Google Workspace DNS setup: Difference between revisions
Jump to navigation
Jump to search
Created page with "= Top level doc re: how to add and manage domains to work with Google Workspace: = https://support.google.com/a/topic/3540977 <br /> = Basic overview: = * Verify domain ownership (requires client creating custom TXT record) ** Add Google MX record ** Add Google SPF record ** Add DMARC record "p=none" *** Add DKIM record (optional, recommended, requires client creating custom TXT record) **** Change DMARC record to "p=reject" <br /> = Verify domain ownership: = https://su..." |
No edit summary |
||
| Line 1: | Line 1: | ||
= Top level doc re: how to add and manage domains to work with Google Workspace | = Top level doc re: how to add and manage domains to work with Google Workspace = | ||
https://support.google.com/a/topic/3540977 | https://support.google.com/a/topic/3540977 | ||
= Basic overview | = Basic overview = | ||
* Verify domain ownership (requires client creating custom TXT record) | * Verify domain ownership (requires client creating custom TXT record) | ||
** Add Google MX record | ** Add Google MX record | ||
| Line 9: | Line 9: | ||
*** Add DKIM record (optional, recommended, requires client creating custom TXT record) | *** Add DKIM record (optional, recommended, requires client creating custom TXT record) | ||
**** Change DMARC record to "p=reject" | **** Change DMARC record to "p=reject" | ||
= Verify domain ownership | = Verify domain ownership = | ||
https://support.google.com/a/topic/9196<br /> | https://support.google.com/a/topic/9196<br /> | ||
Typically domain ownership is verified with a DNS TXT record:<br /> | Typically domain ownership is verified with a DNS TXT record:<br /> | ||
| Line 18: | Line 18: | ||
Host: @ | Host: @ | ||
Value: "google-site-verification=..." | Value: "google-site-verification=..." | ||
= Add MX record | = Add MX record = | ||
Note that previously multiple "aspmx" records were used (and these are still supported for older domains) but going forward all domains can now use this single record: | Note that previously multiple "aspmx" records were used (and these are still supported for older domains) but going forward all domains can now use this single record: | ||
Type: MX | Type: MX | ||
Host: @ | Host: @ | ||
Value: smtp.google.com | Value: smtp.google.com | ||
= Add SPF record | = Add SPF record = | ||
This record is the same for all Google Workspace domains. Note that we have modified the Google default by adding "a" to the record to validate against any "A" records in DNS that point to JCI hosting and changing "~all" to "-all" for stricter enforcement. | This record is the same for all Google Workspace domains. Note that we have modified the Google default by adding "a" to the record to validate against any "A" records in DNS that point to JCI hosting and changing "~all" to "-all" for stricter enforcement. | ||
Type: TXT | Type: TXT | ||
Host: @ | Host: @ | ||
Value: "v=spf1 a include:_spf.google.com -all" | Value: "v=spf1 a include:_spf.google.com -all" | ||
= Add DMARC record | = Add DMARC record = | ||
https://support.google.com/a/answer/2466580<br /> | https://support.google.com/a/answer/2466580<br /> | ||
All Google Workspace domains can use the same DMARC record(s): | All Google Workspace domains can use the same DMARC record(s): | ||
| Line 43: | Line 43: | ||
Additional details from google on a phased rollout:<br /> | Additional details from google on a phased rollout:<br /> | ||
https://support.google.com/a/answer/10032473<br /> | https://support.google.com/a/answer/10032473<br /> | ||
= Add DKIM record | = Add DKIM record = | ||
Google DKIM setup requires generating a unique DKIM key pair via the Google Admin console:<br /> | Google DKIM setup requires generating a unique DKIM key pair via the Google Admin console:<br /> | ||
https://support.google.com/a/answer/174124<br /> | https://support.google.com/a/answer/174124<br /> | ||
Latest revision as of 14:07, 30 November 2025
Top level doc re: how to add and manage domains to work with Google Workspace[edit]
https://support.google.com/a/topic/3540977
Basic overview[edit]
- Verify domain ownership (requires client creating custom TXT record)
- Add Google MX record
- Add Google SPF record
- Add DMARC record "p=none"
- Add DKIM record (optional, recommended, requires client creating custom TXT record)
- Change DMARC record to "p=reject"
- Add DKIM record (optional, recommended, requires client creating custom TXT record)
Verify domain ownership[edit]
https://support.google.com/a/topic/9196
Typically domain ownership is verified with a DNS TXT record:
https://support.google.com/a/answer/16018515
DNS TEXT record to verify ownership will be unique for each domain and will look like:
Type: A Host: @ Value: "google-site-verification=..."
Add MX record[edit]
Note that previously multiple "aspmx" records were used (and these are still supported for older domains) but going forward all domains can now use this single record:
Type: MX Host: @ Value: smtp.google.com
Add SPF record[edit]
This record is the same for all Google Workspace domains. Note that we have modified the Google default by adding "a" to the record to validate against any "A" records in DNS that point to JCI hosting and changing "~all" to "-all" for stricter enforcement.
Type: TXT Host: @ Value: "v=spf1 a include:_spf.google.com -all"
Add DMARC record[edit]
https://support.google.com/a/answer/2466580
All Google Workspace domains can use the same DMARC record(s):
Type: TXT Name: _dmarc.example.com Initial Value: "v=DMARC1; p=none;" Final Value: "v=DMARC1; p=reject; pct=100; adkim=s; aspf=s;"
- Make sure the SPF TXT record is in place first, then add the initial "p=none" DMARC record.
- Next add DKIM, once that's in place change DMARC to the final "p=reject" version.
While techincally DMARC is optional it's highly recommneded.
Additional details from google on a phased rollout:
https://support.google.com/a/answer/10032473
Add DKIM record[edit]
Google DKIM setup requires generating a unique DKIM key pair via the Google Admin console:
https://support.google.com/a/answer/174124
The key will then look something like:
Type: TXT Host: google._domainkey.example.com Value: "v=DKIM1; k=rsa; p=..."