Score:5

SPF/DKIM/DMARC for Gmail "Send mail as" via smtp.gmail.com on external domain

Since "Google Apps" / "Google Apps for business" / "G-Suite" / "Google Workspaces" free tier is being discontinued, I need a solution to migrate my ~30 extended family to a sustainable solution.

I'm looking at the option of having them each piggy-back off a personal @gmail.com address they should each create, forwarding the email, and adding the address using "Send mail as" in gmail, using Google's gmail SMTP server and an app-specific password.

I'm using CloudFlare for DNS, and I've activated the CloudFlare Email routing (beta) feature, and I've set the MX records to the various .mx.cloudflare.net servers. I also added the CloudFlare SPF TXT record: v=spf1 include:_spf.mx.cloudflare.net ~all.

Now, it all seems to be working, except what is happening is sent emails seem to often end up in junk/spam. I guess this is possibly something to do with SPF/DKIM/DMARC but this is way outside my domain of knowledge.

I've modified the SPF header from v=spf1 include:_spf.mx.cloudflare.net ~all to v=spf1 include:_spf.mx.cloudflare.net include:_spf.google.com ~all as I saw suggested elsewhere, but that doesn't seem to have solved the problem.

Is it possible to add DKIM and/or DMARC records, and if so, how? My (limited) understanding is that Google would need to give me a key (probably unique to my account) to add, which validates that not only is it Google/gmail that's sending the mail, but specifically me and not some other random gmail user.

Moreover, how would this work with the other users? I need all users to be able to reliably send/receive emails and not have them end up in spam/junk.

If this were like SSH, I would generate a key pair, put the public key on the DNS and each user would add the same private key somewhere in their "Send As" on their gmail settings.

I guess this is probably unrelated to emails getting into spam/junk but I added the _dmarc TXT record: v=DMARC1; p=none; rua=mailto:{{[email protected]}}; ruf=mailto:{{[email protected]}}; sp=none; fo=1; ri=86400.

There is a very good chance this solution will forever be in and out of spam folders. The better solution is a hosted mail solution. Some spam conditions can only be cleared by reviewing the transactions with the MTA in the mail logs.

Did you already find a way to use DKIM for your custom domain? I have the same configuration in gmail where I use "Send mail as" to use my custom domain, and use Google Domains email forwarding to receive mails.

No, I just paid for a POP/SMTP server for my non-gmail address. I still use the "Send mail as" feature. Since it's going through the 3rd party SMTP server, it's possible to use DKIM.

Score:2
I found a free solution. It requires hosted mail, though.

There are other transactional email providers out there, but I used SendGrid because it's free (up to 100 emails/day). https://app.sendgrid.com

You just have to add and verify your domain with the given DNS registers. You then create the sender identities of the different email users in your domain and then use the SMTP tool they have.

They will generate an API key for you (it's really important to save it somewhere because it won't be shown to you again) and then you add your address to the "Send mail as" section of your Gmail account, using smtp.sendgrid.net, "apikey" as the username and the API key you were given as the password. The user and password are the same for every email address of your domain; it won't be a personal key like when using smtp.gmail.com.

By doing this, emails of your domain will have DKIM security. To obtain SPF security you just have to add sendgrid and gmail (just in case) to the SPF register of your DNS. I haven't been able to add DMARC security yet, but I'm certain that it is possible.

In relation to the original question, I don't think there is a way to get DKIM and DMARC using smtp.gmail.com. Sorry if this was off topic.
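
Added example (not part of the answer above, and not code from any of the services mentioned): a small DMARC identifier-alignment check per RFC 7489, run against the DMARC record from the question with its report addresses left out. The domain example.org, the authentication results, and the premise that mail relayed through smtp.gmail.com authenticates as gmail.com are constructed assumptions; the two-label organizational-domain rule stands in for a Public Suffix List lookup.

```python
# DMARC passes when SPF or DKIM passes AND the authenticated domain
# aligns with the domain in the visible From: header (RFC 7489).

def parse_tags(record):
    """Parse a 'v=DMARC1; p=none; ...' record into a dict of tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def org_domain(domain):
    # Assumption: last two labels approximate the organizational domain.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    if mode == "s":  # strict: exact match required
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)  # relaxed

def dmarc_eval(from_domain, spf_result, mail_from_domain, dkim_results, record):
    """dkim_results is a list of (d= domain, result) pairs."""
    tags = parse_tags(record)
    spf_ok = (spf_result == "pass"
              and aligned(mail_from_domain, from_domain, tags.get("aspf", "r")))
    dkim_ok = any(res == "pass" and aligned(d, from_domain, tags.get("adkim", "r"))
                  for d, res in dkim_results)
    passed = spf_ok or dkim_ok
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if passed else "fail",
            "policy_applied": None if passed else tags.get("p", "none")}

# DMARC record from the question, report addresses omitted.
RECORD = "v=DMARC1; p=none; sp=none; fo=1; ri=86400"

# Constructed case 1: From: is example.org, but SPF and DKIM both
# authenticate gmail.com (assumed behaviour of the Gmail relay).
via_gmail = dmarc_eval("example.org", "pass", "gmail.com",
                       [("gmail.com", "pass")], RECORD)

# Constructed case 2: a third-party relay signs with d=example.org and
# uses a bounce subdomain of example.org as the envelope sender.
via_relay = dmarc_eval("example.org", "pass", "bounce.example.org",
                       [("example.org", "pass")], RECORD)

if __name__ == "__main__":
    print("via Gmail SMTP:", via_gmail)
    print("via signing relay:", via_relay)
```

With p=none the failing case is only reported, not rejected, but receivers can still weigh the missing alignment in their spam scoring.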

Score:0
I haven't done this myself yet, but I assume I'll have to do something similar.

This question was linked from https://www.reddit.com/r/gsuite/comments/s9n7b9/gsuite_email_host_alternatives_with_prices/, I'm surprised no-one from there has responded here.

It looks to me like you should be able to avoid your DKIM issues by configuring Gmail to use a custom SMTP server, and there are free SMTP hosts for personal amounts of email (e.g. <30 per day). A popular one seems to be https://www.sendinblue.com/.

A downside of that appears to be that they will add a forwarding tracking domain to links in any outgoing email. This may or may not bother you. But I believe it should solve the spam problem.

Curious to hear if anyone else knows of free SMTP hosts who don't add the tracking domain.

Score:0
Something I would advise trying is a test email tool like this one: https://tools.redsift.com/sift/investigate

There you can see how your email is evaluated, and if there's a problem it will flag it.

They also have an extensive knowledge base article on Cloudflare and how to set it up correctly:

https://knowledge.ondmarc.redsift.com/en/articles/2699998-what-is-a-dmarc-record-and-how-do-i-create-it-in-dns-using-cloudflare
