2022-11-02
Estimated time: 15-20 minutes.
Okay, so it’s not quite free. Your domain will, obviously, cost money, and one of the two services we will be using does cost money – but for a normal non-corporate user the traffic you generate will be so low that it may as well be free. (We’re talking pennies.)
This setup uses an existing mail server, e.g., GMail, and performs routing, back and forth, for you. One service will route incoming emails to your existing address (1), and the other service will take outgoing emails and put their stamp of authority on your emails to allow them to not be classed as spam (2). I will use GMail as an example as it is easy, and they allow alias addresses. (It also means you can just use their online web client.)
For service (1) we shall use Cloudflare. If you aren’t already using Cloudflare for your domain, you should be. They provide free DDoS mitigation and protection, but for our case they also provide free email routing. To be clear, all this service does is receive emails and forward them to you – it won’t send emails for you.
Service (2) will be provided by Amazon Web Services (AWS). Specifically, their Simple Email Service (SES). It’s very easy to set up. At the time of writing, their London pricing calculator suggests that if you were to send 1,000 emails a month, with a total size of 1GB, it would cost $0.22 a month. For sending 100 emails a month (100MB per month), only $0.02.
Contrast this with Google’s basic Workspace plan that costs $6 per user per month!
Okay, so let’s set up Cloudflare. This article presumes your domain has already been paired with Cloudflare. If it hasn’t, please follow their guide here. (Select the free plan.)
You need to decide where and for which addresses emails will be delivered. As an example, let’s say I own the GMail account [email protected], and I also own the domain website.com. I would like all emails that go to [email protected] to be routed to [email protected]. Anything else will be dropped, i.e., goes nowhere. An illustration of this setup is shown in fig. 1. You can also tell Cloudflare to route all addresses at website.com to another address, e.g., [email protected], if you so wish.
Go to the ‘Email’ > ‘Email Routing’ page. Scroll down to the bottom of the page, to the section titled ‘Destination addresses’, and add all the destination addresses you will be using. E.g., [email protected]. Click ‘save’. An email will be sent to your current GMail account; click the link to verify you own it. Refresh the ‘Email Routing’ page to verify it has been a success.
Once these are all complete, we need to add our routing rules. Referring to fig. 1, I need to add [email protected]. (I will also add [email protected], this is for later.) Scroll to the top of the page and look for the section titled ‘Custom addresses’. Now I have a route from [email protected] to [email protected].
At the top of the page should be a box saying Email routing is currently disabled, and asking if we would like to enable it. Click ‘Enable Email Routing’. Tell it to add any MX records it suggests. It should now tell us that email routing is enabled and records have been added. If you look in your domain’s DNS records there will be a bunch of autogenerated records – leave them be!
If we were to send an email to our new route, e.g., [email protected], we should receive it in our GMail inbox, [email protected]. Test it now to check it works.
We’re not done just yet though… We need to set up a DMARC policy. This specifies what should happen if an email purporting to be from your domain fails authentication, i.e., if it isn’t actually from you. Navigate to the ‘DNS’ tab again and there will be a box asking you to set one up.
(The options are largely up to you, however I suggest ‘quarantine’ for the policy action and to leave the percentage alone.)
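An added example (not from the original post) that parses a DMARC TXT record and shows what a receiver does with mail that fails authentication under it. The two record strings are constructed; website.com is the post’s placeholder domain and the rua= address is assumed.

```python
"""Parse a DMARC record and state the action applied to failing mail."""
from typing import Dict

# The policy the post recommends: quarantine, pct left at its default (100).
RECOMMENDED = "v=DMARC1; p=quarantine; rua=mailto:dmarc@website.com"
# A monitor-only record for comparison: failing mail is still delivered.
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc@website.com"


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict; reject non-DMARC records."""
    parts = [p.strip() for p in record.split(";") if p.strip()]
    # RFC 7489: v=DMARC1 must be the first tag, matched exactly.
    if not parts or parts[0] != "v=DMARC1":
        raise ValueError("record must start with v=DMARC1")
    tags: Dict[str, str] = {}
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("p") not in {"none", "quarantine", "reject"}:
        raise ValueError("p= must be none, quarantine or reject")
    return tags


def disposition(record: str) -> str:
    """Action a receiver applies to a message that fails DMARC."""
    tags = parse_dmarc(record)
    policy = tags["p"]
    pct = int(tags.get("pct", "100"))  # pct defaults to 100 when omitted
    if policy == "none" or pct == 0:
        return "deliver (monitor only)"
    if pct < 100:
        # Only pct% of failing mail gets the policy; the rest gets the next
        # weaker one, so the outcome for any single message is a coin toss.
        return f"{policy} ~{pct}% of failing mail"
    return policy


if __name__ == "__main__":
    for rec in (MONITOR_ONLY, RECOMMENDED):
        print(f"{rec}\n  -> {disposition(rec)}")
```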
We should, finally, be done with Cloudflare!
Time to move on to AWS. I won’t cover signing up to AWS, but you need to use the ‘Amazon Simple Email Service’ product. This will allow us to send emails. It will be our SMTP server.
Once you are in the SES panel, go to ‘Configuration’ > ‘Verified Identities’. Click ‘Create identity’ and then select ‘domain’. This is where we are going to verify we own our domain, website.com. Select ‘Use a custom MAIL FROM domain’ and enter any subdomain you like; I will use mail.website.com.
Under ‘Identity type’ select ‘Easy DKIM’. Then click the orange ‘Create Identity’ button.
On the page for your domain, again, scroll down until you see three CNAME records that AWS tells you to set to verify your domain. Copy these and set them in Cloudflare, under ‘DNS’. (Make sure they are all unproxied.)
Then scroll down further to find the ‘Custom MAIL FROM domain’ DNS records to publish; do the same thing. (The first number in the MX record is the priority to set.)
After a few minutes, refresh the page and the DKIM and MAIL FROM domain should both be verified!
Afterwards, add your email as an identity too.
We’re almost finished! We just need to generate some SMTP credentials, so we can send emails. Go to ‘SMTP settings’ and click ‘Create SMTP credentials’.
Once finished, download your credentials. You can’t do this again, so keep them safe. If you lose them you have to recreate your credentials.
After reading this article, a Reddit user u/Zangoran contacted me saying that they could not get AWS to unlock (approve) their account. When you first make an account it is put inside a sandbox, with a very minimal number of emails allowed, and only to test addresses, or yourself.
They asked to be removed from this sandbox and, seemingly, got trapped in an automated cycle of being denied. They asked what I sent when I first set this up and, upon sending that, they managed to get out of the cycle. So, here it is:
I am using this for personal use only. Some automated emails will be sent (perhaps 10 a month) to myself only. Emails are typically just text, and small. Most will be sent from an email client, not the API. I will send an approximate 20 a month, and at most 50 a month. I have no recipient list, nothing to unsubscribe from. I will only have the addresses:
<list of addresses>
(Change to your specific needs; this is just what I sent for my use case.)
u/Zangoran did note that they were eventually escalated to a real person, when it was approved. They said ‘I would recommend replying with the same repetitive non-commercial and personal use only language until you get a real person’.
Now comes the exciting bit. We get to send emails from GMail using our new domain! In GMail, go to Settings > ‘See all settings’ > ‘Accounts and Import’. Under ‘Send mail as’ click ‘Add another email address’.
Type in the name you wish to appear on your emails, and the address that will be used, [email protected]. Ensure you untick ‘treat as an alias’. Fill in the SMTP server visible on your AWS panel under ‘SMTP settings’, and the details you downloaded from your generated credentials.
If you go to write a new email, you should see that there is an option list in the ‘from’ field, and you can select your new address!
Now that’s all set up, let’s test that everything comes together. That is: we can receive emails, we can send emails, DKIM authenticates us, and we don’t get a high spam rating.
Go to this website and wait for it to load. Then, send an email to the address it generates for you.
Go back to learndmarc and wait for it to receive your email. (Click fast forward or we’ll be here all day…) And it should show your results. If everything so far has worked, this is what we are looking for. PASS all round.
I would now be comfortable to use this as my main email account. Providing learndmarc returns all pass scores! You can also use other tools – there is a myriad of them – to test it.
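An added example (not from the original post) that does offline what learndmarc reports: it parses the Authentication-Results header a receiver such as Gmail stamps on a delivered message and checks that the DKIM and SPF passes also align with the From domain, using the relaxed (organisational-domain) alignment DMARC applies by default. The header value is constructed; the selector is a placeholder. It also shows why the custom MAIL FROM domain matters: SES’s default bounce domain sits under amazonses.com, so SPF would pass but not align.

```python
"""Check DMARC alignment from an Authentication-Results header value."""
import re
from typing import Dict

FROM_DOMAIN = "website.com"  # the post's placeholder domain

# Constructed sample: DKIM signed by website.com, SPF evaluated against the
# custom MAIL FROM subdomain mail.website.com from the post.
SAMPLE = (
    "mx.google.com; "
    "dkim=pass header.i=@website.com header.s=EXAMPLESELECTOR; "
    "spf=pass (sender IP is permitted) smtp.mailfrom=bounce@mail.website.com; "
    "dmarc=pass header.from=website.com"
)


def parse_auth_results(value: str) -> Dict[str, Dict[str, str]]:
    """Return {method: {'result': ..., 'prop': value}} for each stanza."""
    value = re.sub(r"\([^)]*\)", "", value)  # drop RFC 5322 comments
    results: Dict[str, Dict[str, str]] = {}
    for stanza in value.split(";")[1:]:  # [0] is the authserv-id
        tokens = stanza.split()
        if not tokens or "=" not in tokens[0]:
            continue  # e.g. a bare "none" stanza
        method, result = tokens[0].split("=", 1)
        props = {"result": result.lower()}
        for tok in tokens[1:]:
            if "=" in tok:
                key, val = tok.split("=", 1)
                props[key.lower()] = val
        results[method.lower()] = props
    return results


def org_domain(domain: str) -> str:
    # Simplified to the last two labels. Real receivers use the Public
    # Suffix List, so this is wrong for e.g. example.co.uk.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def dmarc_verdict(value: str, from_domain: str) -> Dict[str, bool]:
    """DMARC passes if at least one of DKIM or SPF passes AND aligns."""
    res = parse_auth_results(value)
    dkim, spf = res.get("dkim", {}), res.get("spf", {})
    dkim_dom = dkim.get("header.i", dkim.get("header.d", "")).split("@")[-1]
    spf_dom = spf.get("smtp.mailfrom", "").split("@")[-1]
    dkim_ok = dkim.get("result") == "pass" and org_domain(dkim_dom) == org_domain(from_domain)
    spf_ok = spf.get("result") == "pass" and org_domain(spf_dom) == org_domain(from_domain)
    return {"dkim_aligned": dkim_ok, "spf_aligned": spf_ok, "dmarc_pass": dkim_ok or spf_ok}
```

With the SAMPLE header both mechanisms align; swapping the MAIL FROM domain for one under amazonses.com leaves SPF passing but unaligned, and DMARC then rests on DKIM alone.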
Finally, send one last email to yourself to check that it is still working. And, you are done…