SPF + DKIM + DMARC with Gmail account and external mail server


Solution 1

I have been using such a config since 2010; actually DMARC came in later. I use Google Apps servers to send and receive email via the web client. My server is only sending emails and not receiving, so there is no need for any DNS MX record changes, and the server's port 25 is also not opened to the Internet.

SPF

I suppose you are past the standard Google guide to attaching your domain to Google Apps. Therefore you only need to tune your DNS zone SPF/TXT record to include your server:

<yourdomain>. TXT "v=spf1 ip4:<yourserver-ip> include:_spf.google.com ~all"

DKIM

If you configured DKIM for your domain DNS zone with the Google generated key, then you are also fine to add any number of your own custom DKIM keys, see more here: https://support.google.com/a/answer/174124 . So your other DKIM record on the domain should look like:

<yourserver-key-id>._domainkey.<yourdomain>. TXT "v=DKIM1; k=rsa; p=<dkim public key data here>"

Google will sign outgoing emails with its key, so receivers will validate them against the signing key id. Your server's emails should be sent and signed by your custom DKIM with its own key id; then the receiver's email server/client will simply look up that custom key id to verify the source, not Google's - fine!

DMARC

Finally I have configured DMARC. I receive DMARC reports on the "admin@" account, which is actually hosted on the same domain that is monitored, and on Google Apps. In addition I use Google's email alias trick "+dmarc" to easily filter these reports and label them.

_dmarc.<yourdomain>. TXT "v=DMARC1; p=none; rua=mailto:admin+dmarc@<yourdomain>"
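The three records above only do their job if a receiver evaluates them the way the answer assumes: the server IP passes SPF through the ip4 term, Google's hosts pass through the include, each sender's DKIM-Signature names a selector that is actually published, and DMARC is satisfied by whichever of the two aligns with the From: domain. The following is an added example, not code from the answer above: a small offline checker that walks through exactly that for a constructed zone. It assumes the placeholder domain example.com, server IP 203.0.113.10, the selectors "google" and "mail", an abbreviated (not real) Google netblock entry, and placeholder key and signature values; the DNS table is in memory, so swap in a real resolver (e.g. dnspython) to run it against a live zone. It also answers the question raised in the comments about testing per selector: the check looks up the selector named in the signature header (s=), not whichever selector a tester happens to know about.

```python
import ipaddress

# Constructed in-memory DNS zone (placeholder domain, IP, selectors and key
# material; the Google netblock entry is abbreviated, not the real record).
ZONE = {
    "example.com": ["v=spf1 ip4:203.0.113.10 include:_spf.google.com ~all"],
    "_spf.google.com": ["v=spf1 include:_netblocks.google.com ~all"],
    "_netblocks.google.com": ["v=spf1 ip4:209.85.128.0/17 ~all"],
    "google._domainkey.example.com": ["v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A..."],
    "mail._domainkey.example.com": ["v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A..."],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:admin+dmarc@example.com"],
}

# Constructed DKIM-Signature headers (bh= and b= are placeholders, not real
# signatures): one from Google's outbound, one from your own server, and one
# from a spoofer who picked a selector that is not published in your zone.
GOOGLE_SIG = "v=1; a=rsa-sha256; d=example.com; s=google; h=from:to:subject; bh=...; b=..."
SERVER_SIG = "v=1; a=rsa-sha256; d=example.com; s=mail; h=from:to:subject; bh=...; b=..."
SPOOF_SIG = "v=1; a=rsa-sha256; d=example.com; s=bogus; h=from:to:subject; bh=...; b=..."

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(name):
    """TXT lookup against the constructed zone (replace with real DNS for live use)."""
    return ZONE.get(name.rstrip(".").lower(), [])


def parse_tags(value):
    """Parse a 'k=v; k=v' tag list (DKIM records, DKIM-Signature, DMARC records)."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = "".join(val.split())  # drop folding whitespace
    return tags


def spf_check(ip, domain, depth=0):
    """Minimal SPF evaluation: ip4, ip6, include and all only (no a/mx/ptr/redirect).
    Returns the RFC 7208 result for the first matching mechanism."""
    if depth > 10:  # RFC 7208 caps DNS-querying mechanisms at 10 per check
        return "permerror"
    records = [t for t in lookup_txt(domain) if t.lower().split()[:1] == ["v=spf1"]]
    if not records:
        return "none"
    if len(records) > 1:  # two SPF records is a permanent error, not "either"
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":
            matched = spf_check(ip, arg, depth + 1) == "pass"
        elif mech == "all":
            matched = True
        else:
            return "permerror"  # mechanism this toy evaluator does not implement
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no 'all' term


def dkim_selector_check(dkim_signature_header):
    """Look up the selector the signer actually named (s=) under its d= domain.
    This checks key publication only; verifying b= needs the message body and
    a real DKIM library such as dkimpy."""
    sig = parse_tags(dkim_signature_header)
    domain, selector = sig.get("d", ""), sig.get("s", "")
    for rec in lookup_txt(f"{selector}._domainkey.{domain}"):
        tags = parse_tags(rec)
        if tags.get("v", "DKIM1") == "DKIM1" and tags.get("p"):
            return {"domain": domain, "selector": selector, "key_found": True}
    return {"domain": domain, "selector": selector, "key_found": False}


def dmarc_check(from_domain, spf_result, spf_domain, dkim):
    """DMARC with strict identifier alignment: the From: domain must equal the
    SPF-authenticated (MAIL FROM) domain or the DKIM d= domain; relaxed mode
    would also accept subdomains. Returns the published policy and the verdict."""
    rec = lookup_txt(f"_dmarc.{from_domain}")
    policy = parse_tags(rec[0]).get("p", "none") if rec else "none"
    spf_aligned = spf_result == "pass" and spf_domain == from_domain
    dkim_aligned = dkim["key_found"] and dkim["domain"] == from_domain
    return {"policy": policy, "spf_aligned": spf_aligned,
            "dkim_aligned": dkim_aligned, "dmarc_pass": spf_aligned or dkim_aligned}


if __name__ == "__main__":
    # Sending IPs: your own server, a Google outbound host, and a spoofer's box.
    for ip, sig in (("203.0.113.10", SERVER_SIG), ("209.85.220.41", GOOGLE_SIG),
                    ("198.51.100.7", SPOOF_SIG)):
        spf = spf_check(ip, "example.com")
        dkim = dkim_selector_check(sig)
        print(ip, spf, dkim, dmarc_check("example.com", spf, "example.com", dkim))
```

With the record set above, both legitimate senders reach a DMARC pass by different routes (the server through its ip4 term plus the "mail" selector, Google through the include plus the "google" selector), while the spoofer gets SPF softfail and an unknown selector. Note that a p=none policy, as in the answer, only reports; receivers will not reject the spoofed message until the policy is moved to quarantine or reject, which is why the reports should be read first.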

Solution 2

Add the server to your existing SPF record with something like ip4:<server ip address>

If you want DKIM signing of the messages, you can use OpenDKIM, a popular milter, and update your DNS with the selector.

You probably don't need to edit anything in your DMARC record, but if you are unsure, you may find the resources on the DMARC Deployment Tools page useful.
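As an added illustration of the OpenDKIM route mentioned above (not configuration from the answer or from the OpenDKIM project itself), the fragments below show a minimal sign-only setup for a send-only Postfix host. The domain example.com, the selector "mail", the key paths and the milter port are all assumed; adjust them to your own zone and the selector you publish in DNS.

```text
# Generate the key pair once; mail.txt is the TXT record to publish under
# mail._domainkey.example.com, mail.private stays on the server (assumed paths).
#   opendkim-genkey -b 2048 -d example.com -s mail -D /etc/opendkim/keys/example.com

# /etc/opendkim.conf
Syslog                  yes
UMask                   007
Mode                    s                  # sign only; nothing to verify on a send-only host
Canonicalization        relaxed/simple
KeyTable                /etc/opendkim/KeyTable
SigningTable            refile:/etc/opendkim/SigningTable
Socket                  inet:8891@localhost

# /etc/opendkim/KeyTable  (name  domain:selector:private-key-file)
mail._domainkey.example.com example.com:mail:/etc/opendkim/keys/example.com/mail.private

# /etc/opendkim/SigningTable  (sender pattern -> KeyTable entry)
*@example.com mail._domainkey.example.com

# /etc/postfix/main.cf
smtpd_milters         = inet:localhost:8891
non_smtpd_milters     = $smtpd_milters
milter_default_action = accept
```

Because the selector in the KeyTable entry ("mail") is what ends up in the s= tag of every DKIM-Signature this host adds, a receiver will look up mail._domainkey.example.com and never touch the Google selector; the two keys coexist without conflict. Keep milter_default_action at accept only while testing, otherwise a crashed milter silently lets unsigned mail out.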



Author: cptBuggy

Updated on September 18, 2022

Comments

  • cptBuggy
    cptBuggy over 1 year

    I'm using Gmail with my own domain (Google Apps) for my project. Now I want to add an external mail server for sending notifications to users. Gmail doesn't give private keys for DKIM, and if keys are generated on the external mail server, in case of strict rules, all mail from Gmail will be rejected. How can I use SPF+DKIM+DMARC in this situation to prevent mail spoofing?

    • Admin
      Admin over 8 years
      What do you mean by using Gmail with your own domain?
    • Admin
      Admin over 8 years
      I mean Google Apps.
    • Admin
      Admin over 8 years
      External mail server only for sending. No, just own mail server with configured postfix.
  • Jimmy
    Jimmy about 3 years
    Have you found a good dkim tester that validates against each selector? I tried dkimvalidator.com and mail-tester.com, and both seem to validate dkim using the google selector even when sending email from the php mail server... and they say it validates! But easydmarc.com shows 0% dkim pass rate for emails coming from the php mail server.
  • Jimmy
    Jimmy about 3 years
    Or is that an issue with the php email server that specifies the wrong selector?
  • gertas
    gertas over 2 years
    @Jimmy I use opendkim-testmsg to validate my sent email contents.