What is the SPF record for Google Workspace (Gmail)?

If you send email through Google Workspace (formerly G Suite) or Gmail for a custom domain, you need one SPF record so receiving servers can verify that Google is authorized to send mail for you. Google publishes the exact record in its Set up SPF help page, and it is shorter than most people expect.

The exact Google Workspace SPF record

If Google Workspace is the only service that sends email for your domain, publish exactly this as a TXT record on the root of your domain:

v=spf1 include:_spf.google.com ~all

That is the complete, official record copied verbatim from Google's documentation. You do not add IP addresses, and you do not add anything in the Google Admin console — SPF lives entirely in your domain host's DNS, not in Google. The include:_spf.google.com mechanism tells receivers to also trust whatever IP ranges Google publishes under _spf.google.com, which Google keeps up to date for you. That is why you never hard-code Google's mail server IPs yourself.

What each part means

• v=spf1 — declares this is an SPF version 1 record. Every SPF record starts with this exact token.
• include:_spf.google.com — authorizes all of Google Workspace's sending servers. This is the heart of the record.
• ~all — the "all" mechanism with a soft-fail qualifier. It means "anything not listed above probably is not us — treat it as suspicious but do not necessarily reject it."

~all vs -all: which should you use?

The qualifier in front of all controls how strict you are about mail that fails SPF:

• ~all (soft fail) — Google's recommended default. Mail from unlisted servers is accepted but marked suspicious. Safe while you are still discovering every service that sends as your domain.
• -all (hard fail) — tells receivers to reject anything not explicitly authorized. Stronger anti-spoofing, but only switch to it once you are certain every legitimate sender is in the record, otherwise you will block your own mail.
• +all — never use this. It authorizes the entire internet to send as your domain and defeats the purpose of SPF.

Google's published example uses ~all. Move to -all deliberately, after you have confirmed there are no failing legitimate sources — your DMARC aggregate reports are the safest way to confirm that before you tighten the policy.

Adding other senders (and the one-record rule)

A domain may have only one SPF record. If you also send through, say, a marketing platform or a CRM, you do not publish a second SPF record — you add their include: to the same line. For Google Workspace plus a second sender, Google's own examples look like this:

v=spf1 include:_spf.google.com include:spf.protection.outlook.com ~all
v=spf1 include:_spf.google.com include:amazonses.com ~all

Two separate SPF TXT records is a configuration error that causes a permanent SPF failure (permerror), because receivers do not know which one to trust. If you need to combine senders, use the SPF record generator to build one valid line with every include: in place.

The 10-DNS-lookup limit (the most common Google Workspace SPF failure)

SPF caps the number of DNS lookups it performs during evaluation at 10. Each include: (and each a, mx, ptr, exists, and redirect) costs at least one lookup, and some include: chains expand into several. _spf.google.com alone expands into multiple nested includes. Stack Google Workspace with a couple of other large providers and you can silently blow past 10 — at which point SPF returns permerror and many receivers treat your mail as unauthenticated, sending it to spam.

If you are over the limit, the fix is SPF flattening, which replaces nested include: lookups with the resolved IP ranges so the record stays under 10. Removing unused senders is always the better first step, but flattening handles the cases where every include: is genuinely needed.

How to check your Google Workspace SPF record

1. Build or validate the record with the SPF record generator — it shows you the live lookup count and warns if you exceed 10 or accidentally publish +all.
2. Run a full pass with the free email security test to confirm SPF, DKIM, and DMARC all align and that the record is actually published and resolving.
3. If Gmail is part of a broader sender setup, the Google, Yahoo and Microsoft sender requirements page explains what else those providers now expect from every domain that sends them mail.

SPF is necessary but not sufficient on its own. Google's bulk-sender rules require DKIM and a published DMARC policy as well — read the SPF guide for the fundamentals, then add DKIM and DMARC to complete authentication. Once all three pass and align, your Google Workspace mail has the strongest chance of reaching the inbox.