Set up domain records for G Suite Gmail
Gmail is a core app of G Suite. However, setting up domain records for Gmail requires a few steps to ensure the service works properly:
- Clear existing MX and SPF records
- Add MX record for G Suite Gmail
- Add SPF record
- Add DKIM record
- Add DMARC record
Failing to set up SPF, DKIM and DMARC records may cause your organization's emails to be marked as untrustworthy and end up in the spam folder.
Clear existing MX and SPF records
When you buy a domain from a registrar, certain registrars may pre-set the domain's MX and SPF records to point to their own free email services. These records need to be removed before configuring MX records for Gmail:
- Remove all records of type MX
- Remove any TXT record whose value contains the string spf
Add MX record for Gmail
Add the following MX records to your domain:
Name/Host/Alias | Time to Live (TTL*) | Record Type | Priority | Value/Answer/Destination |
---|---|---|---|---|
@ or leave blank | 3600 | MX | 1 | ASPMX.L.GOOGLE.COM. |
@ or leave blank | 3600 | MX | 5 | ALT1.ASPMX.L.GOOGLE.COM. |
@ or leave blank | 3600 | MX | 5 | ALT2.ASPMX.L.GOOGLE.COM. |
@ or leave blank | 3600 | MX | 10 | ALT3.ASPMX.L.GOOGLE.COM. |
@ or leave blank | 3600 | MX | 10 | ALT4.ASPMX.L.GOOGLE.COM. |
Reference: https://support.google.com/a/answer/140034?hl=en
Authorize Google server with SPF record
An SPF record prevents spammers from spoofing your domain.
Add the following TXT record to your domain:
- Name/Host/Alias: Enter @ or leave it blank. Your other DNS records might indicate which entry is correct.
- Time to Live (TTL): Enter 3600 or leave the default.
- Value/Answer/Destination: Enter v=spf1 include:_spf.google.com ~all
Reference: https://support.google.com/a/answer/33786?hl=en
Authenticate email with DKIM
DKIM helps prevent email spoofing on outgoing messages. It verifies that message content is authentic and has not been changed.
To generate a DKIM key, go to Google Admin console -> Apps -> G Suite -> Gmail -> Authenticate email -> Generate new record.
A TXT record name and value pair will be displayed. Use them to add a TXT record with the following values:
- Name/Host/Alias: generated record name
- Value: generated record value
Then go back to Google Admin and click Start Authentication.
Reference: https://support.google.com/a/answer/174124?hl=en&ref_topic=2752442
Manage suspicious emails with DMARC
DMARC helps email senders and receivers verify messages and defines what action to take on suspicious emails.
DMARC uses SPF and DKIM to verify messages, so SPF and DKIM need to be configured before DMARC.
Create a TXT record with the key _dmarc.your_domain.com
For the value, DMARC has many options, which can be confusing, so here are some examples for quick use.
No actions taken
v=DMARC1; p=none; rua=mailto:postmaster@your_domain.com
Quarantine message
v=DMARC1; p=quarantine; pct=5; rua=mailto:postmaster@your_domain.com
Reject message
v=DMARC1; p=reject; rua=mailto:postmaster@your_domain.com, mailto:dmarc@your_domain.com
Remember to replace postmaster and your_domain.com with your appropriate values.
Reference: https://support.google.com/a/answer/2466580?hl=en&ref_topic=2759254
Verify that all records work properly
Go to https://toolbox.googleapps.com/apps/checkmx/, fill in your domain name and run the check. An all-green result indicates that all records are properly configured.
If there are any warnings, click the link next to each one to visit the appropriate Google support doc and follow the instructions.
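The same checks can be scripted against an exported record set. The following is an added example, not code from this guide or from Google: it audits MX, SPF and DMARC data for the mistakes the steps above guard against (registrar records left in place, a duplicate SPF record, a DMARC policy that takes no action). The function names, the registrar host names and the sample records are constructed for illustration.

```python
# Added example: offline audit of the records this guide sets up.
# All record data below is constructed sample input, not a live DNS lookup.
GOOGLE_MX = {"aspmx.l.google.com": 1, "alt1.aspmx.l.google.com": 5,
             "alt2.aspmx.l.google.com": 5, "alt3.aspmx.l.google.com": 10,
             "alt4.aspmx.l.google.com": 10}

def parse_dmarc(txt):
    """Split 'v=DMARC1; p=none; ...' into a lowercase tag -> value dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit(mx, apex_txt, dmarc_txt):
    """mx: [(priority, host)]; apex_txt, dmarc_txt: lists of TXT strings."""
    findings = []
    seen = {host.rstrip(".").lower(): prio for prio, host in mx}
    for host in sorted(set(seen) - set(GOOGLE_MX)):
        findings.append(f"leftover MX: {host}")
    for host, prio in GOOGLE_MX.items():
        if seen.get(host) != prio:
            findings.append(f"missing or wrong priority: {host}")
    # RFC 7208: more than one v=spf1 record makes SPF evaluation fail (permerror).
    spf = [t.lower().split() for t in apex_txt if t.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        findings.append(f"expected exactly 1 SPF record, found {len(spf)}")
    elif "include:_spf.google.com" not in spf[0]:
        findings.append("SPF does not include _spf.google.com")
    dmarc = [parse_dmarc(t) for t in dmarc_txt]
    dmarc = [d for d in dmarc if d.get("v", "").upper() == "DMARC1"]
    if len(dmarc) != 1:
        findings.append(f"expected exactly 1 DMARC record, found {len(dmarc)}")
    elif dmarc[0].get("p", "").lower() not in ("none", "quarantine", "reject"):
        findings.append("DMARC record has no valid p= policy")
    elif dmarc[0]["p"].lower() == "none":
        findings.append("DMARC p=none: no action is taken on failing mail")
    return findings

# Constructed sample: the registrar's pre-set MX and SPF records were never cleared.
SAMPLE_MX = [(p, h.upper() + ".") for h, p in GOOGLE_MX.items()] + [(20, "mail.registrar.example.")]
SAMPLE_TXT = ["v=spf1 include:spf.registrar.example ~all",
              "v=spf1 include:_spf.google.com ~all"]
SAMPLE_DMARC = ["v=DMARC1; p=quarantine; pct=5; rua=mailto:postmaster@example.com"]

if __name__ == "__main__":
    for finding in audit(SAMPLE_MX, SAMPLE_TXT, SAMPLE_DMARC):
        print(finding)
```

An empty findings list corresponds to the all-green result described above; DKIM is not covered because its record name and value are generated per domain in the Admin console.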