Transport Layer Security (TLS) is a security protocol that encrypts email for privacy. TLS prevents unauthorized access of email when it's in transit over internet connections.
By default, Gmail always tries to use TLS when sending email. However, a secure TLS connection requires that both the sender and recipient use TLS. If the receiving server doesn't use TLS, Gmail still delivers messages, but the connection isn't secure. We recommend you add the Secure transport (TLS) compliance setting so that Gmail always uses a secure connection for email sent to and from specified domains and email addresses.
When composing a new Gmail message, a padlock image next to the recipient address means the message will be sent with TLS. The padlock shows only for accounts with a Google Workspace subscription that supports S/MIME encryption.
Google Workspace supports TLS versions 1.0, 1.1, 1.2, and 1.3.Email sent to or from servers that don't use TLS
The Secure transports (TLS) compliance setting affects messages sent over non-TLS connections, for addresses and domains specified in the setting:
|Outgoing messages||Messages aren't delivered, and will bounce. You'll get a non-delivery report. Gmail makes only one attempt to send messages over a non-TLS connection.|
|Incoming messages||Incoming messages from non-TLS connections are rejected without any notification to you. The sender gets a non-delivery report.|
Set up TLS compliance
From the Admin console Home page, go to AppsGoogle WorkspaceGmailCompliance.
- On the left, select an organizational unit.
- Point to Secure transport (TLS) compliance and click Configure. To add more TLS settings, click Add Another.
- For new settings, enter a description.
- Choose inbound or outbound messages. You must use an address list to enforce TLS for inbound and outbound messages.
Choose Outbound - messages requiring Secure Transport via another setting for outbound messages that have other secure connection settings. For example, you can set email routing to send outbound messages through a secure connection, or you can set an alternate secure route for outbound messages.
- Create an address list of the domains or email addresses that require TLS. Learn more about creating and using address lists in Apply Gmail settings to specific senders or domains:
- Click Use existing or create a new one.
- Enter a new list name, and click Create. To use an existing list as your approved sender list, click the list name
- Move your pointer over the list name, and click Edit.
- Click Add .
- Enter email addresses or domain names. Separate multiple entries with a space or comma.
- Click Save.
Note: For address list matching, Gmail uses the From: sender for inbound messages and the recipients for outbound messages. For inbound messages, the From: sender must exactly match an address or domain in the setting. Authentication requirements are checked for outgoing messages.
- We recommend you turn on these options for the options you selected in Steps 6 and 7:
- Perform MX lookup on host—Deliver to MX hosts associated with the specified domain name.
- Require mail to be transmitted over a secure transport (TLS) connection (Recommended)—Encrypt messages with TLS between sending and receiving mail servers.
- Require CA signed certificate (Recommended)—The client SMTP server must present a certificate signed by a trusted Certificate Authority.
- Validate certificate hostname (Recommended)—Verify the receiving hostname matches the certificate presented by the SMTP server.
- Click Test TLS connection to verify the connection to the receiving mail server.
- Click Add Setting or Save.
- At the bottom of the Compliance page, click Save.
It can take up to 24 hours for your changes to take effect. You can monitor changes in the Admin console audit log.
When you click Test TLS connection, you might get an error that says “Could not validate certificate…” If you get this error, you can save the new mail route but messages sent from your organization will bounce.
To fix the error, try one or more of these solutions:
- If your mail server has more than one host name, make sure you’re using the host name that’s on the server’s certificate.
- If you have access to the mail server on the route, install a new certificate from a trusted Certificate Authority. Verify the new certificate has the correct host name.
- If you use a third-party mail relay service, contact the service provider about this error.
- Turn off one or more of these options:
- Require mail to be transmitted over a secure transport (TLS) connection
- Require CA signed certificate
- Validate certificate hostname
Important: We recommend keeping these options turned on whenever possible so the connection can be verified.