Add an outbound gateway for outgoing email

Outbound gateways process outgoing email messages from your organization before they’re sent to recipients. Outbound gateways can help improve email security, compliance, and delivery.

For example, outbound gateways can block outgoing messages that could be spam or messages with harmful content. Outbound gateways also support compliance requirements by archiving messages, enforcing policies, and creating an audit trail. Outbound gateways also offer advanced features, such as IP rotation, reputation management, and limiting the amount of email sent through a remote server (throttling).

Before you begin

Make sure your Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) authentication configuration takes into account your outbound gateway settings. Sending email over an outbound gateway can impact SPF and DKIM authentication. 

Details about outbound gateways and email authentication

  • SPF records—Be sure to add your outbound gateway IP address or domain to your SPF record. Your SPF record must include the Google Workspace mail servers and the outbound gateway. If your outbound gateway isn't included in your SPF record, outgoing email sent through the gateway is more likely to be marked as spam. For details, go to Set up SPF.
  • DKIM signatures—DKIM authenticates messages by verifying that messages aren't changed after they're sent. Outbound gateways commonly modify messages. For example, outbound gateways can add a footer to the end of all outgoing messages. If possible, set up your outbound gateway so that it doesn't modify messages. If your outbound gateway must modify outgoing messages, they will likely fail DKIM authentication. In this case, keeping your SPF setup accurate and up to date is important to help ensure your messages are authenticated.
  • IP addresses—Set up your outbound gateway to accept and forward email only from Google Workspace email server IP addresses. Use these addresses to help prevent spammers from using your gateway as an open email relay. For more information, go to Google IP address ranges for outbound mail servers.

    For help with your specific server setup, refer to the support documentation for your server.

Learn more about email authentication at Prevent spam, spoofing & phishing with Gmail authentication.
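
The SPF requirement above can be checked offline before you switch routing. The following is an added example, not part of the original article: it audits an SPF TXT record string for the Google Workspace include and for the outbound gateway. The sample records, the gateway address (a documentation range) and the function name are constructed for illustration, and nested includes are not resolved.

```python
import ipaddress

GOOGLE_INCLUDE = "_spf.google.com"   # include used for Google Workspace mail servers

def audit_spf(record, gateway):
    """Return a list of problems with an SPF TXT record; [] means both senders are covered.

    gateway is the outbound gateway's IP address, or the domain its provider
    asks you to include (assumption: it is authorized via ip4/ip6/include).
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record: must start with v=spf1"]
    includes, nets, problems = set(), [], []
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        name, _, value = term.lstrip("+-~?").partition(":")
        name = name.lower()
        if name == "all":
            if qualifier == "+":
                problems.append("'+all' authorizes every sender on the internet")
        elif qualifier != "+":
            continue                      # only pass ('+') terms authorize a sender
        elif name == "include":
            includes.add(value.lower().rstrip("."))
        elif name in ("ip4", "ip6"):
            try:
                nets.append(ipaddress.ip_network(value, strict=False))
            except ValueError:
                problems.append(f"malformed term: {term}")
    if GOOGLE_INCLUDE not in includes:
        problems.append(f"missing include:{GOOGLE_INCLUDE} (Google Workspace mail servers)")
    try:
        gw_ip = ipaddress.ip_address(gateway)
        covered = any(gw_ip.version == n.version and gw_ip in n for n in nets)
    except ValueError:                    # not an IP literal: treat it as an include domain
        covered = gateway.lower().rstrip(".") in includes
    if not covered:
        problems.append(f"outbound gateway {gateway} is not authorized by this record")
    return problems

# Constructed sample records (documentation address range, hypothetical gateway).
GOOD = "v=spf1 include:_spf.google.com ip4:198.51.100.0/28 ~all"
NO_GATEWAY = "v=spf1 include:_spf.google.com ~all"

if __name__ == "__main__":
    for rec in (GOOD, NO_GATEWAY):
        print(rec, "->", audit_spf(rec, "198.51.100.7") or "ok")
```
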

There are 2 options for adding an outbound gateway:

  • Option 1: Use the Outbound gateway setting

    To quickly set up a standard outbound gateway, we recommend using the Outbound gateway setting. With the Outbound gateway setting, you can enter the route or host directly in the setting. You don't need to take separate steps to add a route or host. The Outbound gateway setting can only be applied to the top-level organizational unit. It can't be applied to individual organizational units.

  • Option 2: Use the Routing setting

    If your outbound gateway requires specific or special configuration, we recommend using the Routing setting to add an outbound gateway. The Routing setting provides more configuration flexibility, and can be applied to selected organizational units.

Option 1: Use the Outbound gateway setting

  1. Sign in with an administrator account to the Google Admin console.

    If you aren’t using an administrator account, you can’t access the Admin console.

  2. In the Admin console, go to Menu > Apps > Google Workspace > Gmail > Routing.
  3. Next to the Outbound gateway setting, click Edit.
  4. Under Route outgoing emails..., enter the hostname or IP address of the outbound gateway, then click Save.

Option 2: Use the Routing setting

Step 1: Add an outbound gateway route

  1. Sign in with an administrator account to the Google Admin console.

    If you aren’t using an administrator account, you can’t access the Admin console.

  2. In the Admin console, go to Menu > Apps > Google Workspace > Gmail > Hosts.
  3. Click Add Route.
  4. For Name, enter a route name for the outbound gateway.
  5. For Enter host name or IP, enter the outbound gateway IP address.
  6. Select the options that you want to enable:
    • To deliver to MX hosts associated with the specified domain name, check the Perform MX lookup on host box.
    • To encrypt messages between sending mail servers and receiving mail servers with TLS, check the Require mail to be transmitted over a secure transport (TLS) connection (Recommended) box.
    • To require the client SMTP server to present a certificate signed by a Certificate Authority that is trusted by Google, check the Require CA signed certificate (Recommended) box.
    • To verify the receiving host name matches the certificate presented by the SMTP server, check the Validate certificate hostname (Recommended) box.
  7. Click Test TLS connection to verify the connection to the receiving mail server.
  8. Click Save.

Changes can take up to 24 hours but typically happen more quickly.

If you get a “Could not validate certificate” error…

If you click Test TLS connection and get a certificate validation error, messages sent from your organization will bounce, even though you could save the new mail route. 

To fix the error, try one or more of these solutions:

  • If your mail server has more than one host name, make sure you’re using the host name that’s on the server’s certificate.
  • If you have access to the mail server on the route, install a new certificate from a trusted Certificate Authority. Verify the new certificate has the correct host name.
  • If you use a third-party mail relay service, contact the service provider about this error.
  • Uncheck the box for one or more of these options:
    • Require mail to be transmitted over a secure transport (TLS) connection
    • Require CA signed certificate
    • Validate certificate hostname

    Important: We recommend keeping these options turned on whenever possible so the connection can be verified.
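
To see which of the three options your gateway actually satisfies before unchecking any of them, you can reproduce the check from your own network. The following is an added example, not part of the original article or a Google tool: it attempts STARTTLS against the gateway at each strictness level and reports where verification fails. It assumes the local system trust store stands in for the CAs Google trusts, and the function names are illustrative.

```python
import smtplib
import ssl
import sys

def build_context(require_ca, validate_hostname):
    """Approximate the route's two certificate checkboxes as an ssl.SSLContext.

    Assumption: the local system trust store stands in for the CA list Google
    trusts, so a pass here is a strong hint, not a guarantee.
    """
    ctx = ssl.create_default_context()   # CERT_REQUIRED + hostname check by default
    if not (require_ca and validate_hostname):
        ctx.check_hostname = False       # must be disabled before CERT_NONE is allowed
    if not require_ca:
        ctx.verify_mode = ssl.CERT_NONE  # encrypts, but accepts any certificate
    return ctx

# Strictest first, mirroring the recommended options and then each relaxation.
LEVELS = [
    ("TLS + CA-signed certificate + hostname match", True, True),
    ("TLS + CA-signed certificate, hostname not checked", True, False),
    ("TLS only, certificate not verified", False, False),
]

def probe(host, port=25, timeout=10):
    """Attempt STARTTLS at each level; return [(label, outcome), ...]."""
    results = []
    for label, require_ca, validate_hostname in LEVELS:
        try:
            with smtplib.SMTP(host, port, timeout=timeout) as smtp:
                smtp.ehlo()
                smtp.starttls(context=build_context(require_ca, validate_hostname))
            results.append((label, "ok"))
        except ssl.SSLCertVerificationError as exc:   # subclass of OSError: catch first
            results.append((label, f"certificate error: {exc.verify_message}"))
        except (smtplib.SMTPException, OSError) as exc:
            results.append((label, f"failed: {exc}"))
    return results

if __name__ == "__main__":
    # Usage: python probe_gateway_tls.py <gateway host name as entered in the route>
    for label, outcome in probe(sys.argv[1]):
        print(f"{outcome:<45} {label}")
```

If the first level fails and the second passes, the host name in the route doesn't match the certificate; if only the third passes, the certificate isn't signed by a CA in the trust store. Run it from a network that allows outbound connections on port 25.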

Step 2: Set up the outbound gateway route in Gmail

  1. Sign in with an administrator account to the Google Admin console.

    If you aren’t using an administrator account, you can’t access the Admin console.

  2. In the Admin console, go to Menu > Apps > Google Workspace > Gmail > Routing.
  3. Make sure your top-level organizational unit is selected.
  4. For Routing, click Configure or Add another rule (shows only if rules are added).
  5. Enter a name or description for the routing setting.
  6. For Email messages to affect, check the Outbound box.
  7. Under For the above types of messages, do the following, select Modify message.
    1. For Route, check the Change route box. Click Normal routing and select your outbound gateway route from the list.
    2. (Optional) To require TLS for onward delivery, for Encryption (onward delivery only), check the Require secure transport (TLS) box.
  8. At the bottom, click Save.

Changes can take up to 24 hours but typically happen more quickly. You can track changes in Admin log events.
