---
title: "Gmail SPF Record Setup: A Practical Guide for Google Workspace | AutoSPF"
description: "Learn how to set up SPF records for Google Workspace - from the baseline include:_spf.google.com record to mapping third-party senders, managing DNS permissions, and avoiding the 10-lookup limit."
image: "https://autospf.com/og/blog/gmail-spf-record-setup-a-practical-guide-for-google-workspace.png"
canonical: "https://autospf.com/blog/gmail-spf-record-setup-a-practical-guide-for-google-workspace/"
---

Quick Answer

To set up SPF for Google Workspace, publish a DNS TXT record at your root domain containing v=spf1 include:\_spf.google.com \~all. The include:\_spf.google.com mechanism authorizes all Google mail servers to send on your behalf. Add additional include or ip4/ip6 mechanisms for any third-party services that also send email from your domain, while staying within the 10-DNS-lookup limit defined by RFC 7208.

Share 

[ ](https://www.linkedin.com/sharing/share-offsite/?url=https%3A%2F%2Fautospf.com%2Fblog%2Fgmail-spf-record-setup-a-practical-guide-for-google-workspace%2F "Share on LinkedIn") [ ](https://twitter.com/intent/tweet?text=Gmail%20SPF%20Record%20Setup%3A%20A%20Practical%20Guide%20for%20Google%20Workspace&url=https%3A%2F%2Fautospf.com%2Fblog%2Fgmail-spf-record-setup-a-practical-guide-for-google-workspace%2F "Share on X/Twitter") [ ](https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Fautospf.com%2Fblog%2Fgmail-spf-record-setup-a-practical-guide-for-google-workspace%2F "Share on Facebook") [ ](https://reddit.com/submit?url=https%3A%2F%2Fautospf.com%2Fblog%2Fgmail-spf-record-setup-a-practical-guide-for-google-workspace%2F&title=Gmail%20SPF%20Record%20Setup%3A%20A%20Practical%20Guide%20for%20Google%20Workspace "Share on Reddit") [ ](mailto:?subject=Gmail%20SPF%20Record%20Setup%3A%20A%20Practical%20Guide%20for%20Google%20Workspace&body=Check out this article: https%3A%2F%2Fautospf.com%2Fblog%2Fgmail-spf-record-setup-a-practical-guide-for-google-workspace%2F "Share via Email") 

![Gmail SPF Record Setup for Google Workspace](https://media.mailhop.org/autospf/images/2026/04/spf-validator-2074.jpg) 

To set up SPF for Google Workspace, publish a DNS TXT record at your root domain containing `v=spf1 include:_spf.google.com ~all`. The `include:_spf.google.com` mechanism authorizes all Google mail servers to send on your behalf. Add additional `include` or `ip4`/`ip6` mechanisms for any third-party services that also send email from your domain, while staying within the **10-DNS-lookup limit** defined by RFC 7208.

_According to [Google’s February 2024 bulk sender requirements](https://blog.google/products/gmail/gmail-security-authentication-spam-protection/), any domain sending 5,000+ messages per day to Gmail users must have SPF or DKIM authentication and a published DMARC policy of at least p=none - making correct SPF configuration a compliance requirement, not just a best practice._

> “Google Workspace administrators often inherit SPF records with 8-9 includes already in place. Adding \_spf.google.com pushes them over the 10-lookup limit, and suddenly legitimate mail starts bouncing,” says Brad Slavin, General Manager of AutoSPF. “The fix isn’t to remove senders - it’s to flatten the record so every service stays authorized within the RFC 7208 limit.”

For setup instructions covering Google Workspace and dozens of other platforms, see our [SPF Record Setup Guide](/blog/spf-record-setup-guide-every-platform/).

Sender Policy Framework (SPF) is a foundational email authentication control that helps Gmail and other providers verify which servers may send mail on behalf of your domain. For **Google Workspace organizations**, a correctly published SPF record improves email deliverability, strengthens security, and supports data protection by signaling trust to receiving systems and deterring [spoofing and phishing](https://www.msspalert.com/brief/novel-usps-spoofing-phishing-attack-relies-on-malicious-pdfs).

## Business and Compliance Impact

- Email authentication reduces impersonation risk, supporting legal and compliance obligations around identity confirmation and access control. It complements DMARC and [DKIM](/blog/how-dkim-works-a-comprehensive-guide-to-email-authentication/) as part of a **layered security strategy**.
- Strong domain management practices - such as ensuring the SPF record is accurate in DNS - protect brand reputation and reduce help desk load tied to support and troubleshooting.
- Administrators can use the [Google Workspace](https://en.wikipedia.org/wiki/Google%5FWorkspace) Admin console to set up and manage services, verify configuration, and leverage reports and monitoring to track authentication alignment, aiding audit readiness.

### Operational Benefits for Administrators

- _Fewer false positives and better inbox placement with Gmail due to clear authorization signals_.
- Easier user management, especially during [data migration](https://www.techtarget.com/searchstorage/definition/data-migration) or when you deploy apps that send mail, because policies are centralized in DNS rather than distributed on endpoints.
- Aligns with security settings for device management and internal apps, minimizing shadow IT risks from **unvetted apps & integrations**.

![SPF Mechanisms and Qualifiers](https://media.mailhop.org/autospf/images/2026/04/spf-record-tester-6074.jpg)

## How SPF Works: Mechanisms, Qualifiers, and DNS TXT Essentials

SPF is defined via a [DNS TXT record](https://www.cloudflare.com/learning/dns/dns-records/dns-txt-record/) at the root domain. Receivers evaluate the SPF record of the MAIL FROM domain to determine pass/fail outcomes.

### SPF Mechanisms: The Building Blocks

Common mechanisms include:

- `a` **and** `mx`: Authorize the **domain’s A or MX hosts** to send.
- `ip4` **and** `ip6`: Allow explicit IP ranges.
- `include`: Delegate to another domain’s SPF record (for example, Google’s).
- `exists` **and** `ptr`: Advanced/legacy options; use sparingly.
- `all`: A catch-all that should appear last.

### Qualifiers and Policy Semantics

- `+` (pass) is implied when omitted.
- `~` (softfail) signals “not authorized, but accept and flag.”
- `-` (fail) rejects unauthorized sources outright.
- `?` (neutral) makes no assertion.

_Most organizations start with `~all` to reduce disruption, then tighten to `-all` once sender mapping is complete._

### DNS TXT Essentials for Administrators

- Place the SPF record in DNS as a **single TXT string** beginning with `v=spf1`.
- Respect the 10-[DNS-lookup](https://www.digicert.com/faq/dns/how-does-dns-lookup-work) limit across `include`, `a`, `mx`, `ptr`, and `exists`.
- Keep the record under 255 characters per string (use quoted splits if necessary).
- _Coordinate changes in the admin console change calendar so administrators know when mail paths are being adjusted_.
- Use reports and **monitoring tools** to validate changes and troubleshoot errors proactively.

## Map Your Senders: Google, Third-Party Platforms, and Network Sources

Before you set up SPF, inventory all systems that send using your domain. This is core domain management and reduces drift when apps & integrations evolve.

![Email Sender Sources](https://media.mailhop.org/autospf/images/2026/04/spf-record-checker-6320.jpg)

### First-Party: Google and Your Network

- **Gmail and Google Workspace services**: _Authorize with `include:spf.google.com`._

_Google services that send via Apps Script or a cloud application workflow also authenticate through Google’s SPF infrastructure when routed correctly._

- **Your network egress**: If devices or relays send directly, add `ip4`/`ip6` mechanisms. Document device management ownership so user management and IT know who maintains those IPs.

### Third-Party Apps & Integrations

_Many third-party apps send system emails, alerts, or notifications on your behalf_. Examples include 15Five, 4me, Adaptive Insights, Adobe Acrobat Sign, Aha!, Amazon Business, services on Amazon Web Services, AppDynamics, Asana, Atlassian Cloud, Automox, BambooHR, Betterworks, and many more. For each:

- Confirm whether they provide an SPF `include` (preferred) or require dedicated IPs.
- In Marketplace administration, **manage Marketplace apps** and track admin-installed apps, app access requests, and verified third-party app status.
- Use OAuth 2.0 and SSO practices - SAML, SAML-based SSO, integrated SAML apps, or a custom SAML app via a third-party IdP - to authorize access and control app access. Maintain SAML certificates, align [SSO settings](https://www.cloudflare.com/learning/access-management/what-is-sso/), and monitor the SSO sign-in flow.
- Configure third-party apps with an app allowlist, review app access regularly, and enable automatic token revocation where supported to manage data access responsibly.

_According to a [2025 Egress report](https://www.egress.com/resources/cybersecurity-information/phishing/phishing-statistics-round-up), 94% of organizations experienced email security incidents in the past 12 months - many traced to misconfigured or missing SPF records for third-party senders that were added without updating DNS._

### Integration Governance Checklist

- Map custom attributes and user schema to ensure correct sender identity in notifications.
- Confirm private web apps or internal apps do not send external mail unless explicitly authorized.
- _Document policies in training guides for consistent administration and faster support and troubleshooting_.

![Google Workspace Baseline SPF Record](https://media.mailhop.org/autospf/images/2026/04/spf-record-syntax-0332.jpg)

## Locate and Access Your DNS Host: Prerequisites and Permissions

Your [SPF record](/blog/what-spf-records-are-and-how-they-protect-email-domains/) lives in DNS. Ensure you know where your domain’s zone is hosted and who has rights to change it.

### Identify the DNS Provider and Zone of Authority

- Check your registrar or hosting provider dashboard, or query NS records to find where DNS is managed. Many organizations use cloud DNS services such as those offered on [Amazon Web Services](https://www.geeksforgeeks.org/cloud-computing/introduction-to-amazon-web-services/).
- Validate subdomain needs separately (marketing.example.com vs example.com) and ensure consistent domain management across business units.
- If vendors provision **subdomains or CNAMEs**, coordinate to avoid SPF fragmentation.

### Confirm Roles, Access, and Change Control

- Ensure a super administrator and designated administrators have access control to both the **DNS portal** and the Admin console.
- Align billing and subscriptions ownership so changes don’t stall during renewals.
- Use an implementation overview and change ticket, schedule a maintenance window, and plan propagation monitoring.

### Process Hygiene and Observability

- Log every DNS change; capture before/after SPF record values.
- Use reports and monitoring to check authentication results in Gmail post-change.
- Where appropriate, validate data synchronization impacts if integrations rewrite [MAIL FROM](https://aws.amazon.com/blogs/messaging-and-targeting/amazon-ses-now-supports-custom-mail-from-domains/) or route through different gateways.

## Build the Baseline Record for Google Workspace

_The safest starting point for most Google Workspace tenants is to publish Google’s include and softfail_. This authorizes Gmail and core Google senders while letting you identify stragglers:

```
v=spf1 include:_spf.google.com ~all
```

Once you’ve mapped all third-party senders and confirmed their SPF includes, add them to the record. If you exceed the 10-lookup limit, consider [SPF flattening](/blog/best-spf-flattening-tools-in-2026-the-complete-guide/) to resolve nested includes into IP addresses - or use [AutoSPF](/) to automate flattening and keep your record compliant without manual DNS management.

## Topics

[ DKIM ](/tags/dkim/)[ DMARC ](/tags/dmarc/)[ SPF ](/tags/spf/)[ SPF record ](/tags/spf-record/) 

![Brad Slavin](https://media.mailhop.org/autospf/images/authors/brad-slavin.jpg) 

[ Brad Slavin ](/authors/brad-slavin/) 

General Manager

Founder and General Manager of DuoCircle. Product strategy and commercial lead for AutoSPF's 2,000+ customer base.

[LinkedIn Profile →](https://www.linkedin.com/in/bradslavin) 

## Ready to get started?

Try AutoSPF free — no credit card required.

[ Book a Demo ](/book-a-demo/) 

## Related Articles

[  Intermediate 3m  3 points to consider before setting your SPF record to -all (HardFail)  May 22, 2025 ](/blog/3-points-to-consider-before-setting-your-spf-record-hardfail/)[  Intermediate 6m  6 Best practices for maintaining an SPF record  Jun 5, 2025 ](/blog/6-best-practices-for-maintaining-an-spf-record/)[  Intermediate 3m  Adding your SPF record to your domain provider  Sep 2, 2024 ](/blog/adding-your-spf-record-to-your-domain-provider/)[  Intermediate 5m  Are Your SPF and DKIM Identifiers Aligned?  Jul 18, 2024 ](/blog/are-your-spf-and-dkim-identifiers-aligned/)

```json
{"@context":"https://schema.org","@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com","logo":{"@type":"ImageObject","url":"https://autospf.com/images/autospf-logo.png"},"description":"Automatic SPF flattening and email authentication management. Resolve SPF lookup limits, flatten SPF records, and maintain email deliverability across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138897474","https://www.linkedin.com/company/autospf","https://x.com/autospf01","https://www.g2.com/products/autospf/reviews"],"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://autospf.com/contact-us/"},"knowsAbout":["SPF Record Flattening","Sender Policy Framework","Email Authentication","DNS Management","DMARC","DKIM"]}
```

```json
{"@context":"https://schema.org","@type":"WebSite","name":"AutoSPF","url":"https://autospf.com","description":"Automatic SPF flattening and email authentication management. Resolve SPF lookup limits, flatten SPF records, and maintain email deliverability across all your domains.","publisher":{"@type":"Organization","name":"AutoSPF","url":"https://autospf.com","logo":{"@type":"ImageObject","url":"https://autospf.com/images/autospf-logo.png"},"description":"Automatic SPF flattening and email authentication management. Resolve SPF lookup limits, flatten SPF records, and maintain email deliverability across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]}}}
```

```json
{"@context":"https://schema.org","@type":"BlogPosting","headline":"Gmail SPF Record Setup: A Practical Guide for Google Workspace","description":"Learn how to set up SPF records for Google Workspace - from the baseline include:_spf.google.com record to mapping third-party senders, managing DNS permissions, and avoiding the 10-lookup limit.","url":"https://autospf.com/blog/gmail-spf-record-setup-a-practical-guide-for-google-workspace/","datePublished":"2026-04-06T10:36:45.000Z","dateModified":"2026-04-18T02:36:41.000Z","dateCreated":"2026-04-06T10:36:45.000Z","author":{"@type":"Person","@id":"https://autospf.com/authors/brad-slavin/#person","name":"Brad Slavin","url":"https://autospf.com/authors/brad-slavin/","jobTitle":"General Manager","description":"Brad Slavin is the founder and General Manager of DuoCircle, the company behind AutoSPF, DMARC Report, Phish Protection, and Mailhop. He founded DuoCircle in 2014 to solve the SPF 10-DNS-lookup problem at scale and has led the company's growth to 2,000+ customers. Brad's focus is product strategy, customer relationships, and the commercial and compliance side of email authentication (DPAs, SLAs, enterprise procurement) rather than hands-on DNS engineering.","image":"https://media.mailhop.org/autospf/images/authors/brad-slavin.jpg","knowsAbout":["Email Security Strategy","SaaS Product Management","Enterprise Compliance","Customer Success","Email Deliverability Business"],"worksFor":{"@type":"Organization","name":"AutoSPF","url":"https://autospf.com"},"sameAs":["https://www.linkedin.com/in/bradslavin"]},"publisher":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com","logo":{"@type":"ImageObject","url":"https://autospf.com/images/autospf-logo.png"},"description":"Automatic SPF flattening and email authentication management. Resolve SPF lookup limits, flatten SPF records, and maintain email deliverability across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138897474","https://www.linkedin.com/company/autospf","https://x.com/autospf01","https://www.g2.com/products/autospf/reviews"],"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://autospf.com/contact-us/"},"knowsAbout":["SPF Record Flattening","Sender Policy Framework","Email Authentication","DNS Management","DMARC","DKIM"]},"mainEntityOfPage":{"@type":"WebPage","@id":"https://autospf.com/blog/gmail-spf-record-setup-a-practical-guide-for-google-workspace/"},"articleSection":"intermediate","keywords":"DKIM, DMARC, SPF, SPF record","wordCount":1480,"image":{"@type":"ImageObject","url":"https://media.mailhop.org/autospf/images/2026/04/spf-validator-2074.jpg","caption":"Gmail SPF Record Setup for Google Workspace","width":900,"height":600},"speakable":{"@type":"SpeakableSpecification","cssSelector":[".answer-block","h1"]}}
```

```json
{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://autospf.com/"},{"@type":"ListItem","position":2,"name":"Blog","item":"https://autospf.com/blog/"},{"@type":"ListItem","position":3,"name":"Intermediate","item":"https://autospf.com/intermediate/"},{"@type":"ListItem","position":4,"name":"Gmail SPF Record Setup: A Practical Guide for Google Workspace","item":"https://autospf.com/blog/gmail-spf-record-setup-a-practical-guide-for-google-workspace/"}]}
```