Google Apps Administrator Help
Google Apps AdministratorHelp forumForum Contact us

SMTP relay service setting

If your organization uses non-Gmail email server software, such as Microsoft Exchange (or other non-Google SMTP service), you can use the SMTP relay service setting to route outgoing mail through Google. This setting enables you to filter messages for spam and viruses before they reach external contacts, and to apply Google Apps email security settings to outgoing messages.

After you configure an advanced Gmail setting, it may take up to one hour for that configuration to propagate to individual user accounts. You can track prior changes under Admin console audit log

Note: SMTP relay service is not available with the legacy free edition of Google Apps.
Sending limits for the SMTP relay service

Limits per user
A registered Google Apps user cannot relay more than 10,000 messages in a 24-hour period, and cannot relay messages to more than 10,000 unique recipients per 24-hour period. If a user exceeds either of these limits, they’ll receive an error "550 5.4.5 Daily SMTP relay limit exceeded for user."

A user may also be prevented from sending messages if a customer relay limit has been reached, in which case they will see a different error message based on limits per customer.

Limits per customer

These limits are determined by the number of user licenses in your Google Apps account. For small customers, these limits will come into effect much earlier than the above-mentioned per-user limits.

There are two per-customer limits:

  • The maximum number of total recipients allowed per customer per 24-hour period is approximately 130 times the number of user licenses in your Google Apps account (with an upper bound of 4,600,000 recipients per 24-hour period for large customers). If a customer exceeds this limit, users will receive an error "550 5.7.1 Daily SMTP relay limit exceeded for customer."
  • The maximum number of total recipients allowed per customer in a 10-minute window is approximately 9 times the number of user licenses in your Google Apps account (with an upper bound of 319,444 recipients per 10-minute window for large customers). If a customer exceeds this limit, users will receive an error "450 4.2.1 Peak SMTP relay limit exceeded for customer."

Additional notes:

  • The per-user recipient limits are for unique recipients, while the per customer limits are for total recipients. For example, when a given user relays 1000 messages to RecipientA and another 1000 to RecipientB, this counts as 2 for the per user limit, but 2000 for the customer limit.
  • Customer limits apply to all mail relayed by the customer, including mail relayed from any of the customer's secondary or subdomains, as well as mail relayed from external addresses where one of the customer's domains is presented in the “helo” argument.
  • Customer limits are lower for customers who have not yet paid a bill: 100 total recipients per day, 50 total recipients in a 10-minute window.
  • There are separate per-user sending limits published here for sending email using Gmail rather than SMTP relay. The SMTP relay and Gmail user sending limits are independent and are counted separately from each other.

Denial of Service (DoS) limits

Google Apps SMTP relay servers have protections in place to guard against Denial of Service (DoS) attacks. To avoid conflicts with these protections, SMTP agents that send large amounts of mail through smtp-relay.google.com should reuse connections, sending multiple messages per connection. This is also known as connection caching. For instructions on this process, please contact your email server software provider.

When you've configured the SMTP relay service, you’ll need to configure your on-premise outbound mail server or other SMTP service to point to Google. See the steps below for instructions.

To route your outbound mail through Google Apps using the SMTP relay service setting:

Note: After you enter and save an IP address or range, you can enable or disable it in the future by checking or unchecking the box to the left of the entry.
  1. Sign in to the Google Admin console.
  2. From the dashboard, go to Apps > Google Apps > Gmail > Advanced settings.
  3. In the Organizations section, highlight the top-level org (see Configure advanced settings for Gmail for more details).
    Note: You can configure the SMTP relay service setting for the root organizational unit only. You can view the setting from the sub-org level when it's added, but you cannot add, edit, or delete the setting from the sub-org level.
  4. Scroll down to SMTP relay service (you can also enter SMTP relay service in the search field):
    • If the setting's status is Not configured yet, click Configure. The Add setting dialog box displays.
    • Click Edit to edit an existing configuration for the setting. The Edit setting dialog box displays.
    • Click Add another to add a new configuration for the setting. The Add setting dialog box displays.
  5. Click Add description to enter a short description that displays in the setting's summary.
  6. In the Allowed senders section, select what kinds of users are allowed to send mail through the SMTP relay service. Select one of the following options:
    • Only registered Apps users in my domain—The sender must be a registered user in one of your domains.
    • Only addresses in my domains—The sender doesn't have to be a recognized Apps user, but must be in one of your registered domains. This is sometimes useful when you have third-party or custom applications that need to send email.
    • Any addresses (not recommended)—The sender address can be anything, even an address outside of your domain.
      The Any addresses option makes you more vulnerable to abuse, either through malware on your user’s machines or by misconfiguration of your SMTP infrastructure. Therefore, we don't recommend this option.

      For the Any address option to work properly, you must configure your mail server either to use SMTP AUTH to identify the sending domain or to present one of your domain names in the HELO or EHLO command. See the instructions below for configuring your specific server type. You must also configure your mail server in one of these ways if you send mail from a domain you don't own (such as yahoo.com), or if you send mail with an empty envelope-from (such as non-delivery reports or vacation “out of office” notifications).

      If the envelope sender is not in one of your domains, the system changes the envelope sender from user@[domain you don't own] to postmaster@[your domain], where [your domain] is the domain the system receives from SMTP AUTH or from the HELO or EHLO command.

  7. In the Authentication section, check one or both boxes to set an authentication method:
    • Only accept mail from the specified IP addresses—The system only accepts mail sent from these IP addresses as coming from your domains.
    • Require SMTP Authentication—Enforces the use of SMTP Authentication to identify the sending domain. If you check this box, the Require TLS encryption box in the Encryption section is automatically checked and grayed out, because SMTP Authentication requires TLS encryption.
  8. If you selected the option to only accept mail from specified IP addresses, do the following to enter those IP addresses:
    Note: After you enter and save an IP address or range, you can enable or disable it in the future simply by checking the box to the left of the entry.
    1. Click Add.
    2. Enter a description for the IP address or range.
    3. Enter the IP address or range.

      Use the Classless Inter-Domain Routing (CIDR) format to enter an IP range; for example, 123.123.123.123. Use your own public IP address. The maximum number of IP addresses that you can specify in the range is 65,536. We recommend that you keep the allowed IP range as narrow as possible for security reasons.

      You can also use IPv6 address formats to specify an IP address; for example:

      1050:0000:0000:0000:0005:0600:300c:326b or

      1050:0:0:0:5:600:300c:326b or

      1050::5:600:300c:326b

    4. Check the Enabled box to enable (or uncheck to disable) this IP address or range.
    5. Click Save.
  9. In the Encryption section, check the Require TLS encryption box to require that the communication between your server and Google’s server be TLS encrypted, including the message contents.
    Note: If your email server does not support TLS, do not check this box. If you check this box, Google will reject messages that are not encrypted.
  10. When you're finished making changes, click Add setting or Save to close the dialog box.
    Note: Any settings you add will be highlighted on the Advanced settings page.
  11. Click Save changes at the bottom of the Advanced settings page.
  12. Configure your on-premise outbound mail server to point to smtp-relay.gmail.com as follows:
    • If you checked the box to require TLS encryption in step 9, you must configure your on-premise mail server to point to smtp-relay.gmail.com on port 587.
    • If you aren’t requiring TLS encryption, you can configure your on-premise mail server to point to smtp-relay.gmail.com on port 25, port 465, or port 587.

    See the sections below for instructions on completing this step for specific mail servers.

The SMTP Relay service does not support multiple envelope recipients (RCPT TO) when specifying a null envelope sender (MAIL FROM: <>).

Microsoft Exchange 2007/2010 without an Edge Server

If you do not have an Edge Server, follow the instructions below to set up the SMTP relay service for Exchange 2007/2010. In this case, set up Outbound Services on a Hub Transport server.

There is no need to increase the timeouts for Microsoft Exchange 2007/2010 mail servers. The default timeout settings are appropriate.

To create and configure a Send Connector on your Hub Connector Server:

  1. Click Organization Configuration > Hub Transport.
  2. Click Send Connectors.
  3. Right-click in the actions pane and select New SMTP Send Connector.
  4. Name the connector Outbound.
  5. Click the drop-down list, select Internet, and then click Next.


     
  6. Click Add to open the Add Address Space dialog box.


     
  7. In the Domain field, enter an asterisk (*) so that all mail is routed through the new connector.


     
  8. Check the Include all subdomains box, and click OK.
  9. On the New SMTP Send Connector dialog box, click Next.
  10. Under Network settings, click the Route mail through the following smart hosts option.
  11. Click Add.


     
  12. In the "Add smart host" dialog box, enter smtp-relay.gmail.com in the Fully qualified domain name field.

  13. Under Configure smart host authentication settings, click the None option, and then click Next.


     
  14. On the Source Server page, click Add, and list each outbound hub server that will act as a bridgehead.




     
  15. Click OK > Next.
  16. On the New Connector page, click New.


     
  17. Click Finish to complete the send connector configuration.


     
  18. When you've completed your configuration, send a test message to confirm that your outbound mail is flowing.

In addition to the server configuration steps listed above, you may need to perform an additional configuration on your server if either of the following is true:

  • You click the Any address option in the Allowed senders setting and you send mail from a domain you do not own, such as yahoo.com.
  • You send mail without a “From” address, such as non-delivery reports or vacation “out of office” notifications.

In these cases, you must configure your mail server to either ensure that the server is using SMTP AUTH to authenticate as a registered apps user or to present one of your domain names in the HELO or EHLO command. See the instructions here.

Important: Google Apps Support does not provide technical support for configuring on-premise mail servers or third-party products. In the event of a Microsoft Exchange issue, you should consult your Microsoft Exchange administrator. These instructions are designed to work with the most common Microsoft Exchange scenarios. Any changes to your Microsoft Exchange configuration should be made at the discretion of your Microsoft Exchange administrator.
Microsoft Exchange 2007/2010 with an Edge Server

For Microsoft Exchange 2007/2010, different servers are assigned distinct, concrete roles. An Edge Server is one such role. The Edge Server connects all other Exchange Servers to the Internet, and provides filtering and security.

To send email on an edge transport server, you must configure a send connector. Send connectors are created and edited in the Exchange Management Console. Follow the instructions below to set up the SMTP relay service for Exchange 2007/2010 on your Edge Server.

There is no need to increase the timeouts for Microsoft Exchange 2007/2010 mail servers. The default timeout settings are appropriate.

To create and configure a Send Connector on your Hub Connector Server:

  1. Click Organization Configuration > Hub Transport.
  2. Click Send Connectors.
  3. Double-click the EdgeSync – [your site] to Internet connector, where [your site] is the name of your site.


     
  4. On the Address Space tab, verify that the asterisk (*) domain has been added.


     
  5. On the Network tab, un-check the Enable Domain Security (Mutual Auth TLS) box, and click the Route mail through the following smart hosts option.


     
  6. Click Add to display the Add smart host dialog box.
  7. Enter smtp-relay.gmail.com in the Fully qualified domain name field, and click OK.

  8. On the Source Server tab, verify that the appropriate edge subscriptions are defined.
  9. From the Exchange Management Shell, run the start-edgesynchronization command.


     
  10. On the Edge servers, verify that the new Send Connector settings have been received and are identical to those on the hub server.
  11. Check your receive connectors on the Edge server and verify the following:
    • The Network tab has the IP range of all hub servers included.
    • The Authentication tab has the Exchange Server Authentication option checked.
    • The Permission Groups tab has the Exchange Servers option checked.
  12. When you've completed your configuration, send a test message to confirm that your outbound mail is flowing.

In addition to the server configuration steps listed above, you may need to perform an additional configuration on your server if either of the following is true:

  • You click the Any address option in the Allowed senders setting and you send mail from a domain you do not own, such as yahoo.com.
  • You send mail without a “From” address, such as non-delivery reports or vacation “out of office” notifications.

In these cases, you must configure your mail server to either ensure that the server is using SMTP AUTH to authenticate as a registered apps user or to present one of your domain names in the HELO or EHLO command. See the instructions here.

Important: Google Apps Support does not provide technical support for configuring on-premise mail servers or third-party products. In the event of a Microsoft Exchange issue, you should consult your Microsoft Exchange administrator. These instructions are designed to work with the most common Microsoft Exchange scenarios. Any changes to your Microsoft Exchange configuration should be made at the discretion of your Microsoft Exchange administrator.
Microsoft Exchange 2000/2003

Change the retry interval, and configure the smarthost to route traffic to Google:

  1. Right-click SMTP Virtual Server and select Properties.
  2. Click the Delivery tab.
  3. Under Outbound, change the default retry interval values to the following:
    First retry interval (minutes): 1
    Second retry interval (minutes): 1
    Third retry interval (minutes): 3
    Subsequent retry interval (minutes): 5
  4. Click Connectors, right-click the SMTP Connector (or the Internet Mail SMTP Connector), and select Properties.
  5. On the General tab, type smtp-relay.gmail.com.
  6. Click OK to save the changes.

In addition to the server configuration steps listed above, you may need to perform an additional configuration on your server if either of the following is true:

  • You click the Any address option in the Allowed senders setting and you send mail from a domain you do not own, such as yahoo.com.
  • You send mail without a “From” address, such as non-delivery reports or vacation “out of office” notifications.

In these cases, you must configure your mail server to either ensure that the server is using SMTP AUTH to authenticate as a registered apps user or to present one of your domain names in the HELO or EHLO command.

Important: Google Apps Support does not provide technical support for configuring on-premise mail servers or third-party products. In the event of a Microsoft Exchange issue, you should consult your Microsoft Exchange administrator. These instructions are designed to work with the most common Microsoft Exchange scenarios. Any changes to your Microsoft Exchange configuration should be made at the discretion of your Microsoft Exchange administrator.
IBM Lotus Domino

Follow the instructions below to set up the SMTP relay service for IBM Lotus Domino. These instructions, which were written for Lotus Domino R5/R6, are designed to work with a majority of deployments.

Changing the timeout configuration for Lotus Domino R5/R6 is not required. You can use the default timeout settings.

Set up a smarthost and adjust the Retry Interval:

  1. Open Domino Administrator.
  2. Click Administration and select the Configuration tab.
  3. Click Configurations.
  4. Double-click the name of your Domino Server.
  5. At the top of the window, click Edit Server Configuration.
  6. Select the Router/SMTP tab in the first row. (This selects the Basics tab of the second row of tabs.)
  7. Under Relay host for messages leaving the local internet domain, add smtp-relay.gmail.com.
  8. Select the Restrictions and Controls tab from the second row.
  9. Select the Transfer Controls tab from the third row.
  10. Set the configuration Initial Transfer Retry Interval to one minute or higher.
  11. Click Save & Close to exit.
  12. When you've completed your configuration, send a test message to confirm that your outbound mail is flowing.

In addition to the server configuration steps listed above, you may need to perform an additional configuration on your server if either of the following is true:

  • You click the Any address option in the Allowed senders setting and you send mail from a domain you do not own, such as yahoo.com.
  • You send mail without a “From” address, such as non-delivery reports or vacation “out of office” notifications.

In these cases, you must configure your mail server to either ensure that the server is using SMTP AUTH to authenticate as a registered apps user or to present one of your domain names in the HELO or EHLO command.

Important: Google Apps Support does not provide technical support for configuring on-premise mail servers or third-party products. In the event of an IBM Lotus Domino issue, you should consult your IBM Lotus Domino administrator. These instructions are designed to work with the most common IBM Lotus Domino scenarios. Any changes to your IBM Lotus Domino configuration should be made at the discretion of your IBM Lotus Domino administrator.
Novell Groupwise

Follow the instructions below to set up the SMTP relay service for Novell Groupwise. These instructions are designed to work with a majority of deployments. You’ll first need to increase server timeouts before setting up a smarthost.

To increase server timeouts:

  1. Open the Groupwise ConsoleOne interface.
  2. Right-click the Internet Agent object and select Properties.
  3. Select the SMTP/MIME Settings tab and click Timeouts.
  4. Set the following values:
    Commands: 5 minutes
    Data: 3 minutes
    Connection Establishment: 2 minutes
    Initial Greeting: 5 minutes
    TCP Read: 5 minutes
    Connection Termination: 15 minutes
  5. Click Apply OK.

To set up a smarthost:

  1. Open the Groupwise ConsoleOne interface.
  2. Right-click the Internet Agent object and select Properties.
  3. If the SMTP/MIME Settings page is not the default page, select the SMTP/MIME tab and click Settings.
  4. Set the number of SMTP Send Threads to the maximum number of simultaneous connections the Groupwise server will safely support.
  5. Enter smtp-relay.gmail.com in the Relay Host for Outbound Messages field.
  6. Click Apply OK.
  7. When you've completed your configuration, send a test message to confirm that your outbound mail is flowing.

In addition to the server configuration steps listed above, you may need to perform an additional configuration on your server if either of the following is true:

  • You click the Any address option in the Allowed senders setting and you send mail from a domain you do not own, such as yahoo.com.
  • You send mail without a “From” address, such as non-delivery reports or vacation “out of office” notifications.

In these cases, you must configure your mail server to either ensure that the server is using SMTP AUTH to authenticate as a registered apps user or to present one of your domain names in the HELO or EHLO command. See the instructions here.

Important: Google Apps Support does not provide technical support for configuring on-premise mail servers or third-party products. In the event of a Novell Groupwise issue, you should consult your Novell Groupwise administrator. These instructions are designed to work with the most common Novell Groupwise scenarios. Any changes to your Novell Groupwise configuration should be made at the discretion of your Novell Groupwise administrator.
Sendmail

Follow the instructions below to set up the SMTP relay service for Sendmail. These instructions are designed to work with a majority of deployments.

Changing server timeouts should not be necessary. In Sendmail, the server timeout is set in the Timeout.datafinal value. By default, it's set to one hour. If the Timeout.datafinal value has been changed to a lower value, raise the value to one hour.

To configure a smarthost for Sendmail:

  1. Add the following line to the /etc/mail/sendmail.mc file:
    define(`SMART_HOST', `smtp-relay.gmail.com')​​
  2. Stop and restart the sendmail server process.
  3. When you've completed your configuration, send a test message to confirm that your outbound mail is flowing.

In addition to the server configuration steps listed above, you may need to perform an additional configuration on your server if either of the following is true:

  • You click the Any address option in the Allowed senders setting and you send mail from a domain you do not own, such as yahoo.com.
  • You send mail without a “From” address, such as non-delivery reports or vacation “out of office” notifications.

In these cases, you must configure your mail server to either ensure that the server is using SMTP AUTH to authenticate as a registered apps user or to present one of your domain names in the HELO or EHLO command. See the instructions here.

Important: Google Apps Support does not provide technical support for configuring on-premise mail servers or third-party products. In the event of a Sendmail issue, you should consult your Sendmail administrator. These instructions are designed to work with the most common Sendmail scenarios. Any changes to your Sendmail configuration should be made at the discretion of your Sendmail administrator.
Apple Macintosh OS X

Follow the instructions below to set up the SMTP relay service for Apple Macintosh OS X. These instructions are designed to work with a majority of deployments.

To set up a smarthost:

  1. In Server Admin, select Mail and click Settings.
  2. Under Relay all mail through this host, enter smtp-relay.gmail.com.
  3. Click Save to close the Server Admin.
  4. Restart the mail service.
  5. When you've completed your configuration, send a test message to confirm that your outbound mail is flowing.

In addition to the server configuration steps listed above, you may need to perform an additional configuration on your server if either of the following is true:

  • You click the Any address option in the Allowed senders setting and you send mail from a domain you do not own, such as yahoo.com.
  • You send mail without a “From” address, such as non-delivery reports or vacation “out of office” notifications.

In these cases, you must configure your mail server to either ensure that the server is using SMTP AUTH to authenticate as a registered apps user or to present one of your domain names in the HELO or EHLO command.

Important: Google Apps Support does not provide technical support for configuring on-premise mail servers or third-party products. In the event of an Apple Macintosh OS X issue, you should consult your Apple Macintosh OS X administrator. These instructions are designed to work with the most common Apple Macintosh OS X scenarios. Any changes to your Apple Macintosh OS X configuration should be made at the discretion of your Apple Macintosh OS X administrator.
Qmail

Follow the instructions below to set up the SMTP relay service for Qmail. These instructions are designed to work with a majority of deployments.

You may first need to increase server timeouts before setting up a smarthost. The default timeout is 1200 seconds, which is long enough. If this value has been previously changed, then edit the /var/qmail/timeoutsmtpd file and increase it to at least 900 seconds.

To set up a smarthost for Qmail:

  1. Edit (or create) the /var/qmail/control/smtproutes file and append the following line:
    :smtp-relay.gmail.com:25
  2. If you have certain internal domains whose traffic should not be routed to Google, you'll want to add specific routing to the appropriate mail server to the /var/qmail/control/smtproutes file, using the following syntax:
    <InternalDomain>:<ServerForInternalDomain>
  3. Stop and restart the Qmail server.
  4. When you've completed your configuration, send a test message to confirm that your outbound mail is flowing.

In addition to the server configuration steps listed above, you may need to perform an additional configuration on your server if either of the following is true:

  • You click the Any address option in the Allowed senders setting and you send mail from a domain you do not own, such as yahoo.com.
  • You send mail without a “From” address, such as non-delivery reports or vacation “out of office” notifications.

In these cases, you must configure your mail server to either ensure that the server is using SMTP AUTH to authenticate as a registered apps user or to present one of your domain names in the HELO or EHLO command. See the instructions here.

Important: Google Apps Support does not provide technical support for configuring on-premise mail servers or third-party products. In the event of a Qmail issue, you should consult your Qmail administrator. These instructions are designed to work with the most common Qmail scenarios. Any changes to your Qmail configuration should be made at the discretion of your Qmail administrator.
Postfix

Follow the instructions below to set up the SMTP relay service for Postfix. These instructions are designed to work with a majority of deployments. There is no need to increase the timeouts for Postfix servers. The default timeout settings are appropriate.

To set up a smarthost for Postfix:

  1. Add the following line to your configuration file (example path /etc/postfix/main.cf):
    relayhost = smtp-relay.gmail.com:25
  2. Restart Postfix by running the following command:
    # sudo postfix reload
  3. When you've completed your configuration, send a test message to confirm that your outbound mail is flowing.

In addition to the server configuration steps listed above, you may need to perform an additional configuration on your server if either of the following is true:

  • You click the Any address option in the Allowed senders setting and you send mail from a domain you do not own, such as yahoo.com.
  • You send mail without a “From” address, such as non-delivery reports or vacation “out of office” notifications.

In these cases, you must configure your mail server to either ensure that the server is using SMTP AUTH to authenticate as a registered apps user or to present one of your domain names in the HELO or EHLO command. See the instructions here.

Important: Google Apps Support does not provide technical support for configuring on-premise mail servers or third-party products. In the event of a Postfix issue, you should consult your Postfix administrator. These instructions are designed to work with the most common Postfix scenarios. Any changes to your Postfix configuration should be made at the discretion of your Postfix administrator.
Note: You must enable the Comprehensive mail storage setting if you have a non-Gmail system that uses the SMTP Relay Service to route mail on behalf of your users; for example, for ticket tracking systems, bug databases, or automated notification systems, and to display that mail in your users’ Gmail mailboxes. If you use Google Apps Vault and enable SMTP relay, you must also enable enable the Comprehensive mail storage setting to have any messages sent through the relay archived in Vault.
Was this article helpful?
Sign in to your account

Get account-specific help by signing in with your Apps for Work account email address, or learn how to get started with Apps for Work.