Require a secure connection for email

Set up TLS for specific email addresses and domains

Transport Layer Security (TLS) is a security protocol that encrypts email for privacy. TLS prevents unauthorized access of your email when it's in transit over internet connections.

By default, Gmail always tries to use a secure TLS connection when sending email. However, a secure TLS connection requires that both the sender and recipient use TLS. If the receiving server doesn't use TLS, Gmail still delivers messages, but the connection isn't secure. Add the Secure transport (TLS) compliance setting to always use TLS for email sent to and from domains and addresses that you specify.

When composing a new Gmail message, a padlock image next to the recipient address means that the message will be sent with TLS. The padlock shows only for accounts with a Google Workspace subscription that supports S/MIME encryption.

Google Workspace supports TLS versions 1.0, 1.1, 1.2, and 1.3.

Before you begin

Verify supported TLS versions for standards used in your organization

Before setting up TLS in your Google admin console, verify the TLS versions supported by any compliance, security, or other standards used in your organization. Not all standards support the TLS versions that Google Workspace supports.
If the standards used in your organization require specific TLS versions, the Secure transport (TLS) compliance setting lets you select options that support those versions.
Understand what happens to messages sent to or from servers that don't use TLS

Your Secure transports (TLS) compliance setting affects messages sent over non-TLS connections, for addresses and domains that you specify in the setting.

Outgoing messages Messages aren't delivered, and will bounce. You'll get a non-delivery report. Gmail makes only one attempt to send messages over a non-TLS connection.
Incoming messages Incoming messages from non-TLS connections are rejected without any notification to you. The sender gets a non-delivery report.

Set up TLS compliance

Set up TLS in your Google admin console:

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu ""and then"" Appsand thenGoogle Workspaceand thenGmailand thenCompliance.
  3. On the left, select an organizational unit.
  4. Point to Secure transport (TLS) compliance and click Configure. To add more TLS settings, click Add Another.
  5. In the Add setting box, enter a name for the setting and take these steps:
     
    Setting What to do
    1. Email messages to affect

    Select InboundOutbound, or both. You must use an address list to enforce TLS for inbound and outbound messages. You'll set the address list in the next step.

    For address list matching, Gmail uses the From: sender for inbound messages and the recipients for outbound messages. For inbound messages, the From: sender must exactly match an address or domain in the setting. Authentication requirements are checked for outgoing messages.

    Select Outbound - messages requiring Secure Transport via another setting for outbound messages that have other secure connection settings. For example, you can set email routing to send outbound messages through a secure connection, or you can set an alternate secure route for outbound messages.

    2. Use TLS for secure transport when corresponding with these domains / email addresses.

    To select an existing address list that has the domains or email addresses that require TLS connections:

    1. Click Use existing list. The Select address list box opens.
    2. Select one or more address lists to use with the TLS setting.
    3. Click the X in the upper left to close the Select address list box.

    To create a new address list with the domains or email addresses that require TLS connections:

    1. Click Create or edit list. The Manage address lists page opens in a new tab. 
    2. On the Manage address lists page, click Add address list. The Add address list box opens.
    3. In the Name field, enter a unique name for the address list.
    4. To add addresses or domains to the new address list, click Bulk add addresses or Add address.
    5. Enter email addresses or domain names. Separate entries with a space or comma.
    6. Click Save, then return to the Compliance tab to finish setting up TLS.

    To learn more about creating and using address lists, visit Apply Gmail settings to specific senders or domains.

    3. Options

    Select setting options:

    Require CA signed certificate (Recommended)—Requires the client SMTP server to present a certificate signed by a trusted Certificate Authority.

    Validate certificate hostname (Recommended)—Verifies that the receiving hostname matches the certificate presented by the SMTP server.

    Test TLS connection (Optional) Click Test TLS connection to verify the connection to the receiving mail server.
  6. At the bottom of the Add setting box, click Save. The new setting appears in the Secure Transport (TLS) compliance settings table.

It can take up to 24 hours for your changes to take effect. You can monitor changes in the Admin console audit log.

Troubleshoot TLS errors

If you get an error when setting up TLS, follow the recommendations in this section.

“Could not validate certificate” error

When you click Test TLS connection, you might get an error that says “Could not validate certificate…” If you get this error, you can save the new mail route but messages sent from your organization will bounce. 

To fix the error, try one or more of these solutions:

  • If your mail server has more than one host name, make sure you’re using the host name that’s on the server’s certificate.
  • If you have access to the mail server on the route, install a new certificate from a trusted Certificate Authority. Verify the new certificate has the correct host name.
  • If you use a third-party mail relay service, contact the service provider about this error.
  • Turn off one or more of these options:
    • Require mail to be transmitted over a secure transport (TLS) connection
    • Require CA signed certificate
    • Validate certificate hostname

      Important: We recommend keeping these options turned on whenever possible so the connection can be verified.

Was this helpful?
How can we improve it?

Need more help?

Sign in for additional support options to quickly solve your issue

Search
Clear search
Close search
Google apps
Main menu
Search Help Center
true
73010
false
false