Google Workspace as MX Record

In this tutorial, you will learn how to configure Google Workspace with Email Security as MX record.
To ensure changes made in this tutorial take effect quickly, update the Time to Live (TTL) value of the existing MX records on your domains to five minutes. Do this on all the domains you will be deploying.
Changing the TTL value instructs DNS servers on how long to cache this value before requesting an update from the responsible nameserver. You need to change the TTL value before changing your MX records to Email Security. This will ensure that changes take effect quickly and can also be reverted quickly if needed. If your DNS manager does not allow for a TTL of five minutes, set it to the lowest possible setting.
To check your existing TTL, open a terminal window and run the following command against your domain:
dig mx <YOUR_DOMAIN>
; <<>> DiG 9.10.6 <<>> mx <YOUR_DOMAIN>
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39938
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;<YOUR_DOMAIN>. IN MX
;; ANSWER SECTION:
<YOUR_DOMAIN>. 300 IN MX 10 mxa.global.inbound.cf-emailsecurity.net.
<YOUR_DOMAIN>. 300 IN MX 10 mxb.global.inbound.cf-emailsecurity.net.
In the above example, TTL is shown in seconds as 300 (or five minutes).
If you are using Cloudflare for DNS, you can leave the TTL setting as Auto.
Below is a list with instructions on how to edit MX records for some popular services:
- Cloudflare: Set up email records
- GoDaddy: Edit an MX Record
- AWS: Creating records by using the Amazon Route 53 console
- Azure: Create DNS records in a custom domain for a web app
Prerequisites:
- Provisioned Email Security account.
- Access to the Google administrator console (Google administrator console > Apps > Google Workspace > Gmail).
- Access to the domain nameserver hosting the MX records for the domains that will be processed by Email Security.
Set up Inbound Email Configuration with the following details:
- In Gateway IPs, select the Add link, and add the IPs mentioned in Egress IPs.
- Select Automatically detect external IP (recommended).
- Select Require TLS for connections from the email gateways listed above.
- Do not select Reject all mail not from gateway IPs. You will enable this option at a later time to ensure your mail flows.
- Select SAVE.
Set up an email quarantine with the following details:
- Name: Email Security Malicious.
- Description: Email Security Malicious.
- For the Inbound denial consequence, select Drop message.
- For the Outbound denial consequence, select Drop message.
- Select SAVE.
To access the newly created quarantine, select GO TO ADMIN QUARANTINE or access the quarantine directly by pointing your browser to https://email-quarantine.google.com/adminreview.
Go to Compliance, and create a content compliance filter to send malicious messages to quarantine. Enter the following details:
- Content compliance: Add Quarantine Email Security Malicious.
- Email messages to affect: Select Inbound.
- Add expressions that describe the content you want to search for in each message:
  - Select Add to add the condition.
  - In Simple content match, select Advanced content match.
  - In Location, select Full headers.
  - In Match type, select Contains text.
  - In Content, enter X-CFEmailSecurity-Disposition: MALICIOUS.
  - Select SAVE to save the condition.
- If the above expressions match, do the following: Select Quarantine message and the Email Security Malicious quarantine that was created in the previous step.
- Select SAVE.
If you would like to quarantine the other dispositions, repeat the above steps and use the following strings for the other dispositions:
- X-CFEmailSecurity-Disposition: BULK
- X-CFEmailSecurity-Disposition: SPOOF
- X-CFEmailSecurity-Disposition: UCE (UCE is the equivalent of SPAM)
If desired, you can create a separate quarantine for each of the dispositions.
Now that you have completed the prerequisite steps, set up MX/Inline on the Cloudflare dashboard. Refer to Set up MX/Inline deployment for the next steps.
One method of a DNS attack is to search for old MX records and send phishing emails directly to the mail server. To secure the email flow, you should enforce an email flow where inbound messages are accepted by Google Workspace only when they originate from Email Security. This can be done by adding a connector to only allow email from Email Security with TLS encryption. This step is optional but recommended.
After 72 hours, the MX record DNS update will have sufficiently propagated across the Internet. It is now safe to secure your email flow. This will ensure that Google Workspace only accepts messages that are first received by Email Security. This step is highly recommended to prevent threat actors from using cached MX entries to bypass Email Security by injecting messages directly into Google Workspace.
- Access the Google Administrative Console, then select Apps > Google Workspace > Gmail.
- Select Spam, Phishing and Malware.
- Go to Inbound gateway and select Edit Inbound gateway.
- Enable Reject all mail not from gateway IPs and select Save.
- Select Save once more to commit and activate the configuration change in the Gmail advanced configuration console.
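Before you enable Reject all mail not from gateway IPs, you can confirm what resolvers are actually returning for your domain. The script below is an added example, not part of the original tutorial: it covers both the TTL check at the start of this page and the MX cutover described above, by reading `dig +noall +answer mx` output and flagging any MX record whose TTL is above five minutes or whose target is not an Email Security host. The function name `check_mx`, the `.cf-emailsecurity.net.` suffix test (taken from the sample answer on this page), and the sample records are assumptions made for the example.

```shell
#!/bin/sh
# Pre-flight check over `dig +noall +answer mx <domain>` output read on stdin.
# Assumption: Email Security MX hosts all end in the suffix seen in the sample
# answer on this page; adjust EXPECTED_SUFFIX if your deployment differs.
EXPECTED_SUFFIX=".cf-emailsecurity.net."
MAX_TTL=300   # five minutes, the TTL this tutorial asks for

# Prints one finding per line and returns 1; prints "OK" and returns 0 if clean.
check_mx() {
    awk -v suffix="$EXPECTED_SUFFIX" -v max_ttl="$MAX_TTL" '
        # Answer lines look like: name TTL IN MX preference target
        $3 == "IN" && $4 == "MX" {
            seen++
            target = tolower($6)
            if ($2 + 0 > max_ttl) {
                printf "HIGH_TTL %s ttl=%s\n", target, $2
                bad++
            }
            # Any MX outside Email Security is a delivery path around it.
            if (substr(target, length(target) - length(suffix) + 1) != suffix) {
                printf "STALE_MX %s\n", target
                bad++
            }
        }
        END {
            if (seen == 0) { print "NO_MX"; exit 1 }
            if (bad > 0) exit 1
            print "OK"
        }'
}

# Constructed sample answers (example.com is a placeholder domain).
SAMPLE_READY='example.com. 300 IN MX 10 mxa.global.inbound.cf-emailsecurity.net.
example.com. 300 IN MX 10 mxb.global.inbound.cf-emailsecurity.net.'
# Constructed: an old Google Workspace MX record left in place after cutover.
SAMPLE_STALE='example.com. 3600 IN MX 1 aspmx.l.google.com.
example.com. 300 IN MX 10 mxa.global.inbound.cf-emailsecurity.net.'

printf '%s\n' "$SAMPLE_READY" | check_mx || true
printf '%s\n' "$SAMPLE_STALE" | check_mx || true
```

Against a live domain, run `dig +noall +answer mx <YOUR_DOMAIN> | check_mx`. A `STALE_MX` finding means senders can still be directed to a host other than Email Security, so remove that record before enforcing the gateway restriction.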