Google Workspace Infrastructure Setup Guide

The Sovereign Stack. You don't rent your email; you own your infrastructure. This guide details the Proscris Two-Account System (Owner vs. System), creating a separation of concerns that protects your digital assets from lockout, loss, or vendor capture. Covering Google Workspace, Cloud Identity, and role-based access control, this is the blueprint for digital sovereignty. Build your house on rock, not sand.

📋 GOOGLE INFRASTRUCTURE SETUP GUIDE

Domain Ownership · Google Workspace · The Two-Account System · Business Email · DNS Authentication · GA4 · GTM · YouTube

Proscris Agency — Client Onboarding Document 3

Prepared by:

Scope: Domain Ownership → Google Workspace → Business Email Authentication → Analytics → Search Console → Tag Manager → YouTube → Google Business Profile → Agency Access


⚠️ Read This First — Before You Touch Anything:

This document covers your entire Google infrastructure — the digital backbone that every other part of your online business depends on. It is not a checklist to rush through. Each section builds on the one before it. A mistake made in Part 1 can break everything in Part 5. Read it end to end first, then execute in order. This infrastructure is among the most critical assets your business will ever own.


PART 1: THE FOUNDATION — Understanding Your Domain Name

Your domain name — yourbusiness.com — is your address on the internet. But a domain is simply a name. What that name points to is controlled by DNS (Domain Name System).

The DNS Record Types You Need to Know

| Record Type | What It Does | Real-World Analogy |
|---|---|---|
| A Record | Points your domain to an IP address (your website's server) | The street address of your building |
| MX Record | Tells the internet which servers handle email for your domain | The mailbox where your mail gets delivered |
| CNAME Record | Creates an alias — points one name to another name | A nickname that redirects to your main address |
| TXT Record | Stores text-based instructions — verification & security | A certificate proving you own and authorize something |
| NS Record | Nameserver record — tells the internet which DNS provider is authority | The address of the phone book itself |
| DKIM Record | A digital signature that authenticates your outgoing emails | A wax seal on an envelope proving it came from you |

PART 2: REGISTERING YOUR DOMAIN — GoDaddy vs. Cloudflare

Cloudflare — The Recommendation

| Feature | GoDaddy | Cloudflare |
|---|---|---|
| WHOIS Privacy | Extra charge (~$9.99/yr) | Free on all domains |
| DNSSEC | Optional / extra cost | Default — automatic |
| DDoS Protection | Not default | Free, integrated |
| DNS Network Speed | Standard | World's fastest |
| Renewal Pricing | Often higher after first year | At-cost — no markup |

To register on Cloudflare: Go to cloudflare.com → Create Account (with 2FA) → Domain Registration → Register Domains.


PART 3: THE TWO-ACCOUNT SYSTEM — The Architecture Before Everything Else

You will operate two Google Workspace accounts. Both are mission-critical. Neither replaces the other.

The Strategy: Register every platform (Meta, Canva, HubSpot, Zoom) using "Sign in with Google" via the System Account. When a team member leaves, revoke access to the System Account, and access to everything is revoked instantly.


PART 4: GOOGLE WORKSPACE — Your Professional Email & Business Platform

Step 4.1 — Sign Up

Go to workspace.google.com. Recommended plan: Business Standard (2TB storage, meeting recordings).

Step 4.2 — Create the System Account

  1. Log into admin.google.com with your owner account.
  2. Go to Directory → Users → Add New User.
  3. Create system@yourbusiness.com.
  4. Assign Role: Super Admin.
  5. Enable 2FA immediately.

PART 6: MAKING EMAIL WORK — The Four DNS Records Google Requires

Without these, your email is unprofessional, insecure, and likely to land in spam.

Record 1: MX Records (Mail Exchange)

Add these 5 records to Cloudflare DNS:

  • Priority 1: ASPMX.L.GOOGLE.COM
  • Priority 5: ALT1.ASPMX.L.GOOGLE.COM
  • Priority 5: ALT2.ASPMX.L.GOOGLE.COM
  • Priority 10: ALT3.ASPMX.L.GOOGLE.COM
  • Priority 10: ALT4.ASPMX.L.GOOGLE.COM

Record 2: SPF (Sender Policy Framework)

Type: TXT | Name: @ | Value: v=spf1 include:_spf.google.com ~all

Record 3: DKIM (DomainKeys Identified Mail)

Generate this in Admin Console → Apps → Google Workspace → Gmail → Authenticate Email. Add the provided TXT record to Cloudflare.

Record 4: DMARC (Enforcement)

Type: TXT | Name: _dmarc | Value: v=DMARC1; p=none; rua=mailto:system@yourbusiness.com
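
An added example, not part of the Proscris guide: an offline audit of the Part 6 records against the MX, SPF and DMARC values listed above. The function names and SAMPLE_* inputs are constructed for illustration; the duplicate-SPF check and the note that p=none only requests reports go beyond what the guide states.

```python
# Added example: audit the Part 6 records offline. Pass in the answers you
# looked up; the SAMPLE_* values below are constructed from the guide's text.
GOOGLE_MX = {"aspmx.l.google.com": 1, "alt1.aspmx.l.google.com": 5,
             "alt2.aspmx.l.google.com": 5, "alt3.aspmx.l.google.com": 10,
             "alt4.aspmx.l.google.com": 10}

def parse_tags(record):
    """Split a 'k=v; k=v' DMARC TXT value into a dict with lowercase keys."""
    pairs = (p.split("=", 1) for p in record.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def audit(mx, apex_txt, dmarc_txt):
    """mx: [(priority, host)]; apex_txt, dmarc_txt: lists of TXT strings."""
    findings = []
    seen = {host.rstrip(".").lower(): prio for prio, host in mx}
    for host, prio in GOOGLE_MX.items():
        if seen.get(host) != prio:
            findings.append(f"MX: {host} missing or not priority {prio}")
    for host in sorted(seen.keys() - GOOGLE_MX.keys()):
        findings.append(f"MX: unexpected mail host {host}")
    spf = [t for t in apex_txt if t.lower().startswith("v=spf1")]
    if len(spf) != 1:  # receivers treat multiple SPF records as a permanent error
        findings.append(f"SPF: expected exactly 1 record, found {len(spf)}")
    else:
        terms = spf[0].lower().split()
        if "include:_spf.google.com" not in terms:
            findings.append("SPF: include:_spf.google.com missing")
        if terms[-1] not in ("~all", "-all"):
            findings.append(f"SPF: ends in {terms[-1]!r}, not ~all or -all")
    dmarc = [t for t in dmarc_txt if t.lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        findings.append(f"DMARC: expected exactly 1 record, found {len(dmarc)}")
    else:
        tags = parse_tags(dmarc[0])
        policy = tags.get("p", "").lower()
        if policy not in ("none", "quarantine", "reject"):
            findings.append(f"DMARC: missing or invalid p= ({policy!r})")
        elif policy == "none":
            findings.append("DMARC: p=none is monitoring only, no quarantine or reject is requested")
        if "rua" not in tags:
            findings.append("DMARC: no rua= address for aggregate reports")
    return findings

SAMPLE_MX = [(prio, host.upper() + ".") for host, prio in GOOGLE_MX.items()]
SAMPLE_APEX_TXT = ["v=spf1 include:_spf.google.com ~all"]
SAMPLE_DMARC_TXT = ["v=DMARC1; p=none; rua=mailto:system@yourbusiness.com"]

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_MX, SAMPLE_APEX_TXT, SAMPLE_DMARC_TXT)))
```

Run against the guide's own values, the only finding is the DMARC policy: the record as written collects reports at the rua address but does not ask receivers to act on failing mail.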


PART 8: GOOGLE ANALYTICS 4 — Measuring Your Website Traffic

Create property at analytics.google.com under the System Account.

Access Protocol

  • Owner Account: Administrator
  • System Account: Administrator (Creator)
  • Proscris Agency: Editor

PART 9: GOOGLE SEARCH CONSOLE — Your Presence in Google Search

Verify domain property at search.google.com/search-console via DNS TXT record.

Access Protocol

  • Owner Account: Owner
  • System Account: Owner
  • Proscris Agency: Full

PART 10: GOOGLE TAG MANAGER — Your Website's Tracking Command Center

The Solution: Install ONE container code on your website. Manage all future pixels, tags, and tracking via the GTM interface without touching website code again.

Step 10.2 — Install the GTM Code

  • Snippet 1: In <head> (high up).
  • Snippet 2: After opening <body> tag.

Access Protocol

  • Owner Account: Admin / Publish
  • Proscris Agency: User / Publish

PART 11: YOUTUBE — The Platform You Cannot Ignore

Create a Brand Account under the System Account at youtube.com. This allows multiple managers without sharing the login.

Access Protocol

  • Owner Account: Manager
  • Proscris Agency: Manager

PART 14: GOOGLE DRIVE, SHARED ASSETS & THE COMPLETE ACCESS PICTURE

The Permission Hierarchy

SYSTEM ACCOUNT (system@yourbusiness.com)
└── Creates all shared Drive folders and files
    ├── Invites: Owner Account (yourname@yourbusiness.com) → Editor
    ├── Invites: Proscris Agency Account → Editor
    └── Invites: Additional team members → Editor/Viewer

The Revocability Principle: Every single access grant made through this system can be revoked completely and instantly at any time via the System Account.


PART 15: ONBOARDING CHECKLIST — DOCUMENT 3

Phase 1: Domain & Workspace

  • ☐ Domain registered/transferred to Cloudflare
  • ☐ Google Workspace created (Business Standard)
  • ☐ Owner & System accounts created
  • ☐ 2FA enabled on all accounts

Phase 2: Authentication

  • ☐ MX Records updated
  • ☐ SPF Record added
  • ☐ DKIM Record generated & added
  • ☐ DMARC Record added

Phase 3: Platform Setup

  • ☐ GA4 Property created & access granted
  • ☐ Search Console verified & access granted
  • ☐ GTM Container created, installed & access granted
  • ☐ YouTube Brand Channel created & verified
  • ☐ Google Business Profile claimed & verified

APPENDIX: KEY TERMS GLOSSARY

| Term | Definition |
|---|---|
| DNS | Domain Name System — translates domain names to server addresses. |
| MX Record | Mail Exchange — directs email to the correct server. |
| SPF | Sender Policy Framework — authorizes servers to send email. |
| DKIM | DomainKeys Identified Mail — digital signature for email authenticity. |
| DMARC | Domain-based Message Authentication — enforcement policy for SPF/DKIM. |
| System Account | IT-admin account (system@) for owning infrastructure. |
| GTM Container | Single code block installed on site to manage all tags. |
| Brand Account | YouTube channel type allowing multiple managers. |
| 2FA | Two-Factor Authentication — mandatory security layer. |

📌 The Closing Frame:

The infrastructure covered in this document is not exciting. It does not generate leads directly. But it is the bedrock that every other part of your digital business is built on. Your domain is your name. Your Google accounts are the master keys. Your DNS records are the rules. Get this right once, and it works silently, reliably, and securely for years.

