Set up an outbound mail gateway

If you have the legacy free edition of G Suite, upgrade to G Suite Basic to get this feature. 

An outbound mail gateway server, also known as a smart host, processes email messages before they’re delivered. Typically, outbound mail gateway servers are used for archiving or spam filtering.

Set up an outbound gateway server with G Suite to route all outgoing messages from your domain through a gateway server.

Set up your gateway server

Set up your outbound gateway server to accept and forward email only from G Suite mail server IP addresses. This helps prevent spammers from using your gateway as an open mail relay.

For help on setting up your gateway server, contact the gateway server’s support team.

SPF and DKIM

Sender Policy Framework (SPF)

If you use an SPF record to validate outgoing mail servers for your domain, you need to set up your SPF record to include your outbound mail gateway server. The SPF record needs to include both the G Suite mail servers and the outbound mail gateway server.
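The following is an added example, not part of the original help page: a small offline check that an SPF record authorizes both senders named above. The gateway address 203.0.113.25 and the sample records are constructed placeholders. The check reads only the record's own mechanisms, so a gateway authorized through a provider's `include:` domain would need a DNS lookup that this sketch does not perform.

```python
import ipaddress

GOOGLE_INCLUDE = "_spf.google.com"  # Google's published SPF include domain
GATEWAY_IP = "203.0.113.25"         # constructed placeholder (documentation range)

# Constructed sample records for a hypothetical domain.
GOOGLE_ONLY = "v=spf1 include:_spf.google.com ~all"
BOTH = "v=spf1 include:_spf.google.com ip4:203.0.113.0/24 ~all"


def parse_spf(record):
    """Split an SPF TXT value into (qualifier, mechanism, value) tuples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    mechanisms = []
    for term in terms[1:]:
        if "=" in term.split(":", 1)[0]:
            continue  # modifier such as redirect= or exp=, not a mechanism
        qualifier = "+"  # SPF default when no qualifier is written
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        mechanisms.append((qualifier, name.lower(), value))
    return mechanisms


def check_outbound_senders(record, gateway_ip=GATEWAY_IP):
    """Report whether the record passes Google's servers and the gateway IP."""
    gateway = ipaddress.ip_address(gateway_ip)
    result = {"google": False, "gateway": False}
    for qualifier, name, value in parse_spf(record):
        if qualifier != "+":
            continue  # only a pass qualifier authorizes a sender
        if name == "include" and value.lower().rstrip(".") == GOOGLE_INCLUDE:
            result["google"] = True
        elif name in ("ip4", "ip6") and value:
            if gateway in ipaddress.ip_network(value, strict=False):
                result["gateway"] = True
    return result


if __name__ == "__main__":
    for label, rec in (("google only", GOOGLE_ONLY), ("both", BOTH)):
        print(label, check_outbound_senders(rec))
```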

Domain key signing (DKIM)

Your outbound gateway will work with DKIM signatures if the gateway forwards your messages without modifying them. If your gateway server modifies messages (for example, by adding compliance footers), DKIM signatures are invalidated. Prevent the gateway server from modifying messages or turn off DKIM authentication.
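To show why a footer breaks the signature, here is an added example (not from the original help page) that computes the DKIM body hash (the `bh=` tag) using the relaxed body canonicalization from RFC 6376. The message bodies are constructed samples. Only the body hash is modeled; a real verifier also checks the signed headers and the signature itself.

```python
import base64
import hashlib
import re

# Constructed sample bodies (CRLF line endings, as on the wire).
ORIGINAL = b"Quarterly report attached.\r\nRegards,\r\nAlex\r\n"
WHITESPACE_ONLY = b"Quarterly  report attached. \r\nRegards,\r\nAlex\r\n\r\n"
WITH_FOOTER = ORIGINAL + b"--\r\nThis message is confidential.\r\n"


def relaxed_body(body: bytes) -> bytes:
    """Apply RFC 6376 'relaxed' body canonicalization."""
    lines = body.split(b"\r\n")
    # Collapse runs of spaces/tabs to one space, then drop trailing whitespace.
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    # Ignore empty lines at the end of the body.
    while lines and lines[-1] == b"":
        lines.pop()
    # A non-empty body ends with exactly one CRLF; an empty body stays empty.
    return b"".join(ln + b"\r\n" for ln in lines)


def body_hash(body: bytes) -> str:
    """Return the value a signer would place in bh= (SHA-256, base64)."""
    digest = hashlib.sha256(relaxed_body(body)).digest()
    return base64.b64encode(digest).decode("ascii")


def body_survives(signed_body: bytes, delivered_body: bytes) -> bool:
    """True if the delivered body still matches the signed body hash."""
    return body_hash(signed_body) == body_hash(delivered_body)


if __name__ == "__main__":
    print("signed bh:        ", body_hash(ORIGINAL))
    print("whitespace change:", body_survives(ORIGINAL, WHITESPACE_ONLY))
    print("footer appended:  ", body_survives(ORIGINAL, WITH_FOOTER))
```

Relaxed canonicalization tolerates whitespace-only changes in transit, but any added content such as a footer changes the hash, so the receiving server's DKIM check fails.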

Set up your outbound gateway

Set up an outbound gateway using the Routing setting or the Outbound gateway setting. For best practices, use the Routing setting.

Use the Routing setting

Add outbound gateway route

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console, go to Apps and then G Suite and then Gmail and then Advanced settings.
  3. Click Hosts.
  4. Click Add Route.
  5. Enter a route name for the gateway server in the Name field.
  6. Enter the outbound gateway server address in the Enter host name or IP field.
  7. Select any options you want to enable:
    • Perform MX lookup on host—Deliver to MX hosts associated with the specified domain name.
    • Require mail to be transmitted over a secure transport (TLS) connection (Recommended)—Encrypt messages between sending mail servers and receiving mail servers with Transport Layer Security (TLS).
    • Require CA signed certificate (Recommended)—The client SMTP server must present a certificate signed by a Certificate Authority that is trusted by Google.
    • Validate certificate hostname (Recommended)—Verify the receiving hostname matches the certificate presented by the SMTP server.
  8. Click Test TLS connection to verify the connection to the receiving mail server.
  9. Click Save.

If you get a “Could not validate certificate” error

When you click Test TLS connection, you might get an error that says “Could not validate certificate…” If you get this error, you can save the new mail route but messages sent from your organization will bounce. 

To fix the error, try one or more of these solutions:

  • If your mail server has more than one host name, make sure you’re using the host name that’s on the server’s certificate.
  • If you have access to the mail server on the route, install a new certificate from a trusted Certificate Authority. Verify the new certificate has the correct host name.
  • If you use a third-party mail relay service, contact the service provider about this error.
  • Turn off one or more of these options:
    • Require mail to be transmitted over a secure transport (TLS) connection
    • Require CA signed certificate
    • Validate certificate hostname

      Important: We recommend keeping these options turned on whenever possible so the connection can be verified.

Configure Gmail with outbound gateway route

From the Gmail Advanced settings section:

  1. Click General Settings.
  2. In the Organizations section, select the top-level organization.
  3. Scroll to the Routing setting in the Routing section, hover over the setting, and choose one of the following options:
    • Click Configure.
    • If the setting is already configured, click Edit or Add another.
  4. Enter a name or description for your routing setting.
  5. Under Messages to affect, check Outbound.
  6. Under the third option (For the above types of messages…), select Modify message from the drop-down menu.
  7. Under Route, check the Change route box.
  8. From the drop-down list, select your gateway server route.
  9. (Optional) Under Encryption (onward delivery only), check the Require secure transport (TLS) box.
  10. Click Add setting or Save.
    New settings are added to the Advanced settings page.
  11. At the bottom of the Advanced settings page, click Save.

It can take up to 24 hours for changes to propagate to user accounts. You can track changes in the Admin console audit log.

Use the Outbound gateway setting

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console, go to Apps and then G Suite and then Gmail and then Advanced settings.
  3. In the Organizations section, select the top-level organization.
  4. Scroll to the Outbound gateway setting in the Routing section.
  5. Enter the outbound gateway server address.
  6. At the bottom of the Advanced settings page, click Save.

It can take up to 24 hours for changes to propagate to user accounts. You can track changes in the Admin console audit log.
