Set up an outbound mail gateway

If you have the legacy free edition of G Suite, upgrade to Google Workspace to get this feature. 

An outbound mail gateway server processes email before messages are delivered to recipients. Outbound mail gateway servers are typically used for archiving or spam filtering. Outbound mail gateway servers are sometimes called smart hosts.

Set up an outbound gateway server with Google Workspace to route all outgoing messages from your domain through a gateway server.

Set up your gateway server

Set up your outbound gateway server to accept and forward email only from Google Workspace mail server IP addresses. This helps prevent spammers from using your gateway as an open mail relay.

For help on setting up your gateway server, refer to the support or help documentation for your server.

SPF and DKIM

Sender Policy Framework (SPF)

If you use an SPF record to validate sending servers for your domain, add your outbound mail gateway server to your SPF record. Your SPF record must include the Google Workspace mail servers and the outbound mail gateway server.
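An added example (not part of the original help page): a Python check that an SPF TXT string authorizes both Google Workspace and the gateway. The gateway address 203.0.113.25, the host gw.example.com and the sample records are constructed; `a`, `mx` and other `include` terms are only reported, since they need DNS to evaluate.

```python
import ipaddress

GOOGLE_INCLUDE = "_spf.google.com"  # include Google publishes for Workspace senders

def audit_spf(record, gateway_ip):
    """Check an SPF TXT string for the Google include and a literal match on gateway_ip."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: must start with v=spf1")
    gateway = ipaddress.ip_address(gateway_ip)
    result = {"google": False, "gateway": False, "needs_dns": [], "problems": []}
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        body = term.lstrip("+-~?")
        name, _, value = body.partition(":")
        name = name.lower()
        if name == "all":
            if qualifier == "+":
                result["problems"].append("+all authorizes every host on the internet")
            continue
        if qualifier != "+":
            continue  # only pass-qualified mechanisms authorize a sender
        if name == "include" and value.lower().rstrip(".") == GOOGLE_INCLUDE:
            result["google"] = True
        elif name in ("ip4", "ip6"):
            if gateway in ipaddress.ip_network(value, strict=False):
                result["gateway"] = True
        else:
            result["needs_dns"].append(body)  # a, mx, other includes, redirect=
    if not result["google"]:
        result["problems"].append("missing include:" + GOOGLE_INCLUDE)
    if not result["gateway"]:
        msg = "gateway %s not matched by any ip4/ip6 mechanism" % gateway
        if result["needs_dns"]:
            msg += " (may still be covered by: %s)" % ", ".join(result["needs_dns"])
        result["problems"].append(msg)
    return result

# Constructed sample records; 203.0.113.0/24 is a documentation range.
GOOGLE_ONLY = "v=spf1 include:_spf.google.com ~all"
WITH_GATEWAY = "v=spf1 include:_spf.google.com ip4:203.0.113.25 ~all"
GATEWAY_ONLY = "v=spf1 ip4:203.0.113.0/24 a:gw.example.com -all"

if __name__ == "__main__":
    for rec in (GOOGLE_ONLY, WITH_GATEWAY, GATEWAY_ONLY):
        print(rec, "->", audit_spf(rec, "203.0.113.25")["problems"] or "OK")
```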

Domain key signing (DKIM)

Your outbound gateway supports DKIM signatures if the gateway forwards your messages without modifying them. If your gateway server modifies messages (for example, by adding compliance footers), DKIM signatures are invalidated. Make sure the gateway server doesn't modify messages. We don't recommend turning off DKIM authentication.

Set up your outbound gateway

You can set up an outbound gateway using the Routing setting or the Outbound gateway setting. We recommend using the Routing setting whenever possible.

Use the Routing setting

Add outbound gateway route

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Apps > Google Workspace > Gmail > Hosts.

    Note: You might find this setting at Apps > Google Workspace > Gmail > Advanced Settings.

  3. Click Add Route.
  4. Enter a route name for the gateway server in the Name field.
  5. Enter the outbound gateway server address in the Enter host name or IP field.
  6. Select the options you want to enable:
    • Perform MX lookup on host—Deliver to MX hosts associated with the specified domain name.
    • Require mail to be transmitted over a secure transport (TLS) connection (Recommended)—Encrypt messages between sending mail servers and receiving mail servers with Transport Layer Security (TLS).
    • Require CA signed certificate (Recommended)—The client SMTP server must present a certificate signed by a Certificate Authority that is trusted by Google.
    • Validate certificate hostname (Recommended)—Verify the receiving hostname matches the certificate presented by the SMTP server.
  7. Click Test TLS connection to verify the connection to the receiving mail server.
  8. Click Save.

It can take up to 24 hours for changes to take effect.

If you get a “Could not validate certificate” error

When you click Test TLS connection, you might get an error that says “Could not validate certificate…” If you get this error, you can save the new mail route but messages sent from your organization will bounce. 

To fix the error, try one or more of these solutions:

  • If your mail server has more than one host name, make sure you’re using the host name that’s on the server’s certificate.
  • If you have access to the mail server on the route, install a new certificate from a trusted Certificate Authority. Verify the new certificate has the correct host name.
  • If you use a third-party mail relay service, contact the service provider about this error.
  • Turn off one or more of these options:
    • Require mail to be transmitted over a secure transport (TLS) connection
    • Require CA signed certificate
    • Validate certificate hostname

      Important: We recommend keeping these options turned on whenever possible so the connection can be verified.

Set up an outbound gateway route in Gmail

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Apps > Google Workspace > Gmail > Routing.

    Note: You might find this setting at Apps > Google Workspace > Gmail > Advanced Settings.

  3. In the Organizations section, select the top-level organization.
  4. Hover over Routing, and click Configure, Edit, or Add another.
  5. Enter a name or description for the routing setting.
  6. Under Messages to affect, check Outbound.
  7. Under the third option (For the above types of messages…), select Modify message.
  8. Under Route, check the Change route box.
  9. Click the Down arrow and select your gateway server route from the list.
  10. (Optional) Under Encryption (onward delivery only), check the Require secure transport (TLS) box.
  11. Click Add setting or Save.
    New settings are added to the page.
  12. At the bottom of the page, click Save.

It can take up to 24 hours for changes to take effect. You can track changes in the Admin console audit log.

Use the Outbound gateway setting

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Apps > Google Workspace > Gmail > Routing.

    Note: You might find this setting at Apps > Google Workspace > Gmail > Advanced Settings.

  3. In the Organizations section, select the top-level organization.
  4. Go to the Outbound gateway setting in the Routing section.
  5. Enter the outbound gateway server address.
  6. At the bottom of the page, click Save.

It can take up to 24 hours for changes to take effect. You can track changes in the Admin console audit log.
