Secure Email Routing with Cloudflare and Third-Party SMTP: A Security-Focused Guide#

This guide provides a secure implementation for custom domain email using Cloudflare Email Routing with third-party SMTP relay services. The approach addresses common security issues like DKIM authentication failures, spam filtering problems, and email delivery challenges.

Security Considerations#

When implementing custom email solutions:

Authentication Chain: Complete SPF, DKIM, and DMARC implementation is critical for email security and deliverability
Threat Surface: Using multiple services creates additional attack vectors requiring proper configuration
Credential Management: App passwords must be securely stored and regularly rotated
Email Headers: Ensure proper alignment between envelope sender, header From address, and authentication records

Method 1: SMTP Relay Services (Recommended)#

This method addresses the primary security issue with Gmail SMTP + Cloudflare: DKIM signature alignment failures that cause security verification errors and result in emails landing in spam folders.

Step 1: Choose an SMTP Relay Provider#

Recommended options with proper DKIM support:

SMTP2GO (500 emails/month free tier)
Mailjet (200 emails/day free tier)
SendGrid (100 emails/day free tier)

Step 2: Configure DNS Records in Cloudflare#

1
# SPF Record
2
Type: TXT
3
Name: @
4
Content: v=spf1 include:_spf.mx.cloudflare.net include:{PROVIDER_SPF} ~all
5
TTL: Auto
6

7
# DKIM Record (provider-specific)
8
Type: TXT
9
Name: {PROVIDER_SELECTOR}._domainkey
10
Content: {PROVIDER_KEY}
11
TTL: Auto
12

13
# DMARC Record
14
Type: TXT
15
Name: _dmarc
16
Content: v=DMARC1; p=none; rua=mailto:{YOUR_EMAIL}; fo=1;
17
TTL: Auto

Step 3: Verify Domain with SMTP Provider#

Follow your chosen provider’s domain verification process to enable DKIM signing.

Step 4: Configure Email Client with SMTP Provider Credentials#

1
SMTP Server: {PROVIDER_SMTP_SERVER}
2
Port: 587 (TLS) or 465 (SSL)
3
Username: {PROVIDER_USERNAME}
4
Password: {PROVIDER_API_KEY}
5
Security: TLS/SSL

Method 2: Gmail SMTP Implementation (Has Security Issues)#

Security Warning: This method suffers from DKIM signature alignment failures with Gmail’s SMTP service. Emails may be flagged as suspicious or land in spam folders, especially with Outlook/Hotmail.

Step 1: Enable 2FA on Google Account#

Enable two-factor authentication for your Google account.

Step 2: Generate App Password#

Go to App Passwords
Select “Mail” as app and your device
Copy the 16-character password (no spaces)

Step 3: Configure DNS Records in Cloudflare#

1
# SPF Record
2
Type: TXT
3
Name: @
4
Content: v=spf1 include:_spf.mx.cloudflare.net include:_spf.google.com ~all
5
TTL: Auto
6

7
# DMARC Record
8
Type: TXT
9
Name: _dmarc
10
Content: v=DMARC1; p=none; rua=mailto:{YOUR_EMAIL}; fo=1;
11
TTL: Auto

Step 4: Add Custom Email to Gmail#

In Gmail, go to Settings → Accounts → “Send mail as”
Click “Add another email address”
Enter your name and custom email
Uncheck “Treat as an alias” (important for security headers)
Click “Next Step”
Configure SMTP settings:

1
SMTP Server: smtp.gmail.com
2
Port: 587
3
Username: your-gmail@gmail.com
4
Password: [App Password from Step 2]
5
Enable TLS: Yes

Complete the verification process

Security Testing and Validation#

Test your email security configuration with:

Mail-Tester - Check authentication records
DMARC Analyzer - Verify DMARC policy
Send test emails to different providers (Gmail, Outlook, Yahoo)
Check email headers for proper authentication results

Troubleshooting Common Security Issues#

Issue	Possible Cause	Solution
DKIM Failure	Missing/incorrect DKIM record	Use SMTP relay with proper DKIM support
Emails in Spam	Authentication alignment fails	Check SPF includes, verify DMARC policy
”Unverified Sender”	Header/envelope address mismatch	Use proper SMTP relay, verify alignment
Delivery Failures	Rate limiting by Gmail	Use dedicated SMTP provider instead
Profile Picture Missing	Email reputation issues	Use direct Google Account method (see below)

Advanced: Profile Picture Support#

Use the direct Google Account method for profile picture support:

Visit accounts.google.com
Select “Use your existing email” when prompted
Enter your custom domain email
Complete verification
Add your profile picture through Google Account settings

Security Best Practices#

Regularly monitor DMARC reports for authentication failures
Implement proper TLS for all SMTP connections
Consider upgrading to p=quarantine or p=reject DMARC policy after validation
Enable MTA-STS and DANE for transport layer security when possible
Use strong, unique passwords for each SMTP service
Implement regular credential rotation

Conclusion#

While Gmail SMTP integration is simple, it has significant security limitations. For production use, SMTP relay services provide better authentication alignment and deliverability. Always prioritize security and authentication when implementing custom email solutions.

Last updated: March 21, 2025