Table of Contents

Gmail architecture

This page describes the to-be setup after email migration from gsuite has taken place

Incoming email

  1. Outgoing server finds MX records for cloudflare
  2. Cloudflare1) checks internal database and forwards the email to gmail

incoming email architecture

Outgoing email

  1. Gmail authenticates to AWS SES2) servers using unique IAM username/password
    1. each unique user is restricted to only be able to send from their own set of email addresses
  2. AWS SES signs the email using DKIM keys stored in internal SES database for the sender domain
  3. AWS SES looks up destination MX server and sends email to destination email server
  4. (optional) Destination email server looks up SPF, DKIM and DMARC via DNS

outgoing email architecture

1)
https://blog.cloudflare.com/introducing-email-routing/
2)
https://aws.amazon.com/ses/