Google Workspace and Cloudflare: Email DNS Setup Checklist
Set up Google Workspace email DNS in Cloudflare by checking MX records, SPF, DKIM, and DMARC without changing website records unnecessarily.
When Cloudflare is the active DNS host, Google Workspace records must be added in Cloudflare DNS even if the domain was purchased somewhere else.
The simplest path is to confirm Cloudflare nameservers first, then add or verify Google Workspace MX, SPF, DKIM, and DMARC records in the same DNS zone.
Start with Cloudflare nameservers
If the domain's nameservers point to Cloudflare, Cloudflare is the place that controls public DNS. Records added at the registrar may be ignored until nameservers change back.
This matters because many setup failures are not wrong values. They are correct values entered in the wrong DNS account.
Verify Google MX records
Google Workspace uses MX records for inbound mail routing. Your domain should not keep old MX records from a previous provider unless you are intentionally running a special migration setup.
If email does not arrive in Gmail, MX records are the first records to confirm.
Add SPF, DKIM, and DMARC carefully
SPF is a TXT record on the root domain. If another SPF record already exists, merge Google's include with the existing record instead of adding a second SPF record.
DKIM uses a selector generated inside Google Admin. DMARC belongs at _dmarc and can start with p=none while you confirm legitimate mail is authenticating.
Quick checklist
- Confirm the domain uses Cloudflare nameservers.
- Add Google Workspace MX records in Cloudflare DNS.
- Merge Google SPF into one root-domain SPF record.
- Generate DKIM in Google Admin and publish the selector record in Cloudflare.
- Add a basic DMARC record at _dmarc after SPF or DKIM is in place.