Set up an outbound mail gateway

If you have the legacy free edition of G Suite, upgrade to G Suite Basic to get this feature. 

An outbound mail gateway server, also known as a smart host, processes email messages before they’re delivered. Typically, outbound mail gateway servers are used for archiving or spam filtering.

Set up an outbound gateway server with G Suite to route all outgoing messages from your domain through a gateway server.

Set up your gateway server

Set up your outbound gateway server to accept and forward email only from G Suite mail server IP addresses. This helps prevent spammers from using your gateway as an open mail relay.

For help on setting up your gateway server, contact the gateway server’s support team.

SPF and DKIM

Sender Policy Framework (SPF)

If you use an SPF record to validate outgoing mail servers for your domain, you need to set up your SPF record to include your outbound mail gateway server. The SPF record needs to include both the G Suite mail servers and the outbound mail gateway server.

Domain key signing (DKIM)

Your outbound gateway will work with DKIM signatures if the gateway forwards your messages without modifying them. If your gateway server modifies messages (for example, by adding compliance footers) DKIM signatures are invalidated. Prevent the gateway server from modifying messages or turn off DKIM authentication.

Set up your outbound gateway

Set up an outbound gateway using the Routing setting or the Outbound gateway setting. For best practices, use the Routing setting.

Use the Routing setting

Add outbound gateway route

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console, go to Apps and then G Suite and then Gmail and then Advanced settings.
  3. Click Hosts.
  4. Click Add Route.
  5. Enter a route name for the gateway server in the Name field.
  6. Enter the outbound gateway server address in the Enter host name or IP field.
  7. Select any options you want to enable:
    • Perform MX lookup on host—Deliver to MX hosts associated with the specified domain name.
    • Require secure transport (TLS)—Encrypt messages between sending mail servers and receiving mail servers using Transport Layer Security (TLS).
    • Require CA signed certificate—Require the certificate for authentication with TLS delivery.
  8. Click Save.

Configure Gmail with outbound gateway route

From the Gmail Advanced settings section:

  1. Click General Settings.
  2. In the Organizations section, select the top-level organization.
  3. Scroll to the Routing setting in the Routing section, hover over the setting, and choose one of the following options:
    • Click Configure.
    • If the setting is already configured, click Edit or Add another.
  4. Enter a name or description for your routing setting.
  5. Under Messages to affect, check Outbound.
  6. Under the third option (For the above types of messages…), select Modify message from the drop-down menu.
  7. Under Route, check the Change route box.
  8. From the drop-down list, select your gateway server route.
  9. (Optional) Under Encryption (onward delivery only), check the Require secure transport (TLS).
  10. Click Add setting or Save.
    New settings are added to the Advanced settings page.
  11. At the bottom of the Advanced settings page, click Save.

It can take up to an hour for changes to propagate to user accounts. You can track changes in the Admin console audit log.

Use the Outbound gateway setting
  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console, go to Apps and then G Suite and then Gmail and then Advanced settings.
  3. In the Organizations section, select the top-level organization.
  4. Scroll to the Outbound gateway setting in the Routing section.
  5. Enter the outbound gateway server address.
  6. At the bottom of the Advanced settings page, click Save.

It can take up to an hour for changes to propagate to user accounts. You can track changes in the Admin console audit log.

Was this article helpful?
How can we improve it?