Require mail to be transmitted via a secure (TLS) connection

Transport Layer Security (TLS) is a security protocol that encrypts email to protect its privacy. TLS is the successor to Secure Sockets Layer (SSL). Gmail always uses TLS by default.

Google Workspace supports TLS versions 1.0, 1.1, 1.2, and 1.3.

Note: When composing a message, users who have an S/MIME-compatible subscription will see a gray padlock icon to the right of the recipient's address (as a sign of TLS encryption). 

To create a secure connection, both the sender and recipient must use TLS. When a secure connection can't be created, Gmail delivers messages over non-secure connections. However, you can add TLS settings that require a secure connection for email to and from specific domains or email addresses.

Important: We recommend you turn on TLS settings that require Gmail to always use secure connections for sending and receiving email from specific domains and email addresses.

What happens to email delivered to or from domains that don't use TLS?
Outgoing mail Mail won't be delivered and will bounce. You'll get a non-delivery report (NDR). Only one send attempt is made (no tries again).
Incoming mail Mail is rejected without any notification to you, although the sender will receive an NDR.

Set up TLS compliance

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in

  2. From the Admin console Home page, go to Appsand thenGoogle Workspaceand thenGmailand thenCompliance.

    Note: You might find this setting at Appsand thenGoogle Workspaceand thenGmailand thenAdvanced Settings.

  3. On the left, select an organization.
  4. In the Compliance section, point to Secure transport (TLS) compliance and click Configure. If the setting is already configured, point to the setting and click Edit or Add Another.
  5. For a new setting, enter a description.
  6. Choose inbound or outbound messages.

    Choose Outbound - messages requiring Secure Transport via another setting for outbound messages to which another secure connection setting applies. For example, you can set email routing to send outbound messages through a secure connection, or you can set an alternate secure route for outbound messages. You must create a domain or address list to enforce TLS compliance for any inbound or outbound messages.

  7. Create a list of the specific domains or email addresses that require TLS for secure transport.

    Note: Create a domain or address list to enforce TLS compliance for any inbound or outbound messages.

    Note: To determine if the address list is matched, Gmail considers the "from" sender for received mail and the recipients for sent mail. For senders, the authentication requirement is also checked. Therefore, to require TLS compliance for inbound messages, the "From:" sender must exactly match an address or domain you enter.

    Learn more about address lists, including how to search, or view all entries in the list, and how addresses are matched against the address lists.

    1. Click Use existing or create a new one.
    2. Enter a new list name, and click Create.

      Tip: To use an existing list as your approved sender list, click the list name.

    3. Move your pointer over the list name, and click Edit.
    4. Click Add "" .
    5. Enter email addresses or domain names, using a space or a comma to separate multiple entries.

    6. Click Save.

  8. We recommend you turn on these options for the conditions set in Steps 6 and 7:
    • Perform MX lookup on host—Deliver to MX hosts associated with the specified domain name.
    • Require mail to be transmitted over a secure transport (TLS) connection (Recommended)—Encrypt messages between sending mail servers and receiving mail servers with Transport Layer Security (TLS).
    • Require CA signed certificate (Recommended)—The client SMTP server must present a certificate signed by a Certificate Authority that is trusted by Google.
    • Validate certificate hostname (Recommended)—Verify the receiving hostname matches the certificate presented by the SMTP server.
  9. Click Test TLS connection to verify the connection to the receiving mail server.
  10. Click Add Setting or Save.
  11. At the bottom of the Gmail Compliance settings page, click Save.

It can take up to 24 hours for your changes to take effect. You can track changes in the Admin console audit log.

If you get a “Could not validate certificate” error

When you click Test TLS connection, you might get an error that says “Could not validate certificate…” If you get this error, you can save the new mail route but messages sent from your organization will bounce. 

To fix the error, try one or more of these solutions:

  • If your mail server has more than one host name, make sure you’re using the host name that’s on the server’s certificate.
  • If you have access to the mail server on the route, install a new certificate from a trusted Certificate Authority. Verify the new certificate has the correct host name.
  • If you use a third-party mail relay service, contact the service provider about this error.
  • Turn off one or more of these options:
    • Require mail to be transmitted over a secure transport (TLS) connection
    • Require CA signed certificate
    • Validate certificate hostname

      Important: We recommend keeping these options turned on whenever possible so the connection can be verified.

Was this helpful?
How can we improve it?

Need more help?

Sign in for additional support options to quickly solve your issue