How to Securely Configure Google Workspace Email on Cloudflare DNS

Estimated reading time: 12–15 minutes

Estimated implementation time: 45–90 minutes (starting immediately after registering for Google Workspace)

Who is this for?

Technically confident individuals who understand DNS concepts but have never configured Google Workspace email authentication before. This guide provides everything needed for a clean, secure, first‑time setup without guesswork.


Overview

Setting up Google Workspace email correctly is essential for deliverability, security, and preventing spoofing. When DNS is hosted on Cloudflare, the process requires precise manual configuration — especially for businesses with strict security requirements.

This guide walks through the full process using example.com instead of a live client domain. It covers SPF, DKIM, DMARC, MTA-STS, TLS-RPT, and includes a testing protocol and AI-assisted verification.


Why Manual DNS Configuration Matters

Google Workspace will offer to automatically configure your DNS when adding a new domain. Do not allow this. Always choose manual configuration.

Manual control ensures:

  • DNS settings never get overwritten
  • Cloudflare security features remain intact
  • You maintain consistent SPF, DKIM, DMARC, and MTA-STS policies

Step 1 — Verify the Domain in Google Workspace

In the Google Admin Console:

  1. Go to Apps → Google Workspace → Gmail → Setup
  2. Copy the verification TXT record
  3. Add it to Cloudflare DNS:

Name: @

Type: TXT

Value: google-site-verification=xxxxxxxxx


Step 2 — Add Google Workspace MX Records

Use the modern single-record MX provided by Google:

Name: @

Type: MX

Priority: 1

Value: smtp.google.com

TTL: Auto

Proxy: DNS Only


Step 3 — Configure SPF (with Optional Web Host Include)

SPF specifies which mail servers are authorised to send email for your domain.

If you also send mail through your web host (e.g., transactional mail from forms), include its SPF entry. If not, omit it.

Basic Google Workspace SPF

Name: @

Type: TXT

Value: v=spf1 include:_spf.google.com -all

Google Workspace + Optional Web Host

Name: @

Type: TXT

Value: v=spf1 include:_spf.google.com include:_spf.examplehost.com -all

Notes:

  • Only one SPF record may exist per domain; a second v=spf1 TXT record makes SPF evaluation fail with a permanent error.
  • Use -all (hard fail) so receivers reject mail from unlisted senders rather than merely flagging it.

Step 4 — Enable and Publish DKIM

  1. In Admin Console: Gmail → Authenticate Email
  2. Select 2048-bit DKIM key
  3. Google generates a TXT record:

Name: google._domainkey

Type: TXT

Value: (DKIM public key)

  4. Add it to Cloudflare
  5. Click Start Authentication

Step 5 — Add a DMARC Policy

DMARC tells receiving servers how to handle mail that fails authentication, and it requires that the domain validated by SPF or DKIM aligns with the From header domain.

Name: _dmarc

Type: TXT

Value: v=DMARC1; p=reject; adkim=r; aspf=r; pct=100

Notes:

  • Relaxed alignment (r) avoids issues when Gmail rewrites headers.
  • Strict alignment (s) provides maximum enforcement but may cause DMARC failures if aliasing or forwarding is involved. We have been unable to use strict alignment with Google Workspace without emails dropping into spam.

Step 6 — Configure MTA-STS (Recommended for High-Security Domains)

MTA-STS lets the receiving domain require TLS, with a valid certificate for the MX host, during SMTP delivery, which prevents downgrade and MITM attacks.

Step 6.1 — Add TXT Declaration

Name: _mta-sts

Type: TXT

Value: v=STSv1; id=20250101

The id must change (for example, to the current date) every time the policy file is edited; otherwise sending servers keep using their cached copy of the old policy.

Step 6.2 — Create the HTTPS Policy File

Create a folder structure on your computer:

mta-sts/
    .well-known/
        mta-sts.txt

Inside mta-sts.txt:

version: STSv1
mode: enforce
mx: smtp.google.com
max_age: 604800

Step 6.3 — Deploy via Cloudflare Pages

  1. Go to Workers & Pages → Pages → Create a Project
  2. Choose Upload Assets
  3. Upload the mta-sts folder
  4. Deploy
  5. Add a custom domain: mta-sts.example.com

Step 6.4 — Add CNAME in Cloudflare DNS

Name: mta-sts

Type: CNAME

Value: <yourproject>.pages.dev

Proxy: Proxied (orange)

Step 6.5 — Verify

Visit:

https://mta-sts.example.com/.well-known/mta-sts.txt

Use:

  • https://www.hardenize.com
  • https://ssl-tools.net/mta-sts

Step 7 — TLS Reporting (Optional)

Name: _smtp._tls

Type: TXT

Value: v=TLSRPTv1

If you want receiving servers to send you TLS failure reports, add a reporting address:

v=TLSRPTv1; rua=mailto:tls@example.com


Step 8 — Testing Protocol (Critical)

8.1 Send a Baseline Test Email

From user@example.com to a Gmail address.

Check:

  • Does it arrive?
  • Does it land in the Inbox or Spam?

8.2 Analyse Headers in Gmail

  1. Open the message → three dots → Show original
  2. Confirm:
    • SPF: PASS
    • DKIM: PASS
    • DMARC: PASS

8.3 AI-Assisted Authentication & DNS Analysis

Email Header Analysis

Download the full headers and the original message source, paste them into an AI assistant, and ask:

  • Why did SPF/DKIM/DMARC pass/fail?
  • Are domains aligned?
  • Any forwarding or alias issues?
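The alignment rules from Step 5 and the header check in 8.2/8.3, as an added example that is not code from the original guide: it parses a constructed Authentication-Results header in the form Gmail's Show original view displays and evaluates DMARC alignment under relaxed and strict modes. The organizational-domain rule is simplified to the last two labels (real DMARC uses the Public Suffix List).

```python
import re

# Constructed Authentication-Results header in the form Gmail's "Show original" shows
# (not copied from a real message): envelope sender on a subdomain, DKIM signed by the apex.
SAMPLE_AUTH_RESULTS = (
    "mx.google.com; dkim=pass header.i=@example.com header.s=google header.b=AbCdEf12; "
    "spf=pass (google.com: domain of user@mail.example.com designates 209.85.220.41 as "
    "permitted sender) smtp.mailfrom=user@mail.example.com; "
    "dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=example.com"
)

def parse_auth_results(header: str) -> dict:
    """Pull out the spf/dkim/dmarc verdicts and the domain each verdict was evaluated on."""
    out = {}
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", header)
        if m:
            out[mech] = m.group(1).lower()
    patterns = {
        "spf_domain": r"smtp\.mailfrom=(?:[^@\s;]+@)?([^\s;]+)",   # envelope-from (MAIL FROM) domain
        "dkim_domain": r"header\.(?:i=@|d=)([^\s;]+)",              # domain of the verified signature
        "from_domain": r"header\.from=([^\s;]+)",                   # RFC5322.From domain DMARC aligns to
    }
    for key, pat in patterns.items():
        m = re.search(pat, header)
        if m:
            out[key] = m.group(1).lower()
    return out

def org_domain(name: str) -> str:
    # Simplified organizational domain (last two labels). Real DMARC uses the Public
    # Suffix List, so names under suffixes like co.uk need a PSL lookup instead.
    return ".".join(name.split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') accepts the same organizational domain."""
    if mode == "s":
        return auth_domain == from_domain
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_outcome(results: dict, adkim: str = "r", aspf: str = "r") -> dict:
    """DMARC passes if either SPF or DKIM passes *and* its domain aligns with header.from."""
    frm = results["from_domain"]
    spf_ok = results.get("spf") == "pass" and aligned(results.get("spf_domain", ""), frm, aspf)
    dkim_ok = results.get("dkim") == "pass" and aligned(results.get("dkim_domain", ""), frm, adkim)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok, "dmarc_pass": spf_ok or dkim_ok}
```

With the sample header, switching aspf to s drops SPF alignment (mail.example.com is not example.com) and DMARC survives only on the DKIM signature, which is the failure mode the strict-alignment note in Step 5 describes.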

DNS Zone File Analysis

  1. Cloudflare → DNS → Export
  2. Upload zone file to AI
  3. Ask it to review:
    • Duplicate/conflicting SPF records
    • DMARC placement (_dmarc)
    • DKIM selector presence
    • MTA-STS records and CNAMEs
    • TXT formatting issues

8.4 Re-test After Any Change

Send a fresh email with a new subject (Test 2, Test 3) until:

  • SPF = PASS
  • DKIM = PASS
  • DMARC = PASS
  • Inbox placement is consistent

Example Cloudflare DNS Configuration (Using example.com)

;; MX
example.com.                      IN MX 1 smtp.google.com.

;; SPF
example.com.                      IN TXT "v=spf1 include:_spf.google.com -all"

;; DKIM
google._domainkey.example.com.    IN TXT "v=DKIM1; k=rsa; p=MIIBI..."

;; DMARC
_dmarc.example.com.               IN TXT "v=DMARC1; p=reject; adkim=r; aspf=r; pct=100"

;; MTA-STS
_mta-sts.example.com.             IN TXT "v=STSv1; id=20250101"
mta-sts.example.com.              IN CNAME mta-sts-example.pages.dev.

;; TLS-RPT
_smtp._tls.example.com.           IN TXT "v=TLSRPTv1"

;; Google verification
example.com.                      IN TXT "google-site-verification=xxxxxxx"
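The zone checklist in 8.3 and the example zone above, as an added example that is not code from the original guide: an offline checker that parses a Cloudflare-style zone export (constructed inline from this guide's example.com records) and applies the checklist, including a cross-check that the MTA-STS policy's mx line matches the published MX host. The checks test record shape only, not live DNS resolution.

```python
import re
# Constructed zone export in Cloudflare's BIND-style layout: the example.com records
# from this guide. EXTRA_SPF is a deliberate second SPF record used to show a finding.
ZONE = """\
example.com.                      IN MX 1 smtp.google.com.
example.com.                      IN TXT "v=spf1 include:_spf.google.com -all"
google._domainkey.example.com.    IN TXT "v=DKIM1; k=rsa; p=MIIBI..."
_dmarc.example.com.               IN TXT "v=DMARC1; p=reject; adkim=r; aspf=r; pct=100"
_mta-sts.example.com.             IN TXT "v=STSv1; id=20250101"
mta-sts.example.com.              IN CNAME mta-sts-example.pages.dev.
_smtp._tls.example.com.           IN TXT "v=TLSRPTv1; rua=mailto:tls@example.com"
"""
EXTRA_SPF = 'example.com.  IN TXT "v=spf1 include:_spf.examplehost.com ~all"\n'
# Constructed copy of the policy file this guide publishes at /.well-known/mta-sts.txt
MTA_STS_POLICY = "version: STSv1\nmode: enforce\nmx: smtp.google.com\nmax_age: 604800\n"
RR = re.compile(r"^(\S+)\s+IN\s+(\w+)\s+(.*)$")

def parse_zone(text):
    """Return (name, type, value) tuples; ';' comments and blank lines are skipped."""
    recs = []
    for line in text.splitlines():
        m = RR.match(line.strip())
        if not m or line.lstrip().startswith(";"):
            continue
        name, rtype, val = m.groups()
        if rtype == "TXT":
            val = "".join(re.findall(r'"([^"]*)"', val))  # concatenate quoted strings
        else:
            val = val.split()[-1].rstrip(".")  # host part of an MX or CNAME
        recs.append((name.rstrip(".").lower(), rtype, val))
    return recs

def check_zone(recs, domain, policy):
    """Apply the 8.3 checklist; returns the list of problems found (empty means clean)."""
    txt = lambda name: [v for n, t, v in recs if n == name and t == "TXT"]
    spf = [v for v in txt(domain) if v.startswith("v=spf1")]
    dmarc, sts = txt(f"_dmarc.{domain}"), txt(f"_mta-sts.{domain}")
    mx_hosts = {v for n, t, v in recs if n == domain and t == "MX"}
    policy_mx = {l.split(":", 1)[1].strip() for l in policy.splitlines() if l.startswith("mx:")}
    checks = [
        (len(spf) == 1, f"expected exactly one SPF record at {domain}, found {len(spf)}"),
        (all(v.endswith("-all") for v in spf), "every SPF record should end with -all"),
        (bool(dmarc) and dmarc[0].startswith("v=DMARC1") and "p=" in dmarc[0], "_dmarc TXT missing or has no p= policy"),
        (any(v.startswith("v=DKIM1") for v in txt(f"google._domainkey.{domain}")), "DKIM selector google._domainkey not published"),
        (bool(sts) and re.fullmatch(r"v=STSv1;\s*id=\w+", sts[0]) is not None, "_mta-sts TXT missing or malformed"),
        (any(n == f"mta-sts.{domain}" and t == "CNAME" for n, t, _ in recs), "mta-sts CNAME to the policy host missing"),
        (policy_mx == mx_hosts, f"MTA-STS policy mx {policy_mx} differs from MX records {mx_hosts}"),
    ]
    return [msg for ok, msg in checks if not ok]
```

Running check_zone on ZONE alone returns no findings; appending EXTRA_SPF reproduces the duplicate-SPF problem the checklist warns about.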


Conclusion

By following these steps, you ensure:

  • Fully authenticated outgoing email
  • Protection against spoofing and phishing
  • TLS-enforced mail transport
  • High deliverability to Gmail, Outlook, Microsoft 365, Yahoo, and more
  • A hardened configuration suitable for security-sensitive organisations

This setup represents our best-practice Google Workspace email configuration when using Cloudflare as your DNS provider.

Important Caveat

Technical standards, Google Workspace authentication rules, and Cloudflare DNS behaviours change over time. Although this guide reflects what we believe to be a correct and working configuration at the time of writing, email security protocols evolve, and configuration errors can occur.

Readers should:

  • Verify all SPF, DKIM, DMARC, MTA-STS, and TLS-RPT records before deployment
  • Check the current Google Workspace documentation
  • Check Cloudflare’s latest DNS guidance
  • Validate settings with external tools (Hardenize, MXToolbox, SSL Tools)

Always double‑check before applying changes to a production environment. Your deliverability and domain security depend on accuracy.
