Set up domain records for G Suite Gmail


Gmail is a core app of G Suite. However, setting up domain records for Gmail takes a few steps to ensure the service works properly:

  • Clear existing MX and SPF records
  • Add MX record for G Suite Gmail
  • Add SPF record
  • Add DKIM record
  • Add DMARC record

Failing to set up SPF, DKIM and DMARC records may cause your organization's emails to be marked as untrustworthy and end up in the spam folder.

Clear existing MX and SPF records

When you buy a domain from a registrar, some registrars pre-set the domain's MX and SPF records to point to their free email services. These records need to be removed before configuring MX records for Gmail:

  • Remove all records of type MX
  • Remove any TXT record whose value contains the string spf

Add MX record for Gmail

Add the following MX records to your domain:

Name/Host/Alias | Time to Live (TTL*) | Record Type | Priority | Value/Answer/Destination
@ or leave blank | 3600 | MX | 1 | ASPMX.L.GOOGLE.COM.
@ or leave blank | 3600 | MX | 5 | ALT1.ASPMX.L.GOOGLE.COM.
@ or leave blank | 3600 | MX | 5 | ALT2.ASPMX.L.GOOGLE.COM.
@ or leave blank | 3600 | MX | 10 | ALT3.ASPMX.L.GOOGLE.COM.
@ or leave blank | 3600 | MX | 10 | ALT4.ASPMX.L.GOOGLE.COM.

Reference: https://support.google.com/a/answer/140034?hl=en

Authorize Google server with SPF record

An SPF record prevents spammers from spoofing your domain.

Add the following TXT record to your domain:

  • Name/Host/Alias: Enter @ or leave it blank. Your other DNS records might indicate which entry is correct.
  • Time to Live (TTL): Enter 3600 or leave the default.
  • Value/Answer/Destination: Enter v=spf1 include:_spf.google.com ~all

Reference: https://support.google.com/a/answer/33786?hl=en

Authenticate email with DKIM

DKIM helps prevent email spoofing on outgoing messages. It verifies that message content is authentic and has not been changed.

To generate a DKIM key, go to Google Admin console -> Apps -> G Suite -> Gmail -> Authenticate email -> Generate new record

A TXT record name and value pair will be displayed. Use them to add a TXT record with the following values:

  • Name/Host/Alias: generated record name
  • Value: generated record value

Then go back to Google Admin and click Start Authentication.

Reference: https://support.google.com/a/answer/174124?hl=en&ref_topic=2752442

Manage suspicious emails with DMARC

DMARC helps email senders and receivers verify messages and defines what action to take on suspicious emails.

DMARC uses SPF and DKIM to verify messages, so SPF and DKIM need to be configured before DMARC.

Create a TXT record with the name _dmarc.your_domain.com

For the value, DMARC has many options, which can be confusing, so here are some examples for quick use.

No actions taken

v=DMARC1; p=none; rua=mailto:postmaster@your_domain.com

Quarantine message

v=DMARC1; p=quarantine; pct=5; rua=mailto:postmaster@your_domain.com

Reject message

v=DMARC1; p=reject; rua=mailto:postmaster@your_domain.com, mailto:dmarc@your_domain.com

Remember to replace postmaster and your_domain.com with the appropriate values for your organization.

Reference: https://support.google.com/a/answer/2466580?hl=en&ref_topic=2759254

Verify that all records work properly

Go to https://toolbox.googleapps.com/apps/checkmx/, fill in your domain name and run the check. An all-green result indicates that all records are properly configured.

If there are any warnings, click the link next to each one to visit the appropriate Google support doc and follow the instructions.
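The steps above can also be pre-checked offline before running the Google tool. The following is an added example, not code from Google or from the original page: it audits a list of records exported from your DNS provider against the MX, SPF and DMARC values given on this page. The function names, the (name, type, value) tuple layout, example.com and the registrar hostnames are assumptions made for the example; DKIM is not checked because its record name and value are generated per domain.

```python
# Added example: offline audit of MX/SPF/DMARC records against the values on this page.
GOOGLE_MX = {"aspmx.l.google.com": 1, "alt1.aspmx.l.google.com": 5,
             "alt2.aspmx.l.google.com": 5, "alt3.aspmx.l.google.com": 10,
             "alt4.aspmx.l.google.com": 10}

def parse_tags(txt):
    """Split a 'tag=value; tag=value' DMARC record into a dict."""
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def audit(domain, records):
    """records: (fully qualified name, type, value) tuples; an MX value is 'priority host'.
    Returns a list of findings; an empty list means the records match the page."""
    findings, mx, spf, dmarc = [], {}, [], []
    for name, rtype, value in records:
        name = name.rstrip(".").lower()
        if rtype == "MX" and name == domain:
            prio, host = value.split()
            mx[host.rstrip(".").lower()] = int(prio)
        elif rtype == "TXT" and name == domain and value.lower().startswith("v=spf1"):
            spf.append(value)
        elif rtype == "TXT" and name == "_dmarc." + domain:
            dmarc.append(value)
    for host in sorted(set(mx) - set(GOOGLE_MX)):
        findings.append(f"leftover MX record: {host}")
    for host, prio in GOOGLE_MX.items():
        if mx.get(host) != prio:
            findings.append(f"MX {host} should exist with priority {prio}")
    # More than one v=spf1 record makes SPF evaluation fail with a permanent error (RFC 7208).
    if len(spf) != 1:
        findings.append(f"expected exactly 1 SPF record, found {len(spf)}")
    elif "include:_spf.google.com" not in spf[0].lower().split():
        findings.append("SPF record does not include _spf.google.com")
    if len(dmarc) != 1:
        findings.append(f"expected exactly 1 DMARC record, found {len(dmarc)}")
    else:
        tags = parse_tags(dmarc[0])
        if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
            findings.append("DMARC record needs v=DMARC1 and p=none|quarantine|reject")
    return findings

# Constructed sample zones: GOOD follows this page; STALE never cleared registrar defaults.
GOOD = [("example.com", "MX", f"{p} {h}.") for h, p in GOOGLE_MX.items()] + [
    ("example.com", "TXT", "v=spf1 include:_spf.google.com ~all"),
    ("_dmarc.example.com", "TXT", "v=DMARC1; p=none; rua=mailto:postmaster@example.com")]
STALE = GOOD + [("example.com", "MX", "10 mx.registrar.example."),
                ("example.com", "TXT", "v=spf1 include:spf.registrar.example ~all")]

if __name__ == "__main__":
    for finding in audit("example.com", STALE):
        print(finding)
```

The STALE zone shows why the first step matters: a leftover registrar MX record still attracts mail, and a second v=spf1 record breaks SPF even though the Google record is correct.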