====== Gmail architecture ======

This page describes the to-be setup after the email migration from G Suite has taken place.

===== Incoming email =====

  - The sender's outgoing server looks up the MX records, which point to Cloudflare
  - Cloudflare((https://blog.cloudflare.com/introducing-email-routing/)) checks its internal database and forwards the email to Gmail

{{:architecture-incoming.png|incoming email architecture}}

===== Outgoing email =====

  - Gmail authenticates to the AWS SES((https://aws.amazon.com/ses/)) servers using a unique IAM username/password
    - Each unique user is restricted to sending only from their own set of email addresses
  - AWS SES signs the email using the DKIM keys stored in the internal SES database for the sender domain
  - AWS SES looks up the destination MX server and sends the email to the destination email server
  - (optional) The destination email server looks up SPF, DKIM and DMARC via DNS

{{:architecture-outgoing.png|outgoing email architecture}}
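
The per-user sending restriction in the outgoing flow can be expressed as an IAM identity policy conditioned on the SES ''ses:FromAddress'' key. The following is an added example, not part of the original page or of the actual deployment: the IAM user names and addresses are constructed placeholders, and ''would_allow'' is a simplified local check for reviewing the generated policies, not AWS's policy evaluator.

```python
import json

# Constructed sample mapping: IAM user name -> From addresses that user may send as.
# User names and addresses are placeholders, not values from this page.
ALLOWED_SENDERS = {
    "smtp-alice": ["alice@example.org", "billing@example.org"],
    "smtp-bob": ["bob@example.org"],
}


def build_policy(addresses):
    """Identity policy allowing SMTP sending only with the listed From addresses."""
    if not addresses:
        # An empty list would produce a policy that matches nothing; fail loudly instead.
        raise ValueError("refusing to build a policy with no From addresses")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "SendOnlyAsOwnAddresses",
            "Effect": "Allow",
            # Mail submitted through the SES SMTP interface is authorized as ses:SendRawEmail.
            "Action": "ses:SendRawEmail",
            "Resource": "*",
            "Condition": {"StringEquals": {"ses:FromAddress": sorted(addresses)}},
        }],
    }


def would_allow(policy, from_address):
    """Local approximation of the StringEquals condition (exact, case-sensitive match)."""
    for stmt in policy["Statement"]:
        condition = stmt.get("Condition", {}).get("StringEquals", {})
        allowed = condition.get("ses:FromAddress", [])
        if stmt["Effect"] == "Allow" and from_address in allowed:
            return True
    return False  # IAM denies by default when no Allow statement matches


if __name__ == "__main__":
    for user, addrs in ALLOWED_SENDERS.items():
        print(f"# policy for IAM user {user}")
        print(json.dumps(build_policy(addrs), indent=2))
```

Because ''StringEquals'' is case-sensitive, the addresses in the policy must match the From address exactly as Gmail submits it.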