Authorize senders with SPF
About SPF records
We recommend that you create a Sender Policy Framework (SPF) record for your domain. An SPF record is a type of Domain Name Service (DNS) record that identifies which mail servers are permitted to send email on behalf of your domain.
The purpose of an SPF record is to prevent spammers from sending messages that imitate your domain during an email connection. Recipients can refer to the SPF record to determine whether a message purporting to be from your domain comes from an authorized mail server.
For example, suppose that your domain example.com uses Gmail. You create an SPF record that identifies the G Suite mail servers as the authorized mail servers for your domain. When a recipient's mail server receives a message from email@example.com, it can check the SPF record for example.com to determine whether it is a valid message. If the message comes from a server other than the G Suite mail servers listed in the SPF record, the recipient's mail server can reject it as spam.
If your domain does not have an SPF record, some recipient domains may reject messages from your users because they cannot validate that the messages come from an authorized mail server.
If you've already set the SPF record for your domain, it means that you have set Google's servers in the SPF records.
Set up DMARC to prevent third party imitation of your domain
SPF explicitly protects the domain used in an email connection, but not the domain used in the From address that is visible to recipients reading emails. The From domain can be authenticated with both SPF and DomainKeys Identified Mail (DKIM).
To control how mail providers handle From domains that belong to you but appear in email without matching authentication, you can create a Domain-based Message Authentication, Reporting & Conformance (DMARC) record for your G Suite domain. You can specify a DMARC policy to either take no action, quarantine the message, or reject the message when a third party sends email using your domain in their From address without your matching authentication. If your DMARC policy is to take no action, mail providers can still choose to quarantine or reject the message for other reasons. Learn more about DMARC.
SPF records for outbound gateway
If you decide to enable the email gateway feature, you will need to make sure both Google server addresses and the outbound gateway SMTP server address are included.
- If you purchased your domain from one of our registration partners while signing up for G Suite, Google does not publish SPF records for your domain.
- If you have an existing SPF record, you can update it to authorize an additional mail server. Be careful not to create multiple SPF records - only update the existing record. Multiple SPF records are not recommended and will cause authorization problems. See Add SPF records for more information.