Google Workspace as MX Record

In this tutorial, you will learn how to configure Google Workspace with Email Security as MX record.
To ensure changes made in this tutorial take effect quickly, update the Time to Live (TTL) value of the existing MX records on your domains to five minutes. Do this on all the domains you will be deploying.
Changing the TTL value instructs DNS servers on how long to cache this value before requesting an update from the responsible nameserver. You need to change the TTL value before changing your MX records to Email Security. This will ensure that changes take effect quickly and can also be reverted quickly if needed. If your DNS manager does not allow for a TTL of five minutes, set it to the lowest possible setting.
To check your existing TTL, open a terminal window and run the following command against your domain:
dig mx <YOUR_DOMAIN>; <<>> DiG 9.10.6 <<>> mx <YOUR_DOMAIN>;; global options: +cmd;; Got answer:;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39938;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:; EDNS: version: 0, flags:; udp: 4096;; QUESTION SECTION:;<YOUR_DOMAIN>.    IN  MX
;; ANSWER SECTION:<YOUR_DOMAIN>.    300    IN    MX    10 mxa.global.inbound.cf-emailsecurity.net.<YOUR_DOMAIN>.    300    IN    MX    10 mxb.global.inbound.cf-emailsecurity.net.In the above example, TTL is shown in seconds as 300 (or five minutes).
If you are using Cloudflare for DNS, you can leave the TTL setting as Auto.
Below is a list with instructions on how to edit MX records for some popular services:
- Cloudflare: Set up email records
- GoDaddy: Edit an MX Record ↗
- AWS: Creating records by using the Amazon Route 53 console ↗
- Azure: Create DNS records in a custom domain for a web app ↗
- Provisioned Email Security account.
- Access to the Google administrator console (Google administrator console ↗ > Apps > Google Workspace > Gmail).
- Access to the domain nameserver hosting the MX records for the domains that will be processed by Email Security.
Set up Inbound Email Configuration ↗ with the following details:
- In Gateway IPs, select the Add link, and add the IPs mentioned in Egress IPs.
- Select Automatically detect external IP (recommended).
- Select Require TLS for connections from the email gateways listed above.
- Do not select Reject all mail not from gateway IPs. You will enable this option at a later time to ensure your mail flows.
- Select SAVE.
Set up an email quarantine ↗ with the following details:
- Name: Email Security Malicious.
- Description: Email Security Malicious.
- For the Inbound denial consequence, select Drop message.
- For the Outbound denial consequence, select Drop message.
- Select SAVE.
To access the newly created quarantine, select GO TO ADMIN QUARANTINE or access the quarantine directly by pointing your browser to https://email-quarantine.google.com/adminreview ↗.
Go to Compliance, and create a content compliance filter ↗ to send malicious messages to quarantine. Enter the following details:
- Content compliance: Add Quarantine Email Security Malicious.
- Email messages to affect: Select Inbound.
- Add expressions that describe the content you want to search for in each message:
- Select Add to add the condition.
- In Simple content match, select Advanced content match.
- In Location, select Full headers.
- In Match type, select Contains text.
- In Content, enter X-CFEmailSecurity-Disposition: MALICIOUS.
- Select SAVE to save the condition.
 
- If the above expression match, do the following, select Quarantine message and the Email Security Malicious quarantine that was created in the previous step.
- Select SAVE.
 
If you would like to quarantine the other dispositions, repeat the above steps and use the following strings for the other dispositions:
- X-CFEmailSecurity-Disposition: BULK
- X-CFEmailSecurity-Disposition: SUSPICIOUS
- X-CFEmailSecurity-Disposition: SPOOF
- X-CFEmailSecurity-Disposition: UCE(- UCEis the equivalent of- SPAM)
If desired, you can create a separate quarantine for each of the dispositions.
Now that you have completed the prerequisite steps, set up MX/Inline on the Cloudflare dashboard. Refer to Set up MX/Inline deployment for the next steps.
Was this helpful?
- Resources
- API
- New to Cloudflare?
- Products
- Sponsorships
- Open Source
- Support
- Help Center
- System Status
- Compliance
- GDPR
- Company
- cloudflare.com
- Our team
- Careers
- 2025 Cloudflare, Inc.
- Privacy Policy
- Terms of Use
- Report Security Issues
- Trademark