SPF + DKIM + DMARC with Gmail account and external mail server
I'm using Gmail with my own domain (Google Apps) for my project. Now I want to add an external mail server for sending notifications to users. Gmail doesn't give out private keys for DKIM, and if keys are generated on the external mail server, then under strict rules all mail from Gmail will be rejected. How can I use SPF+DKIM+DMARC in this situation to prevent mail spoofing?
Solution 1:
Add the server to your existing SPF record with something like ip4:<server ip address>
If you want DKIM signing of the messages, you can use OpenDKIM, a popular milter, and update your DNS with the selector.
You probably don't need to edit anything in your DMARC record, but if you are unsure, you may find some of these resources useful at the DMARC Deployment Tools page.
Solution 2:
I have been using such a config since 2010; DMARC actually came in later. I use Google Apps servers to send and receive email via the web client. My server only sends email and does not receive it, so there is no need for any DNS MX record changes, and the server's port 25 is not open to the Internet.
SPF
I suppose you are past the standard Google guide to attaching your domain to Google Apps. Therefore you only need to tune your DNS zone SPF/TXT record to include your server:
<yourdomain>. TXT "v=spf1 ip4:<yourserver-ip> include:_spf.google.com ~all"
DKIM
If you configured DKIM for your domain's DNS zone with a Google-generated key, then you are also fine to add any number of your own custom DKIM keys; see more here: https://support.google.com/a/answer/174124 . So your other DKIM record on the domain should look like:
<yourserver-key-id>._domainkey.<yourdomain>. TXT "v=DKIM1; g=*; k=rsa; <dkim key data here>"
Google will sign outgoing emails with its key, so receivers will validate them against the signing key id. Your server's emails should be sent and signed with your custom DKIM key under its own key id; the receiver's email server/client will then simply look up that custom key id to verify the source, not Google's - fine!
DMARC
Finally I have configured DMARC. I receive DMARC reports on the "admin@" account, which is actually hosted on the same domain that is monitored, on Google Apps. In addition I use Google's email alias trick "+dmarc" to easily filter these reports and label them.
_dmarc.<yourdomain>. TXT "v=DMARC1; p=none; rua=mailto:admin+dmarc@<yourdomain>"
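Added example, not from either answer: a small Python evaluator that walks an SPF record (ip4 and include mechanisms only) and parses the DMARC record, using a constructed TXT table in place of live DNS; example.com, 203.0.113.10 and 198.51.100.0/24 are placeholders, and the Google include is shortened to one constructed netblock. It shows how a receiver authorizes the external server's IP alongside the Google include, and why ~all yields softfail rather than fail for an unlisted host.

```python
import ipaddress

# Constructed DNS TXT table standing in for real lookups (not live data).
# example.com / 203.0.113.10 are placeholders for <yourdomain> / <yourserver-ip>;
# the _spf.google.com entry is a single constructed netblock for the demo.
DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.10 include:_spf.google.com ~all",
    "_spf.google.com": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_dmarc.example.com": "v=DMARC1; p=none; rua=mailto:admin+dmarc@example.com",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, ip, depth=0):
    """Evaluate an SPF record for a sender IP (ip4 and include mechanisms only)."""
    if depth > 10:  # RFC 7208 caps DNS-querying mechanisms at 10
        return "permerror"
    record = DNS_TXT.get(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a mechanism with no prefix means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name == "ip4" and addr in ipaddress.ip_network(value, strict=False):
            return QUALIFIERS[qualifier]
        # include: matches only if the included domain's record returns pass
        if name == "include" and check_spf(value, ip, depth + 1) == "pass":
            return QUALIFIERS[qualifier]
    return "neutral"  # record exhausted without an "all" term


def dmarc_policy(domain):
    """Return the DMARC tags for a domain as a dict, or None if no record."""
    record = DNS_TXT.get("_dmarc." + domain)
    if not record or not record.startswith("v=DMARC1"):
        return None
    return dict(tag.strip().split("=", 1) for tag in record.split(";") if "=" in tag)
```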