Google Workspace Client Setup

What

Use this SOP when a Tekton client needs professional business email on their own domain through Google Workspace.

Common outcome:

name@clientdomain.com
info@clientdomain.com
sales@clientdomain.com

By the end, the client should have a Google Workspace account that they own, working branded email, domain verification complete, MX/SPF/DKIM/DMARC configured, basic security enabled, and a clean handoff.

This is an internal operations SOP. Do not send this page to clients as-is. Use the client-safe script at the bottom when explaining the work.

Who owns it

Primary owner: Operations

Supporting roles:

• CSM: client communication, timing, handoff, and approval.
• Website Specialist: DNS checks, DNS record changes, Cloudflare/provider coordination.
• Operations: account ownership, security, access, and final closeout.

Important ownership rule: the client should own the Google Workspace account and be the primary admin. Tekton can be added as a temporary helper/admin if needed, but should not be the long-term owner unless Nick approves it.

Steps

1. Choose the setup path

If the client already has a domain and website, use Google Workspace directly:

https://workspace.google.com/

Verify the existing domain through DNS, then add Google’s email records in the current DNS provider.

If the client does not have a domain or website yet, they can buy a domain during setup or through a hosting provider, but only if that matches the broader website plan.

The source video used Hostinger because it was aimed at beginners who do not already have a domain. For Tekton clients, do not route through Hostinger just because the video does. Choose the path based on where the client website and DNS should live long-term.

2. Gather client info

Collect:

• Business legal/name.
• Domain.
• Main contact.
• Main contact email.
• Main phone.
• Business address.
• Current website provider.
• Current DNS provider.
• Current email provider, if any.

Clarify desired addresses:

Person / Function	Address	Type	Notes
Owner	owner@domain.com	Paid user	Usually Super Admin
Office	office@domain.com	User / group / alias	Confirm who receives it
Info	info@domain.com	Alias / group	Usually not a paid inbox
Sales	sales@domain.com	Alias / group	Optional
Support	support@domain.com	Alias / group	Optional

Decide whether each address should be a paid user inbox, an alias on an existing user, or a Google Group/shared address.

3. Audit existing DNS and email before making changes

Before creating or switching anything, inspect current DNS.

Check:

• MX records.
• SPF TXT record.
• DKIM TXT/CNAME records.
• DMARC TXT record.
• Website records for apex and www.
• CRM, email marketing, invoicing, or scheduling tools using the domain.
• Existing provider: GoDaddy, Microsoft 365, Zoho, old web host, cPanel, Squarespace, Wix, SiteGround, etc.

If email is already active, do not overwrite MX records without a cutover plan.

4. Create the Google Workspace account

Create the account with:

• Client business name.
• Client country.
• Client contact info.
• Existing business domain.
• First admin user under the client domain when possible.

Recommended first admin:

owner@clientdomain.com

Avoid creating the first admin as Tekton unless Nick approves it.

5. Verify domain ownership

Google will provide a TXT verification record.

Add it at the DNS provider.

Example:

Type	Name	Value
TXT	@	google-site-verification=...

Then return to Google Workspace and click verify.

DNS propagation can take a few minutes. Some providers take longer.

6. Create users, aliases, and groups

Inside Google Admin:

https://admin.google.com

Go to:

Directory → Users

Create paid inboxes only for people who need their own mailbox/login.

Use aliases when one person needs to receive or send from multiple addresses.

Example primary user:

wilson@3routdoor.com

Possible aliases:

• info@3routdoor.com
• sales@3routdoor.com
• contact@3routdoor.com

Alias path:

Directory → Users → select user → User information → Alternate email addresses / Email aliases

Use Google Groups when multiple people need to receive the same address, such as:

• office@domain.com
• sales@domain.com
• support@domain.com

Group path:

Directory → Groups

7. Set MX records

Only do this after confirming the email cutover timing.

Use the MX records shown inside the Google Admin setup screen. Current Google Workspace setup may show:

Priority	Server
1	SMTP.GOOGLE.COM

Older Google documentation may show multiple ASPMX records. Use whatever Google provides in the active setup wizard.

Remove old MX records only after the client is ready to move email to Google.

8. Add or merge SPF

SPF authorizes Google to send mail for the domain.

If the domain has no SPF record, add:

v=spf1 include:_spf.google.com ~all

If the domain already has SPF, merge Google into the existing record. Do not create a second SPF record.

Example with another sender:

v=spf1 include:_spf.google.com include:sendgrid.net ~all

There should only be one SPF TXT record per root domain.

9. Set up DKIM

In Google Admin:

Apps → Google Workspace → Gmail → Authenticate email

Select the domain, generate a DKIM record, then add the record to DNS.

Typical record:

Type	Name	Value
TXT	google._domainkey	Long DKIM value from Google

After DNS propagates, click Start authentication.

10. Add DMARC

Start with a monitoring policy unless the client already has mature email authentication.

Example:

Type	Name	Value
TXT	_dmarc	v=DMARC1; p=none; rua=mailto:admin@domain.com

If there is no monitored mailbox for reports, either use an address the client controls or skip rua until a proper reporting destination is chosen.

Do not jump straight to p=reject unless SPF/DKIM alignment is verified and all legitimate senders are accounted for.

11. Configure Gmail send-as for aliases

Aliases allow receiving email, but Gmail may need send-as configuration before sending as that alias.

In Gmail:

Gear icon → See all settings → Accounts → Send mail as → Add another email address

Add the alias address and display name.

Example:

• Display name: Customer Service
• Email: customer-service@domain.com

Then test composing a message and confirm the alias appears in the From dropdown.

12. Create Shared Drives where needed

Use Shared Drives for company files that should not disappear when one employee leaves.

Path:

https://drive.google.com → Shared drives → New

Good examples:

• Company Documents
• Marketing Assets
• Job Photos
• Training Manuals
• Website Assets

Set permissions intentionally:

Role	Use case
Viewer	Can view only
Commenter	Can comment
Contributor	Can add/edit files
Content manager	Can organize content
Manager	Can manage members/settings

For most clients, keep this simple. Only create Shared Drives that match a real operational need.

13. Test email

Test sending from the new Workspace email to:

• A personal Gmail.
• A non-Gmail address if available.
• Tekton email.

Confirm:

• Message sends.
• Display name is correct.
• Signature is acceptable.
• No warning banners.
• Reply-to is correct.

Then reply back to the new business email and confirm:

• Message arrives in Gmail.
• No bounce.
• Old provider is not still receiving mail.

14. Secure the account

Have the client owner turn on 2-Step Verification.

Path:

Google Account → Security → 2-Step Verification

Supported options:

• Google Prompt.
• Authenticator app.
• Text/call backup.
• Backup codes.
• Security key/passkey.

In Google Admin, review 2-Step Verification settings:

Directory → Users → select user → Security

For businesses, recommend enforcing 2FA once all users are ready.

Do not lock users out by enforcing 2FA before they have enrolled.

15. Review Gemini / AI features

Google Workspace may include Gemini features depending on the plan and rollout.

Useful client-safe explanation:

• Gmail can summarize some email threads.
• Docs/Sheets may include AI writing or summary support.
• Gemini may be available as a business assistant.

Do not sell Gemini as the reason to buy Workspace. Treat it as a bonus. The real core is professional email, admin control, security, Drive, Calendar, and collaboration.

16. Complete the client handoff

Send the client:

• Gmail login URL: https://mail.google.com
• Admin URL if they are an owner/admin: https://admin.google.com
• Their email address.
• Temporary password delivery path, if applicable.
• Instruction to change password immediately.
• Note that DNS/email cutover is complete.
• Reminder to enable 2FA.

Do not send passwords in public Discord channels.

Use secure delivery or have the client set/reset their own password.

Definition of done

The setup is done when:

• Client owns the Workspace account.
• Domain is verified.
• Admin user is created.
• Required users are created.
• Aliases are configured.
• Groups are configured where needed.
• MX records are updated.
• SPF is added or merged.
• DKIM is enabled.
• DMARC is added.
• Gmail send-as is configured for aliases.
• Shared Drives are created only if needed.
• Send test passed.
• Receive test passed.
• Recovery email/phone is added.
• 2FA is enabled or rollout plan is set.
• Admin access is documented.
• Client handoff is sent.

Common mistakes

Creating the account under Tekton

Bad. The client should own it.

Buying or moving the domain unnecessarily

Bad. If the client already has a domain and site, use the existing DNS provider unless there is a separate approved migration reason.

Adding two SPF records

Bad. SPF must be one TXT record.

Switching MX records too early

Can break active email. Confirm cutover timing.

Forgetting DKIM

Email may work, but deliverability is weaker.

Making every address a paid user

Many addresses can be aliases or groups.

Forgetting send-as setup for aliases

Receiving as an alias does not always mean the client can send from it cleanly.

Losing admin recovery access

Always confirm recovery email/phone.

Client-safe explanation

If a client asks what we are doing:

We’re setting up Google Workspace so your business email runs through Gmail using your own domain. Once it’s done, you’ll be able to send and receive from your professional email address, and we’ll make sure the DNS records are set up correctly so email deliverability is protected.

Cutover warning

Before MX cutover, use this internally:

Switching MX records moves the domain’s email delivery. If the client currently receives email somewhere else, that system may stop receiving new mail after cutover. Confirm timing and backup access first.

Source notes

Source video:

• Google Workspace Tutorial For Small Business 2025 - Professional Email, AI, Collaboration & Tools
• Santrel Media
• https://www.youtube.com/watch?v=7YE7jX1Xg7g

The video covered:

• Direct Google Workspace setup vs Hostinger/domain-first setup.
• Business Starter as the common beginner plan.
• Buying a domain through Hostinger when the business does not already have one.
• Admin Console basics at admin.google.com.
• Adding users.
• Creating aliases for extra addresses without extra paid users.
• Google Groups for addresses that multiple people need to receive.
• Domain verification with TXT and CNAME records.
• Shared Drives for team file sharing.
• Gmail send-as setup for aliases.
• 2-Step Verification setup and admin enforcement.
• Gemini/AI features as a Workspace add-on/rolling feature.

Tekton adjustment: for active clients with existing websites/domains, skip the Hostinger-first beginner path unless we are also intentionally moving their domain/website stack.