Estimated reading time: 12–15 minutes
Estimated implementation time: 45–90 minutes (starting immediately after registering for Google Workspace)
Who is this for?
Technically confident individuals who understand DNS concepts but have never configured Google Workspace email authentication before. This guide provides everything needed for a clean, secure, first‑time setup without guesswork.
Overview
Setting up Google Workspace email correctly is essential for deliverability, security, and preventing spoofing. When DNS is hosted on Cloudflare, the process requires precise manual configuration — especially for businesses with strict security requirements.
This guide walks through the full process using example.com instead of a live client domain. It covers SPF, DKIM, DMARC, MTA-STS, TLS-RPT, and includes a testing protocol and AI-assisted verification.
Why Manual DNS Configuration Matters
Google Workspace will offer to automatically configure your DNS when adding a new domain. Do not allow this. Always choose manual configuration.
Manual control ensures:
- DNS settings never get overwritten
- Cloudflare security features remain intact
- You maintain consistent SPF, DKIM, DMARC, and MTA-STS policies
Step 1 — Verify the Domain in Google Workspace
In the Google Admin Console:
- Go to Apps → Google Workspace → Gmail → Setup
- Copy the verification TXT record
- Add it to Cloudflare DNS:
Name: @
Type: TXT
Value: google-site-verification=xxxxxxxxx
Step 2 — Add Google Workspace MX Records
Use the modern single-record MX provided by Google:
Name: @
Type: MX
Priority: 1
Value: smtp.google.com
TTL: Auto
Proxy: DNS Only
Remove any MX records left over from a previous provider or from Google's older five-record set (aspmx.l.google.com and its alternates). A stray MX with a lower priority number can route part of your mail to a server that will reject it.
Step 3 — Configure SPF (with Optional Web Host Include)
SPF specifies which mail servers are authorised to send email for your domain.
If you also send mail through your web host (e.g., transactional mail from forms), include its SPF entry. If not, omit it.
Basic Google Workspace SPF
Name: @
Type: TXT
Value: v=spf1 include:_spf.google.com -all
Google Workspace + Optional Web Host
Name: @
Type: TXT
Value: v=spf1 include:_spf.google.com include:_spf.examplehost.com -all
Notes:
- Only one SPF record may exist per domain. A second TXT record starting with v=spf1 does not merge with the first; receivers treat it as a permanent error and SPF fails for all mail.
- SPF evaluation is limited to 10 DNS lookups (include, a, mx, exists, redirect, ptr). _spf.google.com uses several of these itself, so keep the list of includes short.
- Use -all for strong anti-spoofing. ~all only marks unauthenticated mail as suspicious and is appropriate while you are still discovering which systems send on your behalf.
Step 4 — Enable and Publish DKIM
- In Admin Console: Gmail → Authenticate Email
- Select 2048-bit DKIM key
- Google generates a TXT record:
Name: google._domainkey
Type: TXT
Value: (DKIM public key)
- Add it to Cloudflare (paste the full value as one TXT entry; if your DNS provider rejects it as too long, split it into quoted strings of at most 255 characters)
- Wait for the record to resolve (usually minutes, though Google says to allow up to 48 hours), then click Start Authentication. Google does not sign outgoing mail until this step succeeds, so a test message sent earlier will show DKIM as missing rather than as PASS.
Step 5 — Add a DMARC Policy
DMARC tells receiving servers what to do with mail that fails authentication. A message passes DMARC only if SPF or DKIM passes and the domain that passed aligns with the visible From: domain; that alignment requirement is what stops an attacker from passing SPF for their own domain while displaying yours.
Name: _dmarc
Type: TXT
Value: v=DMARC1; p=reject; adkim=r; aspf=r; pct=100
Notes:
- Relaxed alignment (r) accepts a subdomain match (for example, a DKIM signature from mail.example.com for a From: address at example.com) and tolerates the envelope changes that Gmail's infrastructure and forwarding can introduce.
- Strict alignment (s) requires an exact domain match and provides maximum enforcement, but it may cause DMARC failures if aliasing or forwarding is involved. We have been unable to use strict alignment with Google Workspace without emails dropping into Spam.
- Add rua=mailto:dmarc@example.com to receive aggregate reports; without them you will not see which sources are failing. If you are not certain every legitimate sender is covered by SPF or DKIM, publish p=none or p=quarantine first and move to p=reject once the reports are clean.
Step 6 — Configure MTA-STS (Recommended for High-Security Domains)
MTA-STS publishes a policy telling sending servers that your MX hosts must be reached over TLS with a certificate valid for the MX hostname. Without it, an attacker on the path can strip STARTTLS or answer for a spoofed MX and read or redirect mail in transit; with a policy in enforce mode, compliant senders refuse to deliver rather than fall back to plaintext.
Step 6.1 — Add TXT Declaration
Name: _mta-sts
Type: TXT
Value: v=STSv1; id=20250101
The id is an opaque version string of up to 32 letters and digits. Change it every time you edit the policy file (using the current date is the usual convention); senders cache the policy for max_age and only refetch it early when they see a new id.
Step 6.2 — Create the HTTPS Policy File
Create a folder structure on your computer:
mta-sts/
  .well-known/
    mta-sts.txt
Inside mta-sts.txt:
version: STSv1
mode: enforce
mx: smtp.google.com
max_age: 604800
Each mx line must name an MX host exactly as it appears in your MX records (a wildcard such as *.example.com is allowed and covers exactly one label). max_age is in seconds; 604800 is one week. If you want to confirm the policy is reachable and correct before compliant senders start refusing delivery on a mismatch, publish it with mode: testing first, then switch to enforce and change the id in the _mta-sts TXT record.
Step 6.3 — Deploy via Cloudflare Pages
- Go to Workers & Pages → Pages → Create a Project
- Choose Upload Assets
- Upload the mta-sts folder
- Deploy
- Add a custom domain: mta-sts.example.com
Step 6.4 — Add CNAME in Cloudflare DNS
Name: mta-sts
Type: CNAME
Value: <yourproject>.pages.dev
Proxy: Proxied (orange)
Step 6.5 — Verify
Visit:
https://mta-sts.example.com/.well-known/mta-sts.txt
Use:
- https://www.hardenize.com
- https://ssl-tools.net/mta-sts
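The following is an added example, not code from the original guide or from Google or Cloudflare. It checks an MTA-STS deployment offline: it validates the _mta-sts TXT record and the policy body from Steps 6.1 and 6.2, confirms the policy's mx: lines cover the MX host from Step 2, and catches the mistake of editing the policy without changing the id. The record, policy text and MX list are constructed inputs; in practice you would paste in what a DNS lookup and a fetch of the policy URL return.

```python
"""Validate an MTA-STS deployment offline: the _mta-sts TXT record, the policy
file body, and whether the policy covers the published MX hosts.

Added example for this guide, not Google's or Cloudflare's code. The inputs are
constructed strings standing in for the _mta-sts TXT value, the MX host list
from Step 2, and the body served at the .well-known/mta-sts.txt URL; nothing is
fetched over the network.
"""
import re

MX_HOSTS = ["smtp.google.com"]         # MX record from Step 2
TXT_RECORD = "v=STSv1; id=20250101"    # _mta-sts TXT value from Step 6.1
POLICY = "version: STSv1\nmode: enforce\nmx: smtp.google.com\nmax_age: 604800\n"


def parse_txt_record(value):
    """Return the id from a 'v=STSv1; id=...' record, or None if malformed.
    RFC 8461 limits id to 1-32 alphanumerics."""
    m = re.fullmatch(r"v=STSv1;\s*id=([A-Za-z0-9]{1,32})\s*", value)
    return m.group(1) if m else None


def parse_policy(text):
    """Parse the 'key: value' lines of mta-sts.txt; 'mx' may repeat."""
    fields, mx = {}, []
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, val = (s.strip() for s in line.split(":", 1))
        if key == "mx":
            mx.append(val.lower())
        else:
            fields[key] = val
    fields["mx"] = mx
    return fields


def mx_matches(host, pattern):
    """RFC 8461 host matching: exact, or '*.' covering exactly one extra label."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        return host.split(".", 1)[1:] == [pattern[2:]]
    return host == pattern


def check_deployment(txt_record, policy_text, mx_hosts, previous=None):
    """Return findings (empty list = OK). `previous` is an optional
    (txt_record, policy_text) pair from before an edit; it catches a changed
    policy whose id was not bumped, which senders would keep ignoring."""
    findings = []
    policy_id = parse_txt_record(txt_record)
    if policy_id is None:
        findings.append("_mta-sts TXT must be exactly 'v=STSv1; id=<1-32 alphanumerics>'")
    p = parse_policy(policy_text)
    if p.get("version") != "STSv1":
        findings.append("policy version must be STSv1")
    if p.get("mode") not in ("enforce", "testing", "none"):
        findings.append("policy mode must be enforce, testing or none")
    age = p.get("max_age", "")
    if not (age.isdigit() and 0 < int(age) <= 31557600):  # RFC 8461 cap: one year
        findings.append("policy max_age must be a positive number of seconds, at most 31557600")
    if not p["mx"]:
        findings.append("policy lists no mx: hosts")
    for host in mx_hosts:
        if not any(mx_matches(host, pat) for pat in p["mx"]):
            findings.append(f"MX host {host} is not covered by any mx: line; enforcing senders would refuse delivery")
    if previous is not None:
        old_txt, old_policy = previous
        if old_policy != policy_text and parse_txt_record(old_txt) == policy_id:
            findings.append("policy changed but id did not; senders keep the cached policy until max_age expires")
    return findings
```

check_deployment(TXT_RECORD, POLICY, MX_HOSTS) returns an empty list for the configuration in this guide. After editing the policy, pass previous=(old_txt, old_policy) to confirm that the id was changed along with it.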
Step 7 — TLS Reporting (Optional)
TLS-RPT lets sending servers tell you when they could not fetch your MTA-STS policy or could not negotiate TLS with your MX, which is how you find out that an enforce-mode policy is blocking mail. A TLS-RPT record is only valid with a rua= reporting address (RFC 8460 makes it mandatory), so publish it only if you will collect the reports:
Name: _smtp._tls
Type: TXT
Value: v=TLSRPTv1; rua=mailto:tls@example.com
If you do not want reports, omit the record rather than publishing v=TLSRPTv1 on its own.
Step 8 — Testing Protocol (Critical)
8.1 Send a Baseline Test Email
From user@example.com to a personal Gmail address outside your Workspace domain, so the message is evaluated as external mail.
Check:
- Does it arrive?
- Does it land in the Inbox or Spam?
8.2 Analyse Headers in Gmail
- Open the message → three dots → Show original
- Confirm:
- SPF: PASS
- DKIM: PASS
- DMARC: PASS
Gmail's summary also names the domain each check passed for; SPF and DKIM should both show example.com, which is what DMARC alignment requires.
8.3 AI-Assisted Authentication & DNS Analysis
Email Header Analysis
Download the full header and original email source, remove anything you do not want to share (the body and recipient addresses are not needed; the Received, Authentication-Results, DKIM-Signature and From headers are), paste the rest into the AI, and ask:
- Why did SPF/DKIM/DMARC pass/fail?
- Are domains aligned?
- Any forwarding or alias issues?
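The alignment questions above can also be answered mechanically from the headers. The script below is an added example, not part of the original guide and not Google's code: it parses Gmail's Authentication-Results header from a "Show original" dump, applies DMARC alignment to the From: domain, and shows why a forwarded message can still pass DMARC under adkim=r but fail under adkim=s. Both messages are constructed samples; the IP addresses, hostnames and signature values are placeholders, and the organizational-domain logic uses a last-two-labels approximation rather than the Public Suffix List.

```python
"""Check SPF, DKIM and DMARC alignment from a raw message ("Show original").

Added example for this guide, not Google's or Cloudflare's code. It reads the
Authentication-Results header Gmail adds, applies DMARC alignment to the visible
From: domain, and flags the forwarding case where SPF passes for the forwarder
instead of for you. Both messages are constructed; IPs, hostnames and signature
values are placeholders.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed: a direct delivery from Google Workspace for user@example.com.
DIRECT_MESSAGE = """\
Received: from mail-sor-f41.google.com (mail-sor-f41.google.com. [209.85.220.41])
        by mx.google.com with SMTPS id abc123
Authentication-Results: mx.google.com;
       dkim=pass header.i=@example.com header.s=google header.b=AbCdEf12;
       spf=pass (google.com: domain of user@example.com designates 209.85.220.41 as permitted sender) smtp.mailfrom=user@example.com;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=example.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=google;
        h=from:to:subject:date:message-id; bh=placeholder=; b=placeholder=
From: User <user@example.com>
To: recipient@gmail.com
Subject: Test 1

Hello.
"""

# Constructed: the same mail relayed by a forwarder that rewrites the envelope
# sender (SRS), and signed with d=mail.example.com. SPF now passes for the
# forwarder's domain, so only DKIM can satisfy DMARC, and only under adkim=r.
FORWARDED_MESSAGE = """\
Received: from relay.forwarder.example.net (relay.forwarder.example.net. [203.0.113.10])
        by mx.google.com with SMTPS id def456
Authentication-Results: mx.google.com;
       dkim=pass header.i=@mail.example.com header.s=google header.b=ZyXwVu98;
       spf=pass (google.com: domain of SRS0=ab=cd=example.com=user@forwarder.example.net designates 203.0.113.10 as permitted sender) smtp.mailfrom=SRS0=ab=cd=example.com=user@forwarder.example.net;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=example.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mail.example.com; s=google;
        h=from:to:subject:date:message-id; bh=placeholder=; b=placeholder=
From: User <user@example.com>
To: recipient@gmail.com
Subject: Test 1 (forwarded)

Hello.
"""


def parse_auth_results(value):
    """Map each method (spf, dkim, dmarc) to (result, {property: value})."""
    results = {}
    body = value.split(";", 1)[1] if ";" in value else value  # drop the authserv-id
    for clause in body.split(";"):
        clause = " ".join(re.sub(r"\([^)]*\)", "", clause).split())  # strip comments, unfold
        m = re.match(r"(\w+)=(\w+)", clause)
        if m:
            props = dict(re.findall(r"((?:header|smtp)\.\w+)=(\S+)", clause))
            results[m.group(1).lower()] = (m.group(2).lower(), props)
    return results


def org_domain(domain):
    """Organizational domain approximated as the last two labels (assumption:
    real DMARC uses the Public Suffix List, which matters for example.co.uk)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """DMARC alignment: 's' needs an exact match, 'r' an organizational match."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(raw, adkim="r", aspf="r"):
    """Return the verdict a DMARC evaluator would reach under the given alignment modes."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rsplit("@", 1)[-1].lower()
    ar = parse_auth_results(msg["Authentication-Results"] or "")
    spf_result, spf_props = ar.get("spf", ("none", {}))
    dkim_result, dkim_props = ar.get("dkim", ("none", {}))
    spf_domain = spf_props.get("smtp.mailfrom", "").rsplit("@", 1)[-1].lower()
    dkim_domain = dkim_props.get("header.i", "").lstrip("@").lower()  # Gmail reports i=@d
    if not dkim_domain and msg["DKIM-Signature"]:  # fall back to the signature's d= tag
        m = re.search(r"\bd=([^;\s]+)", msg["DKIM-Signature"])
        dkim_domain = m.group(1).lower() if m else ""
    spf_aligned = spf_result == "pass" and aligned(spf_domain, from_domain, aspf)
    dkim_aligned = dkim_result == "pass" and aligned(dkim_domain, from_domain, adkim)
    return {
        "from_domain": from_domain,
        "spf": spf_result, "spf_domain": spf_domain, "spf_aligned": spf_aligned,
        "dkim": dkim_result, "dkim_domain": dkim_domain, "dkim_aligned": dkim_aligned,
        "dmarc_pass": spf_aligned or dkim_aligned,
        # SPF passing for a domain that is not yours is the fingerprint of forwarding.
        "forwarding_suspected": spf_result == "pass" and not spf_aligned,
    }
```

Call evaluate() on the text of a saved "Show original" dump. A result where spf is pass but spf_aligned is False while dkim_aligned is True is the forwarding pattern described in Step 5, and is the reason this guide keeps adkim=r: the same forwarded message evaluated with adkim="s" fails DMARC outright.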
DNS Zone File Analysis
- Cloudflare → DNS → Export
- Upload zone file to AI
- Ask it to review:
- Duplicate/conflicting SPF records
- DMARC placement (_dmarc)
- DKIM selector presence
- MTA-STS records and CNAMEs
- TXT formatting issues
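The zone review above can also be run as a script before the export is handed to anyone. The following is an added example, not Cloudflare's or Google's tooling: it parses BIND-style lines like those in a Cloudflare DNS export and applies the checks listed in this step to two constructed zones, one correct and one with a duplicate SPF record, a DMARC record published at the apex instead of _dmarc, an unquoted TXT value, a missing DKIM selector, a TLS-RPT record without rua=, and an _mta-sts record with no host to serve the policy. The DKIM key, verification token and Pages hostname are placeholders.

```python
"""Lint a DNS zone export for the email-authentication records in this guide.

Added example for this guide, not Cloudflare's or Google's tooling. It reads
BIND-style lines such as Cloudflare's DNS "Export" produces (TTL and class are
optional) and runs the checks listed in Step 8.3. Both zones are constructed
samples; the DKIM key, verification token and Pages hostname are placeholders.
"""
import re

DOMAIN = "example.com"

GOOD_ZONE = """\
;; constructed: a correct zone
example.com. 1 IN MX 1 smtp.google.com.
example.com. 1 IN TXT "v=spf1 include:_spf.google.com -all"
google._domainkey.example.com. 1 IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkq"
_dmarc.example.com. 1 IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=r; aspf=r; pct=100"
_mta-sts.example.com. 1 IN TXT "v=STSv1; id=20250101"
mta-sts.example.com. 1 IN CNAME mta-sts-example.pages.dev.
_smtp._tls.example.com. 1 IN TXT "v=TLSRPTv1; rua=mailto:tls@example.com"
example.com. 1 IN TXT "google-site-verification=xxxxxxx"
"""

BAD_ZONE = """\
;; constructed: the mistakes Step 8.3 asks you to look for
example.com. 1 IN MX 1 smtp.google.com.
example.com. 1 IN TXT "v=spf1 include:_spf.google.com ~all"
example.com. 1 IN TXT "v=spf1 include:_spf.examplehost.com -all"
example.com. 1 IN TXT v=DMARC1; p=reject
_mta-sts.example.com. 1 IN TXT "v=STSv1; id=20250101"
_smtp._tls.example.com. 1 IN TXT "v=TLSRPTv1"
"""


def parse_zone(text):
    """Return (owner, type, rdata) triples; lines starting with ';' are comments."""
    pat = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?([A-Z]+)\s+(.*)$")
    recs = []
    for line in text.splitlines():
        s = line.strip()
        m = pat.match(s) if s and not s.startswith(";") else None
        if m:
            recs.append((m.group(1).rstrip(".").lower(), m.group(2), m.group(3).strip()))
    return recs


def txt_value(rdata):
    """Join the quoted strings of a TXT rdata, or None when it is not quoted."""
    parts = re.findall(r'"([^"]*)"', rdata)
    return "".join(parts) if parts else None


def spf_lookups(spf):
    """Count mechanisms that cost a DNS lookup (limit 10, RFC 7208). Nested
    includes are not expanded, so the result is a lower bound."""
    costly = ("include:", "a:", "a/", "mx:", "mx/", "exists:", "redirect=", "ptr:")
    toks = [t.lstrip("+-~?").lower() for t in spf.split()[1:]]
    return sum(t in ("a", "mx", "ptr") or t.startswith(costly) for t in toks)


def lint_zone(text, domain=DOMAIN):
    """Return findings for the zone; an empty list means every check passed."""
    recs = parse_zone(text)
    def rd(owner, rtype):
        return [r for o, t, r in recs if o == owner and t == rtype]
    def txt(owner):  # TXT values, falling back to the raw rdata when unquoted
        return [txt_value(r) or r for r in rd(owner, "TXT")]
    f = [f"{o} TXT value is not quoted: {r}" for o, t, r in recs if t == "TXT" and txt_value(r) is None]
    if not rd(domain, "MX"):
        f.append("no MX record at the apex")
    spf = [v for v in txt(domain) if v.lower().startswith("v=spf1")]
    if len(spf) != 1:  # a second v=spf1 TXT is a permerror, not a merge
        f.append(f"expected exactly one SPF record, found {len(spf)}")
    for v in spf:
        if not v.endswith(("-all", "~all")):
            f.append(f"SPF does not end in -all or ~all: {v}")
        if spf_lookups(v) > 10:
            f.append("SPF exceeds the 10 DNS lookup limit")
    dkim = txt(f"google._domainkey.{domain}")
    if not dkim:
        f.append(f"DKIM selector google._domainkey.{domain} is missing")
    elif not (dkim[0].startswith("v=DKIM1") and "p=" in dkim[0]):
        f.append("DKIM record lacks v=DKIM1 or a p= public key")
    dmarc = txt(f"_dmarc.{domain}")
    if not dmarc:
        f.append(f"no DMARC record at _dmarc.{domain}")
    elif not re.match(r"v=DMARC1;.*\bp=(none|quarantine|reject)\b", dmarc[0]):
        f.append("DMARC record lacks v=DMARC1 or a valid p= policy")
    elif "rua=" not in dmarc[0]:
        f.append("DMARC has no rua= address, so you will receive no reports")
    sts = txt(f"_mta-sts.{domain}")
    if sts and not re.match(r"v=STSv1;\s*id=\S+", sts[0]):
        f.append("_mta-sts TXT must be 'v=STSv1; id=<version>'")
    if sts and not (rd(f"mta-sts.{domain}", "CNAME") or rd(f"mta-sts.{domain}", "A")):
        f.append(f"mta-sts.{domain} has no CNAME or A record to serve the policy")
    f += ["TLS-RPT record without rua= is invalid (RFC 8460)" for v in txt(f"_smtp._tls.{domain}") if "rua=" not in v]
    return f
```

lint_zone(GOOD_ZONE) returns an empty list; lint_zone(BAD_ZONE) returns one finding per mistake in the order the checks run. Feed it the text of your own Cloudflare export (with the owner names ending in a dot, as exported) and pass your domain as the second argument.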
8.4 Re-test After Any Change
Send a fresh email with a new subject (Test 2, Test 3) until:
- SPF = PASS
- DKIM = PASS
- DMARC = PASS
- Inbox placement is consistent
Example Cloudflare DNS Configuration (Using example.com)
;; MX
example.com. IN MX 1 smtp.google.com.
;; SPF
example.com. IN TXT "v=spf1 include:_spf.google.com -all"
;; DKIM
google._domainkey.example.com. IN TXT "v=DKIM1; k=rsa; p=MIIBI..."
;; DMARC
_dmarc.example.com. IN TXT "v=DMARC1; p=reject; adkim=r; aspf=r; pct=100"
;; MTA-STS
_mta-sts.example.com. IN TXT "v=STSv1; id=20250101"
mta-sts.example.com. IN CNAME mta-sts-example.pages.dev.
;; TLS-RPT (only valid with a reporting address)
_smtp._tls.example.com. IN TXT "v=TLSRPTv1; rua=mailto:tls@example.com"
;; Google verification
example.com. IN TXT "google-site-verification=xxxxxxx"
Conclusion
By following these steps, you ensure:
- Fully authenticated outgoing email
- Protection against spoofing and phishing
- TLS-enforced mail transport
- High deliverability to Gmail, Outlook, Microsoft 365, Yahoo, and more
- A hardened configuration suitable for security-sensitive organisations
This setup represents our best-practice Google Workspace email configuration when using Cloudflare as your DNS provider.
Important Caveat
Technical standards, Google Workspace authentication rules, and Cloudflare DNS behaviours change over time. Although this guide reflects what we believe to be a correct and working configuration at the time of writing, email security protocols evolve, and configuration errors can occur.
Readers should:
- Verify all SPF, DKIM, DMARC, MTA-STS, and TLS-RPT records before deployment
- Check the current Google Workspace documentation
- Check Cloudflare's latest DNS guidance
- Validate settings with external tools (Hardenize, MXToolbox, SSL Tools)
Always double‑check before applying changes to a production environment. Your deliverability and domain security depend on accuracy.

