Google Workspace and Cloudflare: Email DNS Setup Checklist
Set up Google Workspace email DNS in Cloudflare with a practical checklist for MX, SPF, DKIM, DMARC, domain verification, Gmail activation, and common setup mistakes.
When your domain uses Cloudflare for DNS, Google Workspace email records must be published in Cloudflare, even if the domain was purchased somewhere else.
Google Workspace can host your Gmail inboxes, but DNS controls whether the internet knows to deliver mail to Google and whether your outgoing messages pass authentication.
This guide walks through the practical Cloudflare DNS checklist for Google Workspace: nameservers, MX, SPF, DKIM, DMARC, domain verification, Gmail activation, and the common mistakes that make setup look complete when it is not.
On this page
Quick answer: Google Workspace DNS records in Cloudflare
For a normal Google Workspace email setup in Cloudflare, check these records and setup steps first:
| Step | What to check | Why it matters |
|---|---|---|
| 1 | Cloudflare nameservers | Confirms Cloudflare is the active DNS host |
| 2 | Google domain verification | Google may require a TXT or CNAME value from Google Admin before activating services |
| 3 | Google Workspace MX | Routes incoming email to Gmail |
| 4 | Gmail activation | Google Admin still needs Gmail activated after DNS is added |
| 5 | SPF | Authorizes Google to send mail for your domain |
| 6 | DKIM | Lets Google sign outgoing mail with your domain |
| 7 | DMARC | Publishes a safe domain-level policy for authentication failures |
| 8 | Old provider records | Old MX/SPF/DKIM values can keep mail routed to the wrong place |
For new Google Workspace setups, the current Google MX record is:
Type: MX
Name: @
Mail server: smtp.google.com
Priority: 1Older legacy Google MX records beginning with ASPMX are still supported if they are already working, but new setups should follow the current Google Admin instructions.
Before you edit DNS: confirm Cloudflare is authoritative
The most common setup mistake is adding correct Google records in the wrong DNS account.
If your domain uses Cloudflare nameservers, Cloudflare controls the public DNS zone. Records added only at your registrar, website host, or old DNS provider usually will not affect live DNS.
Check the domain's nameservers first. If they point to Cloudflare, make the Google Workspace MX, SPF, DKIM, DMARC, and verification changes inside Cloudflare DNS.
A common setup looks like this:
| Role | Provider |
|---|---|
| Registrar | Namecheap, GoDaddy, Squarespace, or another registrar |
| DNS host | Cloudflare |
| Website host | Vercel, Shopify, Wix, WordPress, or another website platform |
| Email provider | Google Workspace |
In that setup, Cloudflare is the place to edit email DNS.
Cloudflare DNS-only note for email records
Cloudflare proxy settings are for web traffic. Email DNS records are different.
MX and TXT records are DNS-only in Cloudflare. You do not orange-cloud MX, SPF, DMARC, or verification TXT records.
For Google Workspace email setup, focus on whether the records exist with the right name, type, value, and priority. Do not try to route email through Cloudflare's HTTP proxy.
| Record type | Cloudflare proxy behavior |
|---|---|
| MX | DNS-only |
| TXT | DNS-only |
| DKIM TXT | DNS-only |
| DKIM CNAME | Usually DNS-only for provider validation |
| Website A/AAAA/CNAME | May be proxied when it is serving web traffic |
Step 1: Add or confirm Google domain verification
Google Workspace may ask you to verify that you own the domain before Gmail can be fully activated.
The verification value must come from Google Admin or Google's setup tool. Do not copy a verification TXT or CNAME value from another guide, another domain, or another account.
In Cloudflare, this verification record is usually one of these:
| Record type | Where the value comes from | Where to add it |
|---|---|---|
| TXT | Google Admin | Cloudflare DNS |
| CNAME | Google Admin | Cloudflare DNS |
After adding the verification record in Cloudflare, return to Google Admin and continue the verification flow.
Step 2: Add the current Google Workspace MX record
MX records tell the internet where to deliver incoming email for your domain. For new Google Workspace setups, use Google's current single MX value unless Google Admin gives you different instructions for your account.
| Cloudflare field | Value |
|---|---|
| Type | MX |
| Name | @ or the root domain |
| Mail server | smtp.google.com |
| Priority | 1 |
| TTL | Auto or the default value Cloudflare provides |
Some DNS interfaces add a trailing dot automatically. Cloudflare normally accepts smtp.google.com as the mail server value.
If your Google Admin instructions show older Google MX hosts that begin with ASPMX, those legacy values are still supported when already working. For a new setup, follow the current Google Admin instructions and use smtp.google.com with priority 1 when that is what Google shows.
Step 3: Remove old or conflicting MX records
Your domain should normally route incoming mail to one email provider.
If you are moving from another provider to Google Workspace, old MX records can keep mail going to the wrong system.
Common old MX sources include:
- cPanel hosting email
- Zoho Mail
- Microsoft 365
- Proton Mail
- Fastmail
- Email forwarding services
- A website host that previously handled email
For a completed Google Workspace setup, remove old MX records unless you are intentionally running a migration or special routing setup.
| MX state | Likely result |
|---|---|
| Only Google Workspace MX | Incoming mail should route to Gmail |
| No MX records | Incoming mail may bounce or fail |
| Old provider MX remains | Mail may still route to the old provider |
| Mixed provider MX records | Mail routing can be unpredictable |
Step 4: Activate Gmail in Google Admin
Adding the MX record in Cloudflare is not always the final step. Google Admin may still require you to activate Gmail for the domain.
After adding or fixing MX records, return to Google Admin and complete the Gmail activation flow for the domain.
If Gmail activation still fails, check:
- Cloudflare is the active DNS host
- The MX record was added at the root domain
- The mail server is
smtp.google.com - The priority is
1 - Old MX records were removed
- Google domain verification is complete
- Enough time has passed for DNS changes to be recognized
Step 5: Add or merge Google SPF
SPF authorizes sending services for your domain. If Google Workspace sends email for your domain, the SPF record should include Google.
A common Google Workspace SPF record is:
v=spf1 include:_spf.google.com ~allPublish SPF as a TXT record on the root domain.
| Cloudflare field | Value |
|---|---|
| Type | TXT |
| Name | @ or the root domain |
| Content | v=spf1 include:_spf.google.com ~all when Google is your only sender |
Do not create two SPF records. If your domain already has SPF for another legitimate sender, merge Google into the existing SPF record instead of adding a second v=spf1 TXT record.
For example, this is wrong because it creates duplicate SPF policies:
v=spf1 include:_spf.google.com ~all
v=spf1 include:send.example.com ~allA merged record keeps one SPF policy:
v=spf1 include:_spf.google.com include:send.example.com ~allOnly include third-party senders that actually send email for your domain.
Step 6: Generate and publish Google DKIM
DKIM lets Google sign outgoing email with your domain. Receiving mail servers can verify that signature against a DNS record.
The DKIM value must come from Google Admin. Do not invent a DKIM selector or copy another domain's DKIM value.
The usual workflow is:
- Open Google Admin.
- Find the Gmail authentication or DKIM setup area.
- Generate the DKIM record for your domain.
- Copy the selector/name and value exactly as Google provides them.
- Add the record in Cloudflare DNS.
- Return to Google Admin and enable or start DKIM authentication.
Depending on Google's instructions, the DKIM record may appear as a TXT record using a _domainkey hostname.
Common DKIM mistakes include:
| Mistake | Result |
|---|---|
| DKIM not generated in Google Admin | There is no correct value to publish |
| DKIM value copied from another domain | Authentication fails |
| Wrong selector or hostname | Google may not find the record |
| Record added outside Cloudflare while Cloudflare is authoritative | Public DNS does not change |
| DNS exists but DKIM not enabled in Google Admin | Messages may not be signed |
Step 7: Add a safe DMARC record
DMARC publishes a domain-level policy for messages that fail authentication and alignment checks.
DMARC belongs at _dmarc as a TXT record.
A safe starter DMARC record is:
v=DMARC1; p=none;| Cloudflare field | Value |
|---|---|
| Type | TXT |
| Name | _dmarc |
| Content | v=DMARC1; p=none; |
p=none is a monitoring policy. It is a safer starting point while you confirm Google SPF, Google DKIM, and any third-party senders are authenticating correctly.
Do not move straight to p=reject unless you know legitimate mail from Google Workspace and other senders passes DMARC.
Step 8: Check Gmail users, aliases, and groups
DNS can route mail to Google Workspace, but DNS does not create mailboxes.
If MX is correct but a specific address still bounces, check whether the address exists in Google Workspace as:
- A user mailbox
- An alias
- A Google Group
- A routing rule
- A catch-all address if your setup uses one
For example, hello@example.com will not receive mail just because MX points to Google. The address also needs to exist or route somewhere inside Google Workspace.
Common Cloudflare mistakes with Google Workspace
| Mistake | Why it breaks setup |
|---|---|
| Adding records at the registrar instead of Cloudflare | Cloudflare nameservers make Cloudflare the active DNS host |
| Leaving old MX records | Incoming mail may route to the wrong provider |
| Using duplicate SPF records | SPF can fail because there are multiple policies |
| Copying DKIM from another guide | DKIM values must come from Google Admin |
| Skipping Gmail activation | DNS may be present but Gmail may not be active |
| Adding DMARC at the root domain | Receivers look for DMARC at _dmarc |
Using p=reject too early | Legitimate mail may be rejected |
| Changing website A/CNAME records | You can break a working website while fixing email |
If your website uses Cloudflare too
A working website does not prove Google Workspace DNS is correct.
Website records usually involve A, AAAA, or CNAME records. Google Workspace email uses MX and TXT/CNAME authentication records.
If the website already works, do not change website A, AAAA, or CNAME records unless the website itself is the issue.
| Record family | Purpose |
|---|---|
| A/AAAA/CNAME | Website routing |
| MX | Incoming email routing |
| SPF TXT | Outgoing sender authorization |
| DKIM TXT/CNAME | Outgoing email signing |
| DMARC TXT | Domain-level authentication policy |
| Google verification TXT/CNAME | Domain ownership verification |
Troubleshooting: Google Admin still says Gmail is not active
If Google Admin still reports that Gmail is not active after you add DNS records in Cloudflare, check these items:
- Confirm the domain uses Cloudflare nameservers.
- Confirm the MX record exists in Cloudflare, not only at the registrar.
- Confirm the MX record uses
smtp.google.comwith priority1for a current setup. - Remove old non-Google MX records unless you are intentionally migrating.
- Confirm Google domain verification is complete.
- Wait for DNS changes to be recognized.
- Return to Google Admin and run the Gmail activation check again.
Troubleshooting: incoming email still bounces
If Gmail is active but incoming mail bounces, DNS may not be the only issue.
Check:
- The recipient mailbox, alias, or group exists in Google Workspace
- The user has the needed Google Workspace license
- MX points only to the intended Google Workspace destination
- The sender is testing from an external mailbox
- Any bounce message for clues about the failing address or route
A correct MX record tells other mail systems where to deliver mail. It does not guarantee every address exists inside Google Workspace.
Troubleshooting: outgoing mail lands in spam
If receiving works but outgoing mail lands in spam, look at authentication next.
Check:
- SPF includes Google and is not duplicated.
- DKIM is generated, published in Cloudflare, and enabled in Google Admin.
- DMARC exists at
_dmarcwith a safe policy. - Third-party senders are authenticated if they send as your domain.
- The domain is not sending sudden high-volume or low-quality campaigns.
MX fixes receiving. SPF, DKIM, and DMARC help with outbound trust.
Migration checklist: moving email to Google Workspace
If you are moving from another email provider to Google Workspace, plan the DNS change carefully.
- Confirm Cloudflare is the active DNS host.
- Verify the domain in Google Admin.
- Create users, aliases, or groups in Google Workspace.
- Add Google Workspace MX in Cloudflare.
- Remove old MX records when ready to route mail to Google.
- Add or merge Google SPF.
- Generate and publish Google DKIM.
- Add a safe DMARC record.
- Activate Gmail in Google Admin.
- Test incoming and outgoing mail.
If the old email provider is still in use during a transition, be careful with timing. For a normal completed setup, inbound mail should route to the intended Google Workspace MX record.
What not to do
Avoid these mistakes while setting up Google Workspace in Cloudflare:
- Do not add Google records only at the registrar if Cloudflare nameservers are active.
- Do not keep old MX records after the domain should route to Google.
- Do not create duplicate SPF records.
- Do not invent Google verification or DKIM values.
- Do not orange-cloud MX or TXT records.
- Do not change website records while troubleshooting email unless the website is broken.
- Do not move DMARC straight to
p=rejectbefore testing. - Do not assume DNS creates Gmail users, aliases, or groups.
Final Google Workspace Cloudflare checklist
Before you consider setup complete, confirm:
- Cloudflare nameservers are active.
- Google domain verification is complete.
- Google Workspace MX uses
smtp.google.comwith priority1for a current setup. - Old MX records are removed unless intentionally needed for migration.
- Gmail is activated in Google Admin.
- SPF exists as one TXT record and includes Google.
- DKIM is generated in Google Admin, published in Cloudflare, and enabled.
- DMARC exists at
_dmarcwith a safe starter policy if unsure. - Users, aliases, or groups exist for addresses that should receive mail.
- Incoming and outgoing test emails work.
Run an email DNS check
Use Domain Email Doctor to scan your domain's public DNS records before changing more settings in Cloudflare or Google Admin.
A scan can help you separate Google Workspace MX issues from SPF, DKIM, DMARC, nameserver, and provider setup problems.
Start with the records that affect email, and avoid changing website DNS that is already working.
Quick checklist
- Cloudflare nameservers are active.
- Google domain verification is complete.
- Google Workspace MX uses
smtp.google.comwith priority1for a current setup. - Old MX records are removed unless intentionally needed for migration.
- Gmail is activated in Google Admin.
- SPF exists as one TXT record and includes Google.
- DKIM is generated in Google Admin, published in Cloudflare, and enabled.
- DMARC exists at
_dmarcwith a safe starter policy if unsure. - Users, aliases, or groups exist for addresses that should receive mail.
- Incoming and outgoing test emails work.