What DNS Records Should Be for Google Workspace?

What DNS Records Should Be for Google Workspace?

To send and receive email through Google Workspace (formerly G Suite), you need to add Google's servers to your SPF record using include:_spf.google.com, add Google's DKIM record at google._domainkey.yourdomain.com, configure DMARC, and set MX records to Google's mail servers. These DNS records authenticate emails and ensure proper email delivery through Google Workspace.

Quick Answer

For Google Workspace, add include:_spf.google.com to your SPF record, add Google's DKIM record at google._domainkey.yourdomain.com, configure DMARC, and set MX records to Google's mail servers (aspmx.l.google.com). These records authenticate emails and ensure proper email delivery.

Understanding Google Workspace DNS Records

Google Workspace (formerly G Suite) is a business email and productivity suite that handles both sending and receiving email for your domain. To ensure emails are properly authenticated and achieve maximum deliverability, you need to configure specific DNS records that authorize Google's servers and verify email authenticity.

Required DNS Records for Google Workspace

1. SPF Record (Sender Policy Framework)

What it does: The SPF record authorizes Google's mail servers to send email on behalf of your domain. Without this, receiving servers may reject or filter emails sent through Google Workspace.

How to configure:

1. Log into your DNS provider's dashboard (where you manage your domain)
2. Find your existing SPF record (TXT record for your domain)
3. Add Google's include statement to your SPF record

Example SPF record with Google Workspace:

If you only use Google Workspace:

v=spf1 include:_spf.google.com ~all

If you use Google Workspace with other services (like Mailchimp):

v=spf1 include:_spf.google.com include:servers.mcsv.net ~all

Important notes:

• You can only have one SPF record per domain
• If you already have an SPF record, add include:_spf.google.com to it
• Don't create a new SPF record—modify your existing one
• The ~all at the end means "soft fail" for unauthorized servers

2. DKIM Record (DomainKeys Identified Mail)

What it does: DKIM adds a digital signature to emails sent through Google Workspace, proving they're authentic and haven't been tampered with during transit.

How to configure:

1. Log into your Google Admin console
2. Go to Apps → Google Workspace → Gmail → Authenticate email
3. Select your domain
4. Google will provide you with a DKIM record (TXT record)
5. Add this record to your DNS at google._domainkey.yourdomain.com

Example DKIM record format:

v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC...

Important notes:

• Google provides the exact DKIM record value—copy it exactly
• The record must be added at google._domainkey.yourdomain.com
• Wait for DNS propagation (1-4 hours) before Google can verify it
• Google will verify the record is correctly configured in the Admin console

3. DMARC Record (Domain-based Message Authentication, Reporting & Conformance)

What it does: DMARC tells receiving servers how to handle emails that fail SPF or DKIM authentication and provides reporting on email authentication performance.

How to configure:

1. Create a DMARC record at _dmarc.yourdomain.com (TXT record)
2. Start with a monitoring policy (p=none) to see how your emails are performing
3. Gradually move to stricter policies (p=quarantine or p=reject) after monitoring

Example DMARC record:

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; ruf=mailto:dmarc@yourdomain.com; fo=1

Important notes:

• Start with p=none to monitor without affecting delivery
• Set rua= to an email address where you want aggregate reports
• Set ruf= to an email address for forensic reports (optional)
• After monitoring for a few weeks, consider moving to p=quarantine or p=reject

4. MX Records (Mail Exchange)

What it does: MX records specify which mail servers are responsible for receiving email messages for your domain. For Google Workspace, these must point to Google's mail servers.

How to configure:

1. Log into your DNS provider's dashboard
2. Remove or update any existing MX records
3. Add Google Workspace MX records with the following priorities:

Google Workspace MX Records:

Priority 1: aspmx.l.google.com
Priority 5: alt1.aspmx.l.google.com
Priority 5: alt2.aspmx.l.google.com
Priority 10: alt3.aspmx.l.google.com
Priority 10: alt4.aspmx.l.google.com

Important notes:

• Lower priority numbers = higher priority
• All MX records must point to Google's servers for proper email delivery
• Remove any old MX records pointing to other mail servers
• These records are essential for receiving email through Google Workspace

Step-by-Step Setup Guide

Step 1: Set Up Google Workspace

1. Sign up for Google Workspace or log into your existing account
2. Verify domain ownership through Google's verification process
3. Complete the Google Workspace setup wizard

Step 2: Update Your SPF Record

1. Log into your DNS provider's dashboard
2. Find your existing SPF record (TXT record for your domain)
3. If you don't have an SPF record, create one:

   v=spf1 include:_spf.google.com ~all
   

4. If you already have an SPF record, add Google Workspace to it:

   v=spf1 include:_spf.google.com include:servers.mcsv.net ~all
   

5. Save the changes

Step 3: Add DKIM Record

1. Log into Google Admin console
2. Navigate to Apps → Google Workspace → Gmail → Authenticate email
3. Select your domain and click Start authentication
4. Copy the DKIM record value provided by Google
5. In your DNS provider's dashboard, create a new TXT record
6. Set the hostname/subdomain to google._domainkey
7. Paste the DKIM record value exactly as provided
8. Save the record
9. Return to Google Admin console and click Authenticate

Step 4: Configure MX Records

1. In your DNS provider's dashboard, remove any existing MX records
2. Add the following MX records with the specified priorities:

Priority 1: aspmx.l.google.com
Priority 5: alt1.aspmx.l.google.com
Priority 5: alt2.aspmx.l.google.com
Priority 10: alt3.aspmx.l.google.com
Priority 10: alt4.aspmx.l.google.com

3. Save all MX records

Step 5: Configure DMARC (Recommended)

1. In your DNS provider's dashboard, create a new TXT record
2. Set the hostname to _dmarc
3. Add the DMARC record value:

   v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
   

4. Replace dmarc@yourdomain.com with your email address
5. Save the record

Step 6: Verify Configuration

1. Wait 1-4 hours for DNS propagation
2. Check Google Admin console for authentication status
3. Use MailMoxie's DNS Record Checker to verify all records are present
4. Send a test email to verify both sending and receiving work

Common Configuration Scenarios

Scenario 1: Google Workspace Only

If you only use Google Workspace for email:

SPF:

v=spf1 include:_spf.google.com ~all

DKIM: Use Google's provided record at google._domainkey.yourdomain.com

DMARC:

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

MX Records: All five Google Workspace MX records

Scenario 2: Google Workspace + Marketing Services

If you use Google Workspace for business email and other services (Mailchimp, SendGrid) for marketing:

SPF:

v=spf1 include:_spf.google.com include:servers.mcsv.net include:sendgrid.net ~all

DKIM: Add Google's DKIM and DKIM records from other services

DMARC:

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

MX Records: All five Google Workspace MX records (for receiving email)

Verifying Your Configuration

After adding DNS records, verify they're working correctly:

1. Use MailMoxie's DNS Record Checker: Enter your domain to see all DNS records
2. Check Google Admin Console: Verify SPF, DKIM, and MX record status
3. Send a test email: Send a test email and check the authentication headers
4. Receive a test email: Have someone send you an email to verify MX records work
5. Review DMARC reports: Check your DMARC report email for authentication statistics

Common Questions

Q: Do I need to add Google Workspace to my SPF record if I already have other services?

A: Yes, you need to add include:_spf.google.com to your existing SPF record. You can only have one SPF record per domain, so combine all services using multiple include: statements.

Q: How long does it take for DNS records to work with Google Workspace?

A: DNS changes typically take 1-4 hours to propagate, but can take up to 48 hours. After adding records, wait a few hours before verifying in Google Admin console.

Q: Can I use Google Workspace without adding DNS records?

A: No, DNS records are required for Google Workspace to function properly. Without MX records, you can't receive email. Without SPF and DKIM, your emails may be filtered into spam.

Q: What if Google can't verify my DKIM record?

A: Double-check that you copied the DKIM record exactly as provided by Google, including the subdomain google._domainkey. Wait for DNS propagation and try verifying again. Use MailMoxie's DNS Record Checker to confirm the record is present.

Q: Do I need DMARC for Google Workspace?

A: DMARC is highly recommended but not strictly required. It provides additional authentication and reporting that helps improve deliverability and protect your domain from spoofing.

Q: What happens if I have multiple SPF records?

A: Having multiple SPF records will cause authentication failures. You must combine all services into a single SPF record using multiple include: statements.

Q: Can I use Google Workspace with other email providers?

A: You can use Google Workspace alongside marketing email services (Mailchimp, SendGrid), but you should use Google Workspace MX records for receiving email. Add other services to your SPF record using include: statements.

Q: How do I know if my Google Workspace DNS records are working?

A: Check Google Admin console for authentication status. You can also send a test email and check the email headers for SPF and DKIM pass results. Verify MX records by having someone send you an email.

Q: What if I'm using a subdomain for Google Workspace?

A: If you're using a subdomain (e.g., mail.yourdomain.com), add the DNS records to that subdomain instead of your main domain. Google Workspace supports subdomain configuration.

Q: Can I keep my old email provider's MX records?

A: No, you should remove old MX records and use only Google Workspace MX records. Having multiple sets of MX records can cause email delivery issues.

Key Takeaways

• Add include:_spf.google.com to your SPF record to authorize Google's mail servers
• Add Google's DKIM record at google._domainkey.yourdomain.com
• Configure DMARC for additional authentication and reporting
• Set all five MX records to Google's mail servers for proper email delivery
• You can only have one SPF record—combine all services using multiple include: statements
• Wait 1-4 hours for DNS propagation before verifying in Google Admin console
• Use MailMoxie's DNS Record Checker to verify all records are configured correctly
• Proper DNS configuration is essential for Google Workspace email functionality and deliverability
• Start with DMARC policy p=none to monitor, then gradually move to stricter policies