.
Start Monitoring