One wrong character in your SPF record and every cold email from that domain fails authentication — regardless of how good your inbox reputation is, how clean your list is, or how compelling your copy is. SPF is foundational. Getting it right takes 5 minutes. Getting it wrong silently kills deliverability until someone thinks to check.
What SPF Does for Google Workspace Cold Email
SPF (Sender Policy Framework) is a DNS TXT record that tells receiving mail servers which servers are authorised to send email from your domain. When your email arrives at a recipient's mail server, the server checks your domain's SPF record and verifies that the email came from an authorised source.
For Google Workspace cold email:
SPF PASS: The receiving server confirms Google's mail servers are authorised to send for your domain. Positive trust signal.
SPF FAIL or SOFTFAIL: The receiving server cannot verify the sender is authorised. Significant spam filter trigger — most corporate email gateways route FAIL/SOFTFAIL emails directly to spam or reject them.
SPF NEUTRAL: No SPF record found or the record is too vague to produce a clear result. Treated as a minor negative signal.
🚩 SPF Failure Is Silent
A broken SPF record doesn't produce an error message on your end. Emails send normally. Open rates collapse. Reply rates drop. And the cause sits undetected in DNS until someone runs a diagnostic. Check your SPF record on mxtoolbox.com before every new domain launch — not just at initial setup.
The Exact SPF Record for Google Workspace Cold Email
Here is the correct SPF TXT record for a domain sending cold email exclusively from Google Workspace:
Record type: TXT
Host/Name: @ (or your domain name, depending on your DNS provider)
Value: v=spf1 include:_spf.google.com -all
TTL: 3600 (1 hour) or your DNS provider's default
That's the complete record. Nothing more needs to be added for a domain sending exclusively from GWS.
If You're Sending From GWS and Microsoft 365 on the Same Domain
v=spf1 include:_spf.google.com include:spf.protection.outlook.com -all
If You're Also Sending Transactional Email from a Third Party (SendGrid, Mailgun)
v=spf1 include:_spf.google.com include:sendgrid.net -all
(Replace sendgrid.net with your transactional email provider's SPF include)
✅ The -all vs ~all Decision
Use -all (hard fail) for cold email domains. This tells receiving servers to reject email that doesn't pass SPF — the strongest enforcement signal. Some guides recommend ~all (soft fail) as a more conservative option, but for dedicated cold email domains where you control all sending, -all produces better deliverability outcomes. ~all tells receiving servers to treat non-matching email with suspicion but not reject it — a weaker stance than cold email infrastructure warrants.
Common SPF Record Errors for Google Workspace
These are the specific errors that appear repeatedly in cold email deliverability troubleshooting. Each one silently degrades deliverability without an obvious error message.
Error | What It Looks Like | Why It Breaks Things | Fix |
|---|---|---|---|
Two SPF records on one domain | Two separate TXT records both starting with v=spf1 | Multiple SPF records = SPF PERMERROR — fail on all receiving servers | Combine into one record. Delete the duplicate. |
Wrong Google include | include:google.com instead of include:_spf.google.com | include:google.com doesn't resolve — SPF FAIL | Change to include:_spf.google.com (note the underscore) |
Missing -all or ~all | v=spf1 include:_spf.google.com (no ending) | SPF NEUTRAL — no enforcement, weak trust signal | Add -all to the end of the record |
Too many DNS lookups | SPF record with 10+ includes | SPF has a 10-lookup limit — exceeding it causes SPF PERMERROR | Remove unnecessary includes. Use only what you actually send from. |
Using ?all instead of -all | v=spf1 include:_spf.google.com ?all | ?all is neutral — provides no enforcement signal to receiving servers | Change ?all to -all for cold email sending domains |
How to Add the SPF Record for GWS — Step by Step
The exact steps vary by DNS provider. Here's the process for the most common ones.
Cloudflare DNS (Recommended for Cold Email Domains)
Log in to Cloudflare → select your domain
Go to DNS → Records → Add record
Type: TXT | Name: @ | Content: v=spf1 include:_spf.google.com -all | TTL: Auto
Click Save
GoDaddy DNS
Log in → My Products → DNS → Manage DNS for your domain
Add Record → Type: TXT | Host: @ | TXT Value: v=spf1 include:_spf.google.com -all | TTL: 1 Hour
Save
Namecheap DNS
Log in → Domain List → Manage → Advanced DNS
Add New Record → TXT Record | Host: @ | Value: v=spf1 include:_spf.google.com -all | TTL: Automatic
Save Changes
DNS propagation typically takes 15–60 minutes. In some cases up to 24–48 hours. Run the mxtoolbox.com check after 60 minutes to verify propagation.
How to Verify Your GWS SPF Record Is Working
Three verification methods — run all three after adding your SPF record. Each catches a different type of failure.
🔍Check 1: MXToolbox SPF Lookup
Go to mxtoolbox.com/spf. Enter your sending domain. Result should show: SPF Record Found, v=spf1 include:_spf.google.com -all, and SPF Syntax Check: Pass. Any error in this result means the record needs to be corrected before sending.
🔍Check 2: Gmail Header Verification
Send a test email from your GWS inbox to a Gmail address you control. In Gmail, click the three-dot menu on the email → Show Original. Look for the Authentication-Results section. You should see: spf=pass. Any result other than pass means your SPF record isn't working correctly.
🔍Check 3: Mail-Tester.com Score
Send a test to the address at mail-tester.com. A SPF-related deduction in your score indicates the record isn't configured correctly. Your overall score should be 9/10 or 10/10 with a correctly configured SPF record.
If all three checks pass, your SPF record is correctly configured and contributing to authentic email delivery. The next steps are verifying DKIM activation and DMARC publication — SPF alone is not sufficient for full authentication.
SPF Works Best With DKIM and DMARC — Don't Stop at SPF
SPF by itself is the weakest of the three authentication records. A domain with only SPF configured and missing DKIM will see lower deliverability than a domain with all three in place — even if the SPF record is perfectly configured.
The complete authentication stack for GWS cold email:
SPF: v=spf1 include:_spf.google.com -all — authorises Google's servers to send for your domain
DKIM: Activated in Google Admin Console → Apps → Google Workspace → Gmail → Authenticate Email — cryptographically signs outgoing emails
DMARC: v=DMARC1; p=none; rua=mailto:dmarc@[yourdomain] — monitors authentication and provides enforcement policy
Litemail pre-warmed GWS inboxes ship with all three pre-configured and verified. No manual DNS setup needed. If you're provisioning your own GWS inboxes, SPF is step one of three — not the complete authentication setup.
Get SPF, DKIM, and DMARC Pre-Configured — Litemail Pre-Warmed GWS Inboxes
Every Litemail GWS inbox ships with SPF, DKIM, and DMARC pre-configured and verified. No DNS setup required. Verify on mxtoolbox.com on delivery — all green, no action needed. $4.99/inbox.
Get Pre-Warmed GWS Inboxes from $4.99 →
SPF, DKIM, DMARC pre-configured · Verified Good/High reputation · Dedicated US and EU IPs · No minimum order
About Litemail — Litemail provides pre-warmed Google Workspace and Microsoft 365 inboxes for cold email outreach. From $4.99/inbox with automated DNS, dedicated US and EU IPs, and full admin access. View pre-warmed inbox plans →
Related reading:
SPF, DKIM, DMARC Setup Guide for Cold Email 2026 · SPF Record Errors Troubleshooting · SPF Record Not Working: Fix 2026 · SPF Record Exact Format for Cold Email 2026 · DMARC Not Working: Fix Guide 2026
Key Takeaways
The correct SPF record for Google Workspace cold email: v=spf1 include:_spf.google.com -all — published as a TXT record at @ on your sending domain.
Use -all (hard fail) not ~all (soft fail) for dedicated cold email domains. -all produces stronger deliverability outcomes for domains where you control all sending.
Only one SPF TXT record per domain. If you need multiple providers, combine them into one record — multiple SPF records cause SPF PERMERROR on all receiving servers.
The most common GWS SPF error: using include:google.com instead of include:_spf.google.com (note the underscore and spf. prefix). The wrong include produces SPF FAIL silently.
SPF alone is insufficient — DKIM and DMARC must also be configured. SPF is step one of three. Verify all three on mxtoolbox.com and through Gmail header inspection before running campaigns.
Litemail pre-warmed GWS inboxes ship with SPF (and DKIM and DMARC) pre-configured and verified. No DNS setup needed — check on mxtoolbox.com on delivery to confirm all green.
Frequently Asked Questions
What is the SPF record for Google Workspace?
v=spf1 include:_spf.google.com -all — this is the complete, correct SPF TXT record for a domain sending email exclusively from Google Workspace. Add it as a TXT record at @ (root domain) in your DNS settings. Note the underscore in _spf.google.com — using include:google.com (without the underscore and spf prefix) is a common error that causes SPF FAIL.
Should I use -all or ~all in my SPF record for cold email?
Use -all (hard fail) for dedicated cold email domains. This tells receiving servers to reject email that doesn't pass SPF authentication — the strongest enforcement signal and the better deliverability outcome for domains where you control all sending. ~all (soft fail) tells servers to treat non-matching email with suspicion but not reject it — a weaker stance that's less appropriate for cold email infrastructure.
Can I have two SPF records on the same domain?
No. Two SPF TXT records on the same domain causes SPF PERMERROR — a permanent error that makes SPF fail on all receiving servers. If you need to authorise multiple sending providers, combine them into a single SPF record: v=spf1 include:_spf.google.com include:[second-provider] -all. Delete the duplicate record — having one valid, combined record is the only correct approach.
How do I check if my Google Workspace SPF record is working?
Three checks: (1) mxtoolbox.com/spf — enter your domain and confirm "SPF Record Found" and "SPF Syntax Check: Pass". (2) Send a test email from your GWS inbox to Gmail, view Show Original in the received email, and confirm "spf=pass" in the Authentication-Results section. (3) Send to mail-tester.com and confirm 9/10 or 10/10 with no SPF-related deductions. All three should pass before running any cold email campaigns.
How long does it take for an SPF record to propagate?
Typically 15–60 minutes for most DNS providers, with the possibility of up to 24–48 hours in some cases. Cloudflare DNS propagates fastest — usually 1–5 minutes. GoDaddy and Namecheap typically take 30–60 minutes. After adding your SPF record, wait 30 minutes then check on mxtoolbox.com. If it's not showing yet, wait another hour and check again before concluding there's a configuration error.
Do Litemail pre-warmed GWS inboxes need manual SPF setup?
No. Litemail pre-warmed Google Workspace inboxes ship with SPF, DKIM, and DMARC all pre-configured and verified before delivery. The correct SPF record (v=spf1 include:_spf.google.com -all) is already in place. Verify on mxtoolbox.com within minutes of receiving your inbox credentials — you should see all DNS records green without any manual configuration needed.
SPF Record for Google Workspace Cold Email | Litemail
Pre-configured SPF, DKIM, and DMARC on every GWS inbox. No manual DNS setup. Verify green on mxtoolbox.com from delivery. $4.99/inbox.
View Plans & Pricing →
Related reading:
SPF, DKIM, DMARC Setup Guide · SPF Record Errors Troubleshooting · SPF Record Not Working Fix · SPF Exact Format 2026 · DMARC Not Working Fix Guide
