- Getting Started: Create an Account and Add a Domain
- Add and verify domain
- Setting up MX, SPF, DKIM, and DMARC records
- MX records for Google Workspace
- SPF record (TXT)
- DKIM — Email Signature
- DMARC — Fraud Prevention and Reporting Policy
- Add users, groups, aliases, and shared mailboxes
- SMTP Relay settings and sending from your servers
- Migrate email to Google Workspace
- Client settings (IMAP/POP/Exchange)
- Security and Management (Best Practices)
- Tracking issues, logs, and troubleshooting
- Operational and Scalability Solutions
- Data backup and maintenance
- Tips for DevOps, Traders, and Gamers
- Practical Scenarios — Examples
- Conclusion and suggested solutions
- Frequently Asked Questions
Getting Started: Create an Account and Add a Domain
To set up Google Workspace, first go to admin.google.com and create an organizational account.
Enter your organization information, primary domain name, and owner information. Choose the appropriate plan based on your email, archive, and Vault needs (e.g. Business Starter, Standard, Plus, Enterprise).
Add and verify domain
In the Admin console, go to Domains → Manage domains and select Add a domain.
Google offers several ways to verify ownership: a TXT record in DNS, an HTML file, or a meta tag. If your DNS is on our company's panel, log in to your DNS panel and add a TXT record with the value provided by Google.
dig TXT yourdomain.com +short
nslookup -type=TXT yourdomain.com
After the record is published (usually from a few minutes to 24 hours depending on the TTL), click Verify in the Admin console.
Setting up MX, SPF, DKIM, and DMARC records
To receive and send email securely, you need to set MX, SPF, DKIM, and DMARC records.
MX records for Google Workspace
In your DNS, add the following MX records (enter the priorities as they are):
- ASPMX.L.GOOGLE.COM. (priority 1)
- ALT1.ASPMX.L.GOOGLE.COM. (priority 5)
- ALT2.ASPMX.L.GOOGLE.COM. (priority 5)
- ALT3.ASPMX.L.GOOGLE.COM. (priority 10)
- ALT4.ASPMX.L.GOOGLE.COM. (priority 10)
dig MX yourdomain.com +short
SPF record (TXT)
Set up a TXT record to prevent sender spoofing. Basic example:
v=spf1 include:_spf.google.com ~all
In DNS: Type: TXT, Name: @, Value: "v=spf1 include:_spf.google.com ~all"
If you use internal servers or another forwarding service, add them to SPF, for example:
v=spf1 include:_spf.google.com ip4:203.0.113.5 ~all
DKIM — Email Signature
In the admin console: Apps → Google Workspace → Gmail → Authenticate email → Generate new record.
Select a selector (for example, google). Google creates a TXT record named google._domainkey.yourdomain.com and gives you its value (p=…). Add the record in DNS and then enable DKIM in the Admin console.
dig TXT google._domainkey.yourdomain.com +short
Note: Use a 2048-bit key and rotate it periodically (e.g. every 6-12 months).
DMARC — Fraud Prevention and Reporting Policy
Add a DMARC record:
Type: TXT, Name: _dmarc, Sample Value (initial report mode):
"v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; pct=100;"
After reviewing the reports, you can move the policy to p=quarantine or p=reject.
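The check below lints SPF and DMARC values before they are published. It is an added example, not code from the original page or from Google; the function names and the example.com report address are assumptions, and only top-level SPF terms are counted against the limit of 10 DNS lookups from RFC 7208.

```python
import re

# Terms that cost a DNS lookup when SPF is evaluated (RFC 7208, limit of 10).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def lint_spf(txt_records):
    """Findings for the TXT records at the domain apex (top-level terms only;
    lookups nested inside an include are not resolved here)."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        return [f"expected exactly one v=spf1 record, found {len(spf)}"]
    terms = [t.lower() for t in spf[0].split()[1:]]
    names = [re.split(r"[:=/]", t.lstrip("+-~?"), maxsplit=1)[0] for t in terms]
    findings = []
    lookups = sum(n in LOOKUP_TERMS for n in names)
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the limit of 10")
    if "all" not in names:
        findings.append("no 'all' term: unlisted senders are not failed")
    else:
        term = terms[names.index("all")]
        if term[0] not in "-~":
            findings.append(f"'{term}' passes or ignores unlisted senders")
        if names[-1] != "all":
            findings.append("terms after 'all' are never evaluated")
    return findings

def lint_dmarc(value):
    """Findings for the TXT value published at _dmarc.<domain>."""
    pairs = [p.split("=", 1) for p in value.strip('" ').split(";") if "=" in p]
    tags = {k.strip().lower(): v.strip() for k, v in pairs}
    if list(tags.items())[:1] != [("v", "DMARC1")]:
        return ["record must begin with v=DMARC1"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append(f"missing or invalid p= tag: {policy!r}")
    elif policy == "none":
        findings.append("p=none only reports; failing mail is still delivered")
    elif tags.get("pct", "100") != "100":
        findings.append(f"policy applies to only {tags['pct']}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address, so no aggregate reports arrive")
    return findings

if __name__ == "__main__":
    # Constructed inputs modelled on the records above; the address is a placeholder.
    print(lint_spf(["v=spf1 include:_spf.google.com ip4:203.0.113.5 ~all"]))
    print(lint_dmarc("v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com; pct=100;"))
```

An empty list means no finding; the p=none sample is flagged on purpose, because it is a monitoring stage rather than an end state.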
Add users, groups, aliases, and shared mailboxes
In the Admin console, use Users to create new accounts.
For a shared mailbox, you can use Groups of type Collaborative Inbox or a Delegated Mailbox.
Aliases can be configured for each user; for example, support@ can be added to a primary user. For team email, it is better to create a group with the necessary permissions (for example, sales@ as a group).
SMTP Relay settings and sending from your servers
For applications, devices, or application servers that need to send email, there are two main ways:
- Using smtp-relay.gmail.com (Requires authorized IP address or authentication)
- Using regular Gmail SMTP with an account and app password or OAuth2
Example Postfix configuration for sending via smtp-relay.gmail.com:
relayhost = [smtp-relay.gmail.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = encrypt
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
In /etc/postfix/sasl_passwd (keep this file readable by root only, since it holds the credential):
[smtp-relay.gmail.com]:587 username:password
Then build the lookup table and restart Postfix:
postmap /etc/postfix/sasl_passwd
systemctl restart postfix
To test TLS and connectivity:
openssl s_client -starttls smtp -crlf -connect smtp-relay.gmail.com:587
Or with swaks:
swaks --to [email protected] --server smtp-relay.gmail.com --port 587 --auth LOGIN --auth-user username --auth-password password --tls
Security tip: It is better to use OAuth2/XOAUTH2 for security and scalability; Google SMTP can also be used with app passwords if 2-step verification is enabled.
Migrate email to Google Workspace
Methods:
- Data Migration Service in the Admin Console (for IMAP/Exchange)
- Google Workspace Migration for Microsoft Exchange (GWMME) or GWMMO
- IMAP tools like imapsync for custom transfers
Example of using imapsync:
imapsync --host1 oldmail.example.com --user1 [email protected] --password1 'oldpass' \
--host2 imap.gmail.com --user2 [email protected] --password2 'newpass' \
--ssl2
In large migrations, it is better to use servers with high bandwidth and locations close to users to increase transfer speed.
Client settings (IMAP/POP/Exchange)
Conventional settings:
- IMAP (recommended): imap.gmail.com, SSL/TLS port 993
- SMTP: smtp.gmail.com, STARTTLS port 587 or SSL port 465
- POP3 (if needed): pop.gmail.com port 995
If SSO (SAML) is enabled, some clients may require an app password or OAuth.
Security and Management (Best Practices)
Some practical advice:
- Enable 2-Step Verification and make security keys mandatory for administrators.
- Enable Context-Aware Access and device management (MDM) for mobile phones.
- Restrict legacy protocols (e.g. disable POP/IMAP when not needed).
- Implement DLP rules and enable Google Vault for legal archiving.
- Control API access and manage the OAuth client whitelist.
- Set security alerts and monitor suspicious logins.
Tracking issues, logs, and troubleshooting
Tools and methods:
- Message Log Search in the Admin console to track emails (delivery, spam, rejected).
- Check DNS records with dig or nslookup.
- Use swaks or openssl to test SMTP connectivity.
- Check for bounce messages and SMTP codes (e.g. 550, 421, 451).
- Review DMARC Aggregate Reports for rejection and spoofing patterns.
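To make the aggregate-report review in the list above concrete, this added example (not part of the original page) totals one report per sending IP and lists the sources that would be affected by a move to p=quarantine or p=reject. The report is constructed with documentation IP ranges, the function names are hypothetical, and it assumes a report without an XML namespace.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed report (documentation IP ranges), trimmed to the fields used here.
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>yourdomain.com</domain><p>none</p></policy_published>
  <record><row><source_ip>203.0.113.5</source_ip><count>40</count>
    <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.23</source_ip><count>7</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.23</source_ip><count>2</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>192.0.2.77</source_ip><count>3</count>
    <policy_evaluated><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row></record>
</feedback>"""

def summarize_dmarc_report(xml_text):
    """Return {source_ip: {"pass": n, "fail": n}} for one aggregate report.
    A message passes DMARC when the aligned DKIM or SPF result is 'pass'."""
    # Reports come from outside parties: refuse DTDs so no entities are expanded.
    if "<!DOCTYPE" in xml_text.upper():
        raise ValueError("DOCTYPE not allowed in a DMARC report")
    root = ET.fromstring(xml_text)
    totals = defaultdict(lambda: {"pass": 0, "fail": 0})
    for row in root.iterfind("record/row"):
        ip = row.findtext("source_ip", "").strip()
        count = int(row.findtext("count", "0"))
        dkim = row.findtext("policy_evaluated/dkim", "").strip().lower()
        spf = row.findtext("policy_evaluated/spf", "").strip().lower()
        totals[ip]["pass" if "pass" in (dkim, spf) else "fail"] += count
    return dict(totals)

def blocked_by_enforcement(summary):
    """Sources whose mail fails DMARC, largest volume first. Each one is either
    a legitimate sender missing from SPF/DKIM or a spoofing source."""
    failing = [(ip, c["fail"]) for ip, c in summary.items() if c["fail"]]
    return sorted(failing, key=lambda item: -item[1])

if __name__ == "__main__":
    summary = summarize_dmarc_report(SAMPLE_REPORT)
    for ip, failed in blocked_by_enforcement(summary):
        print(f"{ip}: {failed} messages fail DMARC")
```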
openssl s_client -connect smtp.gmail.com:587 -starttls smtp -crlf
Operational and Scalability Solutions
Operational tips:
- For bulk sending (newsletters, transactions), use specialized email sending services (such as SendGrid, Mailgun, Amazon SES); Google Workspace is suitable for everyday corporate emails but has daily limits.
- If you need an SMTP relay with dedicated IP or warm-up, you can use cloud servers with dedicated IP and BGP infrastructure and anti-DDoS protection to improve deliverability.
- For distributed teams, anycast DNS and CDN can increase the speed and availability of webmail and related APIs.
Data backup and maintenance
Google Vault is recommended for legal storage and archiving. For standalone backups, you can also use IMAP backup tools such as mbsync or offlineimap, or use third-party backup services.
~/.mbsyncrc:
IMAPAccount remote
Host imap.gmail.com
User [email protected]
PassCmd "gpg2 --quiet --for-your-eyes-only --no-tty -d ~/.passwords/imap.gpg"
SSLType IMAPS
...
mbsync -a
Tips for DevOps, Traders, and Gamers
DevOps: Use OAuth2 for services instead of simple passwords; monitor quotas and API permissions; integrate with enterprise IAM and SIEM.
Traders: Choose a server location close to the broker so that email notifications and alert systems have the lowest latency.
Gamers: Use strong DKIM for account-related emails and notifications to prevent messages from going to the spam folder; using a nearby location is important to reduce latency in multi-factor authentication.
Practical Scenarios — Examples
Scenario 1: Quick launch for a startup — Register a domain, create a Google Workspace Business Starter, add 10 users, set up MX/SPF/DKIM, enable 2-Step Verification, and basic Google Vault.
Scenario 2: Migrating from cPanel — Use imapsync or Data Migration Service, change MX records at key times after synchronization, and test receive/send before disabling the old service.
Scenario 3: Sending service logs from a cloud server — Set up Postfix on a cloud server with relayhost set to smtp-relay.gmail.com or a transactional service, configure TLS and auth, and add the server IP to the whitelist in the Admin console.
Conclusion and suggested solutions
With the correct DNS settings (MX/SPF/DKIM/DMARC), strong authentication, streamlined migration, and use of Google Workspace management features, you can create a secure, reliable, and scalable email platform.
For organizations that require low latency and global reach, leveraging cloud and VPS servers with multiple locations, CDN, BGP, dedicated IP, and anti-DDoS protection can improve email performance and deliverability.









