Search
Clear search
Close search
Google apps
Main menu

SMTP relay: Route outgoing non-Gmail messages through Google

If you have the legacy free edition of Google Apps, upgrade to G Suite to get this feature.

If your organization uses non-Gmail email server software, such as Microsoft® Exchange or other non-Google SMTP service, you can configure the SMTP relay service to route outgoing mail through Google. You use the SMTP relay service setting to enable the filtering of messages for spam and viruses before they reach external contacts, and to apply G Suite email security settings to outgoing messages.

Use with comprehensive mail storage

We recommend that you also turn on comprehensive mail storage. Comprehensive mail storage trains the spam filter about addresses you send to, so that messages sent from these addresses are less likely to be marked as spam.

You must turn on comprehensive mail storage if you have a non-Gmail system that uses the SMTP Relay Service to route messages for your users; for example, for ticket tracking systems, bug databases, or automated notification systems, and to display that mail in your users’ Gmail mailboxes. If you use Google Vault and the SMTP relay service, you must also turn on comprehensive mail storage to have any messages sent through the relay archived in Vault.

Sending limits for the SMTP relay service

Limits per user

A registered G Suite user can't relay more than 10,000 messages in a 24-hour period, and can't relay messages to more than 10,000 unique recipients per 24-hour period. Users exceeding either of these limits see the error "550 5.4.5 Daily SMTP relay limit exceeded for user."

The message count is based on the address of the envelope sender presented during the SMTP relay transaction. If the envelope sender is not a registered user, then the per-user limits don't apply. Addresses in the From: and Reply-to: fields are not considered. Nor do we consider the address presented during SMTP authentication, which is turned on if you select the Require SMTP Authentication option, described below.

Any sender, whether or not they're a registered user,can also be prevented from sending messages if a customer relay limit has been reached. In this case, they see a different error message based on limits per customer.

Limits per customer

These limits are determined by the number of user licenses in your G Suite account. For small customers, these limits come into effect much earlier than the limits per user.

There are two per-customer limits:

  • The maximum number of total recipients allowed per customer per 24-hour period is approximately 130 times the number of user licenses in your G Suite account, with an upper bound of 4,600,000 recipients per 24-hour period for large customers. If a customer exceeds this limit, users see the error "550 5.7.1 Daily SMTP relay limit exceeded for customer."
  • The maximum number of total recipients allowed per customer in a 10-minute window is approximately 9 times the number of user licenses in your G Suite account, with an upper bound of 319,444 recipients per 10-minute window for large customers. If a customer exceeds this limit, users see the error "450 4.2.1 Peak SMTP relay limit exceeded for customer."

Additional notes:

  • The per-user recipient limits are for unique recipients, while the per customer limits are for total recipients. For example, when a given user relays 1000 messages to RecipientA and another 1000 to RecipientB, this counts as 2 for the per user limit, but 2000 for the customer limit.
  • Customer limits apply to all messages relayed by the customer, including messages relayed from any of the customer's secondary or subdomains, as well as messages relayed from external addresses where one of the customer's domains is presented in the “helo” argument.
  • Customer limits are lower for customers who have not yet paid a bill: 100 total recipients per day, 50 total recipients in a 10-minute window.
  • There are separate per-user sending limits published here for sending email using Gmail rather than SMTP relay. The SMTP relay and Gmail user sending limits are independent and are counted separately from each other.

Denial of Service (DoS) limits

G Suite SMTP relay servers have protections in place to guard against Denial of Service (DoS) attacks. To avoid conflicts with these protections, SMTP agents that send large amounts of mail through smtp-relay.google.com should reuse connections, sending multiple messages per connection. This is also known as connection caching. For instructions on this process, please contact your email server software provider.

Relay abuse limits

Google monitors messages sent through the SMTP relay service for spam classification purposes. When we detect significant amounts of spam being sent from any user through the relay service, we send an email notification to super administrators alerting them of this sending behavior. Learn more about the spam and abuse policy and handling SMTP relay abuse.

When you've configured the SMTP relay service, you’ll need to configure your on-premise outbound mail server or other SMTP service to point to Google. See the steps below for instructions.

Route your outbound mail using the SMTP relay service

Note: After you enter and save an IP address or range, you can enable or disable it by checking or unchecking the box to the left of the entry.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console dashboard, go to Appsand thenG Suiteand thenGmailand thenAdvanced settings.

    Tip: To see Advanced settings, scroll to the bottom of the Gmail page.

  3. On the left, select the top-level organization. See Tailor advanced settings for Gmail for more details.
    Note: You can configure the SMTP relay service setting for the top-level organization only. You can view the setting from the sub-organization level when it's added, but you can't add, edit, or delete the setting from the sub-organization level.

  4. Scroll to the SMTP relay service setting in the Routing section, hover over the setting, and click Configure. If the setting is already configured, hover over the setting and click Edit or Add another.

  5. For a new setting, enter a unique description.

  6. In the Allowed senders section, select the users who are allowed to send messages through the SMTP relay service:

    • Only registered Apps users in my domain—The sender must be a registered user in one of your domains.

    • Only addresses in my domains—The sender doesn't have to be a recognized G Suite user, but must be in one of your registered domains. This can be useful when you have third-party or custom applications that need to send messages.

    • Any addresses (not recommended)—The sender address can be anything, even an address outside of your domain.

      The Any addresses option makes you more vulnerable to abuse, either through malware on your user’s machines or by misconfiguration of your SMTP infrastructure. Therefore, we don't recommend this option.

      For the Any address option to work properly, you must configure your mail server either to use SMTP AUTH to identify the sending domain or to present one of your domain names in the HELO or EHLO command. See the instructions below for configuring your specific server type. You must also configure your mail server in one of these ways if you send messages from a domain you don't own (such as yahoo.com), or if you send messages with an empty envelope-from, such as non-delivery reports or vacation “out of office” notifications.

      If the envelope sender is not in one of your domains, the system changes the envelope sender from user@[domain you don't own] to postmaster@[your domain], where [your domain] is the domain the system receives from SMTP AUTH or from the HELO or EHLO command.

  7. In the Authentication section, check one or both boxes to set an authentication method:
    • Only accept mail from the specified IP addresses—The system only accepts mail sent from these IP addresses as coming from your domains.

    • Require SMTP Authentication—Enforces the use of SMTP Authentication to identify the sending domain.

  8. If you chose to only accept messages from specified IP addresses, enter the IP addresses:

    1. Click Add IP RANGE.

    2. Enter a description for the IP address or range.

    3. Enter the IP address or range.

      Use the Classless Inter-Domain Routing (CIDR) format to enter an IP range; for example, 123.123.123.123. Use your own public IP address. The maximum number of IP addresses that you can specify in the range is 65,536. We recommend that you keep the allowed IP range as narrow as possible for security reasons.

      You can also use IPv6 address formats to specify an IP address; for example:

      1050:0000:0000:0000:0005:0600:300c:326b or

      1050:0:0:0:5:600:300c:326b or

      1050::5:600:300c:326b

    4. Check the Enabled box to enable (or uncheck to disable) this IP address or range.

    5. Click Save.
      Note: After you enter and save an IP address or range, you can enable or disable it in the future simply by checking the box to the left of the entry.

  9. In the Encryption section, check the Require TLS encryption box to require that the communication between your server and Google’s server be TLS encrypted, including the message contents.

    Note: If your email server does not support TLS, do not check this box. If you check this box, Google rejects messages that are not encrypted.

  10. Click Add setting or Save. Any new settings are added to the Advanced settings page.

  11. At the bottom, click Save.

    Note: It can take up to an hour for changes to propagate to user accounts. You can track prior changes using the Admin console audit log.

  12. Configure your on-premise outbound email server to point to smtp-relay.gmail.com as follows:

    See the sections below for instructions on completing this step for specific email servers.

    • If you checked the box to require TLS encryption in step 9, you must configure your on-premise mail server to point to smtp-relay.gmail.com on port 587.
    • If you don’t require TLS encryption, you can configure your on-premise mail server to point to smtp-relay.gmail.com on port 25, port 465, or port 587.

The SMTP Relay service does not support multiple envelope recipients (RCPT TO) when specifying a null envelope sender (MAIL FROM: <>).

Microsoft Exchange 2007/2010 without an Edge Server

If you do not have an Edge Server, follow the instructions below to set up the SMTP relay service for Exchange 2007/2010. In this case, set up Outbound Services on a Hub Transport server.

You don't need to increase the timeouts for Microsoft Exchange 2007/2010 mail servers. The default timeout settings are appropriate.

To create and configure a Send Connector on your Hub Connector Server:

  1. Click Organization Configuration and then Hub Transport.
  2. Click Send Connectors.
  3. Right-click in the actions pane and select New SMTP Send Connector.
  4. Name the connector Outbound.
  5. Click the list, select Internet, and then click Next.


     
  6. Click Add to open the Add Address Space dialog box.


     
  7. In the Domain field, enter an asterisk (*) so that all mail is routed through the new connector.


     
  8. Check the Include all subdomains box, and click OK.
  9. On the New SMTP Send Connector dialog box, click Next.
  10. Under Network settings, click the Route mail through the following smart hosts option.
  11. Click Add.


     
  12. In the "Add smart host" dialog box, enter smtp-relay.gmail.com in the Fully qualified domain name field.

  13. Under Configure smart host authentication settings, click the None option, and then click Next.


     
  14. On the Source Server page, click Add, and list each outbound hub server that will act as a bridgehead.




     
  15. Click OK and then Next.
  16. On the New Connector page, click New.


     
  17. Click Finish to complete the send connector configuration.


     
  18. When you've completed your configuration, send a test message to confirm that your outbound mail is flowing.

In addition to the server configuration steps listed above, you might have to perform an additional configuration on your server if either of the following is true:

  • You click the Any address option in the Allowed senders setting and you send mail from a domain you do not own, such as yahoo.com.
  • You send mail without a “From” address, such as non-delivery reports or vacation “out of office” notifications.

In these cases, you must configure your mail server to either ensure that the server is using SMTP AUTH to authenticate as a registered G Suite user or to present one of your domain names in the HELO or EHLO command. See the instructions here.

Important: G Suite Support does not provide technical support for configuring on-premise mail servers or third-party products. In the event of a Microsoft Exchange issue, you should consult your Microsoft Exchange administrator. These instructions are designed to work with the most common Microsoft Exchange scenarios. Any changes to your Microsoft Exchange configuration should be made at the discretion of your Microsoft Exchange administrator.
Microsoft Exchange 2007/2010 with an Edge Server

For Microsoft Exchange 2007/2010, different servers are assigned distinct, concrete roles. An Edge Server is one such role. The Edge Server connects all other Exchange Servers to the Internet, and provides filtering and security.

To send messages on an edge transport server, you must configure a send connector. Send connectors are created and edited in the Exchange Management Console. Follow the instructions below to set up the SMTP relay service for Exchange 2007/2010 on your Edge Server.

You don't need to increase the timeouts for Microsoft Exchange 2007/2010 mail servers. The default timeout settings are appropriate.

To create and configure a Send Connector on your Hub Connector Server:

  1. Click Organization Configuration and then Hub Transport.
  2. Click Send Connectors.
  3. Double-click the EdgeSync – [your site] to Internet connector, where [your site] is the name of your site.


     
  4. On the Address Space tab, verify that the asterisk (*) domain has been added.


     
  5. On the Network tab, un-check the Enable Domain Security (Mutual Auth TLS) box, and click the Route mail through the following smart hosts option.


     
  6. Click Add to display the Add smart host dialog box.
  7. Enter smtp-relay.gmail.com in the Fully qualified domain name field, and click OK.

  8. On the Source Server tab, verify that the appropriate edge subscriptions are defined.
  9. From the Exchange Management Shell, run the start-edgesynchronization command.


     
  10. On the Edge servers, verify that the new Send Connector settings have been received and are identical to those on the hub server.

  11. Check your receive connectors on the Edge server and verify the following:

    • The Network tab has the IP range of all hub servers included.

    • The Authentication tab has the Exchange Server Authentication option checked.

    • The Permission Groups tab has the Exchange Servers option checked.

  12. When you've completed your configuration, send a test message to confirm that your outbound mail is flowing.

In addition to the server configuration steps listed above, you might have to perform an additional configuration on your server if either of the following is true:

  • You click the Any address option in the Allowed senders setting and you send mail from a domain you do not own, such as yahoo.com.

  • You send mail without a “From” address, such as non-delivery reports or vacation “out of office” notifications.

In these cases, you'll need to configure your mail server to either ensure that the server is using SMTP AUTH to authenticate as a registered G Suite user or to present one of your domain names in the HELO or EHLO command. See the instructions here.

Important: G Suite Support does not provide technical support for configuring on-premise mail servers or third-party products. In the event of a Microsoft Exchange issue, you should consult your Microsoft Exchange administrator. These instructions are designed to work with the most common Microsoft Exchange scenarios. Any changes to your Microsoft Exchange configuration should be made at the discretion of your Microsoft Exchange administrator.
Microsoft Exchange 2000/2003

Change the retry interval and configure the smart host to route traffic to Google:

  1. Right-click SMTP Virtual Server and select Properties.

  2. Click the Delivery tab.

  3. Under Outbound, change the default retry interval values to the following:
    First retry interval (minutes): 1
    Second retry interval (minutes): 1
    Third retry interval (minutes): 3
    Subsequent retry interval (minutes): 5

  4. Click Connectors, right-click the SMTP Connector (or the Internet Mail SMTP Connector), and select Properties.

  5. On the General tab, type smtp-relay.gmail.com.

  6. Click OK to save the changes.

In addition to the server configuration steps listed above, you might have to perform an additional configuration on your server if either of the following is true:

  • You click the Any address option in the Allowed senders setting and you send mail from a domain you do not own, such as yahoo.com.

  • You send mail without a “From” address, such as non-delivery reports or vacation “out of office” notifications.

In these cases, you must configure your mail server to either ensure that the server is using SMTP AUTH to authenticate as a registered G Suite user or to present one of your domain names in the HELO or EHLO command.

Important: G Suite Support does not provide technical support for configuring on-premise mail servers or third-party products. In the event of a Microsoft Exchange issue, you should consult your Microsoft Exchange administrator. These instructions are designed to work with the most common Microsoft Exchange scenarios. Any changes to your Microsoft Exchange configuration should be made at the discretion of your Microsoft Exchange administrator.
IBM Lotus Domino

Follow the instructions below to set up the SMTP relay service for IBM Lotus Domino. These instructions, which were written for Lotus Domino R5/R6, are designed to work with a majority of deployments.

You don't need to change the timeout configuration for Lotus Domino R5/R6. You can use the default timeout settings.

Set up a smart host and adjust the Retry Interval:

  1. Open Domino Administrator.

  2. Click Administration and select the Configuration tab.

  3. Click Configurations.

  4. Double-click the name of your Domino Server.

  5. At the top of the window, click Edit Server Configuration.

  6. Select the Router/SMTP tab in the first row. This selects the Basics tab of the second row of tabs.

  7. Under Relay host for messages leaving the local internet domain, add smtp-relay.gmail.com.

  8. Select the Restrictions and Controls tab from the second row.

  9. Select the Transfer Controls tab from the third row.

  10. Set the configuration Initial Transfer Retry Interval to one minute or higher.

  11. Click Save & Close to exit.

  12. When you've completed your configuration, send a test message to confirm that your outbound mail is flowing.

In addition to the server configuration steps listed above, you might have to perform an additional configuration on your server if either of the following is true:

  • You click the Any address option in the Allowed senders setting and you send mail from a domain you do not own, such as yahoo.com.
  • You send mail without a “From” address, such as non-delivery reports or vacation “out of office” notifications.

In these cases, you'll need to configure your mail server to either ensure that the server is using SMTP AUTH to authenticate as a registered G Suite user or to present one of your domain names in the HELO or EHLO command.

Important: G Suite Support does not provide technical support for configuring on-premise mail servers or third-party products. In the event of an IBM Lotus Domino issue, you should consult your IBM Lotus Domino administrator. These instructions are designed to work with the most common IBM Lotus Domino scenarios. Any changes to your IBM Lotus Domino configuration should be made at the discretion of your IBM Lotus Domino administrator.
Novell Groupwise

Follow the instructions below to set up the SMTP relay service for Novell Groupwise. These instructions are designed to work with a majority of deployments. You’ll first need to increase server timeouts before setting up a smart host.

To increase server timeouts:

  1. Open the Groupwise ConsoleOne interface.

  2. Right-click the Internet Agent object and select Properties.

  3. Select the SMTP/MIME Settings tab and click Timeouts.

  4. Set the following values:
    Commands: 5 minutes
    Data: 3 minutes
    Connection Establishment: 2 minutes
    Initial Greeting: 5 minutes
    TCP Read: 5 minutes
    Connection Termination: 15 minutes

  5. Click Apply > OK.

To set up a smart host:

  1. Open the Groupwise ConsoleOne interface.

  2. Right-click the Internet Agent object and select Properties.

  3. If the SMTP/MIME Settings page is not the default page, select the SMTP/MIME tab and click Settings.

  4. Set the number of SMTP Send Threads to the maximum number of simultaneous connections the Groupwise server will safely support.

  5. Enter smtp-relay.gmail.com in the Relay Host for Outbound Messages field.

  6. Click Apply > OK.

  7. When you've completed your configuration, send a test message to confirm that your outbound mail is flowing.

In addition to the server configuration steps listed above, you might have to perform an additional configuration on your server if either of the following is true:

  • You click the Any address option in the Allowed senders setting and you send mail from a domain you do not own, such as yahoo.com.

  • You send mail without a “From” address, such as non-delivery reports or vacation “out of office” notifications.

In these cases, you'll need to configure your mail server to either ensure that the server is using SMTP AUTH to authenticate as a registered G Suite user or to present one of your domain names in the HELO or EHLO command. See the instructions here.

Important: G Suite Support does not provide technical support for configuring on-premise mail servers or third-party products. In the event of a Novell Groupwise issue, you should consult your Novell Groupwise administrator. These instructions are designed to work with the most common Novell Groupwise scenarios. Any changes to your Novell Groupwise configuration should be made at the discretion of your Novell Groupwise administrator.
Sendmail

Follow the instructions below to set up the SMTP relay service for Sendmail. These instructions are designed to work with a majority of deployments.

Changing server timeouts should not be necessary. In Sendmail, the server timeout is set in the Timeout.datafinal value. By default, it's set to one hour. If the Timeout.datafinal value has been changed to a lower value, raise the value to one hour.

To configure a smarthost for Sendmail:

  1. Add the following line to the /etc/mail/sendmail.mc file:
    define(`SMART_HOST', `smtp-relay.gmail.com')​​

  2. Stop and restart the sendmail server process.

  3. When you've completed your configuration, send a test message to confirm that your outbound mail is flowing.

In addition to the server configuration steps listed above, you might have to perform an additional configuration on your server if either of the following is true:

  • You click the Any address option in the Allowed senders setting and you send mail from a domain you do not own, such as yahoo.com.

  • You send mail without a “From” address, such as non-delivery reports or vacation “out of office” notifications.

In these cases, you must configure your mail server to either ensure that the server is using SMTP AUTH to authenticate as a registered G Suite user or to present one of your domain names in the HELO or EHLO command. See the instructions here.

Important: G Suite Support does not provide technical support for configuring on-premise mail servers or third-party products. In the event of a Sendmail issue, you should consult your Sendmail administrator. These instructions are designed to work with the most common Sendmail scenarios. Any changes to your Sendmail configuration should be made at the discretion of your Sendmail administrator.
Apple Macintosh OS X

Follow the instructions below to set up the SMTP relay service for Apple Macintosh OS X. These instructions are designed to work with a majority of deployments.

To set up a smart host:

  1. In Server Admin, select Mail and click Settings.

  2. Under Relay all mail through this host, enter smtp-relay.gmail.com.

  3. Click Save to close the Server Admin.

  4. Restart the mail service.

  5. When you've completed your configuration, send a test message to confirm that your outbound mail is flowing.

In addition to the server configuration steps listed above, you might have to perform an additional configuration on your server if either of the following is true:

  • You click the Any address option in the Allowed senders setting and you send mail from a domain you do not own, such as yahoo.com.
  • You send mail without a “From” address, such as non-delivery reports or vacation “out of office” notifications.

In these cases, you'll need to configure your mail server to either ensure that the server is using SMTP AUTH to authenticate as a registered G Suite user or to present one of your domain names in the HELO or EHLO command.

Important: G Suite Support does not provide technical support for configuring on-premise mail servers or third-party products. In the event of an Apple Macintosh OS X issue, you should consult your Apple Macintosh OS X administrator. These instructions are designed to work with the most common Apple Macintosh OS X scenarios. Any changes to your Apple Macintosh OS X configuration should be made at the discretion of your Apple Macintosh OS X administrator.
Qmail

Follow these instructions to set up the SMTP relay service for Qmail. The instructions are designed to work with a majority of deployments.

You might first need to increase server timeouts before setting up a smart host. The default timeout is 1200 seconds, which is long enough. If this value has been previously changed, then edit the /var/qmail/timeoutsmtpd file and increase it to at least 900 seconds.

To set up a smart host for Qmail:

  1. Edit (or create) the /var/qmail/control/smtproutes file and append the following line:
    :smtp-relay.gmail.com:25
  2. If you have certain internal domains whose traffic should not be routed to Google, you'll want to add specific routing to the appropriate mail server to the /var/qmail/control/smtproutes file, using the following syntax:
    <InternalDomain>:<ServerForInternalDomain>
  3. Stop and restart the Qmail server.
  4. When you've completed your configuration, send a test message to confirm that your outbound mail is flowing.

In addition to the server configuration steps listed above, you might have to perform an additional configuration on your server if either of the following is true:

  • You click the Any address option in the Allowed senders setting and you send mail from a domain you do not own, such as yahoo.com.
  • You send mail without a “From” address, such as non-delivery reports or vacation “out of office” notifications.

In these cases, you'll need to configure your mail server to either ensure that the server is using SMTP AUTH to authenticate as a registered G Suite user or to present one of your domain names in the HELO or EHLO command. See the instructions here.

Important: G Suite Support does not provide technical support for configuring on-premise mail servers or third-party products. In the event of a Qmail issue, you should consult your Qmail administrator. These instructions are designed to work with the most common Qmail scenarios. Any changes to your Qmail configuration should be made at the discretion of your Qmail administrator.
Postfix

Follow the instructions below to set up the SMTP relay service for Postfix. These instructions are designed to work with a majority of deployments. There is no need to increase the timeouts for Postfix servers. The default timeout settings are appropriate.

To set up a smart host for Postfix:

  1. Add the following line to your configuration file (example path /etc/postfix/main.cf):
    relayhost = smtp-relay.gmail.com:25
  2. Restart Postfix by running the following command:
    # sudo postfix reload
  3. Send a test message to confirm that your outbound mail is flowing.

Determine whether either of the following is true:

  • You click the Any address option in the Allowed senders setting and you send messages from a domain you do not own, such as yahoo.com.
  • You send messages without a “From” address, such as non-delivery reports or vacation “out of office” notifications.

If either is true, configure your mail server to either ensure that the server is using SMTP AUTH to authenticate as a registered G Suite user or to present one of your domain names in the HELO or EHLO command. See the instructions here.

Important: G Suite Support does not provide technical support for configuring on-premise mail servers or third-party products. In the event of a Postfix issue, you should consult your Postfix administrator. These instructions are designed to work with the most common Postfix scenarios. Any changes to your Postfix configuration should be made at the discretion of your Postfix administrator.

Was this article helpful?
How can we improve it?
Sign in to your account

Get account-specific help by signing in with your G Suite account email address, or learn how to get started with G Suite.