Skip to main content
Relaymetry

Email authentication for Gmail: what you can set up

If your address ends in @gmail.com, there is nothing to set up: Google owns gmail.com and already publishes and signs its SPF and DKIM, so you cannot add your own. SPF, DKIM, and DMARC only apply when you send from your own domain — on Google that is the Google Workspace setup. Find the address you actually send from below to see which of the three cases is yours.

If you send from an @gmail.com address, you cannot set SPF, DKIM, or DMARC, and you do not need to: Google owns the gmail.com domain and already publishes and signs those records. People search for "gmail dkim" or "gmail spf" all the time, usually because a tool reported a failed check or because consumer Gmail is being mixed up with a domain on Google. The records you are picturing only exist for a domain that someone controls. So the useful question is not how to add them to Gmail, but which of three situations you are actually in.

Which case are you in?

Look at the address your mail is actually sent from — the From address your recipients see:

  • It ends in @gmail.com (like you@gmail.com) — that is case 1, consumer Gmail. Nothing to configure.
  • It is your own domain (like you@yourcompany.com) and your mail runs on Google — that is case 2, Google Workspace. This is where SPF, DKIM, and DMARC apply.
  • It is another address you added under Settings → Accounts → "Send mail as" — that is case 3, a Send-as alias. What applies depends on how that mail leaves.

Case 1 — you send from an @gmail.com address

There is nothing to do, and nothing you can do. Google publishes SPF for gmail.com and signs every outgoing gmail.com message with DKIM, so your mail already authenticates. You cannot add or override those records, because you do not own the domain — Google does. Anyone who tells you to "add an SPF record for your Gmail" is confusing a consumer @gmail.com account with a custom domain on Google. If a checker shows records for gmail.com, it is reporting Google's own configuration, not a gap you need to fill. For what SPF, DKIM, and DMARC actually do, see email authentication explained.

Case 2 — you send from your own domain on Google (Google Workspace)

This is the case where email authentication genuinely applies, and it is the Google Workspace setup. Your mailboxes run on Google, but your mail goes out under your own domain (for example you@yourcompany.com), so you are the domain owner and you publish the records. That means one SPF TXT record naming Google as a sender, a DKIM key you generate in the Admin console and publish in your DNS, and a DMARC policy — all on your own domain, never on gmail.com. The exact record values and the Admin console steps are on the Google Workspace email authentication guide.

Case 3 — you use Gmail's "Send mail as"

Gmail lets you send from another address — a separate mailbox or an alias — set up under Settings → Accounts. What authenticates that mail depends on how you configured the SMTP path:

  • If you set "Send mail as" to send through your own domain's SMTP server, the message leaves that server, so your domain's SPF and DKIM apply. You set them up at the mailbox provider that runs that SMTP server, exactly as you would for any custom domain.
  • If Gmail sends the message through Google's servers on your behalf, the sending path is Google's. Alignment follows the domain that actually sent the mail, so you generally cannot make your custom domain's SPF and DKIM align on that path.

If your alias is on a custom domain, set authentication up at whichever provider sends that domain's mail. For a domain on Microsoft, that is the Microsoft 365 setup; for a domain on Google, it is the Google Workspace setup.

Check what is actually published

You do not have to guess what any domain publishes. Run a lookup from the Relaymetry home page to read the live SPF, DKIM, and DMARC for a domain at once, or check one record at a time with the SPF checker and the DMARC checker. Point a lookup at gmail.com and you will see Google's own records; point it at your own domain and you will see what you have published so far. To set records up for a different mailbox host, start from the email authentication setup hub.

Frequently asked questions

Can I add SPF, DKIM, or DMARC to my @gmail.com address?

No. Google owns the gmail.com domain, and only the domain owner can publish these records. Google already does it for gmail.com, so there is no setting in your account and no DNS you can edit. Anyone telling you to add an SPF record for your Gmail is confusing consumer Gmail with a custom domain.

Does gmail.com already have SPF and DKIM?

Yes. Google publishes SPF for gmail.com and signs outgoing gmail.com mail with DKIM. That is why mail from an @gmail.com address already passes authentication without you doing anything. You benefit from it; you do not configure it.

I have a custom domain on Google — where do I set it up?

That is the Google Workspace case, and it is where SPF, DKIM, and DMARC genuinely apply. Your mail runs on Google but under your own domain, so you publish the records for your domain. The full record values and Admin console steps are on the Google Workspace setup page.

Does Gmail's "Send mail as" let my own domain's SPF and DKIM apply?

It depends on the SMTP path. If you point "Send mail as" at your own domain's SMTP server, that domain's SPF and DKIM apply and you set them up at that mailbox provider. If Gmail relays the message through Google on your behalf, alignment behaves differently and you generally cannot make the custom domain's SPF and DKIM align for that path.

Why does a checker say gmail.com has DMARC p=none or quarantine?

That is Google publishing DMARC for its own gmail.com domain — the policy is Google's, not something you set or can change. Seeing it in a checker is expected. To act on a DMARC policy you own, use your own sending domain, not gmail.com.

Other providers

References

Browse all guides →