Fraud Blocker

Google Workspace DNS Records

Google Workspace DNS Records

When we work with customers to migrate them from various email platforms to Google Workspace, some of them prefer to make required DNS changes by themselves rather than sharing their DNS credentials with us. Let me explain how you can make these DNS changes by yourself.

Understanding Google Workspace DNS Records:

Before making any changes, let me help you understand why you should be making these changes, where you should make them, and how to do this the right way, as not doing it right may have consequences including putting your website and email down.

What are DNS Records, and Why change them to set up Google Workspace?

DNS or Domain Name System is similar to the post office. We use the post office to deliver our mail and parcels from one place to another, similarly DNS helps us deliver online information from one place to another.

Just like a post office has your physical address which helps them deliver mail to your house, DNS keeps your online address so information can be delivered to you.

For instance, If you have been using Godaddy Office 365, you have their address in the DNS system, so if an email comes for your mailbox, DNS helps to deliver it to you.

Now as you would be making the switch to Google Workspace, you would need to update this address in the DNS with Google’s information, similar to what you do at USPS when you move from one place to another.

Google Workspace DNS Records:

There are a few types of DNS records, let me explain which records should you be updating for Google Workspace as per Google’s best practices.

Domain Verification via TXT Record

  • Record Name : TXT Record
  • Reason for Creation : After you register your domain name with Google Workspace, Google wants you to verify that you own this domain.
  • How to create it: 
    • Once you are in the Google Workspace Administration console (admin.google.com). You can obtain a TXT record value. It’ll be a long string of text.
    • Now go to your DNS provider (e.g Godaddy, Hostinger etc), create a new DNS record with this value.

Email Routing via MX Records:

  • Record Name : MX Record (Mail Exchanger)
  • Reason for Creation : MX Records lists the email servers. It tells the DNS where to send emails for your domain. 
  • How to create it:
    • Go to your DNS provider, delete existing MX records and create new ones for Google Workspace where priority should be 1 and the value should be smtp.google.com.
  • Reference : You can also refer to our step by step instructions with screenshots here (Google Workspace MX Records Setup)

Email Authentication & Deliverability via SPF Record

  • Record Name : SPF Record (Senders Policy Framework)
  • Reason for Creation : In SPF record, you list all the email servers you want to authorize to send emails on your domain’s behalf (e.g to authorize Google mail servers to send emails on your domain’s behalf).
  • How to create it:
    • In your DNS control panel, you create a new TXT record (some DNS provider might have SPF as dedicated record type too) with Google Workspace’s SPF record value (e.g v=spf1 include:_spf.google.com ~all)
    • You would need to add more entries to this if you want to allow sending from other email servers like your bulk email marketing service).
  • Reference : At Googally, we have written a step by step article with screenshots about how to create SPF records for Google Workspace. This article goes into more details. You can read it here (Google Workspace SPF Record)

Email Authentication + Deliverability + Protection from Email Forging via DKIM Record

  • Record Name : DKIM Record (Domain Key Identified Mail)
  • Reason for Creation : You want to assure your recipient that the sent email came from you and not from a spammer who used your domain name to send spam.
  • How to create it:
    • Generate a DKIM key in your Google Workspace admin console (search for DKIM in top search bar)
    • Create a new TXT record with the DKIM host name and value you generated

Email Treatment via DMarc Record

  • Record Name : DMarc Record (Domain based Message Authentication, Reporting, and Conformance)
  • Reason for Creation : In DMarc record, you prescribe how the emails should be treated by your recipients if they pretend to come from your domain but not actually sent from your domain.
  • How to: DMarc provides flexibility and helps you write the strict or lenient prescription as you need. 
  • DMarc Components Table

Sample DMarc Records for Google Workspace:

  • v=DMARC1; p=none; rua=it-team@example.comsome text
    • Where version = version 1
    • Policy does not define whether to mark unauthenticated emails from our domain as quarantine or reject them, so its left to the recipient emails server on who to treat them.
    • Reports are sent to it-team@example.com
  • v=DMARC1; p=reject; rua=support@example.com, pct=100; adkim=s; aspf=ssome text
    • Version = 1
    • Policy = Reject emails where recipients couldn’t authenticate that these are sent from us (via SPF or DKIM checks).
    • Reports are sent to support@example.com email address
    • Prescription should be followed 100% of the time (remember % component)
    • Alignment mode for SPF and DKIM are strict

Related Posts

Explore Tips and Guides! Discover expert insights and practical guides for optimizing your Google Workspace experience with our informative resources.