Updated June 14, 2026 · 6 min read

SPF, DKIM, and DMARC Setup for a Google Workspace Security Domain

A practical guide to Google Workspace email authentication for company domains that need stronger trust and lower spoofing risk.

Key Points

  • SPF authorizes the mail servers that can send for the domain.
  • DKIM signs messages so receivers can verify that content was not changed in transit.
  • DMARC tells receivers what to do when SPF or DKIM alignment fails and where to send reports.

Why this matters for a young company domain

A company website can look professional while its email domain is still easy to impersonate. SPF, DKIM, and DMARC close that gap by giving receivers evidence about who is allowed to send mail and how failures should be handled.

For a security-focused company, this is not optional polish. It is part of the public trust surface, especially when the site publishes contact, support, security, privacy, legal, and sales mailboxes.

Recommended rollout order

  • Create the operational mailboxes first, including a DMARC reporting mailbox such as dmarc@example.com.
  • Publish SPF for the active sender, for example Google Workspace.
  • Enable Google Workspace DKIM signing and publish the DKIM TXT record.
  • Start DMARC with p=none and reporting enabled so failures can be observed before enforcement.
  • Move to quarantine or reject only after legitimate senders are aligned.

What to verify

Verification should happen from both DNS and real message headers. DNS confirms that the records exist. Message headers confirm that mail sent through the production path is actually passing SPF, DKIM, and DMARC alignment.

  • SPF includes only services that actually send mail for the domain.
  • DKIM uses a current selector and shows pass in received messages.
  • DMARC reports are delivered to a monitored mailbox.
  • The policy is documented so future mail tools do not break deliverability.
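The header-side check described above can be scripted. This is an added example, not code from the original article: it reads the Authentication-Results header of a received message and reports whether SPF and DKIM passed and whether each passing identity aligns with the From domain. The sample message, the host names, and the names `check_message` and `trusted_authserv` are assumptions made for illustration, and alignment is simplified to a same-domain or parent/child comparison.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample headers (not captured mail); mx.receiver.example is a made-up receiver.
SAMPLE = """\
Authentication-Results: mx.receiver.example;
 dkim=pass header.i=@example.com header.s=google header.b=AbCdEf12;
 spf=pass (sender IP is 192.0.2.10) smtp.mailfrom=bounce@mailer.example.net;
 dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=example.com
From: Security Team <security@example.com>
Subject: header check

body
"""

IDENTITY = re.compile(r"(?:smtp\.mailfrom|header\.d|header\.i|header\.from)=(\S+)")

def domain_of(value):
    """Lowercased domain part of an address or bare domain."""
    return value.rsplit("@", 1)[-1].lower()

def aligned(auth_domain, from_domain):
    """Simplified relaxed alignment: same domain or parent/child of it.
    Receivers really compare organizational domains (Public Suffix List)."""
    a, f = auth_domain, from_domain
    return a == f or a.endswith("." + f) or f.endswith("." + a)

def check_message(raw, trusted_authserv):
    """Return per-mechanism pass/alignment from the trusted receiver's header only."""
    msg = email.message_from_string(raw)
    from_domain = domain_of(parseaddr(msg.get("From", ""))[1])
    out = {m: {"pass": False, "aligned": False} for m in ("spf", "dkim", "dmarc")}
    for header in msg.get_all("Authentication-Results", []):
        flat = re.sub(r"\([^)]*\)", "", " ".join(header.split()))  # unfold, drop comments
        authserv, *clauses = flat.split(";")
        if authserv.strip().lower() != trusted_authserv:
            continue  # headers written by other hosts may be forged by the sender
        for clause in clauses:
            m = re.match(r"\s*(spf|dkim|dmarc)=(\w+)", clause)
            ident = IDENTITY.search(clause)
            if m and m.group(2) == "pass":
                entry = out[m.group(1)]
                entry["pass"] = True
                entry["aligned"] |= bool(ident) and aligned(domain_of(ident.group(1)), from_domain)
    out["dmarc_ok"] = out["dmarc"]["pass"] and (out["spf"]["aligned"] or out["dkim"]["aligned"])
    return out
```

In the constructed sample SPF passes for a third-party bounce domain and is therefore not aligned, so DMARC passes on DKIM alone; that is the situation to look for before tightening the policy, because a broken DKIM signature would then leave no aligned mechanism.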

Company-grade next step

After reports look clean, tighten DMARC gradually. The strongest end state is reject, but the right timeline depends on whether newsletters, transactional mail, CRM tools, or support tools also send from the domain.
