Google Workspace Email: Domain Configuration

## Google Workspace: Professional Gmail Under Your Own Domain Google Workspace (formerly G Suite) is the most popular managed email solution for businesses of all sizes. It gives you Gmail's familiar interface, Google Drive, Meet, Calendar, and Docs — all tied to your own domain name. Instead of `[email protected]`, you get `[email protected]` while keeping everything you love about Google's ecosystem. This guide covers the complete technical setup: verifying domain ownership, configuring MX records, and adding SPF, DKIM, and DMARC authentication records. ## Before You Begin You'll need: - A Google Workspace account (start a trial at workspace.google.com) - Access to your domain's DNS (Domain Name System) management panel (through your Domain Registrar or a DNS provider like Cloudflare) - Approximately 30–60 minutes for DNS changes to propagate If you're not sure where your DNS is managed, use WHOIS Lookup Tool to look up your current nameservers, then log into whichever provider controls them. ## Step 1: Start the Google Workspace Setup Wizard After signing up for Google Workspace and entering your domain name, Google's setup wizard guides you through the process. Keep it open in one browser tab while you work in your DNS provider in another. Google will ask: **Do you already have a website?** Answer honestly — this affects which verification method they recommend (though the DNS TXT method works regardless). ## Step 2: Verify Domain Ownership Google requires proof that you control the domain before activating email service. The most reliable method is adding a TXT Record to your DNS (Domain Name System). ### Adding the Verification TXT Record In your DNS management panel, create a new TXT record: ``` Type: TXT Host: @ (or leave blank, or enter your bare domain — varies by provider) Value: google-site-verification=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TTL: 3600 ``` Google provides the exact verification string in the setup wizard. Copy it precisely — it's unique to your account. **Common DNS provider differences:** - **Cloudflare**: Host field is `@` - **Namecheap**: Host field is `@` - **GoDaddy**: Host field is left blank or `@` - **AWS Route 53**: Host field is your full domain name ending with a dot After saving the record, click **Verify** in the Google Workspace wizard. Verification typically works within a few minutes, but may take up to 30 minutes if your DNS provider's servers are slow to propagate. ## Step 3: Remove Existing MX Records Before adding Google's MX records, delete any existing MX records from your domain. This is the most commonly skipped step and causes split email delivery — some messages go to your old server, others to Google. Log into your DNS panel, find the MX records section, and delete all existing entries. If you're migrating from another email provider, first ensure you've exported any emails you want to keep. ## Step 4: Add Google's MX Records Add all five of Google's MX records: ``` Type Host Points to Priority MX @ ASPMX.L.GOOGLE.COM 1 MX @ ALT1.ASPMX.L.GOOGLE.COM 5 MX @ ALT2.ASPMX.L.GOOGLE.COM 5 MX @ ALT3.ASPMX.L.GOOGLE.COM 10 MX @ ALT4.ASPMX.L.GOOGLE.COM 10 ``` The priority numbers matter: lower means higher priority. Google's servers try the priority-1 server first, then fall back to priority-5 servers (load-balanced between ALT1 and ALT2), then priority-10 servers if needed. ### Setting TTL for Faster Propagation Set the TTL (Time To Live) to 300 (5 minutes) for these records during your initial setup. This allows changes to propagate quickly during testing. After everything is working correctly, raise the TTL to 3600 or higher to reduce DNS query load. Wait for DNS Propagation before testing — typically 15 minutes to 2 hours depending on your DNS provider. ## Step 5: Configure SPF SPF Record (Sender Policy Framework) tells receiving mail servers that Google is authorized to send email on behalf of your domain. Without it, your messages may be marked as spam. Add this TXT Record: ``` Type: TXT Host: @ Value: v=spf1 include:_spf.google.com ~all TTL: 3600 ``` **Important**: You can only have one SPF record per domain. If you already have an SPF record (from a previous email provider or your web host), you must merge them rather than create a second one: ``` v=spf1 include:_spf.google.com include:yourwebhost.com ~all ``` The `~all` at the end is a "soft fail" — email from unlisted servers is accepted but marked suspicious. Using `-all` (hard fail) is stricter and may cause delivery issues during transitions, so most administrators use `~all` initially and switch to `-all` after verifying all legitimate sending sources. ## Step 6: Configure DKIM DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every outbound email from your domain. Receiving servers verify this signature against the public key published in your DNS, confirming the email wasn't altered in transit. ### Generating the DKIM Key in Google Workspace 1. Log into the Google Admin Console (admin.google.com) 2. Navigate to **Apps > Google Workspace > Gmail** 3. Click **Authenticate email** 4. Select your domain from the dropdown 5. Click **Generate new record** Google generates a 2048-bit RSA key pair. Keep the default selector name `google` unless you have multiple DKIM configurations. ### Adding the DKIM TXT Record Google provides the record value. Add it to your DNS: ``` Type: TXT Host: google._domainkey Value: v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQ... TTL: 3600 ``` The Host field `google._domainkey` is the DKIM selector. The `p=` value contains your public key — it will be a long string of characters. After adding the record, wait 5–10 minutes, then return to the Google Admin Console and click **Start authentication**. Google will verify the record is in place before activating DKIM signing. ## Step 7: Configure DMARC DMARC builds on SPF and DKIM to give you control over what happens when authentication fails. It also provides reporting so you can see who is sending email from your domain. Add this TXT Record: ``` Type: TXT Host: _dmarc Value: v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1 TTL: 3600 ``` Start with `p=none` (monitor-only mode). This means failing emails are still delivered, but you receive reports about authentication failures. After reviewing the reports and confirming legitimate email is authenticating correctly, advance to `p=quarantine` (send failing email to spam) and eventually `p=reject` (block failing email entirely). The `rua` address receives aggregate reports (daily summaries). The `ruf` address receives forensic reports (individual failure notifications). ## Step 8: Return to the Google Workspace Wizard Once your DNS records are in place, return to the Google Workspace setup wizard and complete the remaining steps: - **Verify domain** — Google checks that your TXT record is present - **Verify MX records** — The wizard confirms email routing is configured - **Complete account setup** — Set billing, add users, configure policies ## Step 9: Create User Accounts and Email Addresses In the Google Admin Console: 1. Navigate to **Directory > Users** 2. Click **Add new user** 3. Enter name and email address (the part before `@yourdomain.com`) 4. Set a temporary password You can also create **groups** (which function as email aliases or shared inboxes) and **aliases** (additional addresses that deliver to an existing user's inbox). ## Step 10: Test Email Delivery Send test emails in both directions: 1. **Outbound**: Send from your new Google Workspace address to a Gmail or Outlook.com account 2. **Inbound**: Send from an external account to your new address 3. **Check headers**: In Gmail, click the three dots → "Show original" to see authentication results You should see: ``` Authentication-Results: dkim=pass [email protected]; spf=pass (google.com: domain of [email protected] designates ...); dmarc=pass ``` If any authentication check fails, revisit the corresponding DNS record. Use DNS Record Helper to verify records are visible from external resolvers. ## Common Google Workspace DNS Mistakes **Using `ASPMX.L.GOOGLE.COM.` with a trailing dot**: Some DNS panels require trailing dots (FQDN format), others don't. If your provider requires it, add the dot. If you see errors about the record format, try removing or adding the trailing dot. **Adding DKIM before generating the key**: You must generate the key in Google Admin Console first, then copy the provided value to DNS. The value isn't predictable in advance. **Multiple SPF records**: DNS allows only one SPF TXT record per host. Combine all `include:` directives into a single record. **Wrong DKIM selector**: The Host field must exactly match what Google specifies — `google._domainkey` (with an underscore, not a dot). ## Google Workspace Plans at a Glance | Plan | Storage | Price | Best For | |---|---|---|---| | Business Starter | 30 GB pooled | $6/user/month | Small teams | | Business Standard | 2 TB pooled | $12/user/month | Growing teams | | Business Plus | 5 TB pooled | $18/user/month | Compliance needs | | Enterprise | Unlimited | Custom | Large orgs | Storage is now pooled across all users rather than per-user, which means a team of 10 on Business Starter shares 300 GB total. ## Next Steps With Google Workspace email running, explore: - **MX Records Deep Dive: Email Routing Explained** — Understand priority and failover in depth - **SPF, DKIM, DMARC: Email Authentication Trilogy** — The authentication trilogy explained - **Email Deliverability: How Domain Reputation Matters** — Maintaining strong sender reputation - **Email Forwarding vs Full Email Hosting** — When forwarding might be enough Google Workspace's combination of infrastructure reliability, familiar UI, and deep integration with other Google services makes it the default choice for millions of businesses. With your DNS configured correctly, you'll have professional email that's both trustworthy and powerful.