Google Workspace

Google Workspace SPF Setup

Google Workspace uses include:_spf.google.com to authorize Gmail and Google Apps SMTP infrastructure for your domain.

Beginner · 6 min read · Reviewed Jul 4, 2026

Quick answer

Google Workspace authorizes outbound mail with include:_spf.google.com in your domain SPF TXT record. This macro covers Google-hosted SMTP infrastructure. Combine it with includes for other sending systems, publish only one SPF record per hostname, and complete DKIM setup in the Google Admin console. SPF alone does not cover third-party Gmail add-ons that send via external IPs.

Beginner explanation

Google Workspace sends mail from shared Google infrastructure, not from the IP address of your office network. That means receivers need an SPF record that trusts Google's sending pool when they see your domain on employee messages.

Google's documentation centers on a single include macro. For many small businesses, the entire SPF record is just v=spf1 include:_spf.google.com ~all or -all.

Larger organizations add marketing platforms and transactional vendors to the same record. Google fits as one include among several, and lookup planning becomes important as the list grows.

Technical explanation

The supported Google Workspace SPF mechanism is include:_spf.google.com. Google maintains the nested content of that hostname; customers should not attempt to replace it with static ip4 entries except in unusual architectural scenarios.

DKIM is configured separately by generating a DNS TXT record for the selector Google provides in the Admin console. SPF and DKIM alignment for DMARC may use different domains if you use subdomain delegation; verify whether MAIL FROM uses your primary domain or a Google bounce subdomain.

Third-party Google Marketplace applications that send email often use non-Google infrastructure. Those services need their own SPF includes. Assuming Google's include covers add-on mail is a frequent cause of SPF failure for workflow apps.

Business impact

Google Workspace SPF errors affect everyday business communication with external recipients. Sales and recruiting teams notice deliverability issues before IT finishes troubleshooting because consumer Gmail aggressively filters misauthenticated mail.

Marketing and workspace email share brand perception. When authentication fails, customers cannot distinguish an employee note from a phishing attempt, eroding trust in legitimate messages.

Common mistakes

- Using include:_netblocks.google.com directly instead of the supported _spf.google.com macro
- Enabling a CRM or ticketing marketplace app without adding its SPF include
- Publishing SPF only at the apex while some Google services send from a subdomain bounce address

How SPF Manager helps

SPF Manager confirms _spf.google.com is configured correctly and detects marketplace or third-party senders that still need separate authorization. Lookup expansion shows how Google's include fits into your overall policy cost.

Integration guides help teams combine Google Workspace with common marketing and CRM platforms without exceeding SPF limits.

Recommended next step

See how this applies to your domain before you change DNS.

Analyze my domain

Related articles

Microsoft 365

Microsoft 365 SPF Setup

Microsoft 365 requires include:spf.protection.outlook.com in your SPF record to authorize Exchange Online outbound mail.

Beginner 6 min read

Providers

SPF Email Providers

Email providers publish SPF include hostnames or IP ranges that you must add to your domain policy to authorize their outbound mail.

Beginner 6 min read

Email Authentication

DKIM and SPF

DKIM cryptographically signs messages while SPF authorizes sending IPs; together they strengthen authentication under DMARC.

Intermediate 7 min read

Providers

Provider SPF Synchronization

Provider SPF synchronization keeps your DNS policy aligned with the email services your organization actually uses.

Intermediate 7 min read