Route outgoing SMTP relay messages through Google

Set up your on-premise email server for SMTP relay through Google servers

If your organization uses Microsoft Exchange or another SMTP email server, you can set up SMTP relay to route outgoing mail through Google. Use SMTP relay service options to:

  • Filter messages for spam and viruses before they reach external recipients
  • Apply email security and advanced Gmail settings to outgoing messages

Before you begin

Expand section  |  Collapse all

Turn on comprehensive mail storage

We recommend you turn on comprehensive mail storage. Gmail spam filters learn about your email recipients from comprehensive mail storage. So, incoming messages sent from those addresses are less likely to be marked as spam.

Turn on comprehensive mail storage when:

  • You use SMTP relay to route email messages for ticketing and bug systems, and other automated notifications. Messages sent through the relay are delivered to recipients in your organization.
  • You use Google Vault and the SMTP relay service. Messages sent through the relay are archived in Vault.
Review sending limits for the SMTP relay service

Limits per customer

The number of recipients your account can send to is based on your organization’s email sending practices. The maximum number of non-unique email recipients we may allow per customer:

  • 4.6 million in a 24-hour period. If you exceed this, users in your organization might get this message: 550 5.7.1 Daily SMTP relay limit exceeded for customer
  • 319,444 per 10-minute window. If you exceed this, users in your organization might get this message: 450 4.2.1 Peak SMTP relay limit exceeded for customer

Depending on your email sending practices, we may reduce the recipient address limit for your Google Workspace account. This can affect recipient limits for your address maps. We recommend you follow best practices for sending mail to Gmail users. For more information, visit Prevent mail to Gmail users from being blocked or sent to spam.

Limits per user

  • Each user can send up to 10,000 messages in a 24-hour period. However, this limit might be lower if your Google Workspace account is still in a trial-like period. To learn more about account limits, visit Gmail sending limits in Google Workspace.
  • A Google Workspace user can't relay messages to more than 10,000 unique recipients in a 24-hour period. 
  • When users exceed these limits, they get this error: 550 5.4.5 Daily SMTP relay limit exceeded for user.
  • Google servers can support more than 100 recipients per transaction. However, limits defined by RFC 5321 can result in blocked transactions.

Message count is based on the sender address used in the SMTP relay transaction. If the envelope sender is not a registered user, the per-user limits don't apply. Addresses in the From: and Reply-to: fields are ignored.

If the SMTP relay limit is reached for your account, senders might get an error and can't send more messages.

Other considerations for SMTP limits

  • Limits are lower for trial accounts. To increase the SMTP relay limits for a trial account, you must pay a Google-generated bill. This is different from increasing Gmail limits, which can be done by ending your trial.
  • The per-user recipient limits are for unique recipients. Per-account limits are for total recipients. For example, when a user relays 1000 messages to Recipient-A and 1000 messages to Recipient-B, this counts as 2 messages toward the per-user limit, and 2000 toward your account limit.
  • If you haven't yet paid a bill for your Google Workspace account, your account limits are lower.
  • There are different per-user sending limits for sending email with Gmail, rather than SMTP relay. The SMTP relay and Gmail user sending limits are independent and are counted separately from each other. For details about Gmail sending limits, visit Gmail sending limits in Google Workspace.

Denial of Service (DoS) limits

Google Workspace SMTP relay servers support security methods that prevent DoS attacks. To avoid impacting these security methods, we recommend that SMTP agents sending large amounts of mail reuse connections. Reusing connections is called connection caching, and it lets servers send multiple messages per connection. Your email provider can help you set up connection caching.

We recommend that servers presents unique identifiers in the HELO or EHLO arguments during SMTP connections. For example, use your domain name or the server name, instead of generic identifiers such as localhost or smtp-relay.gmail.com.

Relay abuse limits

To manage spam, Google monitors messages sent through the SMTP relay service. If we detect a user sending a significant amount of spam, we send an email notification to the super administrators for your Google Workspace account.

Learn more about the spam and abuse policy and handling SMTP relay abuse. Learn more about the spam and abuse policy and handling SMTP relay abuse.

Attachment size limit

You can send up to 25 MB in attachments. If you have more than one attachment, they can't add up to more than 25 MB.

If your file is greater than 25 MB, Gmail automatically adds a Google Drive link in the email instead of including it as an attachment. Learn more about Google Drive attachment sharing settings.

Step 1: Set up SMTP relay in your Google Admin console

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu ""and then"" Appsand thenGoogle Workspaceand thenGmailand thenRouting.
  3. On the left, select the top-level organization.

    You can add, edit, and delete the SMTP relay service setting at the top-level organization only. You can view the setting at the suborganization level.

  4. Scroll to the SMTP relay service setting in the Routing section.
  5. Point to the setting, and click Configure. If the setting is already configured, click Edit or Add another.
  6. In the Add setting box, enter a name for the setting and take these steps:
     
    Setting What to do
    1. Allowed senders

    Select the user type that can send messages with the SMTP relay service:

    • Only registered Apps users in my domains—The sender must be a registered Google Workspace user in one of your domains.
    • Only addresses in my domains—The sender doesn't have to be a Google Workspace user, but must be in one of your registered domains. This option is useful when you use third-party or custom applications to send messages.
    • Any addresses (not recommended)—The sender address can be any email address, including addresses outside of your domain. This option makes you more vulnerable to abuse, either by malicious software on your users' devices, or by incorrect SMTP settings.

      To use the Any address option, set up your mail server to use SMTP AUTH to identify the sending domain, or to present one of your domain names in the HELO or EHLO command. Configure your mail server this way if you send messages from a domain you don't own, or if you send messages with an empty envelope-from, for example bounce messages or out-of-office notifications.

      If the sender is not in one of your domains, the system changes the envelope sender from user@[domain you don't own] to postmaster@[your domain], where [your domain] is the domain the system receives from SMTP AUTH or from the HELO or EHLO command.

    2. Authentication

    Select one or both options to set an authentication method:

    • Only accept mail from the specified IP addresses—The system accepts only messages sent from IP addresses that you specify in this setting.
    • Require SMTP Authentication—Enforces SMTP authentication to identify the sending domain. Using this option requires your clients to connect via TLS. SMTP authentication verifies the connection by checking the user Google Workspace email address and password.

    If you select the Specified IP addresses option, enter the IP address ranges:

    1. Click Add.
    2. Enter a description for the IP address or range.
    3. Enter the IP address or range in IPv4 or IPv6 format.

      Use your own public IP address. You can specify up to 65,536 IP addresses in one range. For security reasons, we recommend that you keep the IP range as small as possible.

    4. Check the Enable box to enable or disable the IP address or range.
    5. To save the IP address or range, click Save.
    6. Add more IP addresses or ranges as needed.
    3. Encryption

    To require TLS for connections between your server and Google, select the Require TLS encryption checkbox.

    Important: If your email server doesn't support TLS, don't select the checkbox. If this option is selected, messages not sent over an encrypted TLS connection are rejected.

  7. At the bottom of the Add setting box, click Save.
Changes can take up to 24 hours but typically happen more quickly. Learn more

Step 2: Set up your on-premise server to point to Google

To configure your on-premise email server to point to smtp-relay.gmail.com, follow the steps for your server type.

Important: Google Workspace support doesn't provide technical support for non-Google products. To get help with these steps, contact your mail server provider.

Before you begin

Review these guidelines before configuring your server:

  • Depending on your selected Require TLS encryption option (from Step 1):
    • Require TLS encryption enabled: Configure your on-premise mail server to point to smtp-relay.gmail.com on port 587.
    • Require TLS encryption not enabled: Configure your on-premise server to point to smtp-relay.gmail.com on port 25, port 465, or port 587. Without TLS encryption, you can't use SMTP authentication and must use IP address authentication.
  • We recommend that servers presents unique identifiers in the HELO or EHLO arguments during SMTP connections. For example, use your domain name or the server name, instead of generic identifiers such as localhost or smtp-relay.gmail.com.
  • The SMTP Relay service doesn't support multiple envelope recipients (RCPT TO) when using a null envelope sender (MAIL FROM: <>).
  • In these cases, configure your mail server to use SMTP AUTH to authenticate as a Google Workspace user, or present one of your domain names in the HELO or EHLO command. Get detailed instructions from your mail server provider:
    • You selected the Any address option for the Allowed senders setting, and you send mail from a domain you don't own.
    • You send mail without a “From” address, for example bounce messages or vacation notifications.

Configure Microsoft Exchange servers

Expand section  |  Collapse all & go to top

Microsoft Exchange 2007/2010 without an Edge Server

If you don't have an Edge Server, follow the instructions below to set up the SMTP relay service for Exchange 2007/2010. In this case, set up Outbound Services on a Hub Transport server.

Don't change the default timeout settings for Microsoft Exchange 2007/2010 mail servers. The default timeout setting supports this SMTP relay configuration.

To create and configure a Send Connector on your Hub Connector Server:

  1. Click Organization Configurationand thenHub Transport.
  2. Click Send Connectors.
  3. Right-click in the actions pane and select New SMTP Send Connector.
  4. Name the connector Outbound.
  5. Click the list, select Internet, and then click Next.


     
  6. Click Add to open the Add Address Space dialog.


     
  7. In the Domain field, enter an asterisk (*) so that all mail is routed through the new connector.


     
  8. Check the Include all subdomains box, and click OK.
  9. In the New SMTP Send Connector dialog, click Next.
  10. Under Network settings, click the Route mail through the following smart hosts option.
  11. Click Add.


     
  12. In the Add smart host dialog, enter smtp-relay.gmail.com in the Fully qualified domain name field.

  13. Under Configure smart host authentication settings, click the None option, and then click Next.


     
  14. On the Source Server page, click Add, and list each outbound hub server that will act as a bridgehead.




     
  15. Click OKand thenNext.
  16. On the New SMTP Send Connector page, click New.


     
  17. Click Finish to complete the send connector configuration.


     
  18. In these cases, configure your mail server to use SMTP AUTH to authenticate as a registered Google Workspace user, or to present your domain name in the HELO or EHLO command.

    • You selected the Any address option for the Allowed senders setting, and you send mail from a domain you don't own.
    • You send mail without a “From” address, for example bounce messages or vacation notifications.

    Important: Google Workspace support doesn't provide technical support for non-Google products. To get help with these steps, contact your mail server provider.

  19. When you've completed your configuration, send a test message to confirm that your outbound mail is flowing.
Microsoft Exchange 2007/2010 with an Edge Server

With Microsoft Exchange 2007/2010, servers are assigned distinct roles. An Edge Server is one type of server role. Edge Servers:

  • Connect all other Exchange Servers to the internet
  • Provide filtering and security for your email

To send messages on an edge server, configure a send connector. Send connectors are created and edited in the Exchange Management Console. 

Don't change the default timeout settings for Microsoft Exchange 2007/2010 mail servers. The default timeout setting supports this SMTP relay configuration

To create and configure a Send Connector on your Hub Connector Server:

  1. Click Organization Configurationand thenHub Transport.
  2. Click Send Connectors.
  3. Double-click the EdgeSync – [your site] to internet connector, where [your site] is the name of your site.


     
  4. On the Address Space tab, verify that the asterisk (*) domain has been added.


     
  5. On the Network tab, uncheck the Enable Domain Security (Mutual Auth TLS) box, and click the Route mail through the following smart hosts option.


     
  6. Click Add to display the Add smart host dialog.
  7. Enter smtp-relay.gmail.com in the Fully qualified domain name field, and click OK.

  8. On the Source Server tab, verify that the appropriate edge subscriptions are defined.
  9. From the Exchange Management Shell, run the start-edgesynchronization command.

     
  10. On the Edge servers, verify that the new Send Connector settings have been received and are identical to those on the hub server.
  11. Check your receive connectors on the Edge server and verify the following:
    • The Network tab has the IP range of all hub servers included.
    • The Authentication tab has the Exchange Server Authentication option checked.
    • The Permission Groups tab has the Exchange Servers option checked.
  12. In these cases, configure your mail server to use SMTP AUTH to authenticate as a registered Google Workspace user, or to present your domain name in the HELO or EHLO command.

    • You selected the Any address option for the Allowed senders setting, and you send mail from a domain you don't own.
    • You send mail without a “From” address, for example bounce messages or vacation notifications.

    Important: Google Workspace support doesn't provide technical support for non-Google products. To get help with these steps, contact your mail server provider.

  13. When you've completed your configuration, send a test message to confirm that your outbound mail is flowing.

     

Microsoft Exchange 2000/2003

Change the retry interval and configure the smart host to route traffic to Google:

  1. Right-click SMTP Virtual Server and select Properties.

  2. Click the Delivery tab.

  3. Under Outbound, change the default retry interval values to the following:

    • First retry interval (minutes): 1
    • Second retry interval (minutes): 1
    • Third retry interval (minutes): 3
    • Subsequent retry interval (minutes): 5
  4. Click Connectors, right-click the SMTP Connector (or the internet Mail SMTP Connector), and select Properties.

  5. On the General tab, type smtp-relay.gmail.com.

  6. In these cases, configure your mail server to use SMTP AUTH to authenticate as a registered Google Workspace user, or to present your domain name in the HELO or EHLO command.

    • You selected the Any address option for the Allowed senders setting, and you send mail from a domain you don't own.
    • You send mail without a “From” address, for example bounce messages or vacation notifications.

    Important: Google Workspace support doesn't provide technical support for non-Google products. To get help with these steps, contact your mail server provider.

  7. Click OK to save the changes.

Configure HCL, Novell, and Sendmail servers

Expand section  |  Collapse all & go to top

HCL Domino (formerly IBM Domino)

Follow the instructions below to set up the SMTP relay service for HCL Domino. These instructions, which were written for Domino R5/R6, are designed to work with a majority of deployments.

Don't change the default timeout settings for Domino R5/R6 mail servers. The default timeout setting supports this SMTP relay configuration.

Set up a smart host and adjust the Retry Interval:

  1. Open Domino Administrator.

  2. Click Administration and select the Configuration tab.

  3. Click Configurations.

  4. Double-click the name of your Domino Server.

  5. At the top of the window, click Edit Server Configuration.

  6. Select the Router/SMTP tab in the first row. This selects the Basics tab of the second row of tabs.

  7. Under Relay host for messages leaving the local internet domain, add smtp-relay.gmail.com.

  8. Select the Restrictions and Controls tab from the second row.

  9. Select the Transfer Controls tab from the third row.

  10. Set the configuration Initial Transfer Retry Interval to one minute or higher.

  11. Click Save & Close to exit.

  12. In these cases, configure your mail server to use SMTP AUTH to authenticate as a registered Google Workspace user, or to present your domain name in the HELO or EHLO command.

    • You selected the Any address option for the Allowed senders setting, and you send mail from a domain you don't own.
    • You send mail without a “From” address, for example bounce messages or vacation notifications.

    Important: Google Workspace support doesn't provide technical support for non-Google products. To get help with these steps, contact your mail server provider.

  13. When you've completed your configuration, send a test message to confirm that your outbound mail is flowing.

Novell Groupwise

Follow the instructions below to set up the SMTP relay service for Novell Groupwise. First, increase server timeouts, then set up a smart host.

Increase server timeouts:

  1. Open the Groupwise ConsoleOne interface.

  2. Right-click the Internet Agent object and select Properties.

  3. Select the SMTP/MIME Settings tab and click Timeouts.

  4. Set the following values:

    • Commands: 5 minutes
    • Data: 3 minutes
    • Connection Establishment: 2 minutes
    • Initial Greeting: 5 minutes
    • TCP Read: 5 minutes
    • Connection Termination: 15 minutes
  5. Click Apply > OK.

Set up a smart host:

  1. Open the Groupwise ConsoleOne interface.

  2. Right-click the Internet Agent object and select Properties.

  3. If the SMTP/MIME Settings page is not the default page, select the SMTP/MIME tab and click Settings.

  4. Set the number of SMTP Send Threads to the maximum number of simultaneous connections the Groupwise server will safely support.

  5. Enter smtp-relay.gmail.com in the Relay Host for Outbound Messages field.

  6. Click Apply > OK.

  7. In these cases, configure your mail server to use SMTP AUTH to authenticate as a registered Google Workspace user, or to present your domain name in the HELO or EHLO command.

    • You selected the Any address option for the Allowed senders setting, and you send mail from a domain you don't own.
    • You send mail without a “From” address, for example bounce messages or vacation notifications.

    Important: Google Workspace support doesn't provide technical support for non-Google products. To get help with these steps, contact your mail server provider.

  8. When you've completed your configuration, send a test message to confirm that your outbound mail is flowing.

Sendmail

Follow the instructions below to set up the SMTP relay service for Sendmail. 

In Sendmail, the server timeout default is 1 hour. If the timeout value is less than 1 hour, update the value to 1 hour before setting up SMTP relay.

  1. Add the following line to the /etc/mail/sendmail.mc file:
    define(`SMART_HOST', `smtp-relay.gmail.com')​​

  2. Stop and restart the sendmail server process.

  3. In these cases, configure your mail server to use SMTP AUTH to authenticate as a registered Google Workspace user, or to present your domain name in the HELO or EHLO command.

    • You selected the Any address option for the Allowed senders setting, and you send mail from a domain you don't own.
    • You send mail without a “From” address, for example bounce messages or vacation notifications.

    Important: Google Workspace support doesn't provide technical support for non-Google products. To get help with these steps, contact your mail server provider.

  4. When you've completed your configuration, send a test message to confirm that your outbound mail is flowing.

Configure macOS, Qmail, and Postfix servers

Expand section  |  Collapse all & go to top

macOS

Follow the instructions below to set up the SMTP relay service for macOS.

  1. In Server Admin, select Mail and click Settings.

  2. Under Relay all mail through this host, enter smtp-relay.gmail.com.

  3. To close the Server Admin, click Save.

  4. In these cases, configure your mail server to use SMTP AUTH to authenticate as a registered Google Workspace user, or to present your domain name in the HELO or EHLO command.

    • You selected the Any address option for the Allowed senders setting, and you send mail from a domain you don't own.
    • You send mail without a “From” address, for example bounce messages or vacation notifications.

    Important: Google Workspace support doesn't provide technical support for non-Google products. To get help with these steps, contact your mail server provider.

  5. Restart the mail service.

  6. When you've completed your configuration, send a test message to confirm that your outbound mail is flowing.

Qmail

Follow these instructions to set up the SMTP relay service for Qmail. 

In Qmail, the server timeout default is 1200 seconds. If the timeout value is less than 900 seconds, update the value to at least 900 seconds before setting up SMTP relay.

To set up a smart host for Qmail:

  1. Edit (or create) the /var/qmail/control/smtproutes file and append the following line:
    :smtp-relay.gmail.com:25
  2. If you have internal domains where traffic shouldn't be routed to Google,  add routing settings to the appropriate mail server to the /var/qmail/control/smtproutes file, with the following syntax: <InternalDomain>:<ServerForInternalDomain>
  3. In these cases, configure your mail server to use SMTP AUTH to authenticate as a registered Google Workspace user, or to present your domain name in the HELO or EHLO command.

    • You selected the Any address option for the Allowed senders setting, and you send mail from a domain you don't own.
    • You send mail without a “From” address, for example bounce messages or vacation notifications.

    Important: Google Workspace support doesn't provide technical support for non-Google products. To get help with these steps, contact your mail server provider.

  4. Stop and restart the Qmail server.
  5. When you've completed your configuration, send a test message to confirm that your outbound mail is flowing.
Postfix

Follow the instructions below to set up the SMTP relay service for Postfix. 

Don't change the default timeout settings for Postfix mail servers. The default timeout setting supports this SMTP relay configuration.

To set up a smart host for Postfix:

  1. Add the following line to your configuration file (example path /etc/postfix/main.cf):
    relayhost = smtp-relay.gmail.com:25
  2. Restart Postfix by running the following command:
    # sudo postfix reload
  3. In these cases, configure your mail server to use SMTP AUTH to authenticate as a registered Google Workspace user, or to present your domain name in the HELO or EHLO command.

    • You selected the Any address option for the Allowed senders setting, and you send mail from a domain you don't own.
    • You send mail without a “From” address, for example bounce messages or vacation notifications.

    Important: Google Workspace support doesn't provide technical support for non-Google products. To get help with these steps, contact your mail server provider.

  4. Send a test message to confirm that your outbound mail is flowing.


Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.

Was this helpful?
How can we improve it?

Need more help?

Sign in for additional support options to quickly solve your issue

Search
Clear search
Close search
Google apps
Main menu
Search Help Center
true
73010
false
false