I'm trying to clean up my email set-up to ensure that I'm meeting best practises. Some background:

For years I've used the Gmail for my email (the free version, not GSuite or Workspace or whatever it's called today), I signed up pretty much right from the very start when you had to get an invite to join. I have my own domain name and therefore like to send / receive via name@domain.co.nz. Back in the early days of Gmail they allowed people to set up any From address that they liked, so I set up my From address in Gmail to be name@domain.co.nz and then set up mail forwarding at my web hosting company to forward all email that came to name@domain.co.nz on to my Gmail address. This set-up has worked fine for years.

Most of my sending of email is done via the Gmail website or Gmail app on my phone, I don't use an email client on my desktop. My website has a contact form that sends email to me (eg it uses my web host's mail server to send these emails) and my desktop PC at home is also set up to send some stuff to me (eg cron job reports) which it does by using mSMTP and sending to smtp.gmail.com.

I have an SPF record set up that looks like this: v=spf1 ip4:103.121.35.30 ip4:103.121.34.8 +a +mx +include:_spf.google.com +include:spf.mailrelay.prodigi.nz ~all

As you can see I've included Google and my web host (Prodigi), the rest was created by cPanel.

I have a DMARC record set up that looks like this: v=DMARC1; p=none

cPanel also automatically set up a DKIM record for me.

My understanding of DKIM is that the there's a public key (in the DKIM DNS record) and a private key. The private key is used by the sending SMTP server to sign the email, and therefore the sending SMTP server has to have the private key. This is fine for my web host, they have the private key (I can see it in cPanel) and therefore any emails sent via my website should be automatically signed.

And now we come to my question: how do I give my private key to Gmail so it can sign outgoing emails?

I've found plenty of articles explaining how to set up DKIM within Google Workspace, but they're no good to me as I don't use Workspace. I can't see anywhere in the free version of Gmail where you can set this up.

I did find one article that provides a work-around: https://www.kavalier.tv/blog/send-e-mail-from-gmail-with-your-personal-domain-without-g-suite Their solution is you set Gmail up to send all outgoing email via your web host's SMTP server. I guess this would work, but it seems weird to me that the free version of Gmail doesn't allow you to set up DKIM within it. Maybe they don't want people using their own domain name with the free version of Gmail?