Tong Family

Well, if I have frustrated by all that horrible spam and Bluehost have been great but even with Spam Experts and Spam Assassin, we still get way more spam. I originally just wanted to make Gsuite just filter messages and send them back to Bluehost for deliver, it turns out that this is actually impossible. You can try to do split delivery for instance, but this doesn’t quit work instead, the best and cheapest thing to do is to have Bluehost send mail to Gsuite which then filters it and then forwards it to personal Gmail accounts. Pretty cool but hard to figure out. In the personal accounts, you set each to reply-to the Bluehost account and it all works, you get nice Gmail interfaces but can use the vanity domain without having to have a Gsuite account for each.

Getting started with Gsuite

Here are the steps:

1. Sign up for Gsuite with your private domain.
2. Logon to Gsuite with one account, you will have to validate your account by sticking things into the CNAME or something like that.
3. You need to setup the right CNAME record and the right MX Records
4. Then use the Admin Console with Customized URL to ghs.googlehosted.com
5. Because you don’t want to pay $5/month for each user, you can forward vanity accounts to existing (and free gmail accounts).

Debug the host

First thing is to know how to debug all this mail routing is to setup things properly in the User Settings area. Note that this conflicts with the later Routing setting, so you want to leave this as clean as possible, so here is how to debug.

1. Gsuite has a Reports/Email Log Search, this will let you know if mail was received externally and where it went. Mainly this will tell you it went into the mail pipeline which is a good thing.
2. It will also tell you if it thought it was spam.
3. Make sure to disable catchall so that unrecognized mail from routing works. This is in Gsuite > Apps > Gmail > User Settings > Email Routing and choose discard to make sure you get how the routing works. If you have catchall, then non of the rules will ever work because all mail is recognized and sent to your catchall, so make sure this is reset.
4. If you try to use your box***.bluehost.com:587 this is for delivery from a client, so needs authentication, use port 25 instead as this is the standard SMTP port for mail server to mail server delivery. You should use the default name for bluehost which is typically, mail.yourdomain.com and port 25. However, there is a problem in that Bluehost will either deliver locally (if it detects that the lowest MX record is a local system) or it will only deliver remotely. It does seem that it is impossible to have Google first get the mail and then redeliver to local accounts. That’s too bad as it would be really convenient.

Debugging to make sure the Gsuite and Bluehost mail flow

1. Add a rule as noted below, then see how the message is routed. So to test routing to your old domain, create a new host (see below) and then create a router rule which is “All recipients ” that and make sure “unrecognized addresses” is checked down below, this will route all unrecognized emails (e.g. without gmail accounts) to the downstream host, so you can check to see if the host works ok.
2. In our case, this didn’t work because submitting to port 587 to bluehost.com resulted in an SMTP authentication required message and an NDR gets sent back, but it works on port 25
3. Use the Gsuite > Reports > Email Search to figure out how routing works
4. Now you can use the Bluehost trace email to see how mail is sent.

Having Gmail forward mail

Since you can’t have bluehost reprocess mail once it hits your vanity domain, your main option is to use Gmail routing to forward mail. This isn’t split delivery, but really forwarding. It is not really obvious how to make it work, so here goes:

1. Add the Hosts above and make sure that works
2. In the Gsuite > Apps > Gmail > Advanced Settings > Default Routing, add the route for each forward like by checking, Routing is Normal (so it will go into the dead letter box in your Gsuite) and then add Additional Delivery and type in some other address like some privatemail@gmail.com so people can use a personal and free gmail account.
3. Also note that if you edit the current Default routing, you get a spurious there is an error editing, try again later it actually does work, but you have to hit refresh at least in Safari to see it.

More details on how routing works

The most confusing thing is how to support all of this without having to buy a $5/month mailbox for everyone. That makes sense for a company but not a vanity domain. Here are some solutions for routing messages. Note that right now GSuite seems to hang under Safari, so use Chrome:

1. Split delivery. This is the right enterprise way to do this, first set up a route to the old mail server `AppsG SuiteGmailAdvanced settings > Hosts >Add Host`. Make sure you use TLS and port for security. Then go to Apps > G Suite > Gmail > Advanced Routing > Inbound  Routing and then Change default routing route so those addresses can go back to the legacy server assuming your old host mail. Then you get all the spam filtering but end-users don’t have to change anything!
2. For remapping in the local system. Then to Apps/G Suite /Settings for Gmail /Advanced settings/Recipient Address Map to fix things which seems to reroute messages, but it looks like it doesn’t work moving off server, so you can’t just point it at an arbitrary email address so only works internally.
3. You can also do this at the individual user level with aliasing, so one account can respond to rich in addition to any other names.

Some strange things

1. Conflicting accounts. There is a strange issue where you can have an organizational account called foo@tongfamily.com and a personal one called foo@tongfamily.com. I actually had this problem when creating the Gsuite identity. So I had to create a fake admin name and then delete it once I could create the new identity.
2. The only what that seems to work is to create a group and allow outside accounts to be part of the group. Like another gmail address. This works well in those cases where users are already using their vanity name (like rich@tongfamily.com as their google authentication, because google won’t deliver is there is a name collision). Then you connect it to the outside account. This is a little clunky because you need this extra group, but it is nice because any end user can do it and you do not need admin privileges. In this case you can have lots of folks use free personal gmail accounts, but they get routed mail via the vanity domain. They can also set reply-as in the personal gmail so it looks like they are using the  vanity domain.
3. Finally there is a difference between unrecognized addresses that is addresses where there is no Gmail address. However, beware that if you turn on catch-all address to get all the mail then all addresses are recognized. So normally you do not want this on.

Protecting yourself from Spam with Magic DNS Records

The main way is to use special DNS records to limit things:

1. SPF. The sender policy framework is set by a TXT record which tells the mail server which domains can send mail to their SMTP server. For instance, if you say v=spf1 include:bluehost.com this means that only servers from the bluehost.com domain can send mail from that domains SMTP servers.
2. Setup DKIM to  digitally signs the outgoing message headers so that other servers can detect spam that is falsely written as coming from your servers. You just need to generate a DKIM record in Gmail > Advanced Settings > DKIM and add it as a TXT record in the DNS server. SPF tells other servers what mail servers can send for your domain. That is, sometimes the mail is both forged (fixed with DKIM) and comes from some other mail server (fixed by SPF). You can merge SPFs, so for instance you can use bluehost and Gsuite together using SPF syntax you basically concatenate it all.
3. DMARC is another TXT record that tells recipient mail servers what do to with mail that comes addressed from your domain. For instance, you can say (as eBay does) that any mail that doesn’t have DKIM on it should be rejected.