How to Define MX, SPF, DKIM and DMARC Records in Google Workspace Domain
Complete step-by-step guide to configuring essential DNS records for Google Workspace email security and delivery. Master MX, SPF, DKIM, and DMARC setup to ensure reliable email communication and protection against spoofing.
Perfect for: IT administrators, business owners, and anyone managing Google Workspace email domains who need bulletproof email security and deliverability.
Prerequisites Before You Start
Ensure you have the necessary access and knowledge before configuring DNS records for Google Workspace.
- Domain Control: Administrative access to your domain registrar or DNS provider
- Google Workspace Admin: Super admin access to Google Workspace Admin Console
- DNS Management Skills: Basic understanding of DNS record types and management
- Active Google Workspace: Valid Google Workspace subscription with email services enabled
Important Notes
- DNS changes can take 24-48 hours to propagate globally
- Incorrect DNS records can disrupt email delivery entirely
- Always back up existing DNS records before making changes
- Test email functionality thoroughly after implementing changes
- DKIM requires activation in Google Workspace Admin Console
Step-by-Step Guide to Configuring MX, SPF, DKIM and DMARC Records
Follow these detailed steps to configure the email DNS records for your Google Workspace domain.
Configure MX Records
Set up Mail Exchange records to route emails through Google's servers
Detailed Steps:
- Access your DNS provider's management panel
- Delete any existing MX records for your domain
- Add Google's MX records with correct priorities (see technical section)
- Save changes and wait for DNS propagation
Create SPF Record
Set up Sender Policy Framework to prevent email spoofing
Detailed Steps:
- Create a new TXT record for your domain
- Use the hostname: @ (or your domain name)
- Enter SPF value: v=spf1 include:_spf.google.com ~all
- Save the record and verify it's active
Enable DKIM in Google Workspace
Activate DomainKeys Identified Mail authentication
Detailed Steps:
- Sign in to Google Admin Console (admin.google.com)
- Navigate to Apps > Google Workspace > Gmail > Authenticate email
- Click on your domain name
- Click 'Start Authentication' and generate DKIM key
- Copy the generated DKIM record details
Add DKIM DNS Record
Configure the DKIM TXT record in your DNS settings
Detailed Steps:
- In your DNS provider, create a new TXT record
- Use the hostname provided by Google (usually google._domainkey)
- Paste the DKIM key value from Google Admin Console
- Save the record and wait for propagation
Activate DKIM Authentication
Turn on DKIM signing in Google Workspace
Detailed Steps:
- Return to Google Admin Console > Gmail > Authenticate email
- Click on your domain
- Click 'Start Authentication' to enable DKIM signing
- Verify the status shows 'Authenticating email'
Configure DMARC Policy
Set up Domain-based Message Authentication policy
Detailed Steps:
- Create a TXT record with hostname: _dmarc
- Start with a monitoring policy: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
- Gradually move to stricter policies (quarantine, then reject)
- Monitor DMARC reports to ensure legitimate email isn't blocked
Essential DNS Records Configuration
Copy these exact DNS record configurations for your Google Workspace domain setup.
- Always remove conflicting existing records before adding new ones
- DNS propagation can take up to 48 hours worldwide
- Use DNS checker tools to verify record accuracy
- Test email sending/receiving after each configuration step
Common Issues & Solutions
Troubleshoot common problems with email DNS records for Google Workspace.
Emails Going to Spam
Solution: Verify SPF record syntax, ensure DKIM is properly configured and authenticated, check DMARC alignment.
Prevention: Implement all three authentication methods (SPF, DKIM, DMARC) and monitor email reputation.
DKIM Authentication Failed
Solution: Check DKIM DNS record is correctly formatted, ensure Google Workspace DKIM is enabled, verify DNS propagation.
Prevention: Copy DKIM record exactly as provided by Google Admin Console.
DMARC Policy Too Strict
Solution: Change DMARC policy from 'reject' to 'quarantine' or 'none' temporarily.
Prevention: Always start with 'p=none' and gradually increase strictness while monitoring reports.
DNS Changes Not Taking Effect
Solution: Wait longer for propagation (up to 48 hours), check TTL values, flush DNS cache.
Prevention: Lower TTL values before making changes, use multiple DNS checker tools.
SPF Record Too Long
Solution: Use include mechanisms instead of listing all IPs, split into multiple lookups if needed.
Prevention: Keep SPF record under 255 characters, limit DNS lookups to 10 or fewer.
Frequently Asked Questions
Common questions about MX, SPF, DKIM and DMARC records for Google Workspace.
What happens if I don't configure these DNS records?
Without proper DNS records, your emails may be marked as spam, rejected by recipient servers, or could be easily spoofed by malicious actors. MX records are essential for email delivery, while SPF, DKIM, and DMARC provide crucial security and deliverability benefits.
Can I use the same DKIM key for multiple domains?
No, each domain requires its own unique DKIM key pair. Google Workspace automatically generates separate DKIM keys for each domain in your organization. You must configure the DKIM DNS record for each domain individually.
How often should I update my DMARC policy?
Start with 'p=none' for monitoring, then gradually move to 'p=quarantine' after 1-2 weeks of clean reports, and finally to 'p=reject' after another 1-2 weeks. Review DMARC reports regularly and adjust based on your email patterns.
What's the difference between SPF hard fail (-all) and soft fail (~all)?
Soft fail (~all) marks suspicious emails but doesn't reject them, while hard fail (-all) instructs receiving servers to reject emails that fail SPF checks. Google recommends using soft fail (~all) to avoid blocking legitimate emails during initial setup.
How can I test if my DNS records are working correctly?
Use tools like MXToolbox, Google's CheckMX tool, or DMARC Analyzer to verify your records. Send test emails to different providers (Gmail, Outlook, Yahoo) and check headers for authentication results.
Do I need all four record types (MX, SPF, DKIM, DMARC)?
MX records are essential for email to work at all. SPF, DKIM, and DMARC are highly recommended for security and deliverability. While not technically required, modern email providers expect these authentication records.
Can I have multiple SPF records for one domain?
No, you can only have one SPF record per domain. If you need to authorize multiple email services, use the 'include' mechanism within a single SPF record (e.g., v=spf1 include:_spf.google.com include:_spf.otherprovider.com ~all).
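The single-record rule above and the limits listed under "SPF Record Too Long" (255 characters, 10 DNS lookups) can be checked before a record is published. This Python sketch is an added example, not part of the original guide: ZONE is a constructed stand-in for live DNS (including what `_spf.google.com` returns), and the function names are hypothetical.

```python
import re

LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed stand-in for live DNS: name -> TXT strings. Not real record contents.
ZONE = {
    "example.com": ["google-site-verification=constructed-token",
                    "v=spf1 include:_spf.google.com include:_spf.otherprovider.com ~all"],
    "_spf.google.com": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_spf.otherprovider.com": ["v=spf1 a mx ip4:198.51.100.0/24 ~all"],
    "dup.example": ["v=spf1 include:_spf.google.com ~all",
                    "v=spf1 include:_spf.otherprovider.com ~all"],
}

def spf_records(txts):
    """Keep only the TXT strings that are SPF records."""
    return [t for t in txts if t.lower().split(" ")[0] == "v=spf1"]

def count_lookups(domain, zone, seen=None):
    """Count terms that cost a DNS query, following include/redirect targets."""
    seen = set() if seen is None else seen
    recs = spf_records(zone.get(domain, []))
    if domain in seen or len(recs) != 1:
        return 0
    seen.add(domain)
    total = 0
    for term in recs[0].lower().split()[1:]:
        m = re.match(r"[+\-~?]?([a-z0-9]+)(?:[:=]([^/]+))?", term)
        if m and m.group(1) in LOOKUP_TERMS:
            total += 1
            if m.group(1) in ("include", "redirect") and m.group(2):
                total += count_lookups(m.group(2), zone, seen)
    return total

def audit_spf(domain, zone):
    """Return a list of findings; an empty list means the checks passed."""
    recs = spf_records(zone.get(domain, []))
    if len(recs) != 1:
        return [f"{len(recs)} SPF records published; exactly one is allowed"]
    findings = []
    if len(recs[0]) > 255:
        findings.append("record exceeds 255 characters")
    lookups = count_lookups(domain, zone)
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups needed; limit is 10")
    if recs[0].split()[-1].lower() not in ("~all", "-all"):
        findings.append("record does not end in ~all or -all")
    return findings
```

Lookups inside included records count toward the limit of 10, which is why the counter follows each include target instead of reading only the top-level record.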
What should I do if DKIM generation fails in Google Workspace?
Ensure you have super admin privileges, check that your domain is verified in Google Workspace, and try generating the key again. If it continues to fail, contact Google Workspace support or check for any domain-specific restrictions.