All Collections
Setup πŸ› 
SPF, DMARC and DKIM: Google Domain & Google Workspace
SPF, DMARC and DKIM: Google Domain & Google Workspace

How to set up records and connect your Google domain to your Google workspace

Marija Zivanovic avatar
Written by Marija Zivanovic
Updated over a week ago

If you are using Google Workspace for your email accounts and Google domains as your domain host, you will need to set up some DNS records prior to starting using your email accounts for sending.

Adding a domain from Google domain to Google Workspace

You can connect your Google domain to your Google Workspace in a few simple steps, by giving permissions to Google Workspace to automatically generate DNS records for your domain. The records that will be generated automatically are MX, SPF, TXT and DKIM.

  1. Log in to your in one tab and your in the other

  2. Go to your Manage Domains page by clicking on Account, Domains, and Manage domains.

3. Click on Add a domain button

4. Enter the domain name, select Secondary domain type and click on Verify domain

5. On the next page you will be asked to sign in to verify the domain. Sign in to the account that you used to buy the domain from Google.

5.1. If the account that you used to buy the domain is different from the workspace admin account, you will need to sign in with its credentials to verify the ownership of the domain.

5.2. You will be asked to give the permission to the workspace admin to manage the domain. Click Add.

5.3. Click on Go to Google Workspace

6. After you verify your ownership and go back to Google Workspace, your domain will be verified. Next step is to activate Gmail.

7. Click on Activate Gmail

8. Select Set up MX Record and click NEXT

9. You will be asked to sign in to your Google Domain. After you sign in and authorize, Google will automatically update your domain settings to start routing your emails to Gmail. Sign in with the account that you used to buy the Google domain.

10. Records that will be automatically added to your domain DNS are MX, SPF, TXT and DKIM. Click on Yes, connect.

You can now go to your Google domains, check the DNS records of the domain that you connected to Google workspace. Click on Google workspace to see all the records created.*

*To set your expectations, Google Workspace records are generated automatically when you connect a domain with your Google Workspace email account via Google Domains. If you are to modify any record alone, you may need to delete the whole Google Workspace records and have them re-entered on your Custom Records.

DMARC Set up

On the DNS page for your domain, click on the arrow of the Custom Records

Enter the following, and confirm by clicking Save.

Host name:





v=DMARC1;p=none;sp=none;pct=100;rua=mailto:[email protected];ri=86400;aspf=s;adkim=s;fo=1

TTL for this record is set to the lowest possible (1h is perfectly fine).

For rua and ruf tags in the Value field, replace [email protected] with your email address.

You can also use third-party websites to help you generate your DMARC.

More about the value parts:

​v=DMARC1 tells the Internet that this is the DMARC record.

p= specifies what you want to do with your emails. p=none is what we recommend and it tells the recipient mail servers to do nothing with emails. Once you are comfortable with the report-only policy, you can scale it to the p=quarantine which tells the recipient mail servers to quarantine or move the messages to the spam folder if they fail spam checks. After that, you can change it to p=reject which tells the email servers to reject any email that fails the checks.

rua=mailto:[email protected] is very important, and you will replace the address with your email to receive the reports generated about your domains (on fraudulent emails that are being received across the internet, sent by your domain).

ruf=mailto:[email protected] is like the β€œrua” tag but allows you to specify any email address to receive your DMARC Forensic reports. The Forensic reports are sent to you when someone attempts to send an email impersonating your domain and it fails your DMARC and DKIM authentication.

ri=86400 allows you to specify the aggregate report interval in seconds. The minimum and the default value is 86400 seconds which equates to 24 hours. This means every 24 hours you will receive a DMARC Aggregate report.

aspf=s is an optional tag. You can use this tag to specify if you want to set your SPF policy to strict or relaxed. Your SPF policy basically makes sure all emails sent using your domain are authorized to send.
​adkim=s strict or relaxed DKIM policy.

fo=1 is an optional tag. It allows you to tell email service providers that you want email samples if the emails failed. The 1 value generates reports if any of your authentication mechanisms fail. SPF OR DKIM.

Custom tracking domain

To finish the set up you can create the custom record right away.
Later you can just activate it for your email accounts in Instantly.

Host name:





Learn more:

Did this answer your question?