{"id":1808,"date":"2020-04-13T14:30:21","date_gmt":"2020-04-13T12:30:21","guid":{"rendered":"https:\/\/bornoe.org\/blog\/?p=1808"},"modified":"2021-10-16T12:25:44","modified_gmt":"2021-10-16T11:25:44","slug":"import-g-suite-mx-records-into-cloudflare-dns-using-zone-files","status":"publish","type":"post","link":"https:\/\/bornoe.org\/blog\/2020\/04\/import-g-suite-mx-records-into-cloudflare-dns-using-zone-files\/","title":{"rendered":"Import G Suite MX records into Cloudflare DNS using zone files"},"content":{"rendered":"\n

The Cloudflare authoritative DNS<\/a> product is a great DNS solution running on one of the world\u2019s fastest infrastructures with high availability. The good part is that they offer a free tier that will suit the needs of most personal and business domains. If you are managing several domains and often need to add G Suite MX records this process can be somewhat trivial. Unfortunately, Cloudflare does not offer the possibility to define zone templates or similar through the web interface. They do offer API access, but a lot of users will find interaction with the API to be excessive in terms of both needs and technical knowledge.<\/p>\n\n\n\n

As a middle ground, Cloudflare has implemented the option to import BIND formatted DNS zone files<\/a> through either the web interface or the API. This is easy to learn and an effective approach for importing DNS records.<\/p>\n\n\n\n

This approach does have some drawbacks. One important one being that DNS zone files are not designed to modify or remove existing records. Removal of potential existing MX records has to be done through other means such as the web interface.<\/p>\n\n\n\n

BIND formatted DNS zone files adding G Suite MX records<\/h2>\n\n\n\n

In the following sections, I have included some BIND formatted DNS zones files that are ready to use and an explanation of two approaches for importing the zone files. The zone files will add MX records and the default G Suite SPF record.<\/p>\n\n\n\n

You can either save the text into a file or download the ready to upload DNS zone files. Remember to delete existing MX records if such exist. This can be done before or after importing a zone file. <\/p>\n\n\n\n

Both zone files include the basics and use default values. The zone files will assign the Time To Live (TTL) value to the Cloudflare default value “Auto.”<\/em> This is by Cloudflare defined to be 300 seconds or 5 minutes.<\/p>\n\n\n\n

Verifying domain ownership.<\/h3>\n\n\n\n

If the domain is not yet verified with G Suite, you will need to verify ownership before or after you have configured the DNS records. See Googles instructions about verifying domain ownership<\/a>. One method is to add a unique verification TXT record. See Googles instructions about how to verify your domain with a TXT record<\/a>. You can include the TXT record in your zone file, but the text string is unique for each domain.<\/p>\n\n\n\n

DMARC and DKIM records<\/h3>\n\n\n\n

The zone files only contain the MX and SPF records. Often you will want to add additionally e-mail related DNS records such as TXT records for DMARC, DKIM settings, etc. You can add the additional records through the web interface or add them to the zone file. Since several of these records are not generic and need customization, it is not possible to include them in a generic zone file template. Google has published documentation about setting up DMARC<\/a> and DKIM<\/a>.<\/p>\n\n\n\n

Zone file adding G Suite DNSSEC MX records<\/h3>\n\n\n\n

While not officially recognized or documented, Google has made a set of DNSSEC MX records available for G Suite hosted domains. This zone file will import the four MX records into Cloudflare.<\/p>\n\n\n\n

;; G Suite - https:\/\/gsuite.google.com\/\n\n;; Adds G Suite DNSSEC MX records.\n\n;; Adds the default G Suite SPF as a TXT record.\n;; Documentation\n;; https:\/\/support.google.com\/a\/answer\/33786\n\n;; MX Records\n@\t1\tIN\tMX\t20 mx4.smtp.goog.\n@\t1\tIN\tMX\t10 mx3.smtp.goog.\n@\t1\tIN\tMX\t5 mx2.smtp.goog.\n@\t1\tIN\tMX\t1 mx1.smtp.goog.\n\n;; TXT Records\n@\t1\tIN\tTXT\t\"v=spf1 include:_spf.google.com ~all\"<\/code><\/pre>\n\n\n\n
Download as a txt file.<\/a><\/p>\n\n\n\n
Zone file adding default G Suite MX records<\/h3>\n\n\n\n
This zone file will import the five default G Suite MX records<\/a> into Cloudflare. The MX records are not DNSSEC signed.<\/p>\n\n\n\n
;; G Suite - https:\/\/gsuite.google.com\/\n\n;; Adds G Suite MX records\n;; Documentation\n;; https:\/\/support.google.com\/a\/answer\/140034\n\n;; Adds the default G Suite SPF as a TXT record.\n;; Documentation\n;; https:\/\/support.google.com\/a\/answer\/33786\n\n;; MX Records\n@\t1\tIN\tMX\t10 alt4.aspmx.l.google.com.\n@\t1\tIN\tMX\t10 alt3.aspmx.l.google.com.\n@\t1\tIN\tMX\t5 alt2.aspmx.l.google.com.\n@\t1\tIN\tMX\t5 alt1.aspmx.l.google.com.\n@\t1\tIN\tMX\t1 aspmx.l.google.com.\n\n;; TXT Records\n@\t1\tIN\tTXT\t\"v=spf1 include:_spf.google.com ~all\"<\/code><\/pre>\n\n\n\n
Download as a txt file.<\/a><\/p>\n\n\n\n
How to import a DNS zone file<\/h2>\n\n\n\n
You can import a BIND formatted zone files through either the Cloudflare web interface or API.<\/p>\n\n\n\n
Import through the web interface<\/h3>\n\n\n\n
To import a DNS zone file through the web interface follow these steps:<\/p>\n\n\n\n
  1.  Log into the Cloudflare Dashboard at https:\/\/dash.cloudflare.com\/<\/a><\/li>
  2. Click on the domain<\/em> in question, e.g. example.com.<\/li>
  3. Click the menu item “DNS”<\/strong><\/li>
  4. Click on “Advanced”<\/strong><\/li>
  5. Either click on “Select a file”<\/strong> or drag the DNS zone file into the upload area<\/em>.<\/li>
  6. Click “Upload”<\/strong><\/li><\/ol>\n\n\n\n
    The DNS records are now activated. Remember to remove preexisting MX records if you have not already done so. Having MX records from several different providers will most likely break the setup and result in undeliverable e-mails.<\/p>\n\n\n\n
    Import through the API using curl<\/h3>\n\n\n\n
    A neat feature is that you can import a BIND formatted DNS zone file through the Cloudflare API<\/a>. Below is an example of how this can be done using curl<\/a>. curl is preinstalled on macOS and a lot of Linux distributions. If you don’t have curl you can install it through your Linux distribution’s package manager, or download it from https:\/\/curl.haxx.se\/<\/a><\/p>\n\n\n\n
    curl -X POST \"https:\/\/api.cloudflare.com\/client\/v4\/zones\/CF-ZONE-ID\/dns_records\/import\" \\\n     -H \"X-Auth-Email: CF-ACCOUNT-EMAIL\" \\\n     -H \"X-Auth-Key: CF-API-KEY\" \\\n     --form 'file=@FILE-NAME' \\\n     --form 'proxied=false'<\/code><\/pre>\n\n\n\n
    You need to customize the API call by editing the four values described below:<\/p>\n\n\n\n