When configuring email authentication for a hybrid setup using Google Workspace (formerly G Suite) alongside an external mail server, we face a specific constraint: Google generates and holds the private DKIM key for the Workspace sending path and does not expose it, so the external server cannot sign with that key and needs a DKIM setup of its own. That is not a conflict by itself. DMARC does not require one key or one selector per domain; it requires that each message passes SPF or DKIM with an identifier aligned to the From: domain. The risk under a strict DMARC policy (p=reject/quarantine) is that the second sending path is published or aligned incorrectly and its mail gets rejected.
Email Flow:
1. User-facing emails → Google SMTP (uses Google's DKIM)
2. System notifications → External SMTP (uses your DKIM)
1. SPF Configuration
Authorize both Google and your external server in the SPF record for yourdomain.com. Do not write include:yourdomain.com inside yourdomain.com's own record: that sends the resolver back to the same record, which is an include loop and evaluates to permerror (so SPF fails for DMARC). Either list the server's address inline (ip4:YOUR.SERVER.IP.HERE) or publish it under a separate name and include that:
v=spf1 include:_spf.google.com include:_spf.yourdomain.com ~all
For _spf.yourdomain.com (a TXT record whose only job is to hold your server's addresses; the server's own host name works just as well):
v=spf1 ip4:YOUR.SERVER.IP.HERE -all
Keep the whole chain within the limit of 10 DNS-lookup mechanisms; include:_spf.google.com alone consumes several of them.
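To see why the include layout above matters, here is an added example (not code from the original page) of a small offline SPF evaluator. It walks a record the way a receiver does, resolving ip4/ip6/include/redirect/all, counting every lookup mechanism against the RFC 7208 limit of 10, and detecting include loops. The ZONE dictionary is a constructed snapshot: the Google netblock records are abbreviated and illustrative, 203.0.113.10 is a placeholder server address, and broken.example reproduces the self-including record that the SPF section warns against.

```python
"""Offline SPF evaluator for the hybrid Google Workspace + external server setup.
Added example; ZONE is constructed data, not the live records."""
import ipaddress

# Constructed zone snapshot (assumption): yourdomain.com delegates its own
# server's addresses to _spf.yourdomain.com instead of including itself.
ZONE = {
    "yourdomain.com": "v=spf1 include:_spf.google.com include:_spf.yourdomain.com ~all",
    "_spf.yourdomain.com": "v=spf1 ip4:203.0.113.10 -all",
    "_spf.google.com": ("v=spf1 include:_netblocks.google.com include:_netblocks2.google.com "
                        "include:_netblocks3.google.com ~all"),
    "_netblocks.google.com": "v=spf1 ip4:35.190.247.0/24 ip4:64.233.160.0/19 ~all",
    "_netblocks2.google.com": "v=spf1 ip6:2001:4860:4000::/36 ~all",
    "_netblocks3.google.com": "v=spf1 ip4:172.217.0.0/19 ~all",
    # A domain that includes itself: the loop case.
    "broken.example": "v=spf1 include:_spf.google.com include:broken.example ~all",
}

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
MAX_LOOKUPS = 10


def evaluate(domain, ip, zone=ZONE, counter=None, stack=()):
    """Return (result, dns_lookups_used) for `ip` sending on behalf of `domain`.

    Only ip4/ip6/include/redirect/all are resolved from `zone`; a/mx/ptr/exists
    need live DNS, so they are counted toward the limit but never match here."""
    counter = counter if counter is not None else [0]
    if domain in stack:                      # include/redirect loop
        return "permerror", counter[0]
    record = zone.get(domain.lower())
    if record is None:
        return "none", counter[0]
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none", counter[0]
    addr = ipaddress.ip_address(ip)
    redirect = None
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER:
            qualifier, term = term[0], term[1:]
        if term.lower().startswith("redirect="):
            redirect = term.split("=", 1)[1]  # applied only if nothing else matches
            continue
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in LOOKUP_MECHANISMS:
            counter[0] += 1
            if counter[0] > MAX_LOOKUPS:
                return "permerror", counter[0]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror", counter[0]
            if addr.version == net.version and addr in net:
                return QUALIFIER[qualifier], counter[0]
        elif name == "include":
            sub, _ = evaluate(arg, ip, zone, counter, stack + (domain,))
            if sub == "pass":
                return QUALIFIER[qualifier], counter[0]
            if sub in ("permerror", "none"):
                return "permerror", counter[0]
            # fail/softfail/neutral inside an include: just keep going
        elif name == "all":
            return QUALIFIER[qualifier], counter[0]
        # a/mx/ptr/exists: counted above, not resolvable offline
    if redirect:
        counter[0] += 1
        if counter[0] > MAX_LOOKUPS:
            return "permerror", counter[0]
        return evaluate(redirect, ip, zone, counter, stack + (domain,))
    return "neutral", counter[0]


if __name__ == "__main__":
    for dom, ip in [("yourdomain.com", "203.0.113.10"), ("yourdomain.com", "64.233.160.5"),
                    ("yourdomain.com", "198.51.100.7"), ("broken.example", "198.51.100.7")]:
        print(dom, ip, evaluate(dom, ip))
```

Running it shows the external server's address passing through the delegated _spf.yourdomain.com record after five lookups, a Google address passing after two, an unknown address softfailing, and broken.example returning permerror as soon as the recursion reaches its own name.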
2. DKIM Strategy
Create separate selectors for each service:
google._domainkey.yourdomain.com (managed by Google)
external._domainkey.yourdomain.com (your external server)
Example OpenDKIM configuration for the external server (single-domain mode; publish the public key that opendkim-genkey wrote to external.txt at external._domainkey.yourdomain.com before enabling signing):
# /etc/opendkim.conf
Domain yourdomain.com
KeyFile /etc/opendkim/keys/yourdomain.com/external.private
Selector external
# Sign outbound and verify inbound; relaxed header canonicalization
# survives header rewriting by intermediate MTAs better than simple
Mode sv
Canonicalization relaxed/simple
3. DMARC Policy
Start with monitoring mode:
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com
Gradually tighten after verification:
v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc-reports@yourdomain.com
Use these commands to verify each component:
# SPF check
dig +short txt yourdomain.com
# DKIM verification
dig +short txt google._domainkey.yourdomain.com
dig +short txt external._domainkey.yourdomain.com
# DMARC validation
dig +short txt _dmarc.yourdomain.com
- Use BIMI for brand verification once DMARC reaches p=reject
- Implement MTA-STS for transport security
- Consider TLS-RPT for encryption reporting
Problem: Emails getting marked as spam despite correct setup
Solution: Check alignment in the DMARC aggregate reports. DMARC passes when at least one of SPF or DKIM passes and its identifier is aligned with the From: domain; it does not need both. A message where SPF and DKIM both pass but neither identifier is your domain (for example a third-party sender authenticating as its own domain) still fails DMARC.
Problem: External server emails failing authentication
Solution: Confirm that the envelope sender (MAIL FROM / Return-Path) is yourdomain.com or a subdomain of it and that the server's IP is in that domain's SPF, that DKIM signs with d=yourdomain.com, and that the server's HELO/EHLO name has matching forward and reverse DNS (the HELO domain is what SPF checks when MAIL FROM is empty, as it is for bounces).
When using Google Workspace with your custom domain while simultaneously operating an external mail server for transactional emails, you face the same authentication question from the other side. Gmail's DKIM implementation doesn't expose private keys, so your external server has to sign with a key of its own. That is fine for DMARC as long as the signature's d= is your domain (the selector can be anything); what a strict policy will reject is mail from the external server that is signed with some other domain, or not signed at all and not covered by an aligned SPF record.
The optimal solution involves maintaining separate authentication mechanisms for each sending path:
# Example SPF record allowing both Google and your server
v=spf1 include:_spf.google.com ip4:YOUR_SERVER_IP ~all
# Example DMARC policy (start with monitoring mode)
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com
For your external mail server (Postfix example):
# Generate DKIM keys; -D writes mail.private and mail.txt into the key directory
mkdir -p /etc/opendkim/keys/yourdomain.com
opendkim-genkey -b 2048 -s mail -d yourdomain.com -D /etc/opendkim/keys/yourdomain.com
chown -R opendkim:opendkim /etc/opendkim/keys/yourdomain.com
chmod 600 /etc/opendkim/keys/yourdomain.com/mail.private
# mail.txt now holds the TXT record to publish at mail._domainkey.yourdomain.com
# OpenDKIM config
# /etc/opendkim.conf
Domain yourdomain.com
KeyFile /etc/opendkim/keys/yourdomain.com/mail.private
Selector mail
Mode sv
Add these DNS records (zone-file syntax; the p= values are placeholders to replace with your own public keys):
# Google's DKIM (copy the record shown in the Admin Console under Gmail > Authenticate email)
google._domainkey 3600 IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNA..."
# Your server's DKIM (the contents of mail.txt)
mail._domainkey 3600 IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNA..."
A 2048-bit public key makes the record longer than the 255-byte limit of a single TXT string; opendkim-genkey already splits mail.txt into several quoted strings, so copy all of them (resolvers concatenate the strings). The prefix of the p= value reveals the key size: a value starting with MIGf is a 1024-bit RSA key, a 2048-bit key starts with MIIBIjAN, so check that the published record matches the key you generated.
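As an added example (not the page's or OpenDKIM's code) of the two checks a practitioner wants before publishing the records above: this block decodes the DER SubjectPublicKeyInfo behind a p= value to report the RSA modulus size, and splits the full TXT value into strings of at most 255 characters in zone-file form. Since no real key is embedded here, placeholder_public_key() builds a syntactically valid SPKI around a made-up modulus; it is not a usable key, only input for the parser and the splitter. Function names and the chunking layout are assumptions of this example.

```python
"""DKIM TXT record builder and public-key size check. Added example;
placeholder_public_key() produces constructed, non-functional key material."""
import base64

RSA_OID = bytes.fromhex("06092a864886f70d010101")  # OID 1.2.840.113549.1.1.1 (rsaEncryption)


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _der(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(value):
    b = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:            # keep the INTEGER positive
        b = b"\x00" + b
    return _der(0x02, b)


def placeholder_public_key(bits, e=65537):
    """Base64 SPKI with a fake modulus of the requested size (NOT a real key)."""
    n = (1 << (bits - 1)) + 1   # constructed placeholder, not a product of primes
    alg = _der(0x30, RSA_OID + b"\x05\x00")
    rsa_pub = _der(0x30, _der_int(n) + _der_int(e))
    spki = _der(0x30, alg + _der(0x03, b"\x00" + rsa_pub))
    return base64.b64encode(spki).decode()


def _read_tlv(buf, pos):
    """Return (tag, contents, next_pos) for the TLV at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:          # long-form length
        k = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + length], pos + length


def modulus_bits(p_b64):
    """Bit length of the RSA modulus inside a DKIM p= value."""
    spki = base64.b64decode(p_b64)
    tag, body, _ = _read_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("p= is not a DER SEQUENCE")
    _, alg, pos = _read_tlv(body, 0)            # AlgorithmIdentifier
    if not alg.startswith(RSA_OID):
        raise ValueError("not an rsaEncryption key")
    tag, bitstr, _ = _read_tlv(body, pos)       # BIT STRING wrapping RSAPublicKey
    if tag != 0x03:
        raise ValueError("missing subjectPublicKey BIT STRING")
    _, rsa_pub, _ = _read_tlv(bitstr[1:], 0)    # skip the unused-bits byte
    _, n_bytes, _ = _read_tlv(rsa_pub, 0)       # first INTEGER is the modulus
    return int.from_bytes(n_bytes, "big").bit_length()


def dkim_txt_chunks(p_b64, tags="v=DKIM1; k=rsa; "):
    """Full record value split into <=255-character strings for a TXT RR."""
    value = tags + "p=" + p_b64
    return [value[i:i + 255] for i in range(0, len(value), 255)]


def zone_line(selector, p_b64, ttl=3600):
    quoted = " ".join('"%s"' % c for c in dkim_txt_chunks(p_b64))
    return "%s._domainkey %d IN TXT ( %s )" % (selector, ttl, quoted)


if __name__ == "__main__":
    key = placeholder_public_key(2048)
    print("modulus bits:", modulus_bits(key))
    print(zone_line("mail", key))
```

Run modulus_bits() against the p= value you actually copied from mail.txt or from the Admin Console; if it reports 1024 for a key you generated with -b 2048, you published the wrong file.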
Follow this phased approach:
- Start with p=none and monitor reports
- After 2 weeks, move to p=quarantine
- Once confident, implement p=reject
Use these diagnostic commands:
# Check SPF
dig +short TXT yourdomain.com
# Verify DKIM: fetches mail._domainkey.yourdomain.com from DNS and checks that it
# matches the private key, so run it after the TXT record has propagated
opendkim-testkey -d yourdomain.com -s mail -k /etc/opendkim/keys/yourdomain.com/mail.private -vvv
- Ensure your external server sets a From: header in yourdomain.com (or a subdomain of it), since that is the domain DMARC aligns against
- Never reuse DKIM selectors between systems
- Keep the DKIM d= domain and the envelope sender domain aligned with the From: domain