How to set up SPF on Google Workspace

Add an SPF record so the world knows Google's servers are allowed to send email for your domain.

Why this matters to your business

SPF (Sender Policy Framework) is a short note in your domain’s DNS that lists which mail servers are allowed to send email “from” your domain. Without it, scammers can forge your address to send fake invoices, payment requests or quotes to your customers and suppliers — and your own legitimate email is more likely to land in spam. Setting SPF up is free, takes a few minutes, and is one of the strongest, cheapest things you can do to protect your name and keep your email getting delivered.

Important: where this actually gets done

This trips a lot of people up, so it’s worth being clear:

Google Workspace runs your email. But Google Workspace is usually not where your domain’s DNS lives.
The SPF record is added in your DNS host — the company that controls your domain’s nameservers. That might be the registrar where you bought the domain (GoDaddy, Namecheap, etc.), a web host, or something like Cloudflare. If you use Google Domains / Squarespace Domains, that’s your DNS host.

So: Google tells you what the record should contain; you add it where your DNS lives. The Google Admin console does not hold this record for you (unless your DNS happens to be hosted with Google).

First: which company runs your DNS?

A DNS record only takes effect if you add it at wherever your domain’s nameservers point. If you’re not sure, check the domain in your registrar account and look at the Nameservers section, or ask whoever set up your website. Add the SPF record in that company’s DNS settings (look for DNS / Records / Advanced DNS). Adding it in the wrong place will do nothing.

What you’ll add

A single TXT record for Google Workspace. The standard value is:

v=spf1 include:_spf.google.com ~all

include:_spf.google.com authorises Google’s mail servers to send for you.
~all is a “soft fail” — fine for most businesses. Some prefer the stricter -all once they’re confident every sender is listed.

You should have only one SPF record (one TXT starting with v=spf1) per domain. If you already have one — for example because you also send through a newsletter tool or a CRM — do not add a second. Edit the existing one and add Google’s part into it, e.g.:

v=spf1 include:_spf.google.com include:servers.mcsv.net ~all

Steps

Sign in to your DNS host (your registrar, web host, or DNS provider — not necessarily Google).
Open the DNS settings for your domain (look for DNS / Records / Advanced DNS).
Add a new record and choose TXT as the type.
In the Name / Host field, enter @ (this means “the domain itself”). Do not put your full domain name here.
In the Value / Data field, paste v=spf1 include:_spf.google.com ~all (or your combined record if you have other senders).
Leave TTL at the default (1 hour is fine).
Save.

Quirks people get wrong

It’s not in the Google Admin console. People search Google’s settings for “SPF” and can’t find where to type it — that’s because it belongs in your DNS host, not in Google Workspace.
Only one SPF record. Two records starting with v=spf1 breaks SPF completely. Combine senders into a single record using extra include: entries.
@ for the name, not your domain. Putting the full domain in the Name field can create the record in the wrong place.
Watch the quoting. Most DNS hosts add the quotes for you — paste the value plain. If your host shows the value already wrapped in "...", don’t add a second set; a double-quoted record is broken.
Changes aren’t instant. DNS can take from a few minutes up to a couple of hours to update everywhere.

Verify it worked

Once saved, confirm the record is live and correct with the free check on Defaults.Exposed. Enter your domain and it’ll tell you in plain language whether your SPF is set up properly. Your data is processed in the EU.

Done? Check your domain free to confirm it worked — and see your full grade across all 34 checks.