Category: Security & Compliance

Best practices for keeping your data safe and compliant. Topics include GDPR, database replication, monitoring, and secure coding methods for peace of mind.

How to Securely Configure Google Workspace Email on Cloudflare DNS

  • Estimated reading time: 12–15 minutes

    Estimated implementation time: 45–90 minutes (starting immediately after registering for Google Workspace)

    Who is this for?

    Technically confident individuals who understand DNS concepts but have never configured Google Workspace email authentication before. This guide provides everything needed for a clean, secure, first‑time setup without guesswork.


    Overview

    Setting up Google Workspace email correctly is essential for deliverability, security, and preventing spoofing. When DNS is hosted on Cloudflare, the process requires precise manual configuration — especially for businesses with strict security requirements.

    This guide walks through the full process using example.com instead of a live client domain. It covers SPF, DKIM, DMARC, MTA-STS, TLS-RPT, and includes a testing protocol and AI-assisted verification.


    Why Manual DNS Configuration Matters

    Google Workspace will offer to automatically configure your DNS when adding a new domain. Do not allow this. Always choose manual configuration.

    Manual control ensures:

    • DNS settings never get overwritten
    • Cloudflare security features remain intact
    • You maintain consistent SPF, DKIM, DMARC, and MTA-STS policies

    Step 1 — Verify the Domain in Google Workspace

    In the Google Admin Console:

    1. Go to Apps → Google Workspace → Gmail → Setup
    2. Copy the verification TXT record
    3. Add it to Cloudflare DNS:

    Name: @

    Type: TXT

    Value: google-site-verification=xxxxxxxxx


    Step 2 — Add Google Workspace MX Records

    Use the modern single-record MX provided by Google:

    Name: @

    Type: MX

    Priority: 1

    Value: smtp.google.com

    TTL: Auto

    Proxy: DNS Only


    Step 3 — Configure SPF (with Optional Web Host Include)

    SPF specifies which mail servers are authorised to send email for your domain.

    If you also send mail through your web host (e.g., transactional mail from forms), include its SPF entry. If not, omit it.

    Basic Google Workspace SPF

    Name: @

    Type: TXT

    Value: v=spf1 include:_spf.google.com -all

    Google Workspace + Optional Web Host

    Name: @

    Type: TXT

    Value: v=spf1 include:_spf.google.com include:_spf.examplehost.com -all

    Notes:

    • Only one SPF record may exist.
    • Use -all for strong anti-spoofing.

    Step 4 — Enable and Publish DKIM

    1. In Admin Console: Gmail → Authenticate Email
    2. Select 2048-bit DKIM key
    3. Google generates a TXT record:

    Name: google._domainkey

    Type: TXT

    Value: (DKIM public key)

    4. Add it to Cloudflare
    5. Click Start Authentication

    Step 5 — Add a DMARC Policy

    DMARC prevents spoofing by requiring that the domain authenticated by SPF or DKIM aligns with the From domain, and by telling receivers what to do with mail that fails.

    Name: _dmarc

    Type: TXT

    Value: v=DMARC1; p=reject; adkim=r; aspf=r; pct=100

    Notes:

    • Relaxed alignment (r) avoids issues when Gmail rewrites headers.
    • Strict alignment (s) provides maximum enforcement but may cause DMARC failures when aliasing or forwarding is involved. We have been unable to use strict alignment with Google Workspace without emails dropping into spam.

    Step 6 — Configure MTA-STS (Recommended for High-Security Domains)

    MTA-STS requires sending servers to use TLS when delivering to your MX hosts, preventing downgrade and man-in-the-middle attacks on SMTP delivery.

    Step 6.1 — Add TXT Declaration

    Name: _mta-sts

    Type: TXT

    Value: v=STSv1; id=20250101

    Step 6.2 — Create the HTTPS Policy File

    Create a folder structure on your computer:

    mta-sts/
        .well-known/
            mta-sts.txt

    Inside mta-sts.txt:

    version: STSv1
    mode: enforce
    mx: smtp.google.com
    max_age: 604800

    Step 6.3 — Deploy via Cloudflare Pages

    1. Go to Workers & Pages → Pages → Create a Project
    2. Choose Upload Assets
    3. Upload the mta-sts folder
    4. Deploy
    5. Add a custom domain: mta-sts.example.com

    Step 6.4 — Add CNAME in Cloudflare DNS

    Name: mta-sts

    Type: CNAME

    Value: <yourproject>.pages.dev

    Proxy: Proxied (orange)

    Step 6.5 — Verify

    Visit:

    https://mta-sts.example.com/.well-known/mta-sts.txt

    Use:

    • https://www.hardenize.com
    • https://ssl-tools.net/mta-sts

    Step 7 — TLS Reporting (Optional)

    Name: _smtp._tls

    Type: TXT

    Value: v=TLSRPTv1

    To receive reports, add a rua address (RFC 8460 expects the record to carry one):

    v=TLSRPTv1; rua=mailto:tls@example.com


    Step 8 — Testing Protocol (Critical)

    8.1 Send a Baseline Test Email

    From user@example.com to a Gmail address.

    Check:

    • Does it arrive?
    • Does it land in the Inbox or Spam?

    8.2 Analyse Headers in Gmail

    1. Open the message → three dots → Show original
    2. Confirm:
      • SPF: PASS
      • DKIM: PASS
      • DMARC: PASS
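
    To see why the alignment choice in Step 5 matters and to automate the Step 8.2 header check, here is an added example (not from the original guide) that parses a Gmail-style Authentication-Results header and recomputes the DMARC verdict under relaxed or strict alignment. Both headers are constructed; the second models a forwarded message, where SPF evaluates the forwarder's domain and a DKIM signature from a subdomain aligns only under relaxed mode.

```python
import re

# Constructed Gmail "Show original" header for a directly delivered message that passes everything.
HEADER_PASS = """Authentication-Results: mx.google.com;
       dkim=pass header.i=@example.com header.s=google header.b=AbCdEf12;
       spf=pass (google.com: domain of user@example.com designates 209.85.220.41 as permitted sender) smtp.mailfrom=user@example.com;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=example.com"""

# Constructed header for the same message after a mailbox forwarder re-sent it: SPF now
# evaluates the forwarder's bounce domain, and the DKIM signature comes from a subdomain.
HEADER_FWD = """Authentication-Results: mx.google.com;
       dkim=pass header.i=@mail.example.com header.s=google header.b=Zz99;
       spf=pass smtp.mailfrom=bounce@forwarder.example.net;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=example.com"""


def parse_auth_results(header):
    """Return {method: {'result': ..., 'prop.name': value, ...}} for each method in the header."""
    body = header.split(':', 1)[1]                     # drop the field name
    body = re.sub(r'\([^)]*\)', '', body)              # drop human-readable comments
    parts = [p.strip() for p in body.split(';')][1:]   # parts[0] was the authserv-id
    results = {}
    for part in parts:
        tokens = part.split()
        if tokens and '=' in tokens[0]:
            method, result = tokens[0].split('=', 1)
            props = dict(t.split('=', 1) for t in tokens[1:] if '=' in t)
            results[method] = {'result': result, **props}
    return results


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match; relaxed ('r') also accepts a
    subdomain of the From domain (simplified: assumes header.from is the organisational domain)."""
    auth_domain, from_domain = auth_domain.lower(), from_domain.lower()
    if mode == 's':
        return auth_domain == from_domain
    return auth_domain == from_domain or auth_domain.endswith('.' + from_domain)


def dmarc_verdict(header, adkim='r', aspf='r'):
    """Recompute the DMARC result: pass if SPF or DKIM passed *and* its domain aligns with header.from."""
    r = parse_auth_results(header)
    from_domain = r.get('dmarc', {}).get('header.from', '')
    dkim_domain = r.get('dkim', {}).get('header.i', '').rpartition('@')[2]
    spf_domain = r.get('spf', {}).get('smtp.mailfrom', '').rpartition('@')[2]
    dkim_ok = r.get('dkim', {}).get('result') == 'pass' and aligned(dkim_domain, from_domain, adkim)
    spf_ok = r.get('spf', {}).get('result') == 'pass' and aligned(spf_domain, from_domain, aspf)
    return {'dkim_aligned': dkim_ok, 'spf_aligned': spf_ok, 'dmarc': 'pass' if dkim_ok or spf_ok else 'fail'}
```

    Run dmarc_verdict(HEADER_FWD, adkim='s') against the forwarded header to reproduce the strict-alignment failure described in Step 5.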

    8.3 AI-Assisted Authentication & DNS Analysis

    Email Header Analysis

    Download the full headers and original message source, paste them into an AI assistant, and ask:

    • Why did SPF/DKIM/DMARC pass/fail?
    • Are domains aligned?
    • Any forwarding or alias issues?

    DNS Zone File Analysis

    1. Cloudflare → DNS → Export
    2. Upload zone file to AI
    3. Ask it to review:
      • Duplicate/conflicting SPF records
      • DMARC placement (_dmarc)
      • DKIM selector presence
      • MTA-STS records and CNAMEs
      • TXT formatting issues

    8.4 Re-test After Any Change

    Send a fresh email with a new subject (Test 2, Test 3) until:

    • SPF = PASS
    • DKIM = PASS
    • DMARC = PASS
    • Inbox placement is consistent

    Example Cloudflare DNS Configuration (Using example.com)

    ;; MX
    example.com.                      IN MX 1 smtp.google.com.

    ;; SPF
    example.com.                      IN TXT "v=spf1 include:_spf.google.com -all"

    ;; DKIM
    google._domainkey.example.com.    IN TXT "v=DKIM1; k=rsa; p=MIIBI..."

    ;; DMARC
    _dmarc.example.com.               IN TXT "v=DMARC1; p=reject; adkim=r; aspf=r; pct=100"

    ;; MTA-STS
    _mta-sts.example.com.             IN TXT "v=STSv1; id=20250101"
    mta-sts.example.com.              IN CNAME mta-sts-example.pages.dev.

    ;; TLS-RPT
    _smtp._tls.example.com.           IN TXT "v=TLSRPTv1"

    ;; Google verification
    example.com.                      IN TXT "google-site-verification=xxxxxxx"
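
    The Step 8.3 zone review as a script you can run offline, an added example rather than anything from the original guide: it parses a Cloudflare BIND export (the constructed sample mirrors the example zone above) and applies the guide's rules: exactly one SPF record ending in -all, p=reject at _dmarc, the google._domainkey selector, the single smtp.google.com MX, the MTA-STS TXT and CNAME, and a rua= address on the TLS-RPT record. The sample keeps the bare v=TLSRPTv1 record, so the linter reports that one finding.

```python
import re

# Constructed sample mirroring the guide's example.com zone, in the BIND format Cloudflare's DNS export uses.
ZONE = """\
example.com.                   IN MX 1 smtp.google.com.
example.com.                   IN TXT "v=spf1 include:_spf.google.com -all"
google._domainkey.example.com. IN TXT "v=DKIM1; k=rsa; p=MIIBI..."
_dmarc.example.com.            IN TXT "v=DMARC1; p=reject; adkim=r; aspf=r; pct=100"
_mta-sts.example.com.          IN TXT "v=STSv1; id=20250101"
mta-sts.example.com.           IN CNAME mta-sts-example.pages.dev.
_smtp._tls.example.com.        IN TXT "v=TLSRPTv1"
"""
RR = re.compile(r'^(\S+)\s+(?:\d+\s+)?IN\s+(\S+)\s+(.*)$')  # name [ttl] IN type rdata

def parse_zone(text):
    """Return (name, type, rdata) tuples; ';' comment lines are skipped and TXT quotes stripped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(';') and (m := RR.match(line)):
            name, rtype, rdata = m.groups()
            records.append((name.lower(), rtype.upper(), rdata.strip().strip('"')))
    return records

def lint(records, domain):
    """Apply the guide's Step 8.3 review to parsed records; return a list of findings (empty means clean)."""
    apex = domain.rstrip('.') + '.'
    findings = []
    def txt(name):
        return [r for n, t, r in records if n == name and t == 'TXT']
    def check(ok, msg):
        if not ok:
            findings.append(msg)
    spf = [r for r in txt(apex) if r.lower().startswith('v=spf1')]
    check(len(spf) == 1, f'expected exactly one SPF record, found {len(spf)}')
    check(all(r.endswith('-all') for r in spf), 'SPF should end with -all for strong anti-spoofing')
    dmarc = dict(kv.strip().split('=', 1) for r in txt('_dmarc.' + apex) for kv in r.split(';') if '=' in kv)
    check(dmarc.get('p') == 'reject', f"DMARC p={dmarc.get('p')}, guide uses p=reject")
    check(bool(txt('google._domainkey.' + apex)), 'DKIM selector google._domainkey missing')
    mx = [r.split()[-1] for n, t, r in records if n == apex and t == 'MX']
    check(mx == ['smtp.google.com.'], f'MX should be the single smtp.google.com record, found {mx}')
    check(any(r.startswith('v=STSv1;') for r in txt('_mta-sts.' + apex)), 'MTA-STS TXT declaration missing or malformed')
    check(any(n == 'mta-sts.' + apex and t == 'CNAME' for n, t, _ in records), 'mta-sts CNAME to the Pages project missing')
    check(any('rua=' in r for r in txt('_smtp._tls.' + apex)), 'TLS-RPT record has no rua= address, so no reports will be delivered')
    return findings

if __name__ == '__main__':
    for finding in lint(parse_zone(ZONE), 'example.com') or ['zone passes all checks']:
        print(finding)
```

    Paste your own Cloudflare export into ZONE (comment lines starting with ';' are ignored) to run the same review before deployment.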


    Conclusion

    By following these steps, you ensure:

    • Fully authenticated outgoing email
    • Protection against spoofing and phishing
    • TLS-enforced mail transport
    • High deliverability to Gmail, Outlook, Microsoft 365, Yahoo, and more
    • A hardened configuration suitable for security-sensitive organisations

    This setup represents our best-practice Google Workspace email configuration when using Cloudflare as your DNS provider.

    Important Caveat

    Technical standards, Google Workspace authentication rules, and Cloudflare DNS behaviours change over time. Although this guide reflects what we believe to be a correct and working configuration at the time of writing, email security protocols evolve, and configuration errors can occur.

    Readers should:

    • Verify all SPF, DKIM, DMARC, MTA-STS, and TLS-RPT records before deployment
    • Check the current Google Workspace documentation
    • Check Cloudflare’s latest DNS guidance
    • Validate settings with external tools (Hardenize, MXToolbox, SSL Tools)

    Always double‑check before applying changes to a production environment. Your deliverability and domain security depend on accuracy.

  • For many businesses, security and compliance are treated as a box-ticking exercise. A policy is written, a plugin is added, and the subject is shelved until the next audit. But in practice, compliance and security are not things you can bolt onto a system at the end. They need to be built in from the start — woven into the design of workflows, hosting, and data management.

    At Tekate, we approach compliance as an enabler rather than a burden. When systems are secure and compliant by design, they not only reduce legal risk but also enhance overall security and operational efficiency. They build trust with clients, improve resilience, and make day-to-day operations more reliable.


    The Risks SMEs Face

    Small and medium-sized enterprises (SMEs) often underestimate their exposure to risk. Common issues include:

    • Fragmented systems – customer data spread across spreadsheets, SaaS tools, and email.
    • Inconsistent handling – different teams managing personal data in different ways.
    • Weak access controls – too many people with administrator privileges or shared logins.
    • Lack of audit trails – no clear record of who accessed what, and when.

    These gaps are not just theoretical risks. They can lead to data breaches, fines under the GDPR, and reputational damage that is far more difficult to repair.


    Compliance by Design

    Rather than retrofitting security, we embed compliance into every stage of system design. That includes:

    • Access control and permissions – ensuring users only see the data they need. Role-based access is a core part of every workflow application.
    • Audit trails – automatic logging of key actions, from client record updates to invoice approvals. These provide accountability and help with investigations.
    • Secure hosting – servers built on Oracle Linux, OpenLiteSpeed, and MySQL replication, with data backed up, monitored, and encrypted in transit.
    • Cookie consent and GDPR workflows – ensuring client-facing systems capture consent, honour subject access requests, and handle data deletion properly.
    • Integration safeguards – when linking to platforms like Xero, Shopify, or Google Workspace, connections are secured with tokens and monitored for unusual activity.

    The goal is not to make compliance visible at every turn, but to ensure it happens automatically in the background.


    Examples in Practice

    Consider an employment agency handling sensitive client details. A compliant system ensures that:

    • CVs and applications are stored securely with access limited to authorised staff.
    • Terms and conditions are digitally accepted and recorded as part of the audit trail.
    • Data retention rules automatically remove or anonymise records when they are no longer needed.

    In logistics, compliance takes a different shape:

    • Shipment tracking must be visible to clients without exposing other customers’ data.
    • Multi-currency transactions must meet financial reporting standards.
    • Integrations with shipping providers require careful management of personal delivery information.

    Across sectors, the principle remains the same: compliance must align with the real workflow, not sit alongside it as an afterthought.


    Common Pitfalls

    Businesses often fall into traps when tackling compliance:

    • Treating it as a one-off project – compliance is an ongoing process, not a task to complete and forget.
    • Overreliance on plugins – especially in WordPress, where a cookie banner plugin is sometimes seen as enough. True compliance requires deeper integration.
    • Ignoring staff training – even the best systems fail if staff don’t understand how to handle data securely.
    • Underestimating third-party risk – every integration, from email to e-commerce, is another potential vulnerability.

    Recognising these pitfalls early helps avoid costly mistakes later.


    Future Challenges

    The compliance landscape is evolving. AI adds new complexities around transparency and explainability. International data transfers face shifting legal requirements. Cyber threats continue to grow in sophistication.

    For SMEs, the challenge is staying ahead without dedicating entire teams to compliance. That’s why systems designed with security at their core are so valuable — they provide a strong foundation that can adapt as laws and risks change.


    Final Reflection

    Compliance is often framed as a legal necessity, but it is more than that. It is a foundation of trust, both with clients and within teams. When systems are secure and compliant by design, staff can work confidently, customers can share data without hesitation, and businesses can scale without fear of hidden vulnerabilities.

    For Tekate, this isn’t about adding layers of bureaucracy. It’s about building systems that are safe, reliable, and fit for the future — from the very beginning.