Email Security

Google Workspace Email Security: Complete Setup Guide

Google Workspace provides powerful email security features, but many of them are not enabled by default. This guide walks you through every setting you need to configure to fully protect your organization.

Get Expert Configuration Help

What You Will Configure

SPF Record

Authorize senders

DKIM Signing

Sign outgoing email

DMARC Policy

Enforce authentication

Admin Settings

Advanced protections

Step 1: Set Up SPF for Google Workspace

Google Workspace sends email through its own servers. You need an SPF record that authorizes these servers to send on behalf of your domain.

Google Workspace SPF Record

Add the following TXT record to your DNS:

v=spf1 include:_spf.google.com -all

If you send email through additional services, add them as well. For example, with HubSpot and SendGrid:

v=spf1 include:_spf.google.com include:spf.hubspot.com include:sendgrid.net -all

Type

TXT

Host/Name

TTL

3600

Step 2: Enable DKIM in Google Workspace Admin Console

Google Workspace can generate DKIM keys for your domain. You need to generate the key in the admin console, publish it in DNS, and then activate signing.

Generate and Publish DKIM Key

1Sign in to the Google Admin console at admin.google.com
2Navigate to Apps > Google Workspace > Gmail > Authenticate email
3Select your domain and click Generate new record. Choose a 2048-bit key length for stronger security.
4Google will display a TXT record value. Copy the entire value.
5Add a TXT record to your DNS with the hostname google._domainkey and the value provided by Google.
6Wait for DNS propagation, then return to the admin console and click Start authentication.

Important

Some DNS providers have a character limit on TXT records. If your 2048-bit key is too long, you may need to split it across multiple strings within the same record, or some providers handle this automatically. Check your DNS provider documentation.

Step 3: Configure DMARC

With SPF and DKIM configured, publish a DMARC record to tie everything together. Start in monitoring mode.

DMARC DNS Record

v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1;

Type

TXT

Host/Name

_dmarc

TTL

3600

Monitor reports for 2-4 weeks, then progress through quarantine to reject once all legitimate senders pass authentication. Google recommends this phased approach in their own documentation.

Step 4: Enable Advanced Phishing and Malware Protection

Google Workspace includes advanced phishing protections that go beyond standard authentication. These settings are found in the Admin Console under Safety settings and are critical for comprehensive protection.

Spoofing and Authentication

In Admin Console > Apps > Google Workspace > Gmail > Safety:

Protect against domain spoofing based on similar domain names
Protect against spoofing of employee names
Protect against inbound emails spoofing your domain
Protect against any unauthenticated emails
Protect your Groups from inbound spoofing emails

Attachments and Links

Enable these attachment and link protections:

Protect against encrypted attachments from untrusted senders
Protect against attachments with scripts from untrusted senders
Protect against anomalous attachment types in emails
Identify links behind shortened URLs
Scan linked images and identify links behind them

Step 5: Additional Security Settings

Beyond email authentication and phishing protection, configure these additional settings to harden your Google Workspace environment.

User Security

Enforce 2-step verification for all users (mandatory, not optional)
Require security keys for admin accounts
Disable less secure app access
Set up login challenges for suspicious sign-in attempts

Email Routing and Compliance

Enable comprehensive mail storage for compliance needs
Configure content compliance rules for sensitive data (PII, financial data)
Set up email retention policies based on your industry requirements
Enable MTA-STS and TLS reporting for enforced transport encryption

Google Workspace Email Security Checklist

Authentication

SPF record published with _spf.google.com
DKIM 2048-bit key generated and activated
DMARC record published with reporting
All third-party senders authenticated

Admin Console

Advanced phishing protections enabled
Attachment and link protections enabled
2-step verification enforced
MTA-STS and TLS reporting configured

Need Help Securing Your Google Workspace?

Our cybersecurity team configures email security for Google Workspace organizations every day. We can audit your current setup, fix misconfigurations, and deploy full DMARC enforcement.

Explore Email Security Services

Get Security Insights Delivered

One email per month with our best articles. No spam.

Step 1: Set Up SPF for Google Workspace

Google Workspace sends email through its own servers. You need an SPF record that authorizes these servers to send on behalf of your domain.

Google Workspace SPF Record

Add the following TXT record to your DNS:

v=spf1 include:_spf.google.com -all

If you send email through additional services, add them as well. For example, with HubSpot and SendGrid:

v=spf1 include:_spf.google.com include:spf.hubspot.com include:sendgrid.net -all

Type

TXT

Host/Name

TTL

3600

Step 2: Enable DKIM in Google Workspace Admin Console

Google Workspace can generate DKIM keys for your domain. You need to generate the key in the admin console, publish it in DNS, and then activate signing.

Generate and Publish DKIM Key

1Sign in to the Google Admin console at admin.google.com
2Navigate to Apps > Google Workspace > Gmail > Authenticate email
3Select your domain and click Generate new record. Choose a 2048-bit key length for stronger security.
4Google will display a TXT record value. Copy the entire value.
5Add a TXT record to your DNS with the hostname google._domainkey and the value provided by Google.
6Wait for DNS propagation, then return to the admin console and click Start authentication.

Important

Step 3: Configure DMARC

With SPF and DKIM configured, publish a DMARC record to tie everything together. Start in monitoring mode.

DMARC DNS Record

v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1;

Type

TXT

Host/Name

_dmarc

TTL

3600

Monitor reports for 2-4 weeks, then progress through quarantine to reject once all legitimate senders pass authentication. Google recommends this phased approach in their own documentation.

Step 4: Enable Advanced Phishing and Malware Protection

Spoofing and Authentication

In Admin Console > Apps > Google Workspace > Gmail > Safety:

Protect against domain spoofing based on similar domain names
Protect against spoofing of employee names
Protect against inbound emails spoofing your domain
Protect against any unauthenticated emails
Protect your Groups from inbound spoofing emails

Attachments and Links

Enable these attachment and link protections:

Protect against encrypted attachments from untrusted senders
Protect against attachments with scripts from untrusted senders
Protect against anomalous attachment types in emails
Identify links behind shortened URLs
Scan linked images and identify links behind them

Step 5: Additional Security Settings

Beyond email authentication and phishing protection, configure these additional settings to harden your Google Workspace environment.

User Security

Enforce 2-step verification for all users (mandatory, not optional)
Require security keys for admin accounts
Disable less secure app access
Set up login challenges for suspicious sign-in attempts

Email Routing and Compliance

Enable comprehensive mail storage for compliance needs
Configure content compliance rules for sensitive data (PII, financial data)
Set up email retention policies based on your industry requirements
Enable MTA-STS and TLS reporting for enforced transport encryption

Google Workspace Email Security Checklist

Authentication

SPF record published with _spf.google.com
DKIM 2048-bit key generated and activated
DMARC record published with reporting
All third-party senders authenticated

Admin Console

Advanced phishing protections enabled
Attachment and link protections enabled
2-step verification enforced
MTA-STS and TLS reporting configured