Here are the exact records to fully authenticate a Google Workspace domain. Add them at your DNS host, then verify with the checker.
1. SPF (TXT at root)
v=spf1 include:_spf.google.com ~all
If you also send through other tools, add their include: — but watch the 10-lookup limit. One SPF record only.
2. DKIM (TXT, selector google)
In the Admin console: Apps → Google Workspace → Gmail → Authenticate email. Generate a 2048-bit key, then publish the TXT record it gives you at:
google._domainkey.yourdomain.com
Back in the console, click Start authentication. (The record is long — your DNS host may split it into chunks; that’s fine.)
3. DMARC (TXT at _dmarc)
Start in monitoring mode:
v=DMARC1; p=none; rua=mailto:you@yourdomain.com
Then follow the none → reject migration. Build the record with the DMARC generator.
4. Verify
Run your domain through the checker — SPF, DKIM (selector google) and DMARC should all pass. Send a test and confirm alignment in the header analyzer.
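
What a check of steps 1 to 3 looks for, as an added example (not part of the original page and not the checker's own code): it enforces the single-SPF-record rule, counts SPF lookups through nested includes against the 10-lookup limit, rejoins a chunked DKIM record, and validates the DMARC policy tag. Assumptions: the ZONE data, the mail.tool.example sender and the DKIM key value are constructed, and the value shown under _spf.google.com is a stand-in rather than Google's real record.

```python
# Added example. ZONE is constructed sample data, not live DNS; a TXT record is a list of chunks.
ZONE = {
    "yourdomain.com": [["v=spf1 include:_spf.google.com include:mail.tool.example ~all"]],
    "_spf.google.com": [["v=spf1 ip4:192.0.2.0/24 ~all"]],  # stand-in, not Google's record
    "mail.tool.example": [["v=spf1 a mx ip4:198.51.100.0/24 ~all"]],
    "google._domainkey.yourdomain.com": [["v=DKIM1; k=rsa; p=MIIB", "CONSTRUCTEDKEY"]],
    "_dmarc.yourdomain.com": [["v=DMARC1; p=none; rua=mailto:you@yourdomain.com"]],
}
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}  # terms that cost a DNS query

def txt(zone, name):
    # A long record split into chunks by the DNS host is read by joining the chunks.
    return ["".join(chunks) for chunks in zone.get(name, [])]

def spf_records(zone, name):
    return [r for r in txt(zone, name) if r.lower().split()[:1] == ["v=spf1"]]

def count_lookups(zone, name, seen=()):
    recs = spf_records(zone, name)
    if len(recs) != 1 or name in seen:  # missing, duplicated or looping record
        return 0
    total = 0
    for term in recs[0].lower().split()[1:]:
        term = term.lstrip("+-~?")
        mech, _, arg = term.partition(":")
        if term.startswith("redirect="):
            total += 1 + count_lookups(zone, term[9:], seen + (name,))
        elif mech.split("/")[0] in LOOKUP_MECHS:
            total += 1
            if mech == "include":  # nested includes spend lookups too
                total += count_lookups(zone, arg, seen + (name,))
    return total

def tags(record):
    return dict(p.strip().split("=", 1) for p in record.split(";") if "=" in p)

def lint(zone, domain, selector="google"):
    problems = []
    if len(spf_records(zone, domain)) != 1:
        problems.append("SPF: need exactly one v=spf1 record at the root")
    if count_lookups(zone, domain) > 10:
        problems.append("SPF: more than 10 DNS lookups")
    dkim = [tags(r) for r in txt(zone, f"{selector}._domainkey.{domain}")]
    if len(dkim) != 1 or not dkim[0].get("p"):
        problems.append("DKIM: no public key published at selector " + selector)
    dmarc = [tags(r) for r in txt(zone, "_dmarc." + domain) if r.startswith("v=DMARC1")]
    if len(dmarc) != 1 or dmarc[0].get("p") not in ("none", "quarantine", "reject"):
        problems.append("DMARC: need one record with a valid p= policy")
    return problems
```

To run it against a real domain, fill a dictionary of the same shape from your resolver's TXT answers and call lint() on it.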