GSuite DNS Records

Updated 20-Sep-2023

GSuite is the latest term Google is using for what used to be called Google Apps for Domains. Google Cloud is now a provider of GSuite (along with many other services). GSuite is akin to similar offerings by Microsoft, Yandex, and, more anemically, Amazon WorkMail/WorkDocs and Apple.

CNAME Records

calendar = ghs.google.com.
drive = ghs.google.com.
mail = ghs.google.com.

MX Records

aspmx.l.google.com.         [1]
alt1.aspmx.l.google.com.    [5]
alt2.aspmx.l.google.com.    [5]

SPF, DKIM, DMARC Records

SPF Record

The GSuite SPF record is:

v=spf1 include:_spf.google.com ~all

If additional IP addresses need to be authorized to send for the domain, add them as follows:

"v=spf1 ip4:1.2.3.4 ip4:5.6.7.8 include:_spf.google.com ~all"

Note: Change 1.2.3.4 and 5.6.7.8 to the appropriate IP addresses, as needed.

DKIM Record

For GSuite, a given domain's DKIM record can be generated. The record is then added to DNS, and after that DKIM is enabled on the domain in the GSuite admin. A DKIM record looks like:

google._domainkey = "v=DKIM1; k=rsa;
p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
gQCAAzcVQ93IuUdrFWizejuaC4b+zTeKj48R
A7y+PzdRZgHb0abfUUvZW8KR7oADkmxeGp/B
W6ZhJz8ytlZ2JJ+ubBB7o4Lb5QQIIIpR00Tt
fZa3WORctXRhU4wyIR7CqdbaPKK7+xSJK8BQ
/mzzJ22a59FVEgjzVdIquFN+N515fwIDAQAB"

Note: some DNS providers do not accept 2048-bit keys, so a 1024-bit key has to be used instead.

DMARC Record

DMARC sets a policy based on whether verification of the SPF and DKIM records passes or fails. A DMARC record looks something like:

_dmarc = "v=DMARC1; p=none; rua=mailto:[email protected]; adkim=r; aspf=r"

Note that p means policy, and none means reporting only (work out the bugs first). adkim and aspf are set to r for relaxed, so subdomains will pass without being declared explicitly.
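
The following is an added example, not part of the original page: a small Python evaluator showing how the p, adkim and aspf tags decide the outcome for mail whose DKIM or SPF domain is a subdomain. The sample records, the reports@example.com address and the function names are constructed, and the organizational domain is assumed to be the last two labels of the name.

```python
# Added example (not from the original page). Constructed sample records.
# Assumption: organizational domain = last two labels; a real evaluator
# uses the Public Suffix List (needed for suffixes such as co.uk).
RELAXED = "v=DMARC1; p=none; rua=mailto:reports@example.com; adkim=r; aspf=r"
STRICT = "v=DMARC1; p=reject; rua=mailto:reports@example.com; adkim=s; aspf=s"

# What a receiver does with a message that fails DMARC, per policy.
ACTIONS = {"none": "deliver+report", "quarantine": "quarantine", "reject": "reject"}

def parse_dmarc(txt):
    """Split 'v=DMARC1; p=none; ...' into a dict of tag -> value."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("adkim", "r")  # relaxed is the default when absent
    tags.setdefault("aspf", "r")
    return tags

def org_domain(domain):
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """mode 's': exact match; mode 'r': same organizational domain."""
    a, b = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)

def dmarc_result(record, from_domain, spf_domain=None, dkim_domain=None):
    """spf_domain / dkim_domain: the domain that passed that check, or
    None if the check failed. Returns (passes, action)."""
    tags = parse_dmarc(record)
    spf_ok = spf_domain is not None and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_domain is not None and aligned(from_domain, dkim_domain, tags["adkim"])
    passes = spf_ok or dkim_ok  # one aligned pass is enough
    if passes:
        return True, "deliver"
    # Unknown or missing p is treated here like none (report only).
    return False, ACTIONS.get(tags.get("p", "none"), "deliver+report")

if __name__ == "__main__":
    for rec in (RELAXED, STRICT):
        print(dmarc_result(rec, "example.com", dkim_domain="mail.example.com"))
```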