How Domain Email Actually Works

So you want to send emails from [email protected] instead of [email protected]? Cool — but there’s more to it than just picking an address. This guide explains how the whole thing works, in plain language.


The Cast of Characters

To send email from your own domain, you need three services that each play a different role. Here’s who they are:

🟠 Cloudflare — Your Domain’s Address Book

What it does: Cloudflare is your DNS provider. Think of it as the phonebook of the internet.

When someone’s email server looks up “where do I send mail for christianjeremia.com?”, it asks Cloudflare. Cloudflare says: “Here are the rules — read them carefully.”

Cloudflare itself does not send or receive emails. It just points the way.

🔵 Brevo — The Actual Post Office

What it does: Brevo is your SMTP provider — the actual engine that sends your emails.

Think of Brevo as a post office. You drop off your letter (email) at the post office, and they stamp it with proper postage (DKIM signature), put it in the mail truck, and deliver it to the recipient’s mailbox.

Without Brevo (or a similar service), you’d have to run your own post office on your VPS — which is a terrible idea because:

  • VPS providers block port 25 (the post office loading dock)
  • Cloud IPs have bad reputations (spammers ruin it for everyone)
  • You’d have to maintain your own mail server (a nightmare)

🟢 Gmail — Your Personal Mailbox

What it does: Gmail is your email client — the place where you read emails and compose replies.

In this setup, Gmail does two things:

  1. Receives emails (Cloudflare forwards incoming mail to your Gmail inbox)
  2. Sends emails (when you hit “send” in Gmail, it hands the email to Brevo, not to Gmail’s own servers)

The trick is: Gmail thinks Brevo is just another SMTP server. You configure Gmail’s “Send mail as” feature to use Brevo’s SMTP instead of Gmail’s own.


How an Email Actually Gets Sent — The Journey

Let’s say you’re in Gmail and you type a message to [email protected] from [email protected]. Here’s what happens behind the scenes:

You hit "Send" in Gmail
        │
        ▼
Gmail connects to Brevo's SMTP server (smtp-relay.brevo.com:587)
        │
        ▼
Brevo checks: "Do I know this sender? Is the SMTP key valid?"
        │ (✅ Yes — you already added the sender and set up DKIM)
        ▼
Brevo takes your email and:
   1️⃣  Signs it with your domain's DKIM key 🔑
   2️⃣  Puts the envelope in a truck (their outbound servers)
   3️⃣  Sends it to Outlook's mail server
        │
        ▼
Outlook receives the email and checks:
   🔍 "Who sent this? [email protected]"
   🔍 "Is the DKIM signature valid?" → Looks up your DNS on Cloudflare
   🔍 "Is the sender authorized?" → Checks your SPF record on Cloudflare
        │
        ▼
If everything matches → ✅ Email lands in inbox (no phishing warning!)
If something is wrong → ❌ Spam folder or phishing warning

Why the Phishing Warning Happened Before

Before we set up Brevo, Gmail was signing your email with Gmail’s DKIM key (because it was using Gmail’s SMTP). But the email was from [email protected] — not @gmail.com.

So Outlook checked your domain’s DNS, found no DKIM record, and said:

🚨 “This email says it’s from christianjeremia.com but there’s no signature proving that. Might be a fake!”

That’s the phishing warning. Now that Brevo signs with your domain’s DKIM key, Outlook can verify it properly. No more warning.


The DNS Records — What Each One Does

Remember the phonebook (Cloudflare)? These are the entries you added:

RecordTypeWhat it does (baby explanation)
SPFTXTA guest list: “Only these post offices (Brevo, Gmail) are allowed to send mail for this domain.”
DKIMCNAMEA signature stamp: “Every email from this domain has a unique digital signature. If the signature doesn’t match, it’s fake.”
DMARCTXTA policy sign: “If an email fails SPF or DKIM checks, here’s what to do (for now: just flag it, don’t block it).”
Brevo CodeTXTA proof of ownership: “I, the domain owner, confirm that Brevo is allowed to send for me.”
Branded CNAMEsCNAMETracking links: When you include links in emails and Brevo tracks clicks, these make the tracking links use your domain instead of brevo.com

🔑 SPF Simplified

Before: v=spf1 include:_spf.google.com ~all
         └── Only Google can send for this domain

After:  v=spf1 include:_spf.google.com include:brevo.com ~all
         └── Both Google AND Brevo can send

The ~all at the end means: “If a server NOT on this list tries to send email for this domain… be suspicious, but don’t necessarily block it.”

🔑 DKIM Simplified

DKIM is like a wax seal on a letter. In old times, a king would seal a letter with his ring. The recipient would recognize the seal and know the letter really came from the king.

Your DKIM records are CNAMEs (aliases) that point to Brevo’s servers:

brevo1._domainkey.yourdomain.com  →  b1.yourdomain-com.dkim.brevo.com

This means: “Hey email servers, if you want to verify the DKIM signature on this email, go ask Brevo for the public key.”

🔑 DMARC Simplified

DMARC tells email providers what to do when an email looks suspicious:

v=DMARC1; p=none; rua=mailto:[email protected]
  • p=none = “Just report it, don’t block anything” (safe starting mode)
  • Later you can change to p=quarantine (send to spam) or p=reject (block outright)

Step-by-Step Setup Guide

⚠️ This guide shows the process without any secret keys or passwords.

Phase 1: Cloudflare — Prepare the Phonebook

  1. Log into Cloudflare dashboard → your domain → DNS

  2. You’ll add several records (all grey cloud — DNS only, NOT proxied):

    TypeNameWhat goes here
    TXT@ (root)SPF record: v=spf1 include:_spf.google.com include:brevo.com ~all
    CNAMEbrevo1._domainkeyThe DKIM value from Brevo
    CNAMEbrevo2._domainkeyThe DKIM backup value from Brevo
    TXT_dmarcDMARC policy
    CNAMEmailBranded sending domain
    CNAMEimg.mailBranded image links
    CNAMEr.mailBranded redirect links
  3. ⚠️ Critical: All records must be grey cloud (⚪ DNS only). Orange cloud (proxied) will break email authentication.

Phase 2: Brevo — Set Up the Post Office

  1. Sign up at brevo.com (free plan = 300 emails/day)
  2. Go to Settings → Senders & Domains → Domains
  3. Add your domain (e.g., christianjeremia.com) or a subdomain (mail.christianjeremia.com)
  4. Brevo will show you DNS records to add — copy them to Cloudflare (Phase 1)
  5. Click “Verify” in Brevo — it checks that the DNS records exist
  6. Once verified, go to SendersAdd a Sender → add your email address (e.g., [email protected])
  7. Check your inbox for a verification email and click the link
  8. Go to Settings → SMTP & API → SMTP:
    • Create an SMTP key (copy it immediately — shown only once!)
    • Copy your SMTP Login ID (looks like [email protected])
    • Make sure Authorized IPs is empty (so Gmail can connect)

Phase 3: Gmail — Connect the Mailbox

  1. In Gmail, go to Settings → See all settings → Accounts and Import

  2. Under “Send mail as”, click “Add another email address”

  3. Enter: [email protected]

  4. Uncheck “Treat as alias” (optional)

  5. SMTP settings:

    FieldValue
    SMTP Serversmtp-relay.brevo.com
    Port587
    UsernameYour Brevo SMTP Login ID (not your email!)
    PasswordYour Brevo SMTP key
    Secured connection✅ TLS
  6. Gmail will send a test email to verify — if it works, you’re done!

Phase 4: Test

Send a test email to an Outlook/Hotmail address. It should arrive in the inbox with no phishing warning — because your email is now properly signed with your own domain’s DKIM.


Troubleshooting

”Couldn’t connect to server” in Gmail

  • Check that Authorized IPs in Brevo’s SMTP settings is empty
  • Check you’re using the SMTP Login ID ([email protected]), not your email
  • Try port 465 with SSL instead of 587 with TLS

”Authentication failed”

  • Your SMTP key might have a typo — create a new one in Brevo
  • Make sure you’re using the SMTP key as password, not your Brevo account password

”This email looks suspicious / Phishing” in Outlook

  • Wait a few hours for DNS records to propagate (up to 48 hours)
  • Double-check your DKIM CNAME records in Cloudflare
  • Use an online DKIM checker to verify your records are correct

DNS changes not working

  • DNS changes can take 5 minutes to 48 hours to spread across the internet
  • Cloudflare makes them fast (usually seconds), but other DNS servers cache old data
  • You can check with: dig TXT christianjeremia.com or an online DNS checker

The Cost Breakdown

ServiceWhat it providesCost
CloudflareDNS records, email forwarding (incoming)Free
BrevoSMTP relay, DKIM signing (outgoing)Free (300 emails/day)
GmailEmail client, inbox (incoming)Free
DomainYour name on the internet~$10-15/year
Total~$10-15/year (just the domain)

No servers to maintain. No subscriptions. No “trial expires” nonsense. Just pure, professional email with your own domain.