Google Workspace DNS setup

From JCWiki
Revision as of 14:07, 30 November 2025 by Matt

Google's top-level documentation on adding and managing domains for Google Workspace:

https://support.google.com/a/topic/3540977

Basic overview

  • Verify domain ownership (requires client creating custom TXT record)
  • Add Google MX record
  • Add Google SPF record
  • Add DMARC record "p=none"
  • Add DKIM record (optional, recommended, requires client creating custom TXT record)
  • Change DMARC record to "p=reject"

Verify domain ownership

https://support.google.com/a/topic/9196
Typically domain ownership is verified with a DNS TXT record:
https://support.google.com/a/answer/16018515
The DNS TXT record used to verify ownership is unique to each domain and looks like:

Type: TXT
Host: @
Value: "google-site-verification=..."

Add MX record

Note that previously multiple "aspmx" records were used (and these are still supported for older domains) but going forward all domains can now use this single record:

Type: MX
Host: @
Value: smtp.google.com

Add SPF record

This record is the same for all Google Workspace domains. Note that we have modified the Google default in two ways: we added "a", so that mail is also validated against any "A" records in DNS that point to JCI hosting, and we changed "~all" to "-all" for stricter enforcement.

Type: TXT
Host: @
Value: "v=spf1 a include:_spf.google.com -all"

Add DMARC record

https://support.google.com/a/answer/2466580
All Google Workspace domains can use the same DMARC record(s):

Type: TXT
Name: _dmarc.example.com
Initial Value: "v=DMARC1; p=none;"
Final Value: "v=DMARC1; p=reject; pct=100; adkim=s; aspf=s;"

  1. Make sure the SPF TXT record is in place first, then add the initial "p=none" DMARC record.
  2. Next add DKIM, once that's in place change DMARC to the final "p=reject" version.

While technically DMARC is optional, it's highly recommended.
Additional details from Google on a phased rollout:
https://support.google.com/a/answer/10032473

Add DKIM record

Google DKIM setup requires generating a unique DKIM key pair via the Google Admin console:
https://support.google.com/a/answer/174124
The key will then look something like:

Type: TXT
Host: google._domainkey.example.com
Value: "v=DKIM1; k=rsa; p=..."
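
The rollout order described above (SPF first, DMARC "p=none", then DKIM, then "p=reject") can be checked against a domain's TXT records before each change. The following is an added example, not part of the original wiki page: the function names, the zone dictionaries and the DKIM key value are constructed for illustration, and in practice the TXT strings would come from a DNS lookup.

```python
# Added example. Zone contents are constructed samples, not real DNS lookups.

def parse_tags(txt):
    """Split a 'k=v; k=v' record (DMARC or DKIM) into a dict."""
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def next_step(zone, domain, selector="google"):
    """Return the next rollout action; zone maps DNS name -> list of TXT strings."""
    spf = [t for t in zone.get(domain, []) if t.lower().startswith("v=spf1")]
    if len(spf) != 1:  # none published, or several (an SPF permerror)
        return "fix SPF: exactly one v=spf1 record required"
    terms = spf[0].lower().split()
    if "include:_spf.google.com" not in terms or terms[-1] != "-all":
        return "fix SPF: include:_spf.google.com and -all expected"
    dmarc = [parse_tags(t) for t in zone.get("_dmarc." + domain, [])
             if t.upper().startswith("V=DMARC1")]
    if len(dmarc) != 1:
        return "add DMARC p=none"
    dkim = [parse_tags(t) for t in zone.get(f"{selector}._domainkey.{domain}", [])]
    # An empty p= tag means the key is revoked, so it does not count.
    if not any(d.get("v", "DKIM1") == "DKIM1" and d.get("p") for d in dkim):
        return "add DKIM"
    if dmarc[0].get("p", "").lower() != "reject":
        return "change DMARC to p=reject"
    return "done"

DOMAIN = "example.com"
SPF = "v=spf1 a include:_spf.google.com -all"  # value from the page
REJECT = "v=DMARC1; p=reject; pct=100; adkim=s; aspf=s;"  # value from the page
# Constructed placeholder key, not a real public key.
DKIM = {"google._domainkey." + DOMAIN: ["v=DKIM1; k=rsa; p=Q09OU1RSVUNURUQ="]}
ZONES = {
    "spf only":     {DOMAIN: ["google-site-verification=CONSTRUCTED", SPF]},
    "monitoring":   {DOMAIN: [SPF], "_dmarc." + DOMAIN: ["v=DMARC1; p=none;"]},
    "dkim ready":   {DOMAIN: [SPF], "_dmarc." + DOMAIN: ["v=DMARC1; p=none;"], **DKIM},
    "reject early": {DOMAIN: [SPF], "_dmarc." + DOMAIN: [REJECT]},
    "finished":     {DOMAIN: [SPF], "_dmarc." + DOMAIN: [REJECT], **DKIM},
    "two spf":      {DOMAIN: [SPF, "v=spf1 include:_spf.google.com ~all"]},
}

if __name__ == "__main__":
    for label, zone in ZONES.items():
        print(f"{label:13} -> {next_step(zone, DOMAIN)}")
```

The "reject early" case is the one to watch for: the final DMARC record is published but no usable DKIM key exists at the "google" selector, so the check still reports "add DKIM".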