Clear search
Close search
Google apps
Main menu

Inbound mail gateway

This feature is not available in the legacy free edition of Google Apps.

About inbound mail gateways

An inbound mail gateway is a server through which all incoming messages for your domain passes. The gateway typically processes messages in some way—such as archiving them or filtering out spam—and then passes the messages on to the email server that delivers them to the recipients.

Configure the inbound mail gateway 

You configure the inbound mail gateway by: 

  • Updating your domain’s MX records to point to the inbound mail gateway server
  • Configuring the inbound mail gateway server to pass incoming messages to the Gmail mail servers

You configure Gmail mail servers to accept incoming messages from the gateway server by:

  • Entering the IP address or range for each gateway
  • Selecting options to detect external IPs, reject messages that are not sent from the inbound gateway, and require TLS connections
  • Setting up message tagging for handling spam

For example, a common scenario has messages coming into the Gmail mail servers, then sent to an external server, such as for compliance reasons, and then sent back to Google. You first set up your routing rules to add an X-Gm-spam and X-GM-Phishy header, and then use the Inbound gateway setting to check for whether the header is on the message and the value is 1.

Note: Google recently updated the inbound gateway setting, and the onscreen options you see have changed. By default, if you've already configured this setting, we retain your configuration.

To configure an inbound mail gateway:

  1. Update your domain’s MX records to refer to the inbound mail gateway server.

    See Set up MX records for detailed instructions.

  2. Configure the inbound mail gateway server to deliver messages to the Google Apps mail servers.

    The configuration steps differ depending on the gateway server.

  3. Sign in to the Google Admin console.
  4. From the dashboard, go to Apps > Google Apps > Gmail > Advanced settings.
  5. On the left, select your top-level organization, typically your domain.
  6. Scroll to Inbound gateway or enter Inbound gateway in the search field.
  7. Point to the right of Inbound gateway. To create a new inbound gateway setting, click Configure. To edit an existing setting, click Edit.
  8. Under Gateway IPs, enter the IP address or range for each gateway:
    1. Click Add.
    2. Enter the IP address or range.
    3. Click Save.
  9. Select options for your gateways:
    • Automatically detect external IP (recommended)—Automatic detection provides support for customers whose messages pass through multiple inbound gateways before reaching Google. When this setting is on, Gmail scans backwards through the “Received” message header lines to find the first occurrence of a public IP that’s not within the Gateway IP ranges specified above—this is called the “external IP.” Gmail considers the first “external IP” detected as the sending IP and uses this IP for SPF checks and spam evaluation. If you uncheck this box, Gmail checks only a maximum of one hop backwards for the sending IP.

      Note: If a "Received" header line is not formatted in a standard or recognizable way, Gmail can't extract the IP for that hop. If it can't extract an external IP, Gmail reverts to the connecting IP for the SPF check even if that IP is in the inbound gateway.
    • Reject all mail not from gateway IPs—If you check this box, Google Apps doesn’t accept mail from anywhere other than your inbound gateway.
    • Require TLS for connections from the email gateways listed above—If you check this box, Gmail rejects any connections from the inbound gateway IPs that aren’t TLS connections.
  10. Under Message Tagging, you can tell Gmail’s spam filters how to process messages when it detects a message header tag added by your upstream gateway. Message tagging scans incoming emails for a header tag or numeric score that you specify and uses this to decide if the message is spam. With message tagging, you can also tell the Gmail spam filter not to analyze non-spammy emails and let them get through to users’ inboxes.

    To enable message tagging:

    1. Check the Message is considered spam box. 
    2. Enter your gateway’s message header tag as a regular expression (regexp).
    3. Click Test expression to validate the expression you entered.
    4. Select one of the following:
      • If you want Gmail to treat the message as spam based on a simple message header tag match, select Message is spam if regex matches.
      • If you want Gmail to treat the message as spam based on a specific numeric score in the header tag, select Regexp extracts a numeric score. If you select this option, the regexp you enter in step b above must include a capture group for the numeric score. For example, if your inbound gateway tags a message with a header X-spam-gw: [decimal score from 0.0 to 1.0], you could enter the regexp ^X-spam-gw: (0\.\d*|1\.0*)$, where 0\.\d*|1\.0* represents the decimal values from 0 to 1 and the parentheses indicate the numeric group to extract.
      • If you selected the option to use the regexp to extract a numeric score, you must also select the comparator (Greater than, Greater than or equal to, Less than, or Less than or equal to) and enter the numeric score.
    5. (Optional) Messages without the tag or score indicated above are still subject to Gmail spam filtering. To disable Gmail spam evaluation entirely for messages from your Gateway IPs, check the Disable Gmail spam evaluation on mail from this gateway box. With this box checked, Gmail treats messages that are not tagged or do not meet the numeric score as “not spam.”
  11. Click Add setting or Save.
  12. At the the bottom, click Save.
  13. Verify that incoming messages are properly delivered:
    1. Once the Time to Live (TTL) has expired for the MX records that you changed in step 1, send an email message to a user in your domain. See Avoid bounced messages after changing MX records for more details about how TTL works.
    2. Confirm that (a) the inbound gateway server processes it and (b) the user receives the message in their inbox.

Note: It can take up to an hour for changes to propagate to user accounts. You can track prior changes under Admin console audit log.

Was this article helpful?
Sign in to your account

Get account-specific help by signing in with your Apps for Work account email address, or learn how to get started with Apps for Work.