Send email over a secure TLS connection

Transport Layer Security (TLS) is a protocol that encrypts email messages for security and privacy. TLS prevents unauthorized access of messages when they're sent over internet connections.

By default, Gmail always tries to send messages over a secure TLS connection. A secure, end-to-end TLS connection requires that both the sending and receiving server use TLS. If the receiving server doesn't use TLS, Gmail still sends messages with TLS but the connection isn't secure.

To use TLS for messages sent to and from domains and addresses that you specify, use the Secure transport (TLS) compliance setting. This setting includes options to require a CA-signed certificate, verify the hostname associated with the certificate, and test the TLS connection.

When composing a new message in Gmail, a padlock image next to the recipient address means the message will be sent with TLS. The padlock shows only for accounts with a Google Workspace subscription that supports S/MIME encryption.

Google Workspace supports TLS versions 1.0, 1.1, 1.2, and 1.3.

Before you begin

Verify supported TLS versions for standards used in your organization

Before setting up TLS in your Google admin console, verify the TLS versions supported by any compliance, security, or other standards used in your organization. Not all standards support the TLS versions that Google Workspace supports.
If the standards used in your organization require TLS, enable it with the Secure transport (TLS) compliance setting.
Messages sent to or from servers that don't use TLS

The Secure transports (TLS) compliance setting affects delivery of messages sent over non-TLS connections, for the addresses and domains specified in the setting.

Outgoing messages Messages aren't delivered, and will bounce. You'll get a non-delivery report. Gmail makes only one attempt to send messages over a non-TLS connection.
Incoming messages Incoming messages from non-TLS connections are rejected. You aren't notified. The sender gets a non-delivery report.

Add a TLS compliance setting

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in

  2. In the Admin console, go to Menu and then Appsand thenGoogle Workspaceand thenGmailand thenCompliance.
  3. On the left, select an organizational unit.
  4. Point to Secure transport (TLS) compliance and click Configure. To add more TLS settings, click Add Another.
  5. In the Add setting box, enter a name for the setting and take these steps:
    Setting What to do
    1. Email messages to affect

    Select InboundOutbound, or both. You must use an address list to enforce TLS for inbound and outbound messages. You'll set the address list in the next step.

    For address list matching, Gmail uses the From: sender for inbound messages and the recipients for outbound messages. For inbound messages, the From: sender must exactly match an address or domain in the setting. Authentication requirements are checked for outgoing messages.

    Select Outbound - messages requiring Secure Transport via another setting for outbound messages that have other secure connection settings. For example, you can set email routing to send outbound messages through a secure connection, or you can set an alternate secure route for outbound messages.

    2. Use TLS for secure transport when corresponding with these domains / email addresses.

    To select an existing address list that has the domains or email addresses that require TLS connections:

    1. Click Use existing list. The Select address list box opens.
    2. Select one or more address lists to use with the TLS setting.
    3. Click the X in the upper left to close the Select address list box.

    To create a new address list with the domains or email addresses that require TLS connections:

    1. Click Create or edit list. The Manage address lists page opens in a new tab. 
    2. On the Manage address lists page, click Add address list. The Add address list box opens.
    3. In the Name field, enter a unique name for the address list.
    4. To add addresses or domains to the new address list, click Bulk add addresses or Add address.
    5. Enter email addresses or domain names. Separate entries with a space or comma.
    6. Click Save, then return to the Compliance tab to finish setting up TLS.

    To learn more about creating and using address lists, visit Apply Gmail settings to specific senders or domains.

    3. Options

    Select setting options:

    Require CA signed certificate (Recommended)—Requires the client SMTP server to present a certificate signed by a trusted Certificate Authority.

    Validate certificate hostname (Recommended)—Verifies that the receiving hostname matches the certificate presented by the SMTP server.

    Test TLS connection (Optional) Click Test TLS connection to verify the connection to the receiving mail server.
  6. At the bottom of the Add setting box, click Save. The new setting appears in the Secure Transport (TLS) compliance settings table.

Changes can take up to 24 hours but typically happen more quickly. Learn more

You can monitor changes in the Admin console audit log.

Troubleshoot TLS errors

If you get an error when setting up TLS, follow the recommendations in this section.

If you click Test TLS connection and get a certificate validation error, messages sent from your organization will bounce, even though you could save the new mail route. 

To fix the error, try one or more of these solutions:

  • If your mail server has more than one host name, make sure you’re using the host name that’s on the server’s certificate.
  • If you have access to the mail server on the route, install a new certificate from a trusted Certificate Authority. Verify the new certificate has the correct host name.
  • If you use a third-party mail relay service, contact the service provider about this error.
  • Uncheck the box for one or more of these options:
    • Require mail to be transmitted over a secure transport (TLS) connection
    • Require CA signed certificate
    • Validate certificate hostname

    Important: We recommend keeping these options turned on whenever possible so the connection can be verified.

Was this helpful?

How can we improve it?
Clear search
Close search
Google apps
Main menu