Outbound mail gateways and email authentication
If you use an outbound mail gateway and authenticate outbound email using Sender Policy Framework (SPF) records or domain key signing (DKIM), you may need to update your configuration.
Sender Policy Framework (SPF) records
When you use an outbound mail gateway, recipients receive mail sent from the gateway server rather than directly from the G Suite mail servers. If the recipient's mail system wants to verify that the message really came from your domain (and not from a spammer), it needs to confirm that the gateway server is an authorized mail server for your domain.
To enable this, you need to add the outbound mail gateway server to the SPF record for your domain. The SPF record for your domain needs to include both the G Suite mail servers and the outbound mail gateway server.
Domain key signing (DKIM)
If you sign outgoing messages with DKIM, everything is fine as long as the outbound gateway forwards your messages without modifying them. If the gateway server modifies the message, such as when Postini adds a compliance footer, the change invalidates the DKIM signature. You need to prevent the gateway server from modifying messages or turn off DKIM authentication.