
Setup Google Workspace

Info

This page provides step-by-step instructions (with screenshots) on how to set up Google Workspace for your domains, and is the companion to my Migrating to Google Workspace: Solving Email Routing Challenge blog post.

Create a Google Workspace Account

Create an account
  1. Go to the Google Workspace website and select Get Started Now
  2. Enter the business name, number of users, region, and click Next
  3. Enter your contact information and click Next
  4. Confirm you have a domain you can use for the setup
  5. Enter the domain you want to use as Primary Domain and click Next
  6. Provide a secondary email address to be used as recovery email and click Next
  7. Choose a username and password for the admin account
  8. Provide a phone number to verify your identity, then enter the verification code (without the G- prefix)
  9. Accept the terms and conditions and click I understand
Pick a subscription
  1. Enter your contact/billing information.
    • Notice that Google will try to put you in a more expensive Business Plus plan by default. We will change it later.
  2. Go to Billing > Subscriptions > Add or upgrade subscription
  3. Pick the Plan that you prefer (I chose Business Starter) and click SWITCH
    • You can find the breakdown of the different plans here
  4. Pick a payment plan (I chose Annual), then CHECKOUT
Verify your Primary Domain
  1. In the Admin Console's homepage you should have a banner prompting you to verify your domain
  2. Add the TXT record of the verification code to your DNS provider
    • For example, if you use Cloudflare and Terraform, you could add the following resource:
      resource "cloudflare_record" "google_workspace_verification" {
          zone_id = cloudflare_zone.xxxxx.id
          name    = "example.com"
          value   = "google-site-verification=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
          type    = "TXT"
          # proxied is a boolean; TXT records are always DNS-only
          proxied = false
          ttl     = 86400
          comment = "Google Workspace"
      }
      
  3. Once ready, select Verify my domain
Harden the Admin user
  1. In the top-right corner, click on your profile picture and select Manage your Google Account
  2. Add MFA
  3. Add Passkeys
  4. Enrol in the Advanced Protection Program

Setup Gmail for the Primary Domain

Create Aliases
  1. In the Admin Console, go to Directory > Users and select the user you want to create an alias for
  2. Click on Add Alternative Emails, and enter the aliases you want to create
Setup the MX records
  1. In the Admin Console's homepage you should have a banner prompting you to set up the MX records
  2. Confirm you are ready to transfer the MX records
  3. Add the MX records to your DNS provider
    • For example, if you use Cloudflare and Terraform, this is the process:
      • Add the following resources to your Terraform, but do not apply yet:
        resource "cloudflare_record" "google_workspace_mx" {
            zone_id  = cloudflare_zone.xxxxx.id
            name     = "example.com"
            value    = "XXXXXX"
            type     = "MX"
            # proxied is a boolean; MX records are always DNS-only
            proxied  = false
            ttl      = 3600
            priority = 1
            comment  = "Google Workspace MX"
        }
        
        resource "cloudflare_record" "google_workspace_alt_1" {
            zone_id  = cloudflare_zone.xxxxx.id
            name     = "example.com"
            value    = "XXXXXX"
            type     = "MX"
            proxied  = false
            ttl      = 3600
            priority = 5
            comment  = "Google Workspace MX"
        }
        
        # And so on for the other alternative records...
        
      • Remove the Cloudflare MX records from your Terraform, but do not apply yet
      • In the Cloudflare Dashboard, select your domain then Email > Email Routing > Settings
      • Select the ... button, then Disable Email Routing > Unlock but keep records
      • Apply your Terraform changes
  4. Go back to the Admin Console, and once ready select Activate Gmail
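A check for the MX cutover described above, written as an added example rather than code from the original post: it classifies the answer of `dig +short MX <domain>` so you can confirm that no Cloudflare Email Routing records still answer alongside the Google ones before activating Gmail. The hostname suffixes and the sample answers are assumptions constructed for illustration.

```python
# Added example. Suffixes are assumptions about each provider's MX hostnames,
# not values taken from the page; adjust them to what your consoles show.
CLOUDFLARE_ROUTING_SUFFIX = ".mx.cloudflare.net"
GOOGLE_MX_SUFFIXES = (".google.com", ".googlemail.com")

# Constructed sample answers in `dig +short MX example.com` format.
BEFORE = "10 route1.mx.cloudflare.net.\n20 route2.mx.cloudflare.net.\n"
MIXED = "1 aspmx.l.google.com.\n5 alt1.aspmx.l.google.com.\n20 route2.mx.cloudflare.net.\n"
AFTER = "1 aspmx.l.google.com.\n5 alt1.aspmx.l.google.com.\n"


def parse_mx(dig_short_output):
    """Parse `dig +short MX` lines into sorted (priority, host) tuples."""
    records = []
    for line in dig_short_output.strip().splitlines():
        parts = line.split()
        if len(parts) != 2 or not parts[0].isdigit():
            continue  # skip anything that is not "<priority> <host>"
        records.append((int(parts[0]), parts[1].rstrip(".").lower()))
    return sorted(records)


def assess_cutover(dig_short_output):
    """Return (status, leftover_hosts) for the MX answer of one domain."""
    records = parse_mx(dig_short_output)
    if not records:
        return "no-mx", []
    cloudflare = [h for _, h in records if h.endswith(CLOUDFLARE_ROUTING_SUFFIX)]
    google = [h for _, h in records if h.endswith(GOOGLE_MX_SUFFIXES)]
    other = [h for _, h in records if h not in cloudflare and h not in google]
    if google and not cloudflare and not other:
        return "google-only", []
    if not google:
        return "not-migrated", cloudflare + other
    # Both providers answer: delivery is split by priority and availability,
    # so some mail still lands at the old route.
    return "mixed", cloudflare + other


if __name__ == "__main__":
    for label, answer in (("before", BEFORE), ("mixed", MIXED), ("after", AFTER)):
        print(label, assess_cutover(answer))
```

Query an authoritative nameserver for the zone when running `dig`, since recursive resolvers may serve the old MX set until its TTL expires.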
Setup a Catch-All Address
  1. In the Admin Console, go to Apps > Google Workspace > Gmail > Default Routing
  2. Click on Configure
  3. In the configuration settings, change the selection to All Recipients to ensure that emails sent to any address are captured by the catch-all address
  4. Under Envelope Recipient, select Change envelope recipient > Replace recipient, and add the email address you want to use as catch-all
Authenticate outgoing emails (DKIM)
  1. In the Admin Console, go to Apps > Google Workspace > Gmail > Authenticate email
  2. Select your primary domain, then GENERATE NEW RECORD
  3. Add the TXT record to your DNS provider
    • For example, if you use Cloudflare and Terraform, you could add the following resource:
      resource "cloudflare_record" "google_workspace_dkim" {
          zone_id = cloudflare_zone.xxxxx.id
          name    = "google._domainkey"
          value   = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
          type    = "TXT"
          # proxied is a boolean; TXT records are always DNS-only
          proxied = false
          ttl     = 600
          comment = "DKIM for Google Workspace"
      }
      
  4. Once ready, select START AUTHENTICATION
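A pre-flight check for the DKIM record before selecting START AUTHENTICATION, written as an added example rather than code from the original post: it takes the output of `dig +short TXT google._domainkey.<domain>`, rejoins the quoted strings a long key is split into, and reports a missing, revoked or truncated key. The sample records use placeholder bytes, not a real key.

```python
import base64
import binascii
import re

# Constructed sample: placeholder bytes in place of a key, split the way a long
# TXT value is published (strings of at most 255 characters each).
_VALUE = "v=DKIM1; k=rsa; p=" + base64.b64encode(bytes(294)).decode()
SAMPLE_OK = '"%s" "%s"' % (_VALUE[:255], _VALUE[255:])
SAMPLE_TRUNCATED = '"%s"' % _VALUE[:255]  # second string lost when pasting


def parse_dkim_txt(dig_short_output):
    """Join the quoted TXT strings and split them into DKIM tag=value pairs."""
    chunks = re.findall(r'"([^"]*)"', dig_short_output)
    joined = "".join(chunks)  # strings are concatenated with no separator
    tags = {}
    for item in joined.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip()] = "".join(value.split())  # drop folding whitespace
    return chunks, tags


def check_dkim_record(dig_short_output):
    """Return a list of problems; an empty list means the record looks usable."""
    chunks, tags = parse_dkim_txt(dig_short_output)
    if not chunks:
        return ["no TXT record published at the selector"]
    problems = []
    if any(len(c) > 255 for c in chunks):
        problems.append("a TXT string exceeds 255 characters")
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("unexpected version tag")
    key = tags.get("p")
    if key is None:
        problems.append("missing p= tag")
    elif key == "":
        problems.append("empty p= tag (key revoked)")
    else:
        try:
            base64.b64decode(key, validate=True)
        except (binascii.Error, ValueError):
            problems.append("p= is not valid base64 (truncated or mis-pasted)")
    return problems


if __name__ == "__main__":
    print(check_dkim_record(SAMPLE_OK), check_dkim_record(SAMPLE_TRUNCATED))
```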
Setup an Outbound Gateway
  1. To allow aliases to send emails, you need to set up an Outbound Gateway
  2. In the Admin Console, go to Apps > Google Workspace > Gmail > End User Access
  3. In the Allow per-user outbound gateways section, select Allow users to send mail through an external SMTP server when configuring a "from" address hosted outside your email domains

Setup Gmail for the Secondary Domains

Verify Secondary Domain
  1. In the Admin Console, go to Account > Domains > Manage domains and select Add a domain
  2. Enter the name of the domain you are adding, and select a domain type (I chose User alias domain)
  3. Select Add domain and start verification
  4. Add the TXT record of the verification code to your DNS provider
  5. Once ready, select Verify my domain
Setup the MX records
  1. In the Admin Console, go to Account > Domains > Manage domains
  2. Select Activate Gmail for the domain you just added
  3. Confirm you are ready to transfer the MX records (similar to the Primary setup)
  4. Add the MX records to your DNS provider (similar to the Primary setup)
    • Add the new MX records to your Terraform, but do not apply yet
    • Remove the Cloudflare MX records from your Terraform, but do not apply yet
    • In the Cloudflare Dashboard, select your domain then Email > Email Routing > Settings
    • Select the ... button, then Disable Email Routing > Unlock but keep records
    • Apply your Terraform changes
  5. Go back to the Admin Console, and once ready select Activate Gmail (similar to the Primary setup)
Authenticate outgoing emails (DKIM)
  1. In the Admin Console, go to Apps > Google Workspace > Gmail > Authenticate email
  2. Select the domain you just added, then GENERATE NEW RECORD (similar to the Primary setup)
  3. Add the TXT record to your DNS provider (similar to the Primary setup)
  4. Once ready, select START AUTHENTICATION
Configure Gmail client for outbound
  1. In Gmail, go to Settings > Accounts > Send mail as and add the new email (tick treat as alias)