How to Setup Google Workspace (G Suite) Emails - Step by Step [VIDEO INCLUDED] (MX, DKIM, DMARC, SPF Records)
Setting up Google-anything is an awful experience - especially for the technically-normal-not-elite-IT-guy.
Hopefully, this video makes it easier for you.
Watch it and follow along and you can ignore reading this article! Yipeeee!
Email authentication protocols like DKIM, DMARC, and SPF are essential for businesses using Google Workspace. They help protect your domain from email spoofing, phishing attacks, and improve email deliverability. This comprehensive guide will walk you through setting up these critical email authentication protocols for your Google Workspace domain.
Before diving into the technical setup, it's important to understand why these email authentication methods are crucial:
- DKIM (DomainKeys Identified Mail): Adds a digital signature to your emails that verifies they were sent by an authorized sender
- DMARC (Domain-based Message Authentication, Reporting & Conformance): Tells receiving mail servers what to do with messages that fail authentication
- SPF (Sender Policy Framework): Specifies which mail servers are authorized to send email from your domain
Together, these protocols significantly enhance your email security posture and help ensure your messages reach their intended recipients.
Before configuring DKIM and DMARC, you need to properly set up MX records for your domain:
- Log into your Google Workspace admin console
- Navigate to Account > Domains > Manage domains
- Click Add domain if adding a new domain, or select your existing domain
- Choose Secondary domain if you want to send emails from this domain
- Verify domain ownership:
- Select TXT record verification
- Add the provided TXT record to your DNS provider
- Return to Google Workspace and click Verify my domain
- After verification, click Activate Gmail
- Add Google's MX records to your DNS provider with the following values:
| Type | Name | Value | Priority |
|---|---|---|---|
| MX | @ (or blank) | aspmx.l.google.com | 1 |
| MX | @ (or blank) | alt1.aspmx.l.google.com | 5 |
| MX | @ (or blank) | alt2.aspmx.l.google.com | 5 |
| MX | @ (or blank) | alt3.aspmx.l.google.com | 10 |
| MX | @ (or blank) | alt4.aspmx.l.google.com | 10 |
DKIM adds a digital signature to emails sent from your domain, helping receiving servers verify that the message is legitimate. Here's how to set up DKIM for Google Workspace:
- Log into your Google Workspace admin console
- Navigate to Apps > Google Workspace > Gmail > Authenticate email
- From the dropdown menu, select the domain you want to configure
- You'll see the status showing "Not authenticating" for a new setup
- Click on Generate new record
- Set selector prefix to "google" and key length to 2048-bit (recommended)
- Click Generate
- Google will generate a TXT record with a very long string value
- Copy this record and add it to your DNS provider:
- Record Type: TXT
- Name/Host: google._domainkey (exactly as shown)
- Value/Content: [paste the long string Google provided]
- Return to the Google Workspace admin console and click Start authentication
Note that it may take up to 48 hours for DNS changes to propagate fully, though many providers update much faster.
DMARC builds upon DKIM and SPF to provide clear instructions to receiving mail servers about what to do with messages that fail authentication. Here's how to set up DMARC:
- Log into your DNS provider's management console
- Create a new TXT record with these specifications:
- Record Type: TXT
- Name/Host: _dmarc
- Value/Content:
v=DMARC1; p=none; rua=mailto:[email protected]
This basic DMARC record uses:
v=DMARC1: Specifies the DMARC versionp=none: Policy set to monitor only (no action taken on failing messages)rua=mailto:[email protected]: Specifies where aggregate reports should be sent
As you grow more confident in your configuration, you can adjust the policy from p=none to p=quarantine (send suspicious emails to spam) or p=reject (block suspicious emails entirely).
SPF (Sender Policy Framework) specifies which mail servers are authorized to send email from your domain:
- Access your DNS provider's management console
- Create a new TXT record with these specifications:
- Record Type: TXT
- Name/Host: @ (or blank, representing your root domain)
- Value/Content:
v=spf1 include:_spf.google.com ~all
This SPF record authorizes Google's servers to send email on behalf of your domain, with a soft fail (~all) for all other servers.
After setting up all records, it's important to verify everything is working correctly:
-
Use Google Admin Toolbox:
- Visit Google Admin Toolbox
- Select the Dig tool
- Enter your domain prefixed with the appropriate record name (e.g.,
_dmarc.yourdomain.com) - Check that your records appear correctly
-
Use Google's MX Check Tool:
- Visit Google MX Check
- Enter your domain name
- Verify all checks pass with green checkmarks
If you encounter problems with your email authentication setup, consider these common issues:
- DNS propagation delays: Changes can take 24-48 hours to fully propagate
- Formatting errors: Ensure there are no extra spaces or characters in your DNS records
- Incorrect record names: Double-check the exact naming format (especially for DKIM and DMARC)
- Conflicting records: Look for and remove any duplicate records
Properly configuring DKIM, DMARC, and SPF for your Google Workspace domain is essential for maintaining email security and deliverability. By following this guide, you've taken significant steps toward protecting your domain from email spoofing and ensuring your messages reach their intended recipients.
Remember to regularly check your DMARC reports and gradually increase your policy strictness from p=none to p=quarantine or p=reject as you confirm legitimate emails are passing authentication.
Need more help? Contact your Google Workspace administrator or visit Google Workspace Support