I'm using Gmail with my own domain (Google Apps) for my project. Now I want to add an external mail server for sending notifications to users. Gmail doesn't give out private keys for DKIM, and if keys are generated on the external mail server, in case of strict rules, all mail from Gmail will be rejected. How can I use SPF+DKIM+DMARC in this situation to prevent mail spoofing?
- What do you mean by using Gmail with your own domain? – Paul Jan 14 '16 at 12:09
- I mean Google Apps. – cptBuggy Jan 14 '16 at 12:19
- Is the external mail server only for sending? If so, is it also a service such as Mandrill, SendGrid, Mailgun, etc.? – Paul Jan 14 '16 at 12:22
- External mail server only for sending. No, just my own mail server with configured Postfix. – cptBuggy Jan 14 '16 at 13:09
4 Answers
Add the server to your existing SPF record with something like ip4:<server ip address>
If you want DKIM signing of the messages, you can use OpenDKIM, a popular milter, and update your DNS with the selector.
You probably don't need to edit anything in your DMARC record, but if you are unsure, you may find some of these resources useful at the DMARC Deployment Tools page.
I have been using such a config since 2010; DMARC actually came in later. I use Google Apps servers to send and receive email via the web client. My server is only sending emails and not receiving, so there is no need for any DNS MX record changes, and the server's port 25 is not opened to the Internet either.
SPF
I suppose you are past the standard Google guide for attaching your domain to Google Apps. Therefore you only need to tune your DNS zone SPF/TXT record to include your server:
<yourdomain>. TXT "v=spf1 ip4:<yourserver-ip> include:_spf.google.com ~all"
DKIM
If you configured DKIM for your domain's DNS zone with the Google-generated key, then you are also fine to add any number of your own custom DKIM keys; see more here: https://support.google.com/a/answer/174124 . So your other DKIM record on the domain should look like:
<yourserver-key-id>._domainkey.<yourdomain>. TXT "v=DKIM1; g=*; k=rsa; <dkim key data here>"
Google will sign outgoing emails with its key, so receivers will validate them against the signing key id. Your server's emails should be sent and signed by your custom DKIM with its own key id; then the receivers' email server/client will simply look up that custom key id to verify the source, not Google's - fine!
DMARC
Finally I have configured DMARC. I receive DMARC reports on the "admin@" account, which is actually hosted on the same domain that is monitored, on Google Apps. In addition I use Google's email alias trick "+dmarc" to easily filter these reports and label them.
_dmarc.<yourdomain>. TXT "v=DMARC1; p=none; rua=mailto:admin+dmarc@<yourdomain>"
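As an added example (not code from either answer above), here is an offline audit of the SPF, DKIM and DMARC records described in those two answers: it evaluates SPF the way a receiving MTA would for a given connecting IP (including the `include:` recursion and the 10-lookup limit), confirms a DKIM key is published under each selector, and reads the DMARC policy. All DNS data is a constructed in-memory zone; `example.com`, the 203.0.113.x / 198.51.100.x addresses, the `srv1` and `google` selectors and the key material are placeholders, and the `_spf.google.com` entry is a stand-in so the example resolves offline, not Google's real record.

```python
"""Offline audit of the SPF / DKIM / DMARC layout from the answers above.

Everything runs against a constructed in-memory zone; no DNS queries are made.
Domain, IPs, selectors and key material are placeholders.
"""
import ipaddress

MAX_LOOKUPS = 10  # RFC 7208 caps DNS-querying mechanisms (include, a, mx, ...) at 10

# Constructed zone. "_spf.google.com" is a stand-in for Google's real include
# chain so that the include: mechanism resolves offline; it is NOT Google's record.
ZONE = {
    "example.com": ['"v=spf1 ip4:203.0.113.10 include:_spf.google.com ~all"'],
    "_spf.google.com": ['"v=spf1 ip4:198.51.100.0/24 ~all"'],
    "srv1._domainkey.example.com": ['"v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_KEY"'],
    "google._domainkey.example.com": ['"v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_KEY"'],
    "_dmarc.example.com": ['"v=DMARC1; p=none; rua=mailto:admin+dmarc@example.com"'],
}


def txt(zone, name):
    """Return the TXT strings published at name, with the surrounding quotes removed."""
    return [s.strip('"') for s in zone.get(name.lower().rstrip("."), [])]


def spf_check(ip, domain, zone, _lookups=None):
    """Evaluate the SPF subset used on this page: ip4, include and the 'all' qualifiers.

    Returns pass / fail / softfail / neutral / none / permerror, as a receiving
    MTA would for a connection from `ip` whose MAIL FROM claims `domain`.
    """
    if _lookups is None:
        _lookups = [0]          # shared counter across recursive include: evaluation
    records = [r for r in txt(zone, domain) if r.lower().startswith("v=spf1")]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"      # more than one SPF record is a permanent error
    addr = ipaddress.ip_address(ip)
    result_of = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in records[0].split()[1:]:
        qual = "+"
        if term[0] in result_of:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return result_of[qual]
        if mech == "ip4":
            # a v6 client address never matches an ip4 mechanism
            if addr in ipaddress.ip_network(arg, strict=False):
                return result_of[qual]
        elif mech == "include":
            _lookups[0] += 1
            if _lookups[0] > MAX_LOOKUPS:
                return "permerror"
            if spf_check(ip, arg, zone, _lookups) == "pass":
                return result_of[qual]
        else:
            return "permerror"  # a, mx, exists, ... are not modelled in this example
    return "neutral"            # nothing matched and no explicit 'all'


def parse_tags(record):
    """Parse a 'tag=value; tag=value' list; DKIM and DMARC records share this syntax."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def dkim_key(zone, selector, domain):
    """Return the parsed DKIM record for selector._domainkey.domain, or None if absent."""
    records = txt(zone, f"{selector}._domainkey.{domain}")
    return parse_tags(records[0]) if records else None


def dmarc_policy(zone, domain):
    """Return the parsed _dmarc record for the domain, or None if absent."""
    records = [r for r in txt(zone, f"_dmarc.{domain}") if r.lower().startswith("v=dmarc1")]
    return parse_tags(records[0]) if records else None


def audit(zone, domain, server_ip, selectors):
    """Summarise what a receiver would find for mail sent by server_ip under domain."""
    findings = {"spf": spf_check(server_ip, domain, zone)}
    for selector in selectors:
        key = dkim_key(zone, selector, domain)
        findings[f"dkim:{selector}"] = "published" if key and key.get("p") else "missing"
    policy = dmarc_policy(zone, domain)
    findings["dmarc"] = policy.get("p", "missing") if policy else "missing"
    return findings


if __name__ == "__main__":
    print(audit(ZONE, "example.com", "203.0.113.10", ["srv1", "google"]))
```

Running the audit for the constructed server IP reports SPF `pass`, both selectors `published` and DMARC `p=none`; an IP outside both the ip4 entry and the include chain falls through to `~all` and reports `softfail`, which is exactly the signal the `rua=` reports in the answer would carry back to you.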
- Have you found a good DKIM tester that validates against each selector? I tried dkimvalidator.com and mail-tester.com, and both seem to validate DKIM using the Google selector even when sending email from the PHP mail server... and they say it validates! But easydmarc.com shows a 0% DKIM pass rate for emails coming from the PHP mail server. – Jimmy Feb 25 '21 at 03:45
- Or is that an issue with the PHP email server that specifies the wrong selector? – Jimmy Feb 25 '21 at 05:19
FWIW – since I came across this page in my research... It is possible to send DKIM valid emails from (regular free) Gmail through an external mail server as long as you can set/get the correct domainkey and publish the pertinent DNS record. If your host has cPanel, for instance, you should be good to go!
I've put together a quick write-up for how to do this with a cPanel host like HostGator here: https://felixboehme.medium.com/dkim-signing-with-regular-free-gmail-and-hostgator-cpanel-83cc0eb3c337
You won't be able to send email with a Gmail email address in the From: header if you don't use a server that Gmail wants you to send email from. That is the basic mechanism by which DKIM, SPF and so forth restore trust in email addresses.
As far as I understand it, if you need to send email from your own server, then just get yourself your own domain, create your own DKIM private keys and send from a legitimate email address @yourdomain. You can forward email sent to that address to Gmail again. You can also set Gmail up to use SMTP to send emails through your server.
I hope I didn't miss anything...
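The point this last answer makes, and the reason the DMARC record in the second answer works, is identifier alignment: DMARC only counts an SPF or DKIM pass when the authenticated domain lines up with the From: header domain. The following is an added example, not code from any answer here, that models that receiver-side decision for the setups discussed: mail from your own domain signed under your own selector, mail whose From: names a domain you do not control (the case the answer warns about), and a subdomain signature under relaxed versus strict alignment. The domains and policies are constructed placeholders, and `org_domain` uses a two-label simplification where a real receiver consults the Public Suffix List.

```python
"""DMARC identifier alignment, modelled offline the way a receiving MTA applies it.

Constructed inputs only: the policy dicts are placeholders, not the real
published policy of any domain.
"""


def org_domain(name):
    """Simplified organizational domain: the last two labels.

    A real receiver uses the Public Suffix List so that co.uk-style suffixes are
    handled; two labels are enough for the placeholder domains used here.
    """
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Relaxed ('r') alignment compares organizational domains, strict ('s') the exact domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_evaluate(from_domain, dkim_results, spf_result, policy):
    """Combine authentication results into a DMARC verdict.

    from_domain:  domain of the RFC5322.From header (the identity DMARC protects)
    dkim_results: list of (result, d= domain) tuples, one per verified signature
    spf_result:   (result, RFC5321.MailFrom domain)
    policy:       parsed _dmarc TXT tags (p, adkim, aspf, ...)
    """
    adkim = policy.get("adkim", "r")
    aspf = policy.get("aspf", "r")
    dkim_ok = any(res == "pass" and aligned(from_domain, d, adkim) for res, d in dkim_results)
    spf_res, spf_domain = spf_result
    spf_ok = spf_res == "pass" and aligned(from_domain, spf_domain, aspf)
    passed = dkim_ok or spf_ok
    return {
        "dmarc": "pass" if passed else "fail",
        "dkim_aligned": dkim_ok,
        "spf_aligned": spf_ok,
        # with p=none a failure is only reported; quarantine/reject act on it
        "action": "none" if passed else policy.get("p", "none"),
    }


# Scenario 1: the setup from the answers. The server signs with its own selector
# under your domain and is listed in SPF, so both identifiers align.
OWN_DOMAIN = dmarc_evaluate(
    "example.com",
    [("pass", "example.com")],
    ("pass", "example.com"),
    {"p": "none", "rua": "mailto:admin+dmarc@example.com"},
)

# Scenario 2: the case the last answer warns about. The From: header carries a
# domain you do not control. SPF and DKIM both pass for your server, but neither
# identifier aligns with the From: domain, so DMARC fails and that domain's
# policy decides the outcome. (Placeholder domain and policy.)
FOREIGN_FROM = dmarc_evaluate(
    "mailbox-provider.example",
    [("pass", "example.com")],
    ("pass", "example.com"),
    {"p": "reject"},
)

# Scenario 3: a signature from a subdomain aligns under relaxed mode only.
SUBDOMAIN_RELAXED = dmarc_evaluate(
    "example.com", [("pass", "mail.example.com")], ("fail", "example.com"), {"p": "quarantine"}
)
SUBDOMAIN_STRICT = dmarc_evaluate(
    "example.com", [("pass", "mail.example.com")], ("fail", "example.com"), {"p": "quarantine", "adkim": "s"}
)

if __name__ == "__main__":
    for label, verdict in [("own domain", OWN_DOMAIN), ("foreign From", FOREIGN_FROM),
                           ("subdomain/relaxed", SUBDOMAIN_RELAXED), ("subdomain/strict", SUBDOMAIN_STRICT)]:
        print(f"{label:18} {verdict}")
```

Scenario 2 is why a valid signature from your own server cannot rescue a From: address at someone else's domain: alignment is checked against the From: domain, so the only fix is the one the answer gives, sending as an address at a domain whose SPF and DKIM you control.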