Are you having issues with email deliverability from your company Gmail? Are your messages ending up in spam even though you regularly communicate with recipients? The most common cause is incorrect or incomplete email authentication setup at the DNS level of your domain.
To ensure reliable email communication, you need to properly configure three key technologies: SPF, DKIM, and DMARC. These records allow recipients to verify that an email actually comes from your domain and hasn’t been altered in transit. Misconfiguration (or missing setup) leads to poor deliverability, messages being marked as spam, or even complete rejection.
Well-configured SPF, DKIM, and DMARC also protect your domain from abuse (phishing, spoofing) and increase the trustworthiness of your emails.
✉️ SPF
Sender Policy Framework
SPF tells the recipient which servers are allowed to send emails on behalf of your domain. Upon delivery, the receiving server checks whether the sending server matches your SPF record.
Recommended setup (Google Workspace)
v=spf1 include:_spf.google.com ~all
What the parts mean:
v=spf1 - SPF version
include:_spf.google.com - allows sending via Google
~all - "softfail" for other servers (recommended initially)
💡 Tip: Once you're sure all legitimate sending sources are included, you can switch to stricter -all (hard fail).
Common mistakes
Multiple SPF records for one domain (there should be only one)
Missing third-party services (CRM, newsletters, etc.); they need to be added via include:
Exceeding the 10 DNS lookup limit
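A small linter for the three mistakes listed above, as an added example that is not part of the original article. It runs on constructed TXT data in place of live DNS; every `.test` name and all function names are hypothetical.

```python
# Constructed TXT data standing in for live DNS; all *.test names are hypothetical.
ZONE = {
    "example.test": ["v=spf1 include:_spf.mail.test include:crm.vendor.test mx ~all",
                     "site-verification=constructed"],
    "_spf.mail.test": ["v=spf1 include:_nb1.mail.test include:_nb2.mail.test ~all"],
    "_nb1.mail.test": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_nb2.mail.test": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "crm.vendor.test": ["v=spf1 a exists:%{i}.bl.vendor.test ~all"],
    "heavy.test": ["v=spf1 include:example.test include:crm.vendor.test a mx ~all"],
    "dup.test": ["v=spf1 include:_spf.mail.test ~all", "v=spf1 ip4:203.0.113.5 -all"],
}
# Terms that cost one DNS query each during evaluation (RFC 7208, section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def spf_records(domain, zone=ZONE):
    """TXT records at `domain` that are SPF policies (first token is v=spf1)."""
    return [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]


def count_lookups(domain, zone=ZONE, path=()):
    """Count DNS-querying terms reachable from `domain` via include/redirect."""
    records = spf_records(domain, zone)
    if domain in path or len(records) != 1:  # include loop, or no single usable record
        return 0
    total = 0
    for term in records[0].lower().split()[1:]:
        term = term.lstrip("+-~?")  # drop the qualifier
        name = term.replace("=", ":").replace("/", ":").split(":")[0]
        if name in LOOKUP_TERMS:
            total += 1
        if name in ("include", "redirect"):  # nested policy: its terms count too
            total += count_lookups(term[len(name) + 1:], zone, path + (domain,))
    return total


def lint_spf(domain, required=(), zone=ZONE):
    """Findings for the mistakes listed above; an empty list means none found."""
    records = spf_records(domain, zone)
    if len(records) != 1:
        return ["multiple SPF records" if records else "no SPF record"]
    findings = []
    lookups = count_lookups(domain, zone)
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups, limit is 10")
    terms = records[0].lower().split()
    findings += [f"missing include:{r}" for r in required if f"include:{r}" not in terms]
    return findings
```

Nested includes are what usually push a record past the limit: `heavy.test` lists only four lookup terms itself, but the records it pulls in bring the total to 13.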
🔐 DKIM
DomainKeys Identified Mail
DKIM adds a digital signature to emails, ensuring the message hasn’t been altered and was sent by a legitimate source.
Setup in Google Workspace
DKIM is configured in the Google Workspace admin console:
https://admin.google.com/ac/apps/gmail/authenticateemail
Recommendations:
Use a 2048-bit key (current standard)
Make sure signing is enabled for all outgoing emails
🛡️ DMARC
Domain-based Message Authentication, Reporting, and Conformance
DMARC builds on SPF and DKIM and tells the recipient what to do if authentication fails. It also provides reports about how your domain is being used.
Recommended start (monitoring)
_dmarc.yourdomain.com TXT "v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; pct=100;"
Parameter meaning:
p=none - monitoring only (no impact on delivery)
rua= - address for aggregate reports
pct=100 - applies to 100% of messages
Gradual enforcement
Once you verify everything works correctly:
p=quarantine - problematic messages go to spam
p=reject - problematic messages are rejected
⚠️ Important: Move to reject only after thoroughly reviewing reports.
Additional recommendations
Configure alignment (SPF/DKIM domain alignment), critical for DMARC
Analyze reports using third-party tools (e.g., Postmark, Valimail, etc.)
Forensic reports (ruf) are used less today due to privacy concerns
✨ Bonus: What else to consider (2026)
BIMI, displaying your logo in emails (requires DMARC set to quarantine/reject)
ARC, relevant for forwarded emails (e.g., mailing lists)
Regular domain/IP reputation checks
📌 Summary
Proper SPF, DKIM, and DMARC setup is the minimum requirement today for:
good email deliverability
protection against domain abuse
trustworthy communication
Not sure about something? We’re happy to help you set it up, whether it's Google Workspace or email infrastructure in general.




