Secure Email Routing with Cloudflare and Third-Party SMTP
Anubhav Gain
2025-01-28
2025-06-28

Secure Email Routing with Cloudflare and Third-Party SMTP: A Security-Focused Guide

This guide provides a secure implementation for custom domain email using Cloudflare Email Routing with third-party SMTP relay services. The approach addresses common security issues like DKIM authentication failures, spam filtering problems, and email delivery challenges.

Security Considerations

When implementing custom email solutions:

  • Authentication Chain: Complete SPF, DKIM, and DMARC implementation is critical for email security and deliverability
  • Threat Surface: Using multiple services creates additional attack vectors requiring proper configuration
  • Credential Management: App passwords must be securely stored and regularly rotated
  • Email Headers: Ensure proper alignment between envelope sender, header From address, and authentication records

This method addresses the primary security issue with Gmail SMTP + Cloudflare: DKIM signature alignment failures that cause security verification errors and result in emails landing in spam folders.
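The alignment rule behind that failure is worth seeing as code. The following is an added example, not code from the original post: it evaluates DMARC identifier alignment the way a receiving server does, given the three identifiers (envelope sender domain, header From domain, and the d= domain of a verified DKIM signature). The domain names in the two scenarios are constructed placeholders, and the organizational-domain rule is simplified to "last two labels" where a real verifier would use the Public Suffix List.

```python
"""DMARC identifier alignment, evaluated the way a receiving mail server does.

Added example, not code from the original post. It assumes the three
identifiers have already been pulled out of a received message: the
envelope sender domain (RFC5321.MailFrom / Return-Path), the domain of the
header From address (RFC5322.From) and the d= domain of a DKIM signature
that verified. The organizational-domain rule is simplified to "last two
labels" (a real verifier consults the Public Suffix List).
"""
from dataclasses import dataclass
from typing import List, Optional


def org_domain(domain: str) -> str:
    # Simplified organizational domain: fine for example.com-style names,
    # does not handle multi-label public suffixes such as co.uk.
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def identifiers_align(auth_domain: str, from_domain: str, mode: str = "r") -> bool:
    """mode 'r' = relaxed (same organizational domain), 's' = strict (exact match)."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return org_domain(a) == org_domain(f)


@dataclass
class AlignmentVerdict:
    spf_aligned: bool
    dkim_aligned: bool
    reasons: List[str]

    @property
    def dmarc_pass(self) -> bool:
        # DMARC needs at least one authentication result that both passed
        # and is aligned with the header From domain.
        return self.spf_aligned or self.dkim_aligned


def evaluate_dmarc(
    from_domain: str,
    mail_from_domain: str,
    spf_result: str,
    dkim_domain: Optional[str],
    dkim_result: str,
    aspf: str = "r",
    adkim: str = "r",
) -> AlignmentVerdict:
    reasons = []
    spf_aligned = False
    if spf_result == "pass":
        spf_aligned = identifiers_align(mail_from_domain, from_domain, aspf)
        if not spf_aligned:
            reasons.append(f"SPF passed for {mail_from_domain} but that domain is not aligned with From {from_domain}")
    else:
        reasons.append(f"SPF result was {spf_result}")

    dkim_aligned = False
    if dkim_result == "pass" and dkim_domain:
        dkim_aligned = identifiers_align(dkim_domain, from_domain, adkim)
        if not dkim_aligned:
            reasons.append(f"DKIM signature d={dkim_domain} is not aligned with From {from_domain}")
    else:
        reasons.append(f"DKIM result was {dkim_result}")
    return AlignmentVerdict(spf_aligned, dkim_aligned, reasons)


# Constructed scenarios; the domains are placeholders, not real services.
# 1. A relay provider signs with a selector under the custom domain. The
#    envelope sender is the relay's bounce domain, so SPF is unaligned, but
#    the aligned DKIM signature on its own makes DMARC pass.
RELAY = dict(from_domain="example.com", mail_from_domain="bounce.relay.example.net",
             spf_result="pass", dkim_domain="example.com", dkim_result="pass")
# 2. The failure mode the post describes: the sending service signs with its
#    own domain and uses its own envelope sender, so neither identifier is
#    aligned with the custom From domain and DMARC fails although SPF and
#    DKIM both individually "pass".
UNALIGNED = dict(from_domain="example.com", mail_from_domain="mailservice.example.net",
                 spf_result="pass", dkim_domain="mailservice.example.net", dkim_result="pass")

if __name__ == "__main__":
    for name, case in (("relay", RELAY), ("unaligned", UNALIGNED)):
        verdict = evaluate_dmarc(**case)
        print(name, "DMARC pass" if verdict.dmarc_pass else "DMARC fail", verdict.reasons)
```

The second scenario is the one the troubleshooting table later calls "Authentication alignment fails": every individual check passes, yet the receiver's DMARC evaluation fails because none of the passing identifiers belongs to the From domain.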

Step 1: Choose an SMTP Relay Provider

Recommended options with proper DKIM support:

  • SMTP2GO (500 emails/month free tier)
  • Mailjet (200 emails/day free tier)
  • SendGrid (100 emails/day free tier)

Step 2: Configure DNS Records in Cloudflare

# SPF Record
Type: TXT
Name: @
Content: v=spf1 include:_spf.mx.cloudflare.net include:{PROVIDER_SPF} ~all
TTL: Auto
# DKIM Record (provider-specific)
Type: TXT
Name: {PROVIDER_SELECTOR}._domainkey
Content: {PROVIDER_KEY}
TTL: Auto
# DMARC Record
Type: TXT
Name: _dmarc
Content: v=DMARC1; p=none; rua=mailto:{YOUR_EMAIL}; fo=1;
TTL: Auto

Step 3: Verify Domain with SMTP Provider

Follow your chosen provider’s domain verification process to enable DKIM signing.

Step 4: Configure Email Client with SMTP Provider Credentials

SMTP Server: {PROVIDER_SMTP_SERVER}
Port: 587 (STARTTLS) or 465 (implicit TLS)
Username: {PROVIDER_USERNAME}
Password: {PROVIDER_API_KEY}
Security: TLS/SSL
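Before publishing the Step 2 records, it helps to check the record text for the mistakes that silently break SPF or DMARC. The following is an added example, not code from the original post: an offline syntax checker for SPF and DMARC record strings. It makes no DNS query; the post's own templates are pasted in with their `{PLACEHOLDER}` values still unfilled so the checker can flag them, and the filled-in versions and the `dmarc@example.com` address are constructed sample values.

```python
"""Sanity-check SPF and DMARC record text before publishing it in Cloudflare.

Added example, not code from the original post. Records are checked as
strings, offline: no DNS lookup is made. The {PLACEHOLDER} values are the
post's templates, left unfilled on purpose so the checker flags them.
"""
import re

# term := [qualifier] mechanism [":" or "/" argument]
SPF_TERM = re.compile(r"^([+\-~?])?(all|include|ip4|ip6|a|mx|ptr|exists)(?:[:/](.+))?$", re.I)
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
PLACEHOLDER = re.compile(r"\{[A-Z_]+\}")


def parse_spf(record: str) -> dict:
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("SPF record must start with v=spf1")
    mechanisms, lookups = [], 0
    for term in terms[1:]:
        low = term.lower()
        if low.startswith("redirect="):
            lookups += 1  # a redirect= modifier costs a DNS lookup too
            continue
        if low.startswith("exp="):
            continue
        m = SPF_TERM.match(term)
        if not m:
            raise ValueError(f"unrecognised SPF term: {term}")
        qualifier, name, arg = m.group(1) or "+", m.group(2).lower(), m.group(3)
        if name in LOOKUP_MECHANISMS:
            lookups += 1
        mechanisms.append((qualifier, name, arg))
    return {"mechanisms": mechanisms, "dns_lookups": lookups}


def check_spf(record: str) -> list:
    issues = [f"unfilled placeholder {p}" for p in PLACEHOLDER.findall(record)]
    spf = parse_spf(record)
    mechs = spf["mechanisms"]
    if spf["dns_lookups"] > 10:
        issues.append(f"{spf['dns_lookups']} DNS lookups exceeds the RFC 7208 limit of 10")
    if not mechs or mechs[-1][1] != "all":
        issues.append("record does not end with an 'all' mechanism")
    elif mechs[-1][0] == "+":
        issues.append("'+all' authorises every host on the internet to send as this domain")
    return issues


def parse_dmarc(record: str) -> dict:
    tags = {}
    for part in record.split(";"):  # a trailing ';' just yields an empty part
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("DMARC record must start with v=DMARC1")
    if tags.get("p") not in {"none", "quarantine", "reject"}:
        raise ValueError("DMARC record needs p=none|quarantine|reject")
    return tags


def check_dmarc(record: str) -> list:
    issues = [f"unfilled placeholder {p}" for p in PLACEHOLDER.findall(record)]
    tags = parse_dmarc(record)
    if tags["p"] == "none":
        issues.append("p=none only monitors; move to quarantine/reject once reports are clean")
    if "rua" not in tags:
        issues.append("no rua= address, so no aggregate reports will arrive")
    elif not tags["rua"].startswith("mailto:"):
        issues.append("rua= must be a mailto: URI")
    return issues


# The post's templates (placeholders unfilled) and constructed filled-in versions.
TEMPLATE_SPF = "v=spf1 include:_spf.mx.cloudflare.net include:{PROVIDER_SPF} ~all"
FILLED_SPF = "v=spf1 include:_spf.mx.cloudflare.net include:_spf.google.com ~all"
TEMPLATE_DMARC = "v=DMARC1; p=none; rua=mailto:{YOUR_EMAIL}; fo=1;"
FILLED_DMARC = "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; fo=1;"

if __name__ == "__main__":
    for label, rec, check in (("template SPF", TEMPLATE_SPF, check_spf),
                              ("filled SPF", FILLED_SPF, check_spf),
                              ("template DMARC", TEMPLATE_DMARC, check_dmarc),
                              ("filled DMARC", FILLED_DMARC, check_dmarc)):
        print(label, check(rec) or "OK")
```

The lookup counter matters once several `include:` mechanisms accumulate: exceeding ten lookups makes receivers return permerror, which counts as an SPF failure for alignment purposes.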

Method 2: Gmail SMTP Implementation (Has Security Issues)

Security Warning: This method suffers from DKIM signature alignment failures with Gmail’s SMTP service. Emails may be flagged as suspicious or land in spam folders, especially with Outlook/Hotmail.

Step 1: Enable 2FA on Google Account

Enable two-factor authentication for your Google account.

Step 2: Generate App Password

  1. Go to App Passwords
  2. Select “Mail” as app and your device
  3. Copy the 16-character password (no spaces)

Step 3: Configure DNS Records in Cloudflare

# SPF Record
Type: TXT
Name: @
Content: v=spf1 include:_spf.mx.cloudflare.net include:_spf.google.com ~all
TTL: Auto
# DMARC Record
Type: TXT
Name: _dmarc
Content: v=DMARC1; p=none; rua=mailto:{YOUR_EMAIL}; fo=1;
TTL: Auto

Step 4: Add Custom Email to Gmail

  1. In Gmail, go to Settings → Accounts → “Send mail as”
  2. Click “Add another email address”
  3. Enter your name and custom email
  4. Uncheck “Treat as an alias” (important for security headers)
  5. Click “Next Step”
  6. Configure SMTP settings:
     SMTP Server: smtp.gmail.com
     Port: 587
     Username: your-gmail@gmail.com
     Password: [App Password from Step 2]
     Enable TLS: Yes
  7. Complete the verification process

Security Testing and Validation

Test your email security configuration with:

  • Mail-Tester - Check authentication records
  • DMARC Analyzer - Verify DMARC policy
  • Send test emails to different providers (Gmail, Outlook, Yahoo)
  • Check email headers for proper authentication results
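Reading the authentication results out of a test message can be automated. The following is an added example, not code from the original post: a parser for the `Authentication-Results` header (RFC 8601 format) that a receiving server adds, plus a function mapping the parsed results onto the troubleshooting cases below. Both header samples are constructed: `mx.example.org`, the selectors, the IP addresses and the `example.com` / `relay.example.net` domains are placeholders, and the second sample is written to show the Gmail-signed failure the post describes, not captured from a real message.

```python
"""Parse the Authentication-Results header of a test message.

Added example, not code from the original post. The header samples are
constructed to look like what a receiving server adds (RFC 8601 format);
authserv-id, IPs, selectors and domains are placeholders.
"""
import re

RESULT = re.compile(r"^(\w+)=(\w+)")          # method=result at start of a clause
PROP = re.compile(r"(\w+\.\w+)=(\S+)")        # ptype.property=value pairs


def unfold(header_value: str) -> str:
    # Folded header lines continue with leading whitespace; join them.
    return re.sub(r"\r?\n[ \t]+", " ", header_value).strip()


def parse_authentication_results(value: str) -> dict:
    """Return {'authserv_id': str, 'results': {method: {'result': ..., props...}}}."""
    value = re.sub(r"\([^)]*\)", "", unfold(value))  # drop (comments) first
    clauses = [c.strip() for c in value.split(";") if c.strip()]
    authserv_id, results = clauses[0], {}
    for clause in clauses[1:]:
        m = RESULT.match(clause)
        if not m:
            continue
        entry = {"result": m.group(2).lower()}
        for prop, val in PROP.findall(clause[m.end():]):
            entry[prop.lower()] = val
        results[m.group(1).lower()] = entry
    return {"authserv_id": authserv_id, "results": results}


def diagnose(parsed: dict) -> list:
    """Map the parsed results onto the post's troubleshooting cases."""
    r = parsed["results"]
    spf, dkim, dmarc = r.get("spf", {}), r.get("dkim", {}), r.get("dmarc", {})
    hints = []
    if dkim.get("result") != "pass":
        hints.append("DKIM failure: check the selector record, or use a relay that signs for your domain")
    if dmarc.get("result") == "fail":
        from_domain = dmarc.get("header.from", "")
        if dkim.get("result") == "pass" and dkim.get("header.d") != from_domain:
            hints.append(f"DKIM passed for {dkim.get('header.d')} but From is {from_domain}: signature not aligned")
        mailfrom_domain = spf.get("smtp.mailfrom", "").rpartition("@")[2]
        # Simplified alignment test: exact match or subdomain of the From domain.
        if spf.get("result") == "pass" and mailfrom_domain != from_domain \
                and not mailfrom_domain.endswith("." + from_domain):
            hints.append(f"SPF passed for envelope sender {mailfrom_domain} but From is {from_domain}: header/envelope mismatch")
    return hints


# Constructed sample 1: relay provider signing under the custom domain.
RELAY_HEADER = """mx.example.org;
 spf=pass (sender IP is 203.0.113.5) smtp.mailfrom=bounce@bounce.relay.example.net;
 dkim=pass header.d=example.com header.s=relay1 header.i=@example.com;
 dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=example.com"""

# Constructed sample 2: the failure mode the post describes, a message
# signed by gmail.com with a custom-domain From address.
GMAIL_STYLE_HEADER = """mx.example.org;
 spf=pass (sender IP is 203.0.113.9) smtp.mailfrom=you@gmail.com;
 dkim=pass header.d=gmail.com header.s=selector1 header.i=@gmail.com;
 dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=example.com"""

if __name__ == "__main__":
    for label, header in (("relay", RELAY_HEADER), ("gmail-style", GMAIL_STYLE_HEADER)):
        parsed = parse_authentication_results(header)
        print(label, parsed["results"].get("dmarc"), diagnose(parsed) or "no issues")
```

Only trust an `Authentication-Results` header whose authserv-id is the mailbox provider's own server; an attacker can add one to the message body, which is why receivers strip or rename any that arrive from outside.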

Troubleshooting Common Security Issues

| Issue | Possible Cause | Solution |
|---|---|---|
| DKIM Failure | Missing/incorrect DKIM record | Use SMTP relay with proper DKIM support |
| Emails in Spam | Authentication alignment fails | Check SPF includes, verify DMARC policy |
| “Unverified Sender” | Header/envelope address mismatch | Use proper SMTP relay, verify alignment |
| Delivery Failures | Rate limiting by Gmail | Use dedicated SMTP provider instead |
| Profile Picture Missing | Email reputation issues | Use direct Google Account method (see below) |

Advanced: Profile Picture Support

Use the direct Google Account method for profile picture support:

  1. Visit accounts.google.com
  2. Select “Use your existing email” when prompted
  3. Enter your custom domain email
  4. Complete verification
  5. Add your profile picture through Google Account settings

Security Best Practices

  1. Regularly monitor DMARC reports for authentication failures
  2. Implement proper TLS for all SMTP connections
  3. Consider upgrading to p=quarantine or p=reject DMARC policy after validation
  4. Enable MTA-STS and DANE for transport layer security when possible
  5. Use strong, unique passwords for each SMTP service
  6. Implement regular credential rotation

Conclusion

While Gmail SMTP integration is simple, it has significant security limitations. For production use, SMTP relay services provide better authentication alignment and deliverability. Always prioritize security and authentication when implementing custom email solutions.

Last updated: March 21, 2025

https://mranv.pages.dev/posts/cloudflare-smtp-security-guide/
License
CC BY-NC-SA 4.0