Allow email from Google IPs to your email server

If you want to route mail through your G Suite service to an on-premise mail server—for example, if you have non-Gmail mailboxes or delivery endpoints, such as Exchange mailboxes, ticketing systems, or other on-premise systems—your on-premise email server and firewall must be configured to allow mail traffic from Google IP ranges. Any other IPs should not be allowed to connect to your infrastructure, unless they are trusted sources that you want to allow to connect directly to your server without additional filtering from Google.

We recommend that you make this change immediately if you're switching your service to G Suite, or your mail flow may be interrupted.

Configuring your firewall and mail server

We recommend that you configure your mail server and firewall to refuse port 25 traffic, except from Google IP ranges.

This prevents unexpected spam, which is sometimes the result of direct connections to your mail server. If a malicious sender is able to find your mail server and connect directly, your users may receive spam, viruses, and malware.

  • Configuring your firewall—The step-by-step instructions for configuring your firewall vary, depending on the type of firewall, so you may consider consulting directly with the manufacturer or vendor for instructions. Whatever firewall type you're using, configure it to allow email traffic from the current range of Google IP addresses (see Google IP ranges).
  • Configuring your mail server—When configuring your mail server to accept mail from Google IP ranges, see Mail server-specific instructions for details about specific types of mail servers.
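To confirm that the restriction described above is in effect, the following added example (not part of the original article) scans mail server logs for SMTP connections from addresses outside the allowed ranges. It assumes Postfix-style smtpd "connect from" log lines; the allow-list, host names, and log lines are constructed samples using documentation address ranges.

```python
import ipaddress
import re
from collections import Counter

# Constructed allow-list (documentation ranges); in practice, the current Google IP ranges.
ALLOWED = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "2001:db8:4000::/36")]

# Constructed Postfix smtpd log lines.
SAMPLE_LOG = """\
Mar  3 10:01:12 mx1 postfix/smtpd[2101]: connect from relay-a.example.test[192.0.2.17]
Mar  3 10:01:40 mx1 postfix/smtpd[2107]: connect from unknown[203.0.113.45]
Mar  3 10:02:05 mx1 postfix/smtpd[2110]: connect from relay-b.example.test[2001:db8:4000::25]
Mar  3 10:02:31 mx1 postfix/smtpd[2107]: disconnect from unknown[203.0.113.45]
Mar  3 10:03:02 mx1 postfix/smtpd[2114]: connect from unknown[203.0.113.45]
"""

# Captures the peer address inside the square brackets of a "connect from" line.
CONNECT = re.compile(r"postfix/smtpd\[\d+\]: connect from \S+\[([0-9A-Fa-f:.]+)\]")


def is_allowed(ip_text, allowed=ALLOWED):
    """Return True if the address falls inside one of the allowed networks."""
    ip = ipaddress.ip_address(ip_text)
    # Compare IPv4-mapped IPv6 peers (::ffff:a.b.c.d) as the IPv4 address they carry.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip.version == net.version and ip in net for net in allowed)


def unexpected_sources(log_text, allowed=ALLOWED):
    """Count connections per source address that is outside the allow-list."""
    hits = Counter()
    for line in log_text.splitlines():
        match = CONNECT.search(line)
        if match and not is_allowed(match.group(1), allowed):
            hits[match.group(1)] += 1
    return dict(hits)


if __name__ == "__main__":
    for source, count in unexpected_sources(SAMPLE_LOG).items():
        print("%s connected %d time(s) from outside the allowed ranges" % (source, count))
```

Any address this reports reached the mail server without passing through the allowed ranges, which means the firewall or server restriction is not being applied to it.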

Google IP ranges

Google maintains a global infrastructure that dynamically grows to accommodate an increasing demand. As a result, G Suite mail servers use a large range of IP addresses, and the addresses often change. The most effective means of finding the current range of Google IP addresses is to query Google's SPF record (for instructions, see Google IP address ranges for outbound SMTP).
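The following added example (not part of the original article) shows how an SPF record is expanded into a list of IP ranges: it follows include: and redirect= terms and collects the ip4: and ip6: networks. The record names and ranges are constructed samples, and lookup_sample is a hypothetical stand-in for a real DNS TXT lookup; the name of the record to start from comes from the Google article referenced above.

```python
import ipaddress

# Constructed sample zone (documentation ranges) standing in for live DNS TXT answers.
SAMPLE_TXT = {
    "_spf.example.test": ["v=spf1 include:_netblocks.example.test include:_netblocks2.example.test ~all"],
    "_netblocks.example.test": ["v=spf1 ip4:192.0.2.0/25 ip4:192.0.2.128/25 ip4:198.51.100.0/24 ~all"],
    "_netblocks2.example.test": ["v=spf1 ip6:2001:db8:4000::/36 include:_spf.example.test ~all"],
}


def lookup_sample(name):
    """Hypothetical resolver: returns the TXT strings for name from SAMPLE_TXT."""
    return SAMPLE_TXT.get(name, [])


def expand_spf(name, lookup_txt, max_lookups=10):
    """Follow include:/redirect= from name and return the collapsed ip4/ip6 networks."""
    nets, seen, queue = [], set(), [name]
    while queue:
        current = queue.pop(0)
        if current in seen:
            continue  # include loop: this record was already expanded
        if len(seen) >= max_lookups:
            # Safety cap on records fetched; a partial list would silently block mail.
            raise RuntimeError("more than %d SPF records needed" % max_lookups)
        seen.add(current)
        records = [t for t in lookup_txt(current) if t.lower().startswith("v=spf1")]
        if len(records) != 1:
            raise RuntimeError("expected one SPF record at %s, got %d" % (current, len(records)))
        for term in records[0].split()[1:]:
            term = term.lstrip("+")  # "+" is the default (pass) qualifier
            low = term.lower()
            if low.startswith(("ip4:", "ip6:")):
                nets.append(ipaddress.ip_network(term[4:], strict=False))
            elif low.startswith("include:"):
                queue.append(term[8:].rstrip(".").lower())
            elif low.startswith("redirect="):
                queue.append(term[9:].rstrip(".").lower())
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return [str(n) for n in v4] + [str(n) for n in v6]


if __name__ == "__main__":
    for network in expand_spf("_spf.example.test", lookup_sample):
        print(network)
```

Because the addresses change, the expansion needs to be re-run periodically and the firewall and mail server entries updated from its output.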

Mail server-specific instructions

Microsoft Exchange 2013

Configure the Google IP ranges by creating a receive connector on the hub server (or you can reconfigure an existing receive connector).

Follow these steps:

  1. From the Exchange Control Panel, go to Mail flow > Receive connectors.
  2. Click Add + to create a Receive connector.
  3. Enter a name for the connector, such as Google or G Suite.
  4. Click Hub Transport.
  5. Click Internet.
  6. Add the Google IP ranges (see Google IP ranges).
  7. Click Finish.

Microsoft Exchange 2007/2010

For Microsoft Exchange 2007/2010, configure the Google IP ranges by creating a receive connector on the hub server (or you can reconfigure an existing receive connector).

Follow these steps:

  1. From the Exchange Management Console, expand Server Configuration.
  2. From the server roles list, choose Hub Transport.
  3. In the Details pane, choose the appropriate hub transport server.
  4. In the Properties pane, right-click the Receive Connectors tab and choose New Receive Connector.
  5. Enter a name for the connector, such as Google or G Suite, and click Next.
  6. From Default Properties, select the Permission Groups tab, and check the Anonymous users box.
    Note: You'll see the "Local Network Settings" page. If you haven’t made any customization to the IP settings of the Hub Server, keep the defaults; otherwise, use the settings appropriate for your customization.
  7. Click Next to go to the "Remote Network settings" page.
  8. Click the default range, and click Edit.
  9. From the "Edit Remote Servers" dialog box, add the Google IP ranges (see Google IP ranges).
  10. Click OK.
  11. Click Next to continue.
  12. Click New > Finish.

Microsoft Exchange 2003 and Small Business Server 2003

For Microsoft Exchange 2003 and Small Business Server 2003, configure the Google IP ranges to be a trusted relay.

Follow these steps:

  1. From the Start menu, click Programs > Microsoft Exchange > System Manager.
  2. Click Servers > [Your Mail Server] > Protocols > SMTP.
  3. Right-click Default SMTP Virtual Server and select Properties.
  4. Select the Access tab.
  5. Click Relay.
  6. Click Add to add all of the Google IP ranges (see Google IP ranges).
  7. Click OK to return to the Access tab.
  8. Click Connection. If the Connection list is set to Only the list below, add the same IP ranges that you added in the above step.
  9. Click OK to return to the Access tab.
  10. Click OK to close the "Default SMTP Virtual Server Properties" window.
  11. Stop and restart the SMTP services.

Microsoft Exchange 5.5

For Microsoft Exchange 5.5, configure the Google IP ranges to be a trusted relay.

Follow these steps:

  1. From the Start menu, click Programs > Microsoft Exchange > Microsoft Exchange Administrator.
  2. Click [Your Mail Server] > Configuration > Connections > Internet Mail Service.
  3. Right-click Internet Mail Service and select Properties.
  4. Click the Routing tab.
  5. Click Routing Restrictions.
  6. Check the Hosts and clients with these IP addresses box.
  7. Add the Google IP ranges (see Google IP ranges).
  8. Click OK to return to the Routing tab.
  9. Stop and restart the Exchange service.

IBM Lotus Domino

For IBM Lotus Domino, configure the Google IP ranges to be a trusted relay.

Follow these steps:

  1. Open Domino Administrator and click Administration.
  2. Click the Configuration tab.
  3. Click the icon next to Messaging, and then click Configurations.
  4. Double-click the name of your Domino Server.
  5. At the top of the window, click Edit Server Configuration.
  6. Select the following:
    • Router/SMTP tab in the first row
    • Restrictions and Controls tab in the second row
    • SMTP Inbound Controls tab in the third row
  7. Under Allow messages only from the following internet hosts to be sent to external internet domains, add the Google IP ranges (see Google IP ranges).
  8. Under Exclude these Connecting Hosts From Anti-Relay Checks, enter the same IP ranges.
  9. Click Save > Close to exit.
  10. For the changes to take effect, stop and restart the Domino SMTP task.

Novell Groupwise

For Novell Groupwise, configure the Google IP ranges to be a trusted relay.

Follow these steps:

  1. Open the Groupwise ConsoleOne interface.
  2. Right-click the Internet Agent object and select Properties.
  3. Click the Access Control tab.
  4. Click SMTP Relay Settings.
  5. In the SMTP Relay Defaults section, verify that the Prevent message relaying option is selected.
  6. In the Exceptions section, click Create.
  7. In the From field, add the Google IP ranges (see Google IP ranges). Leave the To field blank to indicate that any recipient is allowed.
  8. Click OK twice to close the Properties dialog box.

Apple Macintosh OS X

For Mac OS X versions 10.6 and 10.5, configure the Google IP ranges to be a trusted relay as follows:

  1. In Server Admin > Servers list, select a computer, and click Mail.
  2. Click Settings.
  3. Select the Relay tab.
  4. Check the Accept SMTP relays only from these hosts and networks box.
  5. Click Add (+) to add a Google IP range (see "Google IP ranges").

For Mac OS X version 10.4, configure the Google IP ranges to be a trusted relay as follows:

  1. In Server Admin, click Mail.
  2. Click Settings.
  3. Click Relay and add the Google IP ranges (see Google IP ranges).

For Mac OS X version 10.3, configure the Google IP ranges to be a trusted relay as follows:

  1. In Server Admin, click Mail.
  2. Click Settings.
  3. Click Filters and add the Google IP ranges (see Google IP ranges).
  4. Click Save to close the Server Admin.

Qmail

To configure Google IP ranges to be a trusted relay using qmail + tcpserver:

  1. Edit /etc/tcp.smtp to allow each of the Google IP ranges (see Google IP ranges) to relay:

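    IP Range:allow,RELAYCLIENT=""
    :allow

    where IP Range is the appropriate IP range (one line per range). The final :allow line is the default rule: all other hosts may connect but are not given relay permission.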
  2. Run tcprules to reload allowed hosts:

    cd /etc
    tcprules tcp.smtp.cdb tcp.smtp.temp < tcp.smtp

  3. Verify that the tcp.smtp.cdb file is invoked in the mail server's startup script.
  4. Restart tcpserver so that the new rules take effect:

    /usr/local/bin/tcpserver -x/etc/tcp.smtp.cdb -R -H -c25 -u502 -g501 mailhost.domain.com smtp /var/qmail/bin/qmail-smtpd 2>&1

    (UID 502 and GID 501 may be different depending on server configuration.)

To configure Outbound Services IP ranges to be a trusted relay using qmail + inetd + tcpd:

Check to see if the Qmail line in the inetd.conf file is similar to the following:

smtp stream tcp nowait qmaild /usr/sbin/tcpd /var/qmail/bin/tcp-env /var/qmail/bin/qmail-smtpd

If yes, follow these steps:

  1. Edit /etc/hosts.allow to include the Google IP ranges (see "Google IP ranges").
  2. Disallow everything else.

Postfix

For Postfix, configure the Google IP ranges to be a trusted relay.

Follow these steps:

  1. Add the Google IP ranges (see Google IP ranges) to the mynetworks parameter of your configuration file (example path: /etc/postfix/main.cf).
    Note: Configuring the mynetworks parameter overrides the mynetworks_style parameter. If the mynetworks parameter was not previously used, you may also need to add your own subnets.
  2. Restart Postfix by running the following command:

    sudo postfix reload

G Suite Support does not provide technical support for configuring on-premise mail servers or third-party products. These instructions are designed to work with the most common scenarios for the various types of servers. If you need help configuring your on-premise server, you should consult the administrator for that server (for example, your Microsoft Exchange administrator), and any changes should be made at their discretion.