All DNS Records and Settings for Google Suite Domain
Complete Google Workspace DNS Configuration
Setting up Google Workspace (formerly G Suite) requires configuring multiple DNS records. This comprehensive guide covers everything from domain verification to email authentication, ensuring your domain is properly configured for Google’s services.
Overview of Required DNS Records
To fully configure Google Workspace, you need:
- TXT Record: Domain verification
- MX Records: Mail routing
- SPF Record: Sender authentication
- DKIM Record: Email signing
- DMARC Record: Email policy enforcement
- CNAME Records (optional): Custom URLs for services
Step 1: Domain Verification
Before using Google Workspace, you must verify domain ownership.
Verification TXT Record
Add this TXT record to your domain’s DNS:
Host: @
Type: TXT
Value: google-site-verification=YOUR_VERIFICATION_CODE
TTL: 3600
Where to find your verification code:
- Go to Google Admin Console
- Navigate to Domains > Manage domains
- Click Add a domain or select your domain
- Choose TXT verification method
- Copy the provided code
Verification time: Usually 15 minutes to 24 hours
Alternative Verification Methods
- HTML file upload: Upload a file to your website root
- Meta tag: Add a tag to your homepage
- Google Analytics: Use existing Analytics tracking
- Google Tag Manager: Use existing Tag Manager
Step 2: MX Records (Mail Exchange)
MX records tell other mail servers where to deliver your email.
Google Workspace MX Records
Add these MX records (remove existing MX records first):
Priority Host Points to TTL
1 @ ASPMX.L.GOOGLE.COM. 3600
5 @ ALT1.ASPMX.L.GOOGLE.COM. 3600
5 @ ALT2.ASPMX.L.GOOGLE.COM. 3600
10 @ ALT3.ASPMX.L.GOOGLE.COM. 3600
10 @ ALT4.ASPMX.L.GOOGLE.COM. 3600
Important notes:
- Include the trailing dot (.) in the values
- Lower priority numbers are tried first
- Remove any existing MX records
- Changes may take up to 48 hours to propagate
Verifying MX Records
Use Google’s MX record checker:
- Go to toolbox.googleapps.com/apps/checkmx
- Enter your domain
- Verify all five records are present and correct
Or use command line:
nslookup -type=MX yourdomain.com
Step 3: SPF Record (Sender Policy Framework)
SPF records specify which mail servers can send email on your domain’s behalf.
Basic Google Workspace SPF Record
Host: @
Type: TXT
Value: v=spf1 include:_spf.google.com ~all
TTL: 3600
SPF Record Explained
- v=spf1: SPF version
- include:_spf.google.com: Allow Google’s servers
- ~all: Soft fail for unlisted servers
SPF for Multiple Email Services
If you use multiple email services (e.g., Google + SendGrid):
v=spf1 include:_spf.google.com include:sendgrid.net ~all
SPF with Custom Mail Server
If you also send from your own servers:
v=spf1 include:_spf.google.com ip4:203.0.113.10 ~all
SPF Best Practices
- Limit DNS lookups: SPF has a 10 DNS lookup limit
- Use include wisely: Each include counts as a lookup
- Avoid redundancy: Don’t duplicate includes
- Use ~all or -all: Soft fail (~all) or hard fail (-all)
Step 4: DKIM Record (DomainKeys Identified Mail)
DKIM adds a digital signature to your emails, verifying they came from your domain.
Generating DKIM Record
- Go to Google Admin Console
- Navigate to Apps > Google Workspace > Gmail
- Click Authenticate email
- Select your domain
- Click Generate new record
- Choose key length (2048-bit recommended)
- Copy the generated TXT record
Adding DKIM Record
Host: google._domainkey.yourdomain.com
Type: TXT
Value: v=DKIM1; k=rsa; p=MIIBIjANBgkqhki... (long key)
TTL: 3600
Format notes:
- Host includes the google._domainkey subdomain
- Remove spaces from the provided key
- Some DNS providers split long values into chunks
Activating DKIM
After adding the record:
- Return to Google Admin Console
- Click Start authentication
- Wait 24-48 hours for propagation
- Google will verify and activate DKIM
Verifying DKIM
Check DKIM status:
- Send a test email to a Gmail account
- Open the email in Gmail
- Click Show original
- Look for DKIM: 'PASS'
Or use command line:
nslookup -type=TXT google._domainkey.yourdomain.com
Step 5: DMARC Record
DMARC tells receiving servers what to do with emails that fail SPF or DKIM checks.
Basic DMARC Record
Host: _dmarc.yourdomain.com
Type: TXT
Value: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
TTL: 3600
DMARC Parameters Explained
- v=DMARC1: DMARC version
- p=none: Policy (none/quarantine/reject)
- rua=: Email address for aggregate reports
- ruf=: Email address for forensic reports
- pct=: Percentage of emails to apply policy to
- sp=: Policy for subdomains
DMARC Policy Levels
Start with monitoring:
p=none; rua=mailto:dmarc-reports@yourdomain.com
Move to quarantine:
p=quarantine; pct=25; rua=mailto:dmarc-reports@yourdomain.com
Enforce strict policy:
p=reject; rua=mailto:dmarc-reports@yourdomain.com
Recommended DMARC Configuration
v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; ruf=mailto:dmarc@yourdomain.com; pct=100; adkim=s; aspf=s
- adkim=s: Strict DKIM alignment
- aspf=s: Strict SPF alignment
- pct=100: Apply to 100% of emails
Step 6: Additional Records (Optional)
Custom Gmail URL
Create a custom URL like mail.yourdomain.com:
Host: mail
Type: CNAME
Value: ghs.google.com.
TTL: 3600
Then configure in Google Admin Console under Apps > Gmail > End user access.
Calendar Custom URL
Host: calendar
Type: CNAME
Value: ghs.google.com.
TTL: 3600
Drive Custom URL
Host: drive
Type: CNAME
Value: ghs.google.com.
TTL: 3600
Sites Custom URL
Host: sites
Type: CNAME
Value: ghs.google.com.
TTL: 3600
Complete DNS Record Summary
Here’s a complete example for example.com:
# Domain Verification
@ TXT google-site-verification=abc123xyz
# MX Records (Mail)
@ MX 1 ASPMX.L.GOOGLE.COM.
@ MX 5 ALT1.ASPMX.L.GOOGLE.COM.
@ MX 5 ALT2.ASPMX.L.GOOGLE.COM.
@ MX 10 ALT3.ASPMX.L.GOOGLE.COM.
@ MX 10 ALT4.ASPMX.L.GOOGLE.COM.
# SPF Record
@ TXT v=spf1 include:_spf.google.com ~all
# DKIM Record
google._domainkey TXT v=DKIM1; k=rsa; p=MIIBIjAN...
# DMARC Record
_dmarc TXT v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com
# Custom URLs (Optional)
mail CNAME ghs.google.com.
calendar CNAME ghs.google.com.
drive CNAME ghs.google.com.
Verification and Testing
Check All Records
Use online DNS checking tools:
Command Line Verification
# Check MX records
nslookup -type=MX yourdomain.com
# Check SPF record
nslookup -type=TXT yourdomain.com
# Check DKIM record
nslookup -type=TXT google._domainkey.yourdomain.com
# Check DMARC record
nslookup -type=TXT _dmarc.yourdomain.com
Send Test Email
- Send an email from your Google Workspace account
- Send to an external address (Gmail, Yahoo, etc.)
- Check the email headers:
- SPF should show “PASS”
- DKIM should show “PASS”
- DMARC should show “PASS”
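The header check above can be scripted. This added example (not from the original guide) parses an Authentication-Results header and reports anything other than three passes, plus a DKIM pass whose signing domain is not yours. Both sample headers are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample headers (not captured from real mail).
SAMPLE_PASS = """Authentication-Results: mx.google.com;
       dkim=pass header.i=@example.com header.s=google header.b=AbCdEfGh;
       spf=pass (google.com: domain of alice@example.com designates 203.0.113.10 as permitted sender) smtp.mailfrom=alice@example.com;
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=example.com"""
SAMPLE_FAIL = """Authentication-Results: mx.google.com;
       dkim=pass header.i=@other.test header.s=selector1;
       spf=softfail (google.com: domain of transitioning bob@example.com does not designate 198.51.100.7 as permitted sender) smtp.mailfrom=bob@example.com;
       dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=QUARANTINE) header.from=example.com"""

def parse_auth_results(header):
    """Return {method: (result, {property: value})}; assumes one result per method."""
    body = header.split(":", 1)[1]
    body = re.sub(r"\([^)]*\)", " ", body)      # drop (comments)
    out = {}
    for clause in body.split(";")[1:]:          # first item is the reporting server
        tokens = clause.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        out[method.lower()] = (result.lower(), props)
    return out

def check_auth(header, domain):
    """Return findings for a test message that should authenticate as `domain`."""
    res = parse_auth_results(header)
    findings = []
    for method in ("spf", "dkim", "dmarc"):
        result = res.get(method, ("missing", {}))[0]
        if result != "pass":
            findings.append(f"{method.upper()}: {result}")
    # A DKIM pass only helps DMARC when the signer is your own domain
    # (exact match here, as adkim=s requires).
    signer = res.get("dkim", ("", {}))[1].get("header.i", "")
    if signer and not signer.lower().endswith("@" + domain):
        findings.append(f"DKIM signed by {signer}, not {domain}")
    return findings

if __name__ == "__main__":
    print(check_auth(SAMPLE_PASS, "example.com"))
    print(check_auth(SAMPLE_FAIL, "example.com"))
```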
Common Issues and Solutions
MX Records Not Working
- Check priority numbers: Must be 1, 5, 5, 10, 10
- Remove old records: Delete competing MX records
- Add trailing dots: Ensure . at end of server names
- Wait for propagation: Can take up to 48 hours
SPF Record Errors
- Too many lookups: Flatten SPF records if over 10 lookups
- Multiple SPF records: Only one SPF record allowed per domain
- Syntax errors: Use SPF validation tools to check
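The lookup limit from SPF Best Practices and the single-record rule above can both be checked mechanically. This added example (not from the original guide) counts lookup-costing terms by following include and redirect targets through an offline map of TXT records. SAMPLE_TXT is constructed, including the contents shown for _spf.google.com, and the .test names are hypothetical.

```python
# Added example: offline SPF audit. SAMPLE_TXT is constructed data standing in
# for live TXT answers; the nested record contents are not real DNS values.
LOOKUP_LIMIT = 10
SAMPLE_TXT = {
    "example.com": ["v=spf1 include:_spf.google.com include:mail.vendor.test ~all"],
    "_spf.google.com": ["v=spf1 include:_netblocks.sample.test ~all"],
    "_netblocks.sample.test": ["v=spf1 ip4:203.0.113.0/24 ~all"],
    "mail.vendor.test": ["v=spf1 a mx ip4:198.51.100.7 ~all"],
    "dup.example.com": ["v=spf1 include:_spf.google.com ~all", "v=spf1 mx -all"],
}

def spf_records(domain, txt):
    """Return the TXT strings published at `domain` that are SPF records."""
    return [r for r in txt.get(domain, []) if r.lower().split()[:1] == ["v=spf1"]]

def count_lookups(domain, txt, path=()):
    """Count terms that cost a DNS lookup, following include/redirect targets."""
    recs = spf_records(domain, txt)
    if domain in path or len(recs) != 1:   # loop guard; ambiguous or missing record
        return 0
    total = 0
    for term in recs[0].split()[1:]:
        term = term.lstrip("+-~?").lower().replace("=", ":", 1)
        name, _, target = term.partition(":")
        name = name.split("/")[0]          # "a/24" and "mx/24" are still a and mx
        if name in ("include", "redirect"):
            total += 1 + count_lookups(target, txt, path + (domain,))
        elif name in ("a", "mx", "ptr", "exists"):
            total += 1
    return total

def audit_spf(domain, txt):
    """Return (lookup_count, findings) for the SPF record published at `domain`."""
    recs = spf_records(domain, txt)
    findings = []
    if len(recs) != 1:
        findings.append(f"expected exactly one SPF record, found {len(recs)}")
    lookups = count_lookups(domain, txt)
    if lookups > LOOKUP_LIMIT:
        findings.append(f"{lookups} DNS lookups exceeds the limit of {LOOKUP_LIMIT}")
    if recs and recs[0].split()[-1] not in ("~all", "-all"):
        findings.append("record does not end in ~all or -all")
    return lookups, findings

if __name__ == "__main__":
    for name in ("example.com", "dup.example.com"):
        print(name, audit_spf(name, SAMPLE_TXT))
```

Nested includes count toward the limit, so a record with only two include terms can still cost five lookups, as the example.com sample does.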
DKIM Not Activating
- Key too long: Some DNS providers can’t handle long values
- Spaces in key: Remove all spaces from the DKIM key
- Incorrect subdomain: Must be google._domainkey.yourdomain.com
- Wait time: Can take 24-48 hours to verify
DMARC Reports Not Arriving
- Check email address: Must be valid and monitored
- Wait for reports: Sent daily, may take 24-48 hours
- Use DMARC analyzer: Services like Postmark or Dmarcian can help
Best Practices
- Set up in order: Verification → MX → SPF → DKIM → DMARC
- Test thoroughly: Send test emails after each step
- Monitor reports: Review DMARC reports regularly
- Start lenient: Use p=none for DMARC initially
- Document changes: Keep records of your DNS configuration
- Set appropriate TTL: Use 3600 (1 hour) for testing, 86400 (24 hours) for production
- Use subdomain for testing: Test on a subdomain before applying to main domain
Conclusion
Proper DNS configuration is crucial for Google Workspace functionality and email deliverability. Follow this guide step-by-step, verify each record, and monitor your email authentication over time. With all records correctly configured, your emails will be properly authenticated, improving deliverability and protecting your domain from spoofing.