What MX record does Google Workspace use?

Google's current Workspace MX record value is `smtp.google.com` with priority 1 at the apex. Google says older `aspmx` MX records are still supported for legacy setups, so do not change a working legacy setup unless you are intentionally standardizing.

What SPF record should I use for Google Workspace only?

Google's documented Google Workspace-only SPF value is `v=spf1 include:_spf.google.com ~all`. If you also send through other services, include those services in the same SPF record instead of creating a second SPF record.

Where does the Google DKIM record go?

Google Admin console generates the selector and TXT value. The default selector is commonly `google`, which produces a name such as `google._domainkey`, but use the exact selector and value shown by Google.

Should I start DMARC at reject?

No. Start with `p=none`, review aggregate reports, then move to `quarantine` and `reject` after SPF and DKIM alignment is clean.

Can I keep old MX records?

Do not keep old MX records once you want Gmail to receive all new mail. Mixed MX records can route mail to the wrong provider during or after migration.

How long can Google DNS setup take?

Google's documentation says MX and TXT changes can take up to 72 hours to be recognized. Most changes resolve sooner, but plan migrations around the longest previous TTL and provider verification windows.

Email & TLSBeginner

Google Workspace DNS Setup

Set up Google Workspace DNS records on DNScale: domain verification, Gmail MX, SPF, DKIM, DMARC, verification commands, and migration checks.

Updated 29 June 2026

Start free Browse guides

Answer snapshot

Google Workspace DNS setup has five main records: a TXT record from Google Admin console for domain verification, one Gmail MX record at the apex pointing to `smtp.google.com`, one SPF TXT record such as `v=spf1 include:_spf.google.com ~all` when Google Workspace is your only sender, a DKIM TXT record generated in Google Admin console, and a staged DMARC TXT record at `_dmarc`. Remove old MX records only when you are ready for Gmail to receive new mail.

What you'll learn

Verify a domain for Google Workspace using a TXT record
Route inbound mail to Gmail with the current Google Workspace MX record
Publish SPF, DKIM, and DMARC records safely
Validate the setup with dig before completing migration
Avoid common Google Workspace DNS mistakes

Google Workspace uses DNS to prove domain ownership, receive Gmail mail, authenticate outgoing mail, and enforce anti-spoofing policy.

Use this guide when DNScale hosts the authoritative DNS zone for a domain you are adding to Google Workspace.

Official Google references:

Record Checklist

Purpose	Type	Name	Value
Domain verification	TXT	`@`	Exact `google-site-verification=...` value from Google Admin console
Gmail inbound mail	MX	`@`	`smtp.google.com` with priority `1`
SPF	TXT	`@`	`v=spf1 include:_spf.google.com ~all` if Google Workspace is the only sender
DKIM	TXT	`<selector>._domainkey`	Exact DKIM value generated by Google Admin console
DMARC	TXT	`_dmarc`	Start with `v=DMARC1; p=none; rua=mailto:dmarc@example.com`

Do not paste the example verification or DKIM values from this page into production. Those values are unique to your Google Workspace account and domain.

1. Verify the Domain

In Google Admin console, add the domain and choose TXT verification. Google gives you a unique TXT value, usually starting with:

google-site-verification=

Create the record in DNScale:

Type: TXT
Name: @
Content: google-site-verification=<value-from-google>
TTL: 3600

Verify from the command line:

dig TXT example.com +short

Then return to Google Admin console and confirm ownership.

Keep the verification TXT record unless Google explicitly says it can be removed. Verification records are low risk and help avoid account revalidation problems later.

2. Route Mail to Gmail

Google's current Google Workspace MX record is:

Type: MX
Name: @
Priority: 1
Target: smtp.google.com
TTL: 3600

Some DNS interfaces require a trailing dot:

smtp.google.com.

DNScale normalizes record names for you, but the target should still be the exact mail exchanger hostname.

If the domain already receives mail somewhere else, plan the cutover:

Create all Google Workspace users and mailboxes first.
Lower old MX TTLs 24-48 hours ahead if possible.
Remove old MX records when you are ready for Gmail to receive new mail.
Add the Google Workspace MX record.
Verify from multiple resolvers.

Check:

dig MX example.com +short
dig MX example.com @1.1.1.1 +short
dig MX example.com @8.8.8.8 +short

Google notes that legacy MX records beginning with aspmx are still supported for older Workspace setups. If mail is working on a legacy setup, do not change it during an unrelated DNS cleanup.

3. Publish SPF

If Google Workspace is the only system sending mail for the domain:

Type: TXT
Name: @
Content: v=spf1 include:_spf.google.com ~all
TTL: 3600

If other systems send mail too, keep one SPF record and add their includes or IP ranges to the same record:

v=spf1 include:_spf.google.com include:amazonses.com include:servers.mcsv.net ~all

Do not create multiple SPF TXT records at the same name. Receivers treat that as an SPF error.

Check:

dig TXT example.com +short

Then count lookups before adding more senders. SPF has a 10-DNS-lookup limit. See SPF Record Explained for lookup-count troubleshooting.

4. Enable DKIM

In Google Admin console:

Go to the Gmail authentication settings.
Select the domain.
Generate a DKIM record.
Choose a 2048-bit key when your DNS host supports long TXT records.
Copy the selector and TXT value exactly.

Google's default selector is commonly:

google

That produces this DNS name:

google._domainkey.example.com

Create the DNScale TXT record:

Type: TXT
Name: google._domainkey
Content: v=DKIM1; k=rsa; p=<public-key-from-google>
TTL: 3600

Use the exact selector from Google if it is not google.

Check:

dig TXT google._domainkey.example.com +short

After DNS resolves, return to Google Admin console and enable DKIM signing.

5. Roll Out DMARC

Start with monitoring:

Type: TXT
Name: _dmarc
Content: v=DMARC1; p=none; rua=mailto:dmarc@example.com
TTL: 3600

After reports show legitimate mail passes SPF or DKIM alignment, move in stages:

v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com

Then:

v=DMARC1; p=reject; rua=mailto:dmarc@example.com

Do not move to reject until marketing tools, CRMs, ticketing systems, ecommerce platforms, and website mail all pass alignment.

Check:

dig TXT _dmarc.example.com +short

For the deeper policy model, read DMARC Explained.

DNScale API Example

You can also create records through the DNScale API.

curl -X POST "https://api.dnscale.eu/v1/zones/$ZONE_ID/records" \
  -H "Authorization: Bearer $DNSCALE_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "@",
    "type": "MX",
    "content": "smtp.google.com.",
    "priority": 1,
    "ttl": 3600
  }'

Use the dashboard for one-off setup. Use the API, Terraform, or DNSControl when you need repeatable onboarding across many domains.

Migration Checklist

Before changing MX:

Google Workspace domain is verified.
Users and mailboxes exist.
Old provider export or migration is complete.
Old MX TTL has been lowered and aged out.
SPF includes every legitimate sender.
DKIM record exists and signing is enabled.
DMARC starts at p=none.
Support team knows the cutover window.

After changing MX:

dig MX returns only the intended Google Workspace MX.
Test inbound mail from an external mailbox.
Test outbound mail and inspect headers for SPF, DKIM, and DMARC.
Watch DMARC aggregate reports for unknown senders.

Common Mistakes

Keeping old MX records

Old MX records can route some mail to the previous provider. Remove old MX records once Gmail should receive all new mail.

Creating two SPF records

SPF must be one TXT record at the domain. Merge all senders into one value.

Copying DKIM examples

DKIM values are unique. Copy the value generated by Google Admin console.

Moving DMARC too fast

p=reject is the destination, not the starting point. Start with reports, fix legitimate senders, then enforce.

Frequently asked questions

What MX record does Google Workspace use?: Google's current Workspace MX record value is `smtp.google.com` with priority 1 at the apex. Google says older `aspmx` MX records are still supported for legacy setups, so do not change a working legacy setup unless you are intentionally standardizing.
What SPF record should I use for Google Workspace only?: Google's documented Google Workspace-only SPF value is `v=spf1 include:_spf.google.com ~all`. If you also send through other services, include those services in the same SPF record instead of creating a second SPF record.
Where does the Google DKIM record go?: Google Admin console generates the selector and TXT value. The default selector is commonly `google`, which produces a name such as `google._domainkey`, but use the exact selector and value shown by Google.
Should I start DMARC at reject?: No. Start with `p=none`, review aggregate reports, then move to `quarantine` and `reject` after SPF and DKIM alignment is clean.
Can I keep old MX records?: Do not keep old MX records once you want Gmail to receive all new mail. Mixed MX records can route mail to the wrong provider during or after migration.
How long can Google DNS setup take?: Google's documentation says MX and TXT changes can take up to 72 hours to be recognized. Most changes resolve sooner, but plan migrations around the longest previous TTL and provider verification windows.

Related guides

Ready to manage your DNS with confidence?

DNScale provides anycast DNS hosting with a global network, real-time analytics, and an easy-to-use API.

Start free

Record Checklist

1. Verify the Domain

2. Route Mail to Gmail

3. Publish SPF

4. Enable DKIM

5. Roll Out DMARC

DNScale API Example

Migration Checklist

Common Mistakes

Keeping old MX records

Creating two SPF records

Copying DKIM examples

Moving DMARC too fast

Related Guides

Frequently asked questions

Related guides

Ready to manage your DNS with confidence?