Mail routing and delivery: Guidelines and best practices

Mail routing and delivery options are accessible from multiple locations on the Gmail settings page -- including Advanced Settings, the Hosts tab, and the Default routing tab. Use these options to control mail routing and delivery for different organizational units, or to set up default routing options for your domain.

Note: Default routing controls are available only for Google Apps for Business and Google Apps for Education customers.

Users of legacy routing controls for outbound gateways and outbound BCCs should avoid any similar settings that are described on this page to avoid conflicting and unpredictable behavior. These conflicts are currently being addressed. This warning will be removed when they are resolved. (See the note at the bottom of this page for more details about legacy routing settings.)

About mail routing

By default, Google Apps mail servers deliver incoming mail to the Gmail inbox of the recipient. If a message is addressed to a user in your domain that is not registered in Google Apps, the mail server discards the message. This configuration is referred to as direct delivery (see Understand MX records for instructions on configuring Gmail for direct delivery).

However, your situation may call for delivery options that are more advanced. You can manage your mail routing options to change the default routing behavior in the following ways:

  • Split delivery - If you have unregistered Google Apps users, you can route those users to an on-premise mail server. You can also set up split delivery for registered users in different organizational units.
  • Dual delivery / multiple delivery - Route messages to both a primary mail server and at least one additional, or secondary, mail server.
  • Smart hosting - Route outbound mail to an outbound mail gateway, which then delivers messages to the recipients.
  • Content routing or attachment routing - Define mail routes based on message content or attachment type.
  • TLS compliance routing - Require an encrypted connection when corresponding with specific domains or recipients.
Note: Before you begin, you must first use the Hosts tab to set up mail routes. For instructions and guidelines on managing your mail routing and delivery settings, follow the instructions in the sections below.
Getting started: Use the Hosts tab to set up mail routes

Before you begin setting up your mail routing and delivery settings, you need to create a list of mail hosts, or routes. Click the Hosts tab from the Gmail settings page to create these routes. You can later choose from this list as you configure your routing and delivery settings.

For more details on setting up routes, see Add mail routes with the hosts tab.

Routing examples and use cases

Several mail routing and delivery scenarios are listed below. If a use case applies to you, click the link for detailed instructions.

Default routing - Use split delivery to route unregistered Google Apps users to an on-premise mail server

If you are migrating from a legacy mail server to Gmail, you can test your Google Apps configuration with a subset of users before registering all of your users. During this time, the MX records for your domain are pointing to Gmail; but a portion of your users are unregistered with Google Apps and will continue using the on-premise mail server (for example, Microsoft Exchange).

To configure such a phased roll-out of Google Apps using split delivery, configure your mail routing and delivery options as follows:

  • For registered Google Apps pilot users, deliver inbound mail to the Gmail inbox.
  • For users who are not yet registered with Google Apps, deliver inbound mail to the legacy email inbox.

An incoming message is then delivered to either a Gmail inbox or a legacy system inbox, depending on the recipient.

To set up split delivery as described above, use the Default routing setting in the Admin console. Note that Default routing defines domain-wide mail routing settings, and applies only to inbound messages.

To route unregistered Google Apps users to an on-premise mail server:

  1. Sign in to the Google Admin console.
  2. Click Google Apps > Gmail > Advanced settings.
  3. If you have not done so already, add a host, or route, for your on-premise server (see Setting up mail hosts).
  4. Click Default routing.
  5. Click Add setting.
  6. Go to the following section: Specify envelope recipients to match

    From the drop-down menu, click All recipients.
     
  7. Go to the following section: If the envelope recipient matches the above, do the following

    From the drop-down menu, click Modify message.
  8. Highlight the Change route check box. From the drop-down list, click the name for your on-premise server (for example, Exchange on-premise).
  9. In the Options section, click Perform this action only on non-recognized addresses.
  10. Click Save.
For more details and instructions, see Default routing setting.
Receiving routing - Use split delivery to route mail based on organizational unit

Use the Receiving routing setting to set up split delivery so that mail is routed to different mail hosts depending on the recipient's organizational unit -- for example:

  • You can set up an organizational unit named Exchange Users, and then route inbound mail for these users to the Exchange mail host.
  • You can set up an organizational unit named Google Apps Users and use the default routing configuration (direct delivery to the user's Gmail inbox).

This configuration is useful if some of your registered users (for example, contractors and human resources personnel) will continue to use Exchange indefinitely, while users in other organizational units (for example, the IT and Engineering teams) are using Gmail only.

To use split delivery to route mail based on organizational unit:

  1. Sign in to the Google Admin console.
  2. Click Google Apps > Gmail > Advanced settings.
  3. If you have not done so already, add a host, or route, for your on-premise server (see Setting up mail hosts).
  4. In the Organizations section near the top of the page, highlight the organizational unit for which you want to configure settings (see Configure email settings for an organizational unit for more details).
  5. Scroll down to the Receiving routing section:
    • If the setting's status is Not configured yet, click the Configure button near the right edge of the window (the Add setting dialog box opens).
    • If the setting's status is Locally applied or Inherited, click Edit to edit an existing setting (the Edit setting dialog box appears), or click Add another to add a new setting (the Add setting dialog box appears).
       
  6. Highlight the Change route check box.
  7. To change your primary delivery for the organizational unit, select a route from the drop-down menu -- for example, MS Exchange server.
  8. When you are finished making changes, click Add setting or Save to close the dialog box.

    Note: Any settings you add will be highlighted on the Gmail settings page.
     
  9. Click Save changes at the bottom of the Gmail settings page.

For more details and instructions, see Receiving routing setting.

Default routing - Set up a catch-all address

Use Default routing for your domain to set up a catch-all address. You designate an existing user account as a catch-all address to receive messages that are addressed to non-existent users in your domain. It captures mail for previously deleted users or when the sender has misspelled the user's name (the part to the left of @).

Note: Spam addressed to unregistered users will be placed in the Spam folder of the catch-all user, so designate a catch-all address only when you really need it. Spammers often try to guess email addresses in your domain; when they guess incorrectly, the spam is delivered to the catch-all address. The volume of incoming messages may well exceed the Gmail receiving limits, resulting in the account becoming locked or in legitimate messages being deferred, delayed, or bounced.

To set up a catch-all address:

  1. Sign in to the Google Admin console.
  2. Click Google Apps > Gmail > Advanced settings.
  3. Click Default routing.
  4. Click Add setting.
  5. Go to the following section: Specify envelope recipients to match

    From the drop-down menu, click Single recipient.
     
  6. Go to the following section: If the envelope recipient matches the above, do the following

    From the drop-down menu, click Modify message.
  7. Highlight the Change envelope recipient check box.
  8. To specify the catch-all address, enter a registered user (the part to the left of @) in the empty field adjacent to @existing-domain. -- for example, enter the following:

    jsmith-registered-user
     
  9. In the Options section, click Perform this action only on non-recognized addresses.
  10. Click Save.
Note: Default routing defines domain-wide mail routing settings, and applies only to inbound messages. For more details and instructions, see Default routing setting.
Receiving routing - Use dual delivery to deliver mail to both Gmail and an external server

The Receiving routing setting enables you to set up routing options by organizational unit for inbound or internal-receiving mail traffic.

With dual delivery, users receive their mail messages in two inboxes. For example, they can receive mail in both their legacy inbox (for example, Microsoft Exchange or an archiving server) and their Google Apps inbox. Incoming mail is delivered to a primary delivery, which processes and delivers each message, and a copy is also forwarded to a secondary delivery which delivers it to the second inbox.

When you set up dual delivery to route mail to both Gmail and an external archiving server, leave the primary delivery (the Gmail mail host) unchanged. Then specify a secondary delivery so that mail is delivered to both the primary server (Gmail) and to the secondary server (the external server).

Note: If you want to apply this setting to your entire domain, you can configure it at the root org level.

To use dual delivery to route mail to both Gmail and an external server:

  1. Sign in to the Google Admin console.
  2. Click Google Apps > Gmail > Advanced settings.
  3. If you have not done so already, add a host, or route, that you need for dual delivery (see Setting up mail hosts).
  4. In the Organizations section near the top of the page, highlight the organizational unit for which you want to configure the setting (see Configure email settings for an organizational unit for more details).
  5. Scroll down to the Receiving routing section:
    • If the setting's status is Not configured yet, click the Configure button near the right edge of the window (the Add setting dialog box opens).
    • If the setting's status is Locally applied or Inherited, click Edit to edit an existing setting (the Edit setting dialog box appears), or click Add another to add a new setting (the Add setting dialog box appears).
       
  6. Click Add more recipients to add a secondary mail route.
  7. Click Add.
  8. In the Recipients section, choose Advanced from the Basic/Advanced drop-down menu.
  9. In the Advanced settings section (under Recipients), click Change route.
  10. From the drop-down menu, select a route -- for example, Archiving Server.
  11. When you are finished making changes, click Add setting or Save to close the dialog box.

    Note: Any settings you add will be highlighted on the Gmail settings page.
     
  12. Click Save changes at the bottom of the Gmail settings page.
Note: When setting up dual delivery, you will see two Change route check boxes. The first box is for the primary delivery, while the second box is for the secondary delivery. Leave the first box unchecked (closer to the top of the Receiving routing setting) to keep Gmail as the primary delivery.

For more instructions and details, see Receiving routing setting.

Sending routing - Set up a smarthost (outbound mail gateway)

An outbound mail gateway is a server through which all mail passes that is sent from your domain. The gateway typically processes the mail in some way — such as archiving it or filtering out spam — before delivering the mail.

When you use an outbound mail gateway, the Google Apps mail servers pass all outgoing mail from your domain to the gateway server. You configure the gateway server to accept a stream of mail from the Google Apps mail servers. You may also need to update your DKIM configuration or the Sender Policy Framework (SPF) record for your domain.

To configure an outbound gateway:

  1. Sign in to the Google Admin console.
  2. Click Google Apps > Gmail > Advanced settings.
  3. If you have not done so already, add hosts, or routes, that you need for an outbound gateway (see Setting up mail hosts).
  4. In the Organizations section near the top of the page, highlight your domain or the organizational unit for which you want to configure this setting (see Configure email settings for an organizational unit for more details).
  5. Scroll down to the Sending routing section:
    • If the setting's status is Not configured yet, click the Configure button near the right edge of the window (the Add setting dialog box opens).
    • If the setting's status is Locally applied or Inherited, click Edit to edit an existing setting (the Edit setting dialog box appears), or click Add another to add a new setting (the Add setting dialog box appears).
       
  6. Click Change route.
  7. Select a route from the drop-down list -- for example, Archiving Server.
  8. When you are finished making changes, click Add setting or Save to close the dialog box.

    Note: Any settings you add will be highlighted on the Gmail settings page.
     
  9. Click Save changes at the bottom of the Gmail settings page.

For more instructions and details, see Sending routing setting.

Sending routing - Use dual delivery to deliver outbound mail to both Gmail and an external archiving server

The Sending routing setting enables you to set up delivery and routing options by organizational unit for outbound mail traffic.

For more details about dual delivery, and for instructions on setting up dual delivery for inbound traffic, see Receiving routing - Use dual delivery to deliver mail to both Gmail and an external server.

Note: If you want to apply this setting to your entire domain, you can configure it at the root org level.

To use dual delivery to deliver mail to both Gmail and an external archiving server:

  1. Sign in to the Google Admin console.
  2. Click Google Apps > Gmail > Advanced settings.
  3. If you have not done so already, add hosts, or routes, that you need for dual delivery (see Setting up mail hosts).
  4. In the Organizations section near the top of the page, highlight your domain or the organizational unit for which you want to configure this setting (see Configure email settings for an organizational unit for more details).
  5. Scroll down to the Sending routing section:
    • If the setting's status is Not configured yet, click the Configure button near the right edge of the window (the Add setting dialog box opens).
    • If the setting's status is Locally applied or Inherited, click Edit to edit an existing setting (the Edit setting dialog box appears), or click Add another to add a new setting (the Add setting dialog box appears).
       
  6. Click Add more recipients to add a secondary mail route.
  7. Click Add.
  8. In the Recipients section, choose Advanced from the Basic/Advanced drop-down menu.
  9. In the Advanced settings section (under Recipients), click Change route.
  10. From the drop-down menu, select a route -- for example, Archiving Server.
  11. When you are finished making changes, click Add setting or Save to close the dialog box.

    Note: Any settings you add will be highlighted on the Gmail settings page.
     
  12. Click Save changes at the bottom of the Gmail settings page.

For more instructions and details, see Sending routing setting.

Route messages based on message content, attachment settings, or TLS controls

In addition to Receiving routing and Sending routing, mail routing and delivery controls are built into other email settings such as Content compliance, Objectionable content and Attachment compliance, so there is more than one way to configure routing options to achieve the same results.

However, we recommend that you use these settings for the specific use cases they are intended to support. For example, you can set up the same routing options by using a Content compliance setting or a Receiving routing setting; but use a Content compliance setting for content-related use cases, and use a Receiving routing setting for general routing-related use cases, such as dual delivery.

Content compliance and Objectionable content

Content compliance routing enables you to implement special handling for certain types of email -- for example, to route messages with specific content to your legal department. Do this by defining a new primary delivery -- or by creating additional deliveries -- that match specific text strings or patterns. For example, you can set up a content match on a word such as confidential, and then change the primary delivery to a server that supports encryption.

For more instructions and details, see Content compliance setting and Objectionable content setting.

Attachment compliance

For the Attachment compliance setting, you can define a new primary delivery or add additional deliveries for messages that match a specific attachment type. For example, you might want to set up a secondary delivery that delivers any message with image attachments to the HR team.

For more instructions and details, see Attachment compliance setting.

TLS compliance

Use the Secure transport (TLS) compliance setting to require mail to be transmitted via a secure connection when users correspond with specific domains and email addresses. You can configure this setting for an organizational unit for both inbound and outbound mail. If TLS is not available at a domain that you specify in this setting, inbound mail will be rejected and outbound mail will not be transmitted.

Note: When an outbound gateway server is defined that accepts TLS, outbound messages sent to domains that do not support TLS (and are on the enforced TLS list) will not be rejected.

For more instructions and details, see Secure transport (TLS) compliance setting.

Default routing - Forward messages for specific users to their secondary address

The Default routing setting enables you to forward messages for specific registered users to their secondary email address.

Note: You can set up multiple Default routing settings that forward messages for specific users. You can then create separate policies for each user.

To forward messages for specific users using Default routing:

  1. Sign in to the Google Admin console.
  2. Click Google Apps > Gmail > Advanced settings.
  3. Click Default routing.
  4. Click Add setting.
  5. Go to the following section: Specify envelope recipients to match

    From the drop-down menu, click Single recipient.
     
  6. In the Recipient: field, type the complete email address of the user (for example: jjsmith@solarmora.com).
     
  7. Go to the following section: If the envelope recipient matches the above, do the following:

    From the drop-down menu, click Modify message.
     
  8. Highlight the Add more recipients check box.
  9. Click Add.
  10. From the drop-down menu, choose Basic.
  11. In the Recipient address: field, type the complete email address of the user (for example, jjsmith@ez4utech.com).
  12. In the Options section, click Perform this action on non-recognized and recognized addresses.
  13. Click Save.

For more details and instructions, see Default routing.

Note: The Gmail settings page includes a set of legacy routing controls that you can also currently access from the General Settings tab. In a future release, these legacy settings will be migrated to the routing settings described above. During a transition period, both sets of controls will function simultaneously. If any conflict exists between the controls -- for example, if you configure two different outbound gateways -- the settings described on this page will override the legacy settings. While it's possible to use both sets of routing controls, we encourage you to use only the new and improved routing settings that are described above.