This guide explains how to configure the DNS records required for Google Workspace to work correctly with your domain: MX for receiving emails, SPF for authenticating senders, and DKIM for digitally signing messages.
Summary of Required Records
| Record | Type | Purpose |
|---|---|---|
| MX | MX | Directs incoming mail to Google servers |
| SPF | TXT | Specifies which servers can send mail on behalf of your domain |
| DKIM | TXT | Digitally signs emails to verify their authenticity |
1. MX Record
The MX record tells other mail servers where to deliver messages addressed to your domain.
MX Record Values
| Field | Value |
|---|---|
| Type | MX |
| Host | @ (or leave blank) |
| Priority | 1 |
| Value | smtp.google.com |
| TTL | 3600 (or default value) |
Important Notes
- Remove any previous MX records before adding Google's.
- Some providers require a trailing dot:
smtp.google.com. - Changes may take up to 24 hours to propagate.
2. SPF Record
SPF (Sender Policy Framework) prevents other servers from sending emails pretending to be your domain.
Basic SPF Record (Google Workspace only)
| Field | Value |
|---|---|
| Type | TXT |
| Host | @ |
| Value | v=spf1 include:_spf.google.com ~all |
| TTL | 3600 (or default value) |
Combined SPF Records
If you use other email services in addition to Google Workspace, combine the values:
| Services | SPF Record |
|---|---|
| Google Workspace + Mailchimp | v=spf1 include:_spf.google.com include:servers.mcsv.net ~all |
| Google Workspace + Microsoft 365 | v=spf1 include:_spf.google.com include:spf.protection.outlook.com ~all |
| Google Workspace + Salesforce | v=spf1 include:_spf.google.com include:_spf.salesforce.com ~all |
| Google Workspace + Zendesk | v=spf1 include:_spf.google.com include:mail.zendesk.com ~all |
| Google Workspace + Amazon SES | v=spf1 include:_spf.google.com include:amazonses.com ~all |
Important Notes
- Only one SPF record can exist per domain.
- An SPF record can have up to 10
include:tags. - The
~alltag at the end indicates that emails from unauthorized servers should be marked as spam.
3. DKIM Record
DKIM (DomainKeys Identified Mail) adds a digital signature to each outgoing email, allowing verification that the message was not altered.
Step 1: Generate the DKIM Key in Google Admin
- Sign in to the Google Admin Console.
- Go to Apps > Google Workspace > Gmail.
- Click Authenticate email.
- Select your domain from the dropdown menu.
- Click Generate new record.
- Select the key length:
- 2048 bits (recommended if your provider supports it)
- 1024 bits (if your provider doesn't support 2048)
- Leave the prefix as google (default).
- Click Generate.
Step 2: Add the DKIM Record to Your Domain
With the values generated by Google, create the TXT record:
| Field | Value |
|---|---|
| Type | TXT |
| Host | google._domainkey |
| Value | v=DKIM1; k=rsa; p=[generated public key] |
| TTL | 3600 (or default value) |
Step 3: Activate DKIM
- Return to the Google Admin Console.
- Go to Apps > Google Workspace > Gmail > Authenticate email.
- Click Start authentication.
- Wait up to 48 hours for authentication to become active.
Verify DKIM
Send an email to a Gmail account and check the message headers. You should see:
Authentication-Results: ... dkim=passRecord Verification
Recommended Tools
- Google Admin Toolbox (Dig): https://toolbox.googleapps.com/apps/dig/
- MXToolbox: https://mxtoolbox.com/
Terminal Commands to Verify
# Verify MX
dig MX yourdomain.com +short
# Verify SPF
dig TXT yourdomain.com +short | grep spf
# Verify DKIM
dig TXT google._domainkey.yourdomain.com +shortTroubleshooting
Emails not arriving after configuring MX:
- Verify that no old MX records exist.
- Wait for the full propagation time (Up to 24 hours).
- Confirm that Gmail is activated in the Admin Console.
Emails being marked as spam (SPF):
- Verify that the SPF record is correctly formatted.
- Make sure to include all services that send mail on your behalf.
- Confirm that only one SPF record exists on your domain.
DKIM won't activate:
- Wait up to 24 hours after activating Gmail before generating the key.
- Verify that the TXT record is published correctly.
- Confirm that the host value is exactly
google._domainkey.