When migrating from Google Workspace's discontinued free tier, using Gmail's "Send mail as" feature with external domains often triggers spam filters due to incomplete email authentication. The fundamental issue lies in properly configuring SPF, DKIM and DMARC records when emails are sent through smtp.gmail.com but appear to originate from your custom domain.
For CloudFlare DNS users, the baseline setup should include:
; SPF Record
@ IN TXT "v=spf1 include:_spf.mx.cloudflare.net include:_spf.google.com ~all"
; DMARC Record
_dmarc IN TXT "v=DMARC1; p=quarantine; rua=mailto:admin@yourdomain.com; pct=100"
Unlike traditional setups where you generate DKIM keys, Gmail handles this differently when using "Send mail as". Google automatically signs outgoing messages with their DKIM signature when sent through smtp.gmail.com, but this creates an alignment problem since the d= parameter in the DKIM signature will show gmail.com rather than your domain.
To improve deliverability:
- SPF Enhancement:
v=spf1 include:_spf.mx.cloudflare.net include:_spf.google.com -all(Restrictive policy with "-all" instead of "~all")
- DMARC Enforcement:
v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com; adkim=s; aspf=s(Strict alignment mode for both SPF and DKIM)
For family members sharing a domain:
// Each user needs to:
1. Create app-specific password in Google Account
2. Configure "Send mail as" in Gmail settings with:
- SMTP Server: smtp.gmail.com
- Port: 587
- Authentication: Yes
- Secure connection: STARTTLS
3. Set "Treat as alias" option
Use these tools to verify your setup:
- MXToolbox Email Health Check
- Google Admin Toolbox Messageheader Analyzer
- DMARC Analyzer (dmarcly.com)
While you can't add custom DKIM for Gmail SMTP, you can improve alignment:
; Additional TXT record for better Gmail alignment
google._domainkey IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA..."
Note: Google doesn't provide individual DKIM keys for personal accounts - this approach works better with Google Workspace.
When using Gmail's "Send mail as" feature with an external domain via smtp.gmail.com, emails often land in recipients' spam folders. This happens because email providers (like Gmail, Outlook, etc.) perform strict authentication checks via SPF, DKIM, and DMARC.
Your current configuration likely has these components:
MX Records:
example.com → [*.mx.cloudflare.net]
SPF Record:
v=spf1 include:_spf.mx.cloudflare.net include:_spf.google.com ~all
DMARC Record:
v=DMARC1; p=none; rua=mailto:me@gmail.com; ruf=mailto:me@gmail.com
Google provides DKIM signing for Workspace accounts but not for personal Gmail accounts using "Send as". Here's how to implement it:
# Cloudflare Email Routing DKIM setup (if using beta)
1. Go to Cloudflare Dashboard → Email → DNS
2. Add these TXT records:
- google._domainkey.example.com
"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC..."
- _dmarc.example.com
"v=DMARC1; p=quarantine; rua=mailto:admin@example.com"
Modify your SPF to explicitly authorize both Cloudflare and Google's SMTP servers:
v=spf1
include:_spf.mx.cloudflare.net
include:_spf.google.com
ip4:173.194.76.0/24
ip4:74.125.0.0/16
~all
Start with monitoring mode, then gradually enforce:
# Phase 1 (Monitoring)
v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com
# Phase 2 (After 30 days)
v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc-reports@example.com
# Phase 3 (Full enforcement)
v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com
Use these command-line tools to verify:
# SPF check
dig +short TXT example.com | grep spf
# DKIM check
dig +short TXT google._domainkey.example.com
# DMARC check
dig +short TXT _dmarc.example.com
# Email test (Linux)
echo "Test" | mail -s "DKIM Test" check-auth@verifier.port25.com
Each family member should:
- Create a personal Gmail account
- Generate an App Password (not regular password)
- Configure "Send mail as" with SMTP server: smtp.gmail.com
- Use identical DKIM/SPF/DMARC records