Add mail routes for advanced Gmail delivery

Generally, Gmail messages are set up for direct delivery. Direct delivery sends all email messages for users in a domain to their Gmail inbox. The basic setup instructions for your domain describe how to set up direct delivery.

However, you might need to set up other delivery options. For example, you might want to route mail for Microsoft Exchange users. To do this, first add a route for each on-premise server, then create routing settings that use these routes for given domains or users.

These settings can be set up on a per-organization unit basis.

For more mail routing use cases and examples, see Email routing and delivery.

Add a mail route for a domain

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in

  2. In the Admin console, go to Menu ""and then"" Appsand thenGoogle Workspaceand thenGmailand thenHosts.
  3. Click Add Route.
  4. Enter a route name. Use a name that helps you remember the route.
  5. Specify any email servers for the route.
  6. If you select Single host, enter the route's host name (recommended) or IP address. Enter the port number: 25, 587, or a number from 1024 to 65535. Port 465 is not allowed or supported for single host.
  7. If you select Multiple hosts, specify multiple primary and secondary hosts for load balancing and failover purposes.

    To add more hosts, click Add, then enter each host's host name, port number, and load percentage. The load percentage must add up to 100% in each category (primary and secondary). For example, if you have two primary hosts, enter 50 for each.

  8. Select any options you want to turn on for the route. The Recommended options are turned on by default for new routes:
    • Perform MX lookup on host—Deliver to MX hosts associated with the specified domain name.

    • Require mail to be transmitted over a secure transport (TLS) connection (Recommended)—Encrypt messages between sending mail servers and receiving mail servers with Transport Layer Security (TLS).

    • Require CA signed certificate (Recommended)—The client SMTP server must present a certificate signed by a Certificate Authority that is trusted by Google.

    • Validate certificate hostname (Recommended)—Verify the receiving hostname matches the certificate presented by the SMTP server.

  9. Click Test TLS connection to verify the connection to the receiving mail server.

  10. At the bottom, click Save.

It can take up to 24 hours for changes to propagate through the system. You can track changes in the Admin console audit log.

“Could not validate certificate” error

When you click Test TLS connection, you might get an error that says “Could not validate certificate…” If you get this error, you can save the new mail route but messages sent from your organization will bounce. 

To fix the error, try one or more of these solutions:

  • If your mail server has more than one host name, make sure you’re using the host name that’s on the server’s certificate.
  • If you have access to the mail server on the route, install a new certificate from a trusted Certificate Authority. Verify the new certificate has the correct host name.
  • If you use a third-party mail relay service, contact the service provider about this error.
  • Turn off one or more of these options:
    • Require mail to be transmitted over a secure transport (TLS) connection
    • Require CA signed certificate
    • Validate certificate hostname

      Important: We recommend keeping these options turned on whenever possible so the connection can be verified.

Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.

Was this helpful?
How can we improve it?

Need more help?

Sign in for additional support options to quickly solve your issue

Clear search
Close search
Google apps
Main menu
Search Help Center