Require mail to be transmitted via a secure (TLS) connection

Transport Layer Security (TLS) is a security protocol that encrypts email in transit to protect its privacy. TLS is the successor to Secure Sockets Layer (SSL). Gmail uses TLS by default, but when a secure connection isn't available (both the sending and the receiving mail server need to support TLS to create a secure connection), Gmail delivers messages over non-secure connections.

However, you can configure your TLS setting to require a secure connection for email to (or from) specific domains or email addresses that you list.

What happens to email to (or from) domains that don't use TLS?

Outgoing mail: Mail won't be delivered and will bounce. You'll get a non-delivery report (NDR). Only one send attempt is made (no retries).

Incoming mail: Mail is rejected without any notification to you, although the sender will receive an NDR.

Set up TLS compliance

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Apps > G Suite > Gmail > Advanced settings.

    Tip: To see Advanced settings, scroll to the bottom of the Gmail page.

  3. On the left, select an organization.
  4. In the Compliance section, hover over Secure transport (TLS) compliance and click Configure. If the setting is already configured, hover over the setting and click Edit or Add Another.
  5. For a new setting, enter a description.
  6. Choose inbound and/or outbound messages.

    Choose Outbound - messages requiring Secure Transport via another setting for outbound messages to which another secure connection setting already applies. For example, you can set email routing to send outbound messages through a secure connection, or you can set an alternate secure route for outbound messages.

  7. Create a list of the specific domains or email addresses that require TLS for secure transport.

    Note: You must create a domain or address list to enforce TLS compliance for any inbound or outbound messages.

    1. Click Use existing or create a new one.
    2. Enter a new list name, and click Create.

      Tip: To use an existing list as your approved sender list, click the list name.

    3. Move your pointer over the list name, and click Edit.
    4. Click Add.
    5. Enter email addresses or domain names, using a space or a comma to separate multiple entries.

    6. Click Save.

    Note: To determine whether the address list is matched, G Suite considers the "From:" sender for received mail and the recipients for sent mail. For senders, the authentication requirement is also checked. Therefore, to require TLS compliance for inbound messages, the "From:" sender must exactly match an address or domain that you enter.

    Learn more about address lists, including how to search or view all entries in a list, and how addresses are matched against address lists.

  8. (Optional) Check the Require CA signed cert when delivering outbound to the above-specified TLS-enabled domains box.

    If you check this box, the client SMTP server must present a valid CA signed certificate for messages that match the conditions you set in steps 6 and 7. The cert requirement is enforced only for messages that match these conditions. For example, if you select Outbound - messages requiring Secure Transport via another setting in step 6, only outgoing messages sent through a smart host or alternate secure route will require a CA signed cert. Messages sent through any other route are delivered without requiring a CA signed cert.

  9. Click Add Setting or Save.
  10. At the bottom of the Gmail Advanced settings page, click Save.

It can take up to an hour for your changes to take effect. You can track changes in the Admin console audit log.
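Because outbound mail to a listed domain bounces after a single attempt when no secure connection can be made, and because the "From:" sender must match a list entry exactly, it helps to check both before saving the setting. The following Python script is an added example; it is not part of this help article and not Google's own tooling. It models the list entries as described above (addresses and domains, separated by spaces or commas, matched exactly against the sender address), and it probes a mail host with STARTTLS while verifying the certificate against the system CA store, which approximates the "Require CA signed cert" condition. The assumption that subdomains are not matched, and the host names and addresses used, are constructed for this example.

```python
"""Pre-flight checks for a Gmail TLS compliance list (added example, not
from the help article). Two parts:

1. parse_address_list / sender_matches_list model how entries in the domain
   or address list are written and how a "From:" sender is matched to them.
   Matching here is exact on the full address or on the bare domain; treating
   subdomains as non-matching is an assumption of this example.
2. probe_starttls connects to a mail host, issues STARTTLS and verifies the
   presented certificate chain and host name against the system CA store.
   Use it on a partner's MX hosts before making TLS mandatory for them.
"""
import re
import smtplib
import ssl
from email.utils import parseaddr


def parse_address_list(raw: str) -> tuple[set[str], set[str]]:
    """Split a space- or comma-separated list into (addresses, domains).

    Anything containing '@' is an email address; everything else is a domain.
    Entries are lower-cased so matching is case-insensitive.
    """
    addresses: set[str] = set()
    domains: set[str] = set()
    for entry in re.split(r"[\s,]+", raw.strip()):
        if not entry:
            continue
        entry = entry.lower()
        (addresses if "@" in entry else domains).add(entry)
    return addresses, domains


def sender_matches_list(from_header: str, addresses: set[str], domains: set[str]) -> bool:
    """Return True if the "From:" sender matches a listed address or domain.

    Accepts a full header value such as 'Alice <alice@example.com>' and
    compares only the address part, exactly, after lower-casing.
    """
    _, addr = parseaddr(from_header)
    addr = addr.strip().lower()
    if "@" not in addr:
        return False
    domain = addr.rpartition("@")[2]
    return addr in addresses or domain in domains


def probe_starttls(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Check that a mail host offers STARTTLS with a CA-signed certificate.

    The default SSL context verifies the chain against the system CA store and
    checks the host name, so a self-signed or mismatched certificate shows up
    as cert_verified=False with the SSL error recorded. Requires network access.
    """
    result = {"host": host, "starttls": False, "cert_verified": False,
              "tls_version": None, "error": None}
    ctx = ssl.create_default_context()
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            if not smtp.has_extn("starttls"):
                result["error"] = "server does not advertise STARTTLS"
                return result
            result["starttls"] = True
            smtp.starttls(context=ctx)      # raises ssl.SSLError on bad cert
            result["cert_verified"] = True
            result["tls_version"] = smtp.sock.version()
    except (ssl.SSLError, smtplib.SMTPException, OSError) as exc:
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result


if __name__ == "__main__":
    # Constructed sample list, in the same form you would type into the console.
    addresses, domains = parse_address_list(
        "partner.example, alice@vendor.example bob@vendor.example")
    for hdr in ("Alice <Alice@Vendor.example>", "carol@vendor.example",
                "anyone@partner.example", "x@mail.partner.example"):
        print(f"{hdr:35} matches={sender_matches_list(hdr, addresses, domains)}")
    # Constructed host name; replace with the partner domain's real MX host.
    print(probe_starttls("mx.partner.example"))
```

Run the probe against each MX host of a domain before adding it to the list: a host that does not advertise STARTTLS, or that fails certificate verification, is one whose mail would bounce once the setting is enforced.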
