Domain Email DoctorScan my domain
Back to guides

Google Workspace and Cloudflare: Email DNS Setup Checklist

Set up Google Workspace email DNS in Cloudflare with a practical checklist for MX, SPF, DKIM, DMARC, domain verification, Gmail activation, and common setup mistakes.

Set up Google Workspace with Cloudflare - 18 min

When your domain uses Cloudflare for DNS, Google Workspace email records must be published in Cloudflare, even if the domain was purchased somewhere else.

Google Workspace can host your Gmail inboxes, but DNS controls whether the internet knows to deliver mail to Google and whether your outgoing messages pass authentication.

This guide walks through the practical Cloudflare DNS checklist for Google Workspace: nameservers, MX, SPF, DKIM, DMARC, domain verification, Gmail activation, and the common mistakes that make setup look complete when it is not.

On this page

Quick answer: Google Workspace DNS records in Cloudflare

For a normal Google Workspace email setup in Cloudflare, check these records and setup steps first:

StepWhat to checkWhy it matters
1Cloudflare nameserversConfirms Cloudflare is the active DNS host
2Google domain verificationGoogle may require a TXT or CNAME value from Google Admin before activating services
3Google Workspace MXRoutes incoming email to Gmail
4Gmail activationGoogle Admin still needs Gmail activated after DNS is added
5SPFAuthorizes Google to send mail for your domain
6DKIMLets Google sign outgoing mail with your domain
7DMARCPublishes a safe domain-level policy for authentication failures
8Old provider recordsOld MX/SPF/DKIM values can keep mail routed to the wrong place

For new Google Workspace setups, the current Google MX record is:

Type: MX
Name: @
Mail server: smtp.google.com
Priority: 1

Older legacy Google MX records beginning with ASPMX are still supported if they are already working, but new setups should follow the current Google Admin instructions.

Before you edit DNS: confirm Cloudflare is authoritative

The most common setup mistake is adding correct Google records in the wrong DNS account.

If your domain uses Cloudflare nameservers, Cloudflare controls the public DNS zone. Records added only at your registrar, website host, or old DNS provider usually will not affect live DNS.

Check the domain's nameservers first. If they point to Cloudflare, make the Google Workspace MX, SPF, DKIM, DMARC, and verification changes inside Cloudflare DNS.

A common setup looks like this:

RoleProvider
RegistrarNamecheap, GoDaddy, Squarespace, or another registrar
DNS hostCloudflare
Website hostVercel, Shopify, Wix, WordPress, or another website platform
Email providerGoogle Workspace

In that setup, Cloudflare is the place to edit email DNS.

Cloudflare DNS-only note for email records

Cloudflare proxy settings are for web traffic. Email DNS records are different.

MX and TXT records are DNS-only in Cloudflare. You do not orange-cloud MX, SPF, DMARC, or verification TXT records.

For Google Workspace email setup, focus on whether the records exist with the right name, type, value, and priority. Do not try to route email through Cloudflare's HTTP proxy.

Record typeCloudflare proxy behavior
MXDNS-only
TXTDNS-only
DKIM TXTDNS-only
DKIM CNAMEUsually DNS-only for provider validation
Website A/AAAA/CNAMEMay be proxied when it is serving web traffic

Step 1: Add or confirm Google domain verification

Google Workspace may ask you to verify that you own the domain before Gmail can be fully activated.

The verification value must come from Google Admin or Google's setup tool. Do not copy a verification TXT or CNAME value from another guide, another domain, or another account.

In Cloudflare, this verification record is usually one of these:

Record typeWhere the value comes fromWhere to add it
TXTGoogle AdminCloudflare DNS
CNAMEGoogle AdminCloudflare DNS

After adding the verification record in Cloudflare, return to Google Admin and continue the verification flow.

Step 2: Add the current Google Workspace MX record

MX records tell the internet where to deliver incoming email for your domain. For new Google Workspace setups, use Google's current single MX value unless Google Admin gives you different instructions for your account.

Cloudflare fieldValue
TypeMX
Name@ or the root domain
Mail serversmtp.google.com
Priority1
TTLAuto or the default value Cloudflare provides

Some DNS interfaces add a trailing dot automatically. Cloudflare normally accepts smtp.google.com as the mail server value.

If your Google Admin instructions show older Google MX hosts that begin with ASPMX, those legacy values are still supported when already working. For a new setup, follow the current Google Admin instructions and use smtp.google.com with priority 1 when that is what Google shows.

Step 3: Remove old or conflicting MX records

Your domain should normally route incoming mail to one email provider.

If you are moving from another provider to Google Workspace, old MX records can keep mail going to the wrong system.

Common old MX sources include:

  • cPanel hosting email
  • Zoho Mail
  • Microsoft 365
  • Proton Mail
  • Fastmail
  • Email forwarding services
  • A website host that previously handled email

For a completed Google Workspace setup, remove old MX records unless you are intentionally running a migration or special routing setup.

MX stateLikely result
Only Google Workspace MXIncoming mail should route to Gmail
No MX recordsIncoming mail may bounce or fail
Old provider MX remainsMail may still route to the old provider
Mixed provider MX recordsMail routing can be unpredictable

Step 4: Activate Gmail in Google Admin

Adding the MX record in Cloudflare is not always the final step. Google Admin may still require you to activate Gmail for the domain.

After adding or fixing MX records, return to Google Admin and complete the Gmail activation flow for the domain.

If Gmail activation still fails, check:

  • Cloudflare is the active DNS host
  • The MX record was added at the root domain
  • The mail server is smtp.google.com
  • The priority is 1
  • Old MX records were removed
  • Google domain verification is complete
  • Enough time has passed for DNS changes to be recognized

Step 5: Add or merge Google SPF

SPF authorizes sending services for your domain. If Google Workspace sends email for your domain, the SPF record should include Google.

A common Google Workspace SPF record is:

v=spf1 include:_spf.google.com ~all

Publish SPF as a TXT record on the root domain.

Cloudflare fieldValue
TypeTXT
Name@ or the root domain
Contentv=spf1 include:_spf.google.com ~all when Google is your only sender

Do not create two SPF records. If your domain already has SPF for another legitimate sender, merge Google into the existing SPF record instead of adding a second v=spf1 TXT record.

For example, this is wrong because it creates duplicate SPF policies:

v=spf1 include:_spf.google.com ~all
v=spf1 include:send.example.com ~all

A merged record keeps one SPF policy:

v=spf1 include:_spf.google.com include:send.example.com ~all

Only include third-party senders that actually send email for your domain.

Step 6: Generate and publish Google DKIM

DKIM lets Google sign outgoing email with your domain. Receiving mail servers can verify that signature against a DNS record.

The DKIM value must come from Google Admin. Do not invent a DKIM selector or copy another domain's DKIM value.

The usual workflow is:

  1. Open Google Admin.
  2. Find the Gmail authentication or DKIM setup area.
  3. Generate the DKIM record for your domain.
  4. Copy the selector/name and value exactly as Google provides them.
  5. Add the record in Cloudflare DNS.
  6. Return to Google Admin and enable or start DKIM authentication.

Depending on Google's instructions, the DKIM record may appear as a TXT record using a _domainkey hostname.

Common DKIM mistakes include:

MistakeResult
DKIM not generated in Google AdminThere is no correct value to publish
DKIM value copied from another domainAuthentication fails
Wrong selector or hostnameGoogle may not find the record
Record added outside Cloudflare while Cloudflare is authoritativePublic DNS does not change
DNS exists but DKIM not enabled in Google AdminMessages may not be signed

Step 7: Add a safe DMARC record

DMARC publishes a domain-level policy for messages that fail authentication and alignment checks.

DMARC belongs at _dmarc as a TXT record.

A safe starter DMARC record is:

v=DMARC1; p=none;
Cloudflare fieldValue
TypeTXT
Name_dmarc
Contentv=DMARC1; p=none;

p=none is a monitoring policy. It is a safer starting point while you confirm Google SPF, Google DKIM, and any third-party senders are authenticating correctly.

Do not move straight to p=reject unless you know legitimate mail from Google Workspace and other senders passes DMARC.

Step 8: Check Gmail users, aliases, and groups

DNS can route mail to Google Workspace, but DNS does not create mailboxes.

If MX is correct but a specific address still bounces, check whether the address exists in Google Workspace as:

  • A user mailbox
  • An alias
  • A Google Group
  • A routing rule
  • A catch-all address if your setup uses one

For example, hello@example.com will not receive mail just because MX points to Google. The address also needs to exist or route somewhere inside Google Workspace.

Common Cloudflare mistakes with Google Workspace

MistakeWhy it breaks setup
Adding records at the registrar instead of CloudflareCloudflare nameservers make Cloudflare the active DNS host
Leaving old MX recordsIncoming mail may route to the wrong provider
Using duplicate SPF recordsSPF can fail because there are multiple policies
Copying DKIM from another guideDKIM values must come from Google Admin
Skipping Gmail activationDNS may be present but Gmail may not be active
Adding DMARC at the root domainReceivers look for DMARC at _dmarc
Using p=reject too earlyLegitimate mail may be rejected
Changing website A/CNAME recordsYou can break a working website while fixing email

If your website uses Cloudflare too

A working website does not prove Google Workspace DNS is correct.

Website records usually involve A, AAAA, or CNAME records. Google Workspace email uses MX and TXT/CNAME authentication records.

If the website already works, do not change website A, AAAA, or CNAME records unless the website itself is the issue.

Record familyPurpose
A/AAAA/CNAMEWebsite routing
MXIncoming email routing
SPF TXTOutgoing sender authorization
DKIM TXT/CNAMEOutgoing email signing
DMARC TXTDomain-level authentication policy
Google verification TXT/CNAMEDomain ownership verification

Troubleshooting: Google Admin still says Gmail is not active

If Google Admin still reports that Gmail is not active after you add DNS records in Cloudflare, check these items:

  1. Confirm the domain uses Cloudflare nameservers.
  2. Confirm the MX record exists in Cloudflare, not only at the registrar.
  3. Confirm the MX record uses smtp.google.com with priority 1 for a current setup.
  4. Remove old non-Google MX records unless you are intentionally migrating.
  5. Confirm Google domain verification is complete.
  6. Wait for DNS changes to be recognized.
  7. Return to Google Admin and run the Gmail activation check again.

Troubleshooting: incoming email still bounces

If Gmail is active but incoming mail bounces, DNS may not be the only issue.

Check:

  • The recipient mailbox, alias, or group exists in Google Workspace
  • The user has the needed Google Workspace license
  • MX points only to the intended Google Workspace destination
  • The sender is testing from an external mailbox
  • Any bounce message for clues about the failing address or route

A correct MX record tells other mail systems where to deliver mail. It does not guarantee every address exists inside Google Workspace.

Troubleshooting: outgoing mail lands in spam

If receiving works but outgoing mail lands in spam, look at authentication next.

Check:

  1. SPF includes Google and is not duplicated.
  2. DKIM is generated, published in Cloudflare, and enabled in Google Admin.
  3. DMARC exists at _dmarc with a safe policy.
  4. Third-party senders are authenticated if they send as your domain.
  5. The domain is not sending sudden high-volume or low-quality campaigns.

MX fixes receiving. SPF, DKIM, and DMARC help with outbound trust.

Migration checklist: moving email to Google Workspace

If you are moving from another email provider to Google Workspace, plan the DNS change carefully.

  1. Confirm Cloudflare is the active DNS host.
  2. Verify the domain in Google Admin.
  3. Create users, aliases, or groups in Google Workspace.
  4. Add Google Workspace MX in Cloudflare.
  5. Remove old MX records when ready to route mail to Google.
  6. Add or merge Google SPF.
  7. Generate and publish Google DKIM.
  8. Add a safe DMARC record.
  9. Activate Gmail in Google Admin.
  10. Test incoming and outgoing mail.

If the old email provider is still in use during a transition, be careful with timing. For a normal completed setup, inbound mail should route to the intended Google Workspace MX record.

What not to do

Avoid these mistakes while setting up Google Workspace in Cloudflare:

  • Do not add Google records only at the registrar if Cloudflare nameservers are active.
  • Do not keep old MX records after the domain should route to Google.
  • Do not create duplicate SPF records.
  • Do not invent Google verification or DKIM values.
  • Do not orange-cloud MX or TXT records.
  • Do not change website records while troubleshooting email unless the website is broken.
  • Do not move DMARC straight to p=reject before testing.
  • Do not assume DNS creates Gmail users, aliases, or groups.

Final Google Workspace Cloudflare checklist

Before you consider setup complete, confirm:

  • Cloudflare nameservers are active.
  • Google domain verification is complete.
  • Google Workspace MX uses smtp.google.com with priority 1 for a current setup.
  • Old MX records are removed unless intentionally needed for migration.
  • Gmail is activated in Google Admin.
  • SPF exists as one TXT record and includes Google.
  • DKIM is generated in Google Admin, published in Cloudflare, and enabled.
  • DMARC exists at _dmarc with a safe starter policy if unsure.
  • Users, aliases, or groups exist for addresses that should receive mail.
  • Incoming and outgoing test emails work.

Run an email DNS check

Use Domain Email Doctor to scan your domain's public DNS records before changing more settings in Cloudflare or Google Admin.

A scan can help you separate Google Workspace MX issues from SPF, DKIM, DMARC, nameserver, and provider setup problems.

Start with the records that affect email, and avoid changing website DNS that is already working.

Quick checklist

Next step: Run a Google Workspace DNS check before changing Cloudflare records, so you can review public mail records without touching unrelated website settings. Domain Email Doctor reads public DNS only and keeps the first step simple: enter an email or domain.
Run an email DNS check