Require mail to be transmitted via a secure (TLS) connection

Transport Layer Security (TLS) is a security protocol that encrypts email to protect its privacy. TLS is the successor to Secure Sockets Layer (SSL).

Gmail uses TLS by default, but when a secure connection isn't available (both sender and recipient need to use TLS to create a secure connection), Gmail will deliver messages over non-secure connections.

However, you can configure your TLS setting to require a secure connection for email to (or from) specific domains or email addresses that you list.

What happens to email to (or from) domains that don't use TLS?
Outgoing mail: Mail won't be delivered and will bounce. You'll get a non-delivery report (NDR). Only one send attempt is made (no retries).
Incoming mail: Mail is rejected without any notification to you, although the sender will receive an NDR.

Set up TLS compliance

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in

  2. From the Admin console Home page, go to Apps > G Suite > Gmail > Advanced settings.

    Tip: To see Advanced settings, scroll to the bottom of the Gmail page.

  3. On the left, select an organization.
  4. In the Compliance section, hover over Secure transport (TLS) compliance and click Configure. If the setting is already configured, hover over the setting and click Edit or Add Another.
  5. For a new setting, enter a description.
  6. Choose inbound and/or outbound messages.

    Choose Outbound - messages requiring Secure Transport via another setting for outbound messages to which another secure connection setting applies. For example, you can set email routing to send outbound messages through a secure connection, or you can set an alternate secure route for outbound messages.

  7. Create a list of the specific domains or email addresses that require TLS for secure transport.

    Note: You must create a domain or address list to enforce TLS compliance for any inbound or outbound messages.

    1. Click Use existing or create a new one.
    2. Enter a new list name, and click Create.
    3. Move your pointer over the list name, and click Edit.
    4. Click Add.
    5. Enter comma- or space-delimited email addresses or domain names.
    6. Click Save.

    Note: When you enter addresses or domain names for inbound messages, Gmail checks them against the From: part of the inbound message header, not the envelope sender (or Return-Path section of the message header). Therefore, to require TLS compliance for inbound messages, the From: sender must exactly match an address or domain you enter.

  8. (Optional) Check the Require CA signed cert when delivering outbound to the above-specified TLS-enabled domains box.

    If you check this box, the client SMTP server must present a valid CA signed certificate for messages that match the conditions you set in steps 6 and 7. The cert requirement is enforced only for messages that match these conditions. For example, if you select Outbound - messages requiring Secure Transport via another setting in step 6, only outgoing messages sent through a smart host or alternate secure route will require a CA signed cert. Messages sent through any other route are delivered without requiring a CA signed cert.

  9. Click Add Setting or Save.
  10. At the bottom of the Gmail Advanced settings page, click Save.

It can take up to an hour for your changes to take effect. You can track changes in the Admin console audit log.
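
The note in step 7 says inbound matching uses the From: header, not the envelope sender. The following added example (not Google's code) models that on constructed messages, so you can check which header of a partner's mail your list entries would actually match; the exact, case-insensitive comparison and every address and function name in it are assumptions for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: list text as entered in step 7 (comma or space delimited).
TLS_LIST_TEXT = "partner.example, billing@vendor.example"

# Constructed messages: From: and Return-Path deliberately disagree.
SENT_VIA_BULK_SERVICE = ("Return-Path: <bounce-123@mailer.example>\n"
                         "From: Accounts <accounts@partner.example>\n\nbody\n")
ENVELOPE_ONLY = ("Return-Path: <billing@vendor.example>\n"
                 "From: Billing <billing@mail.vendor.example>\n\nbody\n")


def parse_tls_list(text):
    """Split a comma- or space-delimited list into lowercase entries."""
    return {entry.lower() for entry in text.replace(",", " ").split()}


def header_address(raw_message, header):
    """Return the lowercase address from one header, or '' if it is absent."""
    msg = message_from_string(raw_message)
    return parseaddr(msg.get(header, ""))[1].lower()


def matches(address, entries):
    """Exact match on the full address or on its domain (assumed semantics)."""
    if "@" not in address:
        return False
    return address in entries or address.rsplit("@", 1)[1] in entries


def audit(raw_message, entries):
    """Show what the From: header matches next to what the envelope would."""
    from_addr = header_address(raw_message, "From")
    env_addr = header_address(raw_message, "Return-Path")
    return {
        "from": from_addr,
        "return_path": env_addr,
        "tls_required": matches(from_addr, entries),  # header the setting checks
        "envelope_would_match": matches(env_addr, entries),  # not consulted
    }


if __name__ == "__main__":
    entries = parse_tls_list(TLS_LIST_TEXT)
    for raw in (SENT_VIA_BULK_SERVICE, ENVELOPE_ONLY):
        print(audit(raw, entries))
```

The second message shows the gap to look for: the listed address appears only in Return-Path, so under the From: rule the TLS requirement would not apply to it.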
