Import G Suite MX records into Cloudflare DNS using zone files

The Cloudflare authoritative DNS product is a great DNS solution running on one of the world’s fastest infrastructures with high availability. The good part is that they offer a free tier that will suit the needs of most personal and business domains. If you are managing several domains and often need to add G Suite MX records, this process can be somewhat tedious. Unfortunately, Cloudflare does not offer the possibility to define zone templates or similar through the web interface. They do offer API access, but a lot of users will find interaction with the API to be excessive in terms of both needs and technical knowledge.

As a middle ground, Cloudflare has implemented the option to import BIND formatted DNS zone files through either the web interface or the API. This is easy to learn and an effective approach for importing DNS records.

This approach does have some drawbacks. An important one is that DNS zone files are not designed to modify or remove existing records. Any existing MX records have to be removed through other means, such as the web interface.

BIND formatted DNS zone files adding G Suite MX records

In the following sections, I have included some BIND formatted DNS zone files that are ready to use and an explanation of two approaches for importing the zone files. The zone files will add MX records and the default G Suite SPF record.

You can either save the text into a file or download the ready-to-upload DNS zone files. Remember to delete existing MX records if any exist. This can be done before or after importing a zone file.

Both zone files include the basics and use default values. The zone files will assign the Time To Live (TTL) value to the Cloudflare default value “Auto.” Cloudflare defines this as 300 seconds, or 5 minutes.

The zone files only contain the MX and SPF records. Often you will want to add additional e-mail-related DNS records such as TXT records for DMARC, DKIM settings, etc. You can add the additional records through the web interface or add them to the zone file. Since several of these records are not generic and need customization, it is not possible to include them in a generic zone file template. Google has published documentation about setting up DMARC and DKIM.

If the domain is not yet verified with G Suite, you will need to add a unique verification TXT record. See Google's instructions about how to verify your domain with a TXT record.

Zone file adding G Suite DNSSEC MX records

While not officially recognized or documented, Google has made a set of DNSSEC MX records available for G Suite hosted domains. This zone file will import the four MX records into Cloudflare.

;; G Suite - https://gsuite.google.com/

;; Adds G Suite DNSSEC MX records.

;; Adds the default G Suite SPF as a TXT record.
;; Documentation
;; https://support.google.com/a/answer/33786

;; MX Records
@	1	IN	MX	20 mx4.smtp.goog.
@	1	IN	MX	10 mx3.smtp.goog.
@	1	IN	MX	5 mx2.smtp.goog.
@	1	IN	MX	1 mx1.smtp.goog.

;; TXT Records
@	1	IN	TXT	"v=spf1 include:_spf.google.com ~all"

Download as a txt file.

Zone file adding default G Suite MX records

This zone file will import the five default G Suite MX records into Cloudflare. The MX records are not DNSSEC signed.

;; G Suite - https://gsuite.google.com/

;; Adds G Suite MX records
;; Documentation
;; https://support.google.com/a/answer/140034

;; Adds the default G Suite SPF as a TXT record.
;; Documentation
;; https://support.google.com/a/answer/33786

;; MX Records
@	1	IN	MX	10 alt4.aspmx.l.google.com.
@	1	IN	MX	10 alt3.aspmx.l.google.com.
@	1	IN	MX	5 alt2.aspmx.l.google.com.
@	1	IN	MX	5 alt1.aspmx.l.google.com.
@	1	IN	MX	1 aspmx.l.google.com.

;; TXT Records
@	1	IN	TXT	"v=spf1 include:_spf.google.com ~all"

Download as a txt file.

How to import a DNS zone file

You can import a BIND formatted zone file through either the Cloudflare web interface or the API.

Import through the web interface

To import a DNS zone file through the web interface follow these steps:

  1. Log into the Cloudflare Dashboard at https://dash.cloudflare.com/
  2. Click on the domain in question.
  3. Click the menu item “DNS”
  4. Click on “Advanced”
  5. Either click on “Select a file” or drag the DNS zone file into the upload area.
  6. Click “Upload”

The DNS records are now activated. Remember to remove preexisting MX records if you have not already done so. Having MX records from several different providers will most likely break the setup and result in undeliverable e-mails.

Import through the API using curl

A neat feature is that you can import a BIND formatted DNS zone file through the Cloudflare API. Below is an example of how this can be done using curl. curl is preinstalled on macOS and a lot of Linux distributions.

curl -X POST "https://api.cloudflare.com/client/v4/zones/CF-ZONE-ID/dns_records/import" \
     -H "X-Auth-Email: CF-ACCOUNT-EMAIL" \
     -H "X-Auth-Key: CF-API-KEY" \
     --form 'file=@FILE-NAME' \
     --form 'proxied=false'

You need to customize the API call by editing the four values described below:

  • CF-ZONE-ID: All domains have a unique ID number called a “Zone ID”. You can retrieve a zone ID by logging into the Cloudflare Dashboard at https://dash.cloudflare.com/, then clicking on the domain in question, and finally finding “Zone ID.”
  • CF-ACCOUNT-EMAIL: Your Cloudflare login e-mail address.
  • CF-API-KEY: Your API-key can be found by clicking “View” under “Global API Key” in the subsection “API Tokens”: https://dash.cloudflare.com/profile/api-tokens/
  • FILE-NAME: The name of the file containing your DNS zone data, e.g., domain.txt. In this example, the file is assumed to be present in the same directory from which you are calling curl. Otherwise, you will need to include the full path to the file.
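
The same import call with a scoped API token in place of the Global API Key, which grants access to the whole account. This is an added example, not part of the original post; it assumes a token created with the Zone / DNS / Edit permission, and `CF_API_TOKEN`, `CF_ZONE_ID`, `import_zone` and `cf_success` are names chosen here.

```sh
# Added example: the post's import call, authenticated with a scoped API token.
# CF_API_TOKEN and CF_ZONE_ID are environment variable names chosen here.

# True when a Cloudflare v4 API response body reports success.
cf_success() {
  printf '%s' "$1" | grep -Eq '"success"[[:space:]]*:[[:space:]]*true'
}

# Usage: import_zone ZONE_FILE
# Returns 2 on missing configuration, 1 on a failed request or API error.
import_zone() {
  zone_file=$1
  [ -n "${CF_API_TOKEN:-}" ] || { echo "CF_API_TOKEN is not set" >&2; return 2; }
  [ -n "${CF_ZONE_ID:-}" ] || { echo "CF_ZONE_ID is not set" >&2; return 2; }
  [ -r "$zone_file" ] || { echo "cannot read $zone_file" >&2; return 2; }

  # The header is fed to curl on stdin (-H @-, curl 7.55.0 or later), so the
  # token never appears in the process list.
  body=$(printf 'Authorization: Bearer %s\n' "$CF_API_TOKEN" |
    curl -sS -X POST \
      "https://api.cloudflare.com/client/v4/zones/$CF_ZONE_ID/dns_records/import" \
      -H @- --form "file=@$zone_file" --form 'proxied=false') || return 1

  # A request can complete and still be rejected; surface the error body.
  cf_success "$body" || { printf '%s\n' "$body" >&2; return 1; }
  printf '%s\n' "$body"
}
```

Export `CF_API_TOKEN` and `CF_ZONE_ID` in the shell session, then run `import_zone domain.txt`.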

Remember to remove preexisting MX records if you have not already done so. This can be achieved through the web interface. Having MX records from several different providers will most likely break e-mail deliverability.
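
To see which records still need removing after either import method, the check below compares the MX hosts in a zone file with the MX answers currently published for the domain and lists the leftovers. It is an added example, not part of the original post; `stale_mx` is a name chosen here, and the second input is assumed to be in the `priority host.` form that `dig +short MX` prints.

```sh
# Added example, not from the original post. stale_mx is a name chosen here.
# Usage: stale_mx ZONE_FILE CURRENT_MX_FILE
#   ZONE_FILE        BIND zone file like the ones above
#   CURRENT_MX_FILE  published MX answers, one "priority host." per line
#                    (the format `dig +short MX example.com` prints)
# Prints every published MX host the zone file does not define. An import
# leaves these in place, so they have to be deleted by hand.
stale_mx() {
  awk '
    FILENAME == ARGV[1] {
      # Zone file: skip ";" comments, keep the target of each MX record.
      if ($0 !~ /^[ \t]*;/ && toupper($4) == "MX") {
        host = tolower($6); sub(/\.$/, "", host); wanted[host] = 1
      }
      next
    }
    NF >= 2 {
      # Published answers: report each unknown host once.
      host = tolower($2); sub(/\.$/, "", host)
      if (!(host in wanted) && !(host in seen)) { seen[host] = 1; print host }
    }
  ' "$1" "$2"
}

# Constructed sample data: two of the post's default MX records, and a made-up
# published state that still carries a previous provider's MX record.
demo_dir=$(mktemp -d)
cat > "$demo_dir/gsuite.txt" <<'EOF'
;; MX Records
@ 1 IN MX 5 alt1.aspmx.l.google.com.
@ 1 IN MX 1 aspmx.l.google.com.
EOF
cat > "$demo_dir/current_mx.txt" <<'EOF'
10 mail.old-provider.example.
1 ASPMX.L.GOOGLE.COM.
EOF

stale_mx "$demo_dir/gsuite.txt" "$demo_dir/current_mx.txt"
# prints: mail.old-provider.example
```

An empty result means every published MX host is one the zone file defines.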
