Guides • Last Updated 3rd April 2026 4 min read

DNS Records Required for Google Workspace (Complete Setup Guide)

Complete guide to Google Workspace DNS records including MX, SPF, DKIM, DMARC, and domain verification. Includes real record examples and setup best practices.

Tools For This Topic

Email Header Analysis

Analyze email headers for SPF, DKIM, DMARC, and routing clues.

Email Provider Setup Checker

Compare Google Workspace or Microsoft 365 mail DNS patterns.

Email Security Check

Review SPF, DMARC, DKIM, MTA-STS, TLS-RPT, and BIMI together.

Why Google Workspace needs several DNS records

A Google Workspace deployment relies on multiple DNS record types to function correctly, including domain verification, email routing, and email authentication.

Each of these components depends on DNS, meaning an incomplete or incorrect setup can lead to failed verification, broken mail flow, or poor email deliverability.

Google provides official guidance on required DNS configuration in their admin documentation.

For this reason, DNS setup should always be treated as a complete system rather than a single change.

Common records involved

  • TXT record for domain verification (google-site-verification)
  • MX records for inbound email routing to Google
  • TXT record for SPF (authorising Google mail servers)
  • DKIM record for signing outbound email
  • DMARC record for policy enforcement and reporting

MX records in Google Workspace

Google Workspace now supports a simplified standard MX configuration for new setups, using a single MX destination for inbound email.

Google's current documented MX value for Google Workspace is:

Priority 1 -> smtp.google.com

This is the current value documented by Google for setting up Gmail delivery in Google Workspace.

Google also notes that legacy MX values beginning with aspmx are still supported for older deployments, so some existing environments will still use the older five-record layout.

1 aspmx.l.google.com
5 alt1.aspmx.l.google.com
5 alt2.aspmx.l.google.com
10 alt3.aspmx.l.google.com
10 alt4.aspmx.l.google.com

If legacy MX records from a previous provider remain in place, or if old and new mail-routing designs are mixed incorrectly, mail routing can become inconsistent and cause intermittent delivery issues.

TXT records in Google Workspace

TXT records are used for two primary purposes in Google Workspace: domain verification and SPF.

Domain verification records typically look like:

google-site-verification=example-verification-token

SPF records define which servers are authorised to send email on behalf of your domain. A typical Google Workspace SPF record is:

v=spf1 include:_spf.google.com -all

It is important that only one SPF record exists. If multiple SPF records are published, SPF validation can fail completely.

DKIM configuration in Google Workspace

DKIM (DomainKeys Identified Mail) is used to cryptographically sign outgoing emails, allowing receiving servers to verify message integrity and authenticity.

In Google Workspace, DKIM is configured via the admin console, which generates a DNS TXT record and requires signing to be enabled after the DNS record is published.

google._domainkey.example.com TXT "v=DKIM1; k=rsa; p=PUBLICKEY"

The exact selector is not always literally google. You should always use the selector provided in the admin console.

DMARC configuration

DMARC builds on SPF and DKIM to define how receiving servers should handle authentication failures.

_dmarc.example.com TXT "v=DMARC1; p=none; rua=mailto:dmarc@example.com"

Policies can be strengthened over time from monitoring to enforcement as confidence increases.

What to check during setup

  • The verification TXT record is present and valid
  • The MX configuration matches your intended Google Workspace setup
  • If using the current Google setup, the MX destination is smtp.google.com with the documented priority
  • If using a legacy Google setup, all MX records match the older Google pattern exactly
  • SPF includes _spf.google.com and does not exceed SPF lookup limits
  • No legacy MX or SPF records remain from previous providers unless intentionally required
  • The DKIM record is published with the correct selector and signing is enabled
  • The DMARC record is present and aligned with your policy goals

Common mistakes

  • Leaving old MX records active alongside Google records
  • Mixing current and legacy Google MX designs incorrectly
  • Publishing multiple SPF records instead of merging them
  • Forgetting to enable DKIM after adding the DNS record
  • Skipping DMARC configuration entirely
  • Using the wrong DKIM selector hostname
  • Assuming setup is complete without validating live mail flow

How to validate your Google Workspace DNS setup

After configuring DNS, validation is critical to ensure everything is working as expected.

Start by checking MX, TXT, and DKIM records using a DNS lookup tool.

Send a test email and review the message headers to confirm SPF, DKIM, and DMARC all pass.

A properly configured setup should result in aligned authentication and consistent mail delivery.

Use These DNS Pro Tools

If you want to validate this topic in practice, these DNS Pro tools are the fastest next step.

Related Articles

DNS Records Required for Microsoft 365 (Complete Setup Guide)

Complete guide to Microsoft 365 DNS records including MX, SPF, CNAME, DKIM, and DMARC. Includes real record examples and migration best practices.

How to Tell Which Email Provider a Domain Uses

Learn how to tell whether a domain uses Google Workspace, Microsoft 365, or another mail provider by reading MX, SPF, DKIM, and related DNS patterns.

How to Check DKIM Selectors (Step-by-Step Guide)

Learn how to find and check DKIM selectors, query DNS correctly, and troubleshoot missing or invalid DKIM records with real examples.