As an administrator, you can use an outbound mail gateway to process outgoing email messages from your organization before they’re sent to recipients. Outbound mail gateways are servers that can help you improve email security, compliance, and delivery.
For example, outbound gateways can block outgoing spam messages or messages with harmful content. They can help you meet compliance requirements by archiving messages, enforcing policies, and creating an audit trail. Outbound gateways also offer more advanced features, such as IP rotation, reputation management, and limiting the amount of email messages you send through a remote server at one time (also known as message throttling).
Before you begin
Make sure your Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) configurations take into account any outbound gateway because it can affect SPF and DKIM authentication.
- SPF records—If you use an SPF record to validate sending servers for your domain, add your outbound gateway IP address or domain to your SPF record. Your SPF record must include the Google Workspace mail servers and the outbound gateway. For details, go to Help prevent spoofing and spam with SPF.
- DKIM signatures—DKIM authenticates messages by verifying that messages aren't changed after they're sent. It's not uncommon for outbound gateways to modify messages, for example, by adding a footer to the end of all outgoing messages. If possible, set up your outbound gateway so that it doesn't modify messages. If your outbound gateway must modify outgoing messages, they will likely fail DKIM authentication. In this case, making sure you have SPF authentication set up becomes even more important.
- IP addresses—Set up your outbound gateway to accept and forward email only from Google Workspace mail server IP addresses. Use these addresses to help prevent spammers from using your gateway as an open mail relay. For more information, go to Google IP address ranges for outbound mail servers.
For help with your specific server setup, refer to the support documentation for your server.
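The SPF requirement above can be checked offline before you change routing. The following is an added example, not part of the original help page: it assumes the gateway is listed in the record by IP address (ip4/ip6 mechanisms, no DNS lookups), and the gateway address and sample records are constructed.

```python
import ipaddress

GOOGLE_INCLUDE = "include:_spf.google.com"  # Google Workspace's SPF include
GATEWAY = "203.0.113.25"  # constructed gateway address (documentation range)
# Constructed sample records
GOOD = "v=spf1 include:_spf.google.com ip4:203.0.113.25 ~all"
AFTER_ALL = "v=spf1 include:_spf.google.com ~all ip4:203.0.113.25"

def spf_problems(record, gateway_ip):
    """List reasons an SPF TXT record fails to authorize both Google
    Workspace and the outbound gateway. An empty list means both pass."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record: must start with v=spf1"]
    gw = ipaddress.ip_address(gateway_ip)
    prefix = "ip4:" if gw.version == 4 else "ip6:"
    google_ok = gateway_ok = False
    problems = []
    for term in terms[1:]:
        term = term.lower()
        # A mechanism without a qualifier defaults to "+" (pass).
        qualifier, mech = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        if mech == "all":
            if qualifier == "+":
                problems.append("+all lets any server pass SPF for this domain")
            break  # mechanisms after "all" are never evaluated (RFC 7208, 5.1)
        if qualifier != "+":
            continue  # only a pass qualifier authorizes the sender
        if mech == GOOGLE_INCLUDE:
            google_ok = True
        elif mech.startswith(prefix):
            try:
                net = ipaddress.ip_network(mech[len(prefix):], strict=False)
            except ValueError:
                problems.append(f"malformed mechanism: {term}")
                continue
            gateway_ok = gateway_ok or gw in net
    if not google_ok:
        problems.append("Google Workspace mail servers are not authorized")
    if not gateway_ok:
        problems.append(f"outbound gateway {gateway_ip} is not authorized")
    return problems
```

`AFTER_ALL` shows a common mistake: a gateway address appended after `~all` is never evaluated, so mail relayed through the gateway still fails SPF.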
Related topics:
- Help prevent spoofing and spam with DKIM
- Prevent spam, spoofing & phishing with Gmail authentication
Step 1: Add an outbound gateway route
- Sign in to your Google Admin console. Sign in using your administrator account (does not end in @gmail.com).
- In the Admin console, go to Menu > Apps > Google Workspace > Gmail > Hosts.
- Click Add Route.
- For Name, enter a route name for the outbound gateway.
- For Enter host name or IP, enter the outbound gateway IP address.
- Select the options that you want to enable:
  - To deliver to MX hosts associated with the specified domain name, check the Perform MX lookup on host box.
  - To encrypt messages between sending mail servers and receiving mail servers with TLS, check the Require mail to be transmitted over a secure transport (TLS) connection (Recommended) box.
  - To require the client SMTP server to present a certificate signed by a Certificate Authority that is trusted by Google, check the Require CA signed certificate (Recommended) box.
  - To verify the receiving host name matches the certificate presented by the SMTP server, check the Validate certificate hostname (Recommended) box.
- Click Test TLS connection to verify the connection to the receiving mail server.
- Click Save.
Changes can take up to 24 hours but typically happen more quickly.
If you get a “Could not validate certificate” error…
If you click Test TLS connection and get a certificate validation error, messages sent from your organization will bounce, even though you could save the new mail route.
To fix the error, try one or more of these solutions:
- If your mail server has more than one host name, make sure you’re using the host name that’s on the server’s certificate.
- If you have access to the mail server on the route, install a new certificate from a trusted Certificate Authority. Verify the new certificate has the correct host name.
- If you use a third-party mail relay service, contact the service provider about this error.
- Uncheck the box for one or more of these options:
  - Require mail to be transmitted over a secure transport (TLS) connection
  - Require CA signed certificate
  - Validate certificate hostname
Important: We recommend keeping these options turned on whenever possible so the connection can be verified.
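To find which host name to enter on the route, compare it with the names on the gateway's certificate. The following is an added example, not part of the original help page: it assumes validation against DNS subjectAltName entries only, and the host names and certificate in the test data are constructed. `probe` needs network access to your gateway; the matching functions work offline on a certificate dict.

```python
import smtplib
import ssl

def cert_names(cert):
    """DNS names from a certificate dict as returned by SSLSocket.getpeercert().
    Assumption: only subjectAltName DNS entries count, not the commonName."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

def name_matches(host, pattern):
    """Compare a route host name with one certificate name."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if not pattern.startswith("*."):
        return host == pattern
    # A wildcard covers exactly one left-most label: *.example.net matches
    # gw1.example.net but not example.net or a.gw1.example.net.
    first, _, rest = host.partition(".")
    return bool(first) and rest == pattern[2:]

def route_host_on_cert(route_host, cert):
    """True if the host name entered on the mail route appears on the certificate."""
    return any(name_matches(route_host, name) for name in cert_names(cert))

def probe(route_host, port=25):
    """Live check: STARTTLS with CA and host name validation turned on.
    Raises smtplib.SMTPNotSupportedError if the server does not offer STARTTLS
    and ssl.SSLCertVerificationError if the chain or host name does not validate.
    Returns the DNS names on the certificate when validation succeeds."""
    context = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    with smtplib.SMTP(route_host, port, timeout=15) as smtp:
        smtp.starttls(context=context)
        return cert_names(smtp.sock.getpeercert())
```

If `probe` raises a certificate error for the name on your route, try each of the server's other host names until one validates, then use that name on the route.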
Step 2: Set up the outbound gateway route in Gmail
You can set up an outbound gateway using the Routing setting or the Outbound gateway setting. We recommend using the Routing setting whenever possible.
- Sign in to your Google Admin console. Sign in using your administrator account (does not end in @gmail.com).
- In the Admin console, go to Menu > Apps > Google Workspace > Gmail > Routing.
- Make sure your top-level organizational unit is selected.
- For Routing, click Configure, Edit, or Add another rule.
- Enter a name or description for the routing setting.
- For Email messages to affect, check the Outbound box.
- For For the above types of messages, do the following, select Modify message.
- For Route, check the Change route box.
- Click Normal routing and select your outbound gateway route from the list.
- (Optional) To require TLS for onward delivery, for Encryption (onward delivery only), check the Require secure transport (TLS) box.
- Click Add setting or Save.
- At the bottom, click Save.
Changes can take up to 24 hours but typically happen more quickly.
You can track changes in Admin log events.