Custom Domain & DNS Setup

Lesson 7 · Cloudflare Workers · ~12 minutes

Your Worker is running on *.workers.dev — but you want it on your own domain. This lesson covers two things: pointing a subdomain from your Google Workspace domain to Cloudflare, and attaching it to your Worker with automatic SSL.

The Two Approaches

There are two ways to use your domain with Cloudflare Workers:

| Approach | How | When to Use |
| --- | --- | --- |
| Full setup (recommended) | Move your domain's nameservers to Cloudflare | You want all Cloudflare features (DDoS, WAF, caching, Workers) on the whole domain |
| CNAME setup (partial) | Keep existing DNS, add a CNAME for your subdomain | You can't or don't want to move nameservers (enterprise DNS locked, etc.) |

For most people with a Google Workspace domain, the full setup is better — you get the complete security and speed layer for free. Google Workspace (Gmail, Calendar, Drive) will keep working because you'll add the required MX and CNAME records in Cloudflare's DNS.

Option A: Full Setup (Move Nameservers to Cloudflare)

This gives you the most value — your entire domain gets Cloudflare's DDoS protection, caching, and DNS performance.

Step 1: Add Your Domain to Cloudflare

  1. Sign in to the Cloudflare dashboard
  2. Click Add a site
  3. Enter your domain (e.g., yourdomain.com)
  4. Select the Free plan
  5. Cloudflare will scan your existing DNS records and import them

Review Imported Records

Cloudflare auto-imports your DNS records, but verify that your Google Workspace records are all present before changing nameservers. Check for: MX records (mail), CNAME records (mail, calendar, drive), TXT records (SPF, DKIM, domain verification).

Step 2: Verify Google Workspace Records

Make sure these records exist in Cloudflare's DNS after import:

| Type | Name | Value | Purpose |
| --- | --- | --- | --- |
| MX | @ | aspmx.l.google.com (priority 1) | Gmail |
| MX | @ | alt1.aspmx.l.google.com (priority 5) | Gmail backup |
| MX | @ | alt2.aspmx.l.google.com (priority 5) | Gmail backup |
| MX | @ | alt3.aspmx.l.google.com (priority 10) | Gmail backup |
| MX | @ | alt4.aspmx.l.google.com (priority 10) | Gmail backup |
| TXT | @ | v=spf1 include:_spf.google.com ~all | SPF (email auth) |
| CNAME | mail | ghs.googlehosted.com | Gmail web (if custom URL) |
| TXT | @ | Google site verification string | Domain ownership |

MX Records Must Be DNS-Only

MX records cannot be proxied through Cloudflare. They must be set to DNS only (grey cloud). This happens automatically for MX records — Cloudflare won't proxy mail traffic.
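A pre-cutover check for the records in Step 2, as an added example (not part of the original lesson): it scans a BIND-style zone export for the Google Workspace MX and SPF records and reports any that are missing or have the wrong priority. The helper name auditWorkspaceZone and the sample zone text are constructed for illustration, and the export layout (name, optional TTL, IN, type, data) is an assumption.

```javascript
// Added example: audit a BIND-style zone export against the Step 2 table.
const REQUIRED_MX = new Map([
  ["aspmx.l.google.com", 1],
  ["alt1.aspmx.l.google.com", 5],
  ["alt2.aspmx.l.google.com", 5],
  ["alt3.aspmx.l.google.com", 10],
  ["alt4.aspmx.l.google.com", 10],
]);

function auditWorkspaceZone(zoneText, domain) {
  const apexNames = new Set(["@", domain.toLowerCase() + "."]);
  const mx = new Map(); // mail host -> priority found in the zone
  const spf = [];       // apex TXT records that start with v=spf1
  for (const raw of zoneText.split("\n")) {
    const line = raw.trim();
    if (!line || line.startsWith(";")) continue; // blank line or comment
    // Assumed layout: <name> [ttl] IN <type> <rdata>
    const m = line.match(/^(\S+)\s+(?:\d+\s+)?IN\s+(MX|TXT)\s+(.+)$/i);
    if (!m || !apexNames.has(m[1].toLowerCase())) continue;
    if (m[2].toUpperCase() === "MX") {
      const [prio, host = ""] = m[3].trim().split(/\s+/);
      mx.set(host.toLowerCase().replace(/\.$/, ""), Number(prio));
    } else {
      const txt = m[3].trim().replace(/^"|"$/g, "");
      if (txt.toLowerCase().startsWith("v=spf1")) spf.push(txt);
    }
  }
  const findings = [];
  for (const [host, prio] of REQUIRED_MX) {
    if (!mx.has(host)) findings.push(`missing MX ${host}`);
    else if (mx.get(host) !== prio)
      findings.push(`MX ${host} has priority ${mx.get(host)}, expected ${prio}`);
  }
  // More than one SPF record on a name makes SPF evaluation fail.
  if (spf.length !== 1) findings.push(`expected 1 SPF record, found ${spf.length}`);
  else if (!spf[0].includes("include:_spf.google.com"))
    findings.push("SPF record does not include _spf.google.com");
  return findings;
}

// Constructed sample export: alt3 is missing, alt4 has the wrong priority.
const SAMPLE_ZONE = `
;; MX and TXT records
yourdomain.com.  1  IN  MX  1 aspmx.l.google.com.
yourdomain.com.  1  IN  MX  5 alt1.aspmx.l.google.com.
yourdomain.com.  1  IN  MX  5 alt2.aspmx.l.google.com.
yourdomain.com.  1  IN  MX  20 alt4.aspmx.l.google.com.
yourdomain.com.  1  IN  TXT  "v=spf1 include:_spf.google.com ~all"
`;
console.log(auditWorkspaceZone(SAMPLE_ZONE, "yourdomain.com"));
```

An empty result means every record in the table was found; run it against the imported zone before changing nameservers in Step 3.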

Step 3: Change Nameservers at Your Registrar

Cloudflare will give you two nameservers (e.g., ada.ns.cloudflare.com and bob.ns.cloudflare.com). Update these at your domain registrar:

Propagation takes anywhere from a few minutes to 48 hours (usually under 1 hour).

Step 4: Add a Subdomain for Your Worker

Once your domain is active in Cloudflare, you don't need to manually create DNS records for Worker subdomains. Custom Domains handle this automatically.

Option B: CNAME Setup (Keep Existing DNS)

If you don't want to move your nameservers (or can't), you can add a CNAME record for just your subdomain at your current DNS provider:

# At your current DNS provider (e.g., Google Domains):
Type:  CNAME
Name:  app              (this creates app.yourdomain.com)
Value: your-worker.your-account.workers.dev

Limitations of CNAME Setup

With CNAME-only, you don't get Cloudflare's DDoS protection, WAF, or caching on that subdomain. You only get the Worker execution. For the full security layer, use the full nameserver setup (Option A).

Attaching Your Custom Domain to the Worker

Once your domain is in Cloudflare (Option A), connecting a subdomain to your Worker is one step:

Via Wrangler (recommended)

In your wrangler.jsonc:

{
  "name": "my-app",
  "main": "src/index.js",
  "routes": [
    {
      "pattern": "app.yourdomain.com",
      "custom_domain": true
    }
  ]
}

Then deploy:

npx wrangler deploy

That's it. Cloudflare will:

Via Dashboard

  1. Go to Workers & Pages → select your Worker
  2. Settings → Domains & Routes → Add → Custom Domain
  3. Enter app.yourdomain.com
  4. Click Add Custom Domain

Updating Your OAuth Redirect URI

Now that your Worker has a custom domain, update your Google OAuth credentials:

  1. Go to Google Cloud Console → Credentials
  2. Edit your OAuth client
  3. Add https://app.yourdomain.com/auth/callback to Authorized redirect URIs
  4. Your OAuth Worker automatically picks up the new domain because it uses url.origin to construct the redirect URI

Multiple Domains

You can attach multiple custom domains to the same Worker. This is useful for staging vs. production: staging.yourdomain.com and app.yourdomain.com can both point to the same Worker (or different ones).

Restricting OAuth to Your Workspace Domain

If you only want users from your Google Workspace (e.g., @yourcompany.com) to sign in, add a check after fetching user info in your OAuth callback:

// In the /auth/callback handler, after fetching user info:
const user = await userRes.json();

// Restrict to your Google Workspace domain
if (!user.email.endsWith("@yourcompany.com")) {
  return new Response("Access denied. Must use @yourcompany.com account.", {
    status: 403,
  });
}

Alternatively, you can use Google's hd (hosted domain) parameter when constructing the auth URL to pre-filter the account picker:

const params = new URLSearchParams({
  client_id: env.GOOGLE_CLIENT_ID,
  redirect_uri: REDIRECT_URI,
  response_type: "code",
  scope: "openid email profile",
  hd: "yourcompany.com",  // Only show Workspace accounts
});

Always Verify Server-Side

The hd parameter only affects the UI (which accounts Google shows). You must still verify the email domain server-side in the callback, because a determined user could modify the auth URL.
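A stricter form of the server-side check, as an added example (not the lesson's own code): besides the email domain it requires a verified email and a matching hd claim, and it rejects a response with no email instead of throwing. checkWorkspaceUser is a hypothetical helper; it assumes a single-domain Workspace and that `claims` is Google's OpenID Connect userinfo response or a signature-verified ID token payload. The sample claims are constructed.

```javascript
// Added example: server-side Workspace check for the /auth/callback handler.
const ALLOWED_DOMAIN = "yourcompany.com"; // placeholder domain, as in the lesson

function checkWorkspaceUser(claims, allowedDomain = ALLOWED_DOMAIN) {
  const domain = allowedDomain.toLowerCase();
  if (!claims || typeof claims.email !== "string") {
    return { ok: false, reason: "no email claim" };
  }
  // Accept boolean true or the string "true" (assumption: some Google
  // endpoints serialize the flag as a string).
  if (claims.email_verified !== true && claims.email_verified !== "true") {
    return { ok: false, reason: "email not verified" };
  }
  // hd is present only for accounts that belong to a Google-hosted
  // organization, so a consumer Gmail account has no hd claim at all.
  if (typeof claims.hd !== "string" || claims.hd.toLowerCase() !== domain) {
    return { ok: false, reason: "hd claim missing or wrong domain" };
  }
  // Compare the part after the last "@" exactly rather than as a suffix.
  const at = claims.email.lastIndexOf("@");
  if (at < 1 || claims.email.slice(at + 1).toLowerCase() !== domain) {
    return { ok: false, reason: "email domain mismatch" };
  }
  return { ok: true, email: claims.email.toLowerCase() };
}

// Constructed sample claims, one per outcome.
const SAMPLE_CLAIMS = [
  { email: "alice@yourcompany.com", email_verified: true, hd: "yourcompany.com" },
  { email: "bob@gmail.com", email_verified: true },
  { email: "eve@yourcompany.com", email_verified: false, hd: "yourcompany.com" },
  { email: "carol@other.com", email_verified: true, hd: "yourcompany.com" },
  {},
];

for (const claims of SAMPLE_CLAIMS) {
  const result = checkWorkspaceUser(claims);
  console.log(claims.email || "(no email)", "->", result.ok ? "allow" : "403 " + result.reason);
}
```

In the callback, return the 403 response whenever `ok` is false and create the session only from the normalized `email` in an allowed result.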

The Complete Picture

👤 User (app.yourdomain.com)
  → 🛡️ Cloudflare Edge: DDoS + WAF + SSL (automatic, free)
  → ⚡ Worker: your code running at the edge, which routes to:
      /auth/login: redirect to Google OAuth
      /auth/callback: exchange code, create session, set cookie
      / (app): check session, render page

What You Get for Free

After moving your domain's nameservers to Cloudflare, what happens to your Google Workspace email?
Correct! MX records tell mail servers where to deliver email. As long as you keep Google's MX records in Cloudflare's DNS (which the auto-import does), Gmail keeps working exactly as before.
Not quite. Changing nameservers only changes who manages DNS — it doesn't affect email as long as the MX records pointing to Google's mail servers are preserved.

📖 Primary Source

Custom Domains — Cloudflare Workers Docs — official guide for connecting domains to Workers, including certificate management and route behavior.
