Integrating Gmail SMTP with Cloudflare Email Routing
A branded email address like hello@yourdomain.com adds immediate credibility to a portfolio, blog, or freelance business. But paying for Google Workspace or Microsoft 365 just to handle a handful of emails a day is hard to justify when you are starting out.
A practical alternative is combining Cloudflare Email Routing — which handles inbound forwarding for free — with a personal Gmail account using Google’s SMTP server (smtp.gmail.com) to send outgoing mail as your custom domain. You get a professional-looking address without the monthly subscription.
There is a catch, though. Modern email is heavily authenticated, and mailbox providers enforce those authentication standards aggressively to fight phishing. Setting this up without understanding the security side of things often ends with your messages landing in the spam folder. This guide walks through the full setup and explains the DMARC alignment limitations you need to know about before going live.
How the Setup Works
It helps to understand the two separate flows — one for incoming mail, one for outgoing — before touching any settings:
- Inbound Flow: Any email sent to your custom address hits Cloudflare’s MX servers first. Cloudflare uses the Sender Rewriting Scheme (SRS) to rewrite the envelope sender and then forwards the message cleanly to your personal Gmail inbox.
- Outbound Flow: When you compose a reply or send a new email, Gmail routes it through Google’s SMTP servers and sets the visible From: header to your custom domain address.
Step 1: Secure Your Google Account with 2FA
Google blocks basic authentication to prevent credential-stuffing attacks. To use Gmail SMTP with a third-party tool or server, you need an App Password — and App Passwords require Two-Factor Authentication (2FA) to be active on your account first.
- Go to your Google Account Security Settings.
- Under How you sign in to Google, select 2-Step Verification.
- Follow the prompts to enable it.
[!NOTE] 2FA stops attackers from accessing your inbox even if your primary password is leaked. It is a basic but critical layer of defense.
Step 2: Generate an App Password for SMTP
An App Password is a unique 16-character code that grants a specific application access to your Google account without exposing your main password — and without triggering 2FA prompts during authentication.
- Go to the Google App Passwords page.
- In the App name field, type a descriptive label such as Gmail SMTP Custom Domain.
- Click Create.
- Copy the 16-character password shown on screen — you will only see it once.
| Phase | Action | Target Resource |
|---|---|---|
| Creation | Enter an app name and generate | Google Account Security panel |
| Security | Copy the 16-character code | Temporary secure clipboard |
| Usage | Paste into Gmail SMTP configuration | Gmail Account Settings |
[!WARNING] Treat your App Password like a private key. It bypasses 2-Step Verification entirely. If you suspect it has been exposed, revoke it immediately from your Google account.
Step 3: Register Your Custom Domain in Gmail
Next, configure Gmail to let you select your custom domain address in the “From” dropdown when composing emails.
- Open Gmail, click the gear icon, and select See all settings.
- Go to the Accounts and Import tab.
- Under Send mail as, click Add another email address.
- In the window that opens:
  - Enter your Name (what recipients will see).
  - Enter your custom domain address (e.g., you@yourdomain.com).
  - Uncheck the box labeled Treat as an alias.
- Click Next Step.
Why uncheck “Treat as an alias”? Keeping it checked tells Gmail to treat the address as just another name for your main account. Unchecking it registers it as a distinct sending identity, so replies route back correctly.
Step 4: Configure SMTP Settings
Gmail will ask how to route outbound emails for your custom address. Since Cloudflare Email Routing only handles inbound traffic, you relay outbound through Google’s own servers:
- Enter the following details:
  - SMTP Server: smtp.gmail.com
  - Port: 587
  - Username: Your full personal Gmail address (e.g., yourusername@gmail.com).
  - Password: The 16-character App Password from Step 2.
  - Security Connection: Select Secured connection using TLS.
- Click Add Account.
- Google will send a verification code to your custom address. Since Cloudflare is already forwarding to your Gmail inbox, open that email, copy the code, and paste it into the confirmation box.
Step 5: Configure SPF and DMARC Records in Cloudflare
DNS authentication records tell recipient mail servers how to verify that an email claiming to be from your domain was actually sent by an authorized source.
SPF (Sender Policy Framework) Record
SPF specifies which IP addresses and services are authorized to send mail on behalf of your domain. Since Cloudflare handles inbound forwarding and Google handles outbound SMTP, you need to authorize both.
Create a TXT record in your Cloudflare DNS zone:
- Type: TXT
- Name: @ (root domain)
- Content: v=spf1 include:_spf.mx.cloudflare.net include:_spf.google.com ~all
- TTL: Auto

The two include mechanisms do the following:
- include:_spf.mx.cloudflare.net — authorizes Cloudflare’s routing infrastructure.
- include:_spf.google.com — authorizes Google’s outbound SMTP servers.
DMARC (Domain-based Message Authentication, Reporting, and Conformance) Record
DMARC tells receiving servers what to do with emails that fail SPF or DKIM checks. Start with a monitoring-only policy:
- Type: TXT
- Name: _dmarc
- Content: v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com
- TTL: Auto
[!TIP] p=none lets you collect authentication reports without rejecting any email. Once you confirm everything is authenticating properly, you can tighten the policy to p=quarantine or p=reject.
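Before publishing, the two records can be linted offline. The sketch below is an added example, not part of the original guide: it checks the Step 5 values and flags the split-record mistake (Cloudflare and Google in two separate v=spf1 records), which RFC 7208 receivers treat as a permerror. The function names and the SPLIT_SPF sample are assumptions made for illustration.

```python
REQUIRED_INCLUDES = ("_spf.mx.cloudflare.net", "_spf.google.com")  # values from Step 5

def lint_spf(root_txt_records):
    """Return findings for the TXT records published at the zone root (@)."""
    spf = [r for r in root_txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        # RFC 7208: receivers treat more than one v=spf1 record as a permerror.
        return [f"expected exactly one v=spf1 record, found {len(spf)}"]
    terms = spf[0].lower().split()[1:]
    includes = [t.split(":", 1)[1] for t in terms if t.startswith("include:")]
    findings = [f"missing include:{d}" for d in REQUIRED_INCLUDES if d not in includes]
    if not terms or terms[-1].lstrip("+-~?") != "all":
        findings.append("record does not end with an 'all' mechanism")
    elif terms[-1] in ("all", "+all"):
        findings.append("+all authorizes every sender")
    return findings

def parse_dmarc(record):
    """Split a DMARC record into a tag dict; raise ValueError if it is malformed."""
    tags = {}
    for part in filter(str.strip, record.split(";")):
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"tag without '=': {part.strip()!r}")
        tags[key.strip().lower()] = value.strip()
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p", "").lower() not in ("none", "quarantine", "reject"):
        raise ValueError("p= must be none, quarantine or reject")
    return tags

# Record values as given in the guide, plus a constructed split-record mistake.
GUIDE_SPF = "v=spf1 include:_spf.mx.cloudflare.net include:_spf.google.com ~all"
GUIDE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com"
SPLIT_SPF = ["v=spf1 include:_spf.mx.cloudflare.net ~all",
             "v=spf1 include:_spf.google.com ~all"]

if __name__ == "__main__":
    print(lint_spf([GUIDE_SPF]))   # no findings for the merged record
    print(lint_spf(SPLIT_SPF))     # two SPF records at the root
    print(parse_dmarc(GUIDE_DMARC))
```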
The Crucial Catch: DMARC Alignment Failure
This setup works for casual use, but it has a fundamental limitation: DMARC alignment failure.
For a message to pass DMARC, two things must be true:
- It must pass either SPF or DKIM.
- The domain verified by SPF or DKIM must align — meaning it must match the domain shown in the From: header that recipients actually see.
Here is where personal Gmail SMTP breaks down:
- SPF Alignment Fails: When you send through a personal Gmail account, Google overwrites the envelope sender (Return-Path) with your @gmail.com address to handle bounces. The SPF check passes for gmail.com, but that does not align with yourdomain.com in the visible From: header.
- DKIM Alignment Fails: Google signs messages with its own DKIM key (d=gmail.com). The signature is cryptographically valid, but the domain does not match yourdomain.com.
Both alignments fail, which means DMARC fails.
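The alignment rule above can be recomputed from the Authentication-Results header a receiver stamps on a message. The following is an added example, not code from the original guide: the two sample messages are constructed, the function names are illustrative, and the organizational domain is approximated as the last two labels instead of using the Public Suffix List.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def org_domain(domain):
    # Assumption: organizational domain = last two labels. Real evaluators
    # consult the Public Suffix List (needed for suffixes such as co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, strict=False):
    """Strict mode needs an exact match; relaxed compares organizational domains."""
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_verdict(raw_message, strict=False):
    """Recompute DMARC alignment from a receiver's Authentication-Results header."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2]
    results = msg.get("Authentication-Results", "")
    spf = re.search(r"\bspf=(\w+)[^;]*?smtp\.mailfrom=(?:[^\s;@]*@)?([^\s;]+)", results)
    dkims = re.findall(r"\bdkim=(\w+)[^;]*?header\.d=([^\s;]+)", results)
    spf_ok = bool(spf) and spf.group(1) == "pass" and aligned(spf.group(2), from_domain, strict)
    dkim_ok = any(r == "pass" and aligned(d, from_domain, strict) for r, d in dkims)
    return {"from": from_domain, "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok, "dmarc_pass": spf_ok or dkim_ok}

# Constructed headers (not captured mail): personal Gmail SMTP as described above.
PERSONAL_GMAIL = """\
From: Your Name <you@yourdomain.com>
Authentication-Results: mx.receiver.example;
 spf=pass smtp.mailfrom=yourusername@gmail.com;
 dkim=pass header.d=gmail.com
Subject: hello

body
"""

# Constructed headers: same From:, sent through a relay with domain-aligned DKIM.
ALIGNED_RELAY = PERSONAL_GMAIL.replace(
    "yourusername@gmail.com", "bounce@mail.yourdomain.com"
).replace("header.d=gmail.com", "header.d=yourdomain.com")

if __name__ == "__main__":
    for name, raw in (("personal Gmail", PERSONAL_GMAIL), ("aligned relay", ALIGNED_RELAY)):
        print(name, dmarc_verdict(raw))
```

Both SPF and DKIM report pass in the first sample, yet neither authenticated domain matches the From: domain, so the verdict is a DMARC failure.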
The Professional Workaround
If you ever enforce a strict DMARC policy (p=quarantine or p=reject) to protect your domain from spoofing, emails sent through personal Gmail SMTP will be blocked or land in spam. The real fixes are:
- Use Google Workspace: Paid Google accounts allow you to publish custom DKIM keys aligned to your domain, so outbound headers pass DMARC correctly.
- Use a Dedicated SMTP Relay: Instead of smtp.gmail.com, connect a transactional SMTP provider like SMTP2GO, Resend, or Brevo in Gmail’s “Send mail as” settings. These providers let you verify domain ownership, publish aligned DKIM and SPF records, and fully satisfy DMARC policies.
Verification Tools
Once everything is configured, use these tools to confirm your DNS records are correct and your emails are passing authentication checks:
- MXToolbox — Check SPF, DKIM, and DMARC record syntax.
- Mail Tester — Send a test message and get a detailed spam score with DMARC alignment results.
- Google Postmaster Tools — Monitor your domain reputation and deliverability metrics over time.
FAQ
1. Why does my email show “sent via gmail.com” to recipients?
Gmail adds this notice when the domain in the From: header (yourdomain.com) does not align with the actual sending server (gmail.com). It is a side effect of the DKIM misalignment that comes with using a personal Gmail account for outbound SMTP.
2. Can I use custom DKIM keys with a free Gmail account?
No. Google does not allow personal @gmail.com accounts to upload custom DKIM private keys. To get properly aligned DKIM signatures, you need Google Workspace or an external SMTP relay service that supports domain verification.
3. What is Cloudflare SRS and why does it matter?
SRS (Sender Rewriting Scheme) is the mechanism Cloudflare uses when forwarding incoming email. It rewrites the envelope sender to a Cloudflare address so that when Google receives the forwarded message, the SPF check passes. Without SRS, Gmail would reject the forwarded email because Cloudflare’s IP is not in the original sender’s SPF record.
4. Is it safe to leave p=none in DMARC indefinitely?
p=none is useful for monitoring, but it offers no protection against spoofing. Over time you should aim to move to p=quarantine and eventually p=reject. Before doing that, you need to stop using personal Gmail SMTP — otherwise you will start blocking your own outgoing emails.
5. Does this setup work on mobile?
Yes. Once you add the “Send mail as” custom domain in the desktop version of Gmail, it syncs automatically and becomes available as a sending option in the official Gmail app on iOS and Android.