Route outgoing SMTP relay messages through Google

Set up your on-premise email server for SMTP relay through Google servers

If your organization uses Microsoft Exchange or another SMTP service or server, you can set up the SMTP relay service to route outgoing mail through Google. You can use it to:

  • Filter messages for spam and viruses before they reach external recipients
  • Apply email security and advanced Gmail settings to outgoing messages

Before you begin

Expand section  |  Collapse all

Review server configuration
  • If you’re using TLS encryption, configure your on-premise mail server to point to smtp-relay.gmail.com on port 587.
  • If you’re not using TLS encryption, configure your on-premise server to point to smtp-relay.gmail.com on port 25, 465, or 587. Without TLS encryption, you can't use SMTP authentication and must use IP address authentication.
Turn on comprehensive mail storage

You can turn on comprehensive mail storage to help Gmail spam filters learn about your email recipients. 

Turn on comprehensive mail storage when:

  • You use SMTP relay to route email messages for automated notifications, such as ticketing and bug systems. Messages sent through the relay are delivered to recipients in your organization.

  • You use Google Vault and the SMTP relay service. Messages sent through the relay are archived in Vault.

To turn it on, go to Set up comprehensive mail storage.

Review sending limits for the SMTP relay service

Organization-wide limits

The number of recipients your organization’s account can send to is based on your overall sending practices. The maximum number of non-unique email recipients allowed per organization are:

  • 4.6 million in a 24-hour period 
  • 319,444 per 10-minute window  

If you exceed the limits, your users might get an error when they try to send a message.

Depending on your email sending practices, we might reduce the recipient address limit for your Google Workspace account. If the number of recipients is limited, the address maps for the account might also be limited. We recommend following best practices for sending mail to Gmail users. For more information, visit:

User and message limits

If a user exceeds a limit, they get an error when they try to send a message. For more information, visit SMTP relay service error messages.

  • Each user can send up to 10,000 messages in a 24-hour period. However, this limit might be lower if your Google Workspace account is still in a trial period. To learn more about account limits, go to Gmail sending limits in Google Workspace.
  • A Google Workspace user can't send messages to more than 10,000 unique recipients in a 24-hour period. 
  • There is a 100-recipient limit per SMTP transaction for smtp-relay.gmail.com. Exceeding this limit results in an error message. To send messages to additional recipients, start another transaction (new SMTP connection or RSET command).  
  • Message count is based on the sender address used in the SMTP relay transaction. If the envelope sender is not a user registered with your Google Workspace account, the per-user limits don't apply. Addresses in the From: and Reply-to: fields are ignored.
  • The SMTP relay service does not support multiple envelope recipients (RCPT TO) when using a null envelope sender (MAIL FROM: <>).

Trial accounts limits

Limits are lower for trial accounts. To increase the SMTP relay limits for a trial account, you must pay a Google-generated bill. Increasing relay limits is different from increasing Gmail limits, which can be done by ending your trial.

Per-user recipient and per-account limits

The per-user recipient limits are for unique recipients. Per-account limits are for total recipients. For example, when a user relays 1,000 messages to Recipient-A and 1,000 messages to Recipient-B, it counts as 2 messages toward the per-user limit and 2,000 toward your account limit.

Account limits for an unpaid balance

If you haven't yet paid a bill for your Google Workspace account, your account limits are lower.

SMTP relay and Gmail user sending limits

There are different per-user sending limits for sending email with Gmail, rather than SMTP relay. The SMTP relay and Gmail user sending limits are independent and counted separately from each other.  

Denial of Service (DoS) limits

  • Google Workspace SMTP relay servers support security methods that prevent DoS attacks. To avoid impacting these security methods, we recommend that SMTP agents sending large amounts of mail reuse connections. Reusing connections is called connection caching, and it lets servers send multiple messages per connection. Your email provider can help you set up connection caching.
  • We recommend that servers present unique identifiers in the HELO or EHLO arguments during SMTP connections. For example, use your domain name or the server name, instead of generic identifiers such as localhost or smtp-relay.gmail.com.

Relay abuse limits

To manage spam, Google monitors messages sent through the SMTP relay service. If we detect a user sending a significant amount of spam, we send an email notification to the super administrators for your Google Workspace account.

Learn more about the spam and abuse policy and handling SMTP relay abuse.

Attachment size limit

You can send up to 25 MB in attachments. If you have more than one attachment, they can't add up to more than 25 MB.

If your file is greater than 25 MB, Gmail automatically adds a Google Drive link in the email instead of including it as an attachment. Learn more about Google Drive attachment sharing settings.

Step 1: Set up SMTP relay in your Google Admin console

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu ""and then"" Appsand thenGoogle Workspaceand thenGmailand thenRouting.

    You can add, edit, and delete the SMTP relay service setting at the top-level organization only. You can view the setting at the child organizational unit level.

  3. Scroll to SMTP relay service and click Configure. If the setting is already configured, click Edit or Add another.
  4. Enter a name for the setting and set up the following options:
    Setting options What to do
    Allowed senders

    Choose an option:

    • Only registered Apps users in my domains—Sender must be a Google Workspace user in one of your domains.
    • Only addresses in my domains—Sender doesn't have to be a Google Workspace user, but must be a user in one of your registered domains. This option is useful when you use third-party or custom applications to send messages.
    • Any addresses (not recommended)—Sender address can be any email address, including addresses outside of your domain. This option makes you more vulnerable to abuse, either by malicious software on your users' devices or by incorrect SMTP settings.

      If you use the any address option and send messages from a domain that you don't own or with an empty envelope-from (for example, bounce messages or out-of-office notifications), set up your mail server to use SMTP AUTH to identify the sending domain or to present one of your domain names in the HELO or EHLO command.

      If the sender is not in one of your domains, the system changes the envelope sender from user@domain_you_don't_own to postmaster@your_domain, where your_domain is the domain the system receives from SMTP AUTH or from the HELO or EHLO command.

    Authentication

    Check one or both boxes to set an authentication method:

    • Only accept mail from the specified IP addresses—System accepts only messages sent from IP addresses that you specify.
    • Require SMTP Authentication—Enforces SMTP authentication to identify the sending domain (connection through TLS required). SMTP authentication verifies the connection by checking the user Google Workspace email address and password.

    If you select the specified IP addresses option:

    1. Click Add.
    2. Enter a description and the IP address or range in IPv4 or IPv6 format.
      Use your own public IP address. You can specify up to 65,536 IP addresses in one range. For security reasons, we recommend that you keep the IP range as small as possible.
    3. Check or uncheck the Enable box to enable or disable the IP address or range.
    4. Click Save.
    5. To add more IP addresses or ranges, repeat the steps.
    Encryption

    (Optional) To require TLS for connections between your server and Google, check the Require TLS encryption box.

    Important: If your email server doesn't support TLS and you check this box, messages not sent over an encrypted TLS connection are rejected.
  5. Click Save.
Changes can take up to 24 hours but typically happen more quickly. Learn more

Step 2: Set up your on-premise server to point to Google

Configure Exchange servers

Expand section  |  Collapse all & go to top

Microsoft Exchange 2007/2010 without an Edge server

Google Workspace support provides technical support only for Google products. To get help with these steps, contact your mail server provider.

In this case, set up Outbound Services on a Hub Transport server. Don't change the default timeout settings for Microsoft Exchange 2007/2010 mail servers. The default timeout setting supports this SMTP relay configuration.

  1. For Transport Settings Properties, click Generaland thenOrganization Configurationand thenHub Transport.
  2. Click Send Connectors.
  3. Right-click the actions pane and select New SMTP Send Connector.
  4. For Name, enter Outbound.
  5. For Select the intended use for this Send connector, select Internet and click Next.

    ""
  6. Click Add.

    ""
     
  7. For Domain, enter * (asterisk) so that all mail is routed through the new connector.

    ""
  8. Check the Include all subdomains box and click OK.
  9. Click Next.
  10. Under Network settings, select Route mail through the following smart hostsand thenclick Add.

    ""
  11. Select Fully qualified domain Name (FQDN) and enter smtp-relay.gmail.com.

    ""
     
  12. For Configure smart host authentication settings, select None and click Next.

    ""
     
  13. For Source Server, click Add and list each outbound hub server that will act as a bridgehead.

    ""

    ""
     
  14. Click OKand thenNext.
  15. For New Connector, click New.

    ""

  16. Click Finish.

    ""
  17. Send a test message to confirm that your outbound mail is flowing.
Microsoft Exchange 2007/2010 with an Edge server

Google Workspace support provides technical support only for Google products. To get help with these steps, contact your mail server provider.

To send messages on an Edge server, configure a send connector. You can create and edit send connectors in the Exchange Management Console. Don't change the default timeout settings for Microsoft Exchange 2007/2010 mail servers. The default timeout setting supports this SMTP relay configuration.

To create and configure a send connector on your Hub Connector Server:

  1. Click Organization Configurationand thenHub Transport.
  2. Click Send Connectors.
  3. Double-click EdgeSync – name of your site to internet.

    ""
     
  4. On the Address Space tab, verify that the asterisk (*) domain has been added.

    ""
     
  5. On the Network tab, uncheck the Enable Domain Security (Mutual Auth TLS) box and select Route mail through the following smart hosts.

    ""
     
  6. Click Add.
  7. Select Fully qualified domain name, enter smtp-relay.gmail.com, and click OK.

  8. On the Source Server tab, verify that the appropriate Edge subscriptions are listed.
  9. From the Exchange Management Shell, run the start-edgesynchronization command.

    ""

  10. On the Edge servers, verify that the new send connector settings have been received and are identical to those on the hub server.
  11. Check your receive connectors on the Edge server and verify the following points:
    • The Network tab has the IP range of all hub servers.
    • The Authentication tab has the Exchange Server Authentication option selected.
    • The Permission Groups tab has the Exchange Servers option selected.
  12. Send a test message to confirm that your outbound mail is flowing.

Microsoft Exchange 2000/2003

Google Workspace support provides technical support only for Google products. To get help with these steps, contact your mail server provider.

Change the retry interval and configure the smart host to route traffic to Google:

  1. Right-click SMTP Virtual Server and select Properties.

  2. Click the Delivery tab.

  3. For Outbound, change the default retry intervals to the following values:

    • First retry interval (minutes): 1
    • Second retry interval (minutes): 1
    • Third retry interval (minutes): 3
    • Subsequent retry interval (minutes): 5
  4. Click Connectors, right-click the SMTP Connector (or the internet Mail SMTP Connector), and select Properties.

  5. On the General tab, enter smtp-relay.gmail.com.

  6. If you selected the Any address option for allowed senders and you send mail from a domain that you don't own. Or, if you send mail without a “From” address, for example bounce messages or vacation notifications, you need to choose one of the following options: 

    • Configure your mail server to use SMTP AUTH to authenticate as a Google Workspace user.
    • Present one of your domain names in the HELO or EHLO command.

    For detailed instructions, contact your mail server provider.

  7. Click OK to save the changes.

 

Configure HCL, Novell, and Sendmail servers

Expand section  |  Collapse all & go to top

HCL Domino (formerly IBM Domino)

These instructions, which were written for Domino R5/R6, are designed to work with a majority of deployments.

Don't change the default timeout settings for Domino R5/R6 mail servers. The default timeout setting supports this SMTP relay configuration.

Set up a smart host and adjust the Retry Interval:

  1. Open Domino Administrator.

  2. Click Administrationand thenthe Configuration tab.

  3. Click Configurations.

  4. Double-click the name of your Domino server.

  5. At the top, click Edit Server Configuration.

  6. Click the Router/SMTP tab.

  7. For Relay host for messages leaving the local internet domain, enter smtp-relay.gmail.com.

  8. Click the Restrictions and Controls taband thenthe Transfer Controls tab.

  9. For Initial Transfer Retry Interval, enter a value of one minute or higher.

  10. Click Save & Close.

  11. If you selected the Any address option for allowed senders and you send mail from a domain that you don't own. Or, if you send mail without a “From” address, for example bounce messages or vacation notifications, you need to choose one of the following options: 

    • Configure your mail server to use SMTP AUTH to authenticate as a Google Workspace user.
    • Present one of your domain names in the HELO or EHLO command.

    For detailed instructions, contact your mail server provider.

  12. Send a test message to confirm that your outbound mail is flowing.

Novell Groupwise

 

Step 1: Increase server timeouts

  1. Open the Groupwise ConsoleOne interface.

  2. Right-click the Internet Agent object and select Properties.

  3. Select the SMTP/MIME Settings tab and click Timeouts.

  4. Set the following values:

    • Commands: 5 minutes
    • Data: 3 minutes
    • Connection Establishment: 2 minutes
    • Initial Greeting: 5 minutes
    • TCP Read: 5 minutes
    • Connection Termination: 15 minutes
  5. Click Applyand thenOK.

Step 2: Set up a smart host

  1. Open the Groupwise ConsoleOne interface.

  2. Right-click the Internet Agent object and select Properties.

  3. If the SMTP/MIME Settings page is not the default page, click the SMTP/MIME taband thenSettings.

  4. Set the number of SMTP Send Threads to the maximum number of simultaneous connections the Groupwise server will safely support.

  5. For Relay Host for Outbound Messages, enter smtp-relay.gmail.com.

  6. Click Applyand thenOK.

  7. If you selected the Any address option for allowed senders and you send mail from a domain that you don't own. Or, if you send mail without a “From” address, for example bounce messages or vacation notifications, you need to choose one of the following options: 

    • Configure your mail server to use SMTP AUTH to authenticate as a Google Workspace user.
    • Present one of your domain names in the HELO or EHLO command.

    For detailed instructions, contact your mail server provider.

  8. Send a test message to confirm that your outbound mail is flowing.

Sendmail

In Sendmail, the server timeout default is one hour. If the timeout value is less than one hour, update the value to one hour before setting up SMTP relay.

To set up the SMTP relay service for Sendmail: 

  1. Add the following line to the /etc/mail/sendmail.mc file:
    define(`SMART_HOST', `smtp-relay.gmail.com')​​

  2. Stop and restart the sendmail server process.

  3. If you selected the Any address option for allowed senders and you send mail from a domain that you don't own. Or, if you send mail without a “From” address, for example bounce messages or vacation notifications, you need to choose one of the following options: 

    • Configure your mail server to use SMTP AUTH to authenticate as a Google Workspace user.
    • Present one of your domain names in the HELO or EHLO command.

    For detailed instructions, contact your mail server provider.

  4. Send a test message to confirm that your outbound mail is flowing.

Configure macOS, Qmail, and Postfix servers

Expand section  |  Collapse all & go to top

macOS
  1. In Server Admin, select Mail and click Settings.
  2. For Relay all mail through this host, enter smtp-relay.gmail.com.

  3. Click Save.

  4. If you selected the Any address option for allowed senders and you send mail from a domain that you don't own. Or, if you send mail without a “From” address, for example bounce messages or vacation notifications, you need to choose one of the following options: 

    • Configure your mail server to use SMTP AUTH to authenticate as a Google Workspace user.
    • Present one of your domain names in the HELO or EHLO command.

    For detailed instructions, contact your mail server provider.

  5. Restart the mail service.

  6. Send a test message to confirm that your outbound mail is flowing.

Qmail

In Qmail, the server timeout default is 1,200 seconds. If the timeout value is less than 900 seconds, update the value to at least 900 seconds before setting up SMTP relay.

To set up a smart host for Qmail:

  1. Edit (or create) the /var/qmail/control/smtproutes file and append the following line:
    :smtp-relay.gmail.com:25
  2. If you have internal domains where traffic shouldn't be routed to Google, add routing settings to the appropriate mail server to the /var/qmail/control/smtproutes file, with the following syntax: <InternalDomain>:<ServerForInternalDomain>
  3. If you selected the Any address option for allowed senders and you send mail from a domain that you don't own. Or, if you send mail without a “From” address, for example bounce messages or vacation notifications, you need to choose one of the following options: 

    • Configure your mail server to use SMTP AUTH to authenticate as a Google Workspace user.
    • Present one of your domain names in the HELO or EHLO command.

    For detailed instructions, contact your mail server provider.

  4. Stop and restart the Qmail server.
  5. Send a test message to confirm that your outbound mail is flowing.
Postfix

Don't change the default timeout settings for Postfix mail servers. The default timeout setting supports this SMTP relay configuration.

To set up a smart host for Postfix:

  1. Add the following line to your configuration file (example path /etc/postfix/main.cf):
    relayhost = smtp-relay.gmail.com:25
  2. Restart Postfix by running the following command:
    # sudo postfix reload
  3. If you selected the Any address option for allowed senders and you send mail from a domain that you don't own. Or, if you send mail without a “From” address, for example bounce messages or vacation notifications, you need to choose one of the following options: 

    • Configure your mail server to use SMTP AUTH to authenticate as a Google Workspace user.
    • Present one of your domain names in the HELO or EHLO command.

    For detailed instructions, contact your mail server provider.

  4. Send a test message to confirm that your outbound mail is flowing.


Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.

Was this helpful?
How can we improve it?

Need more help?

Sign in for additional support options to quickly solve your issue

Search
Clear search
Close search
Google apps
Main menu
Search Help Center
true
true
true
true
73010
false
false