Inbound mail gateway

This feature is not available in the legacy free edition of Google Apps.

An inbound mail gateway is a server through which all incoming mail for your domain passes. The gateway typically processes the mail in some way—such as archiving it or filtering out spam—and then passes the mail on to the mail server that delivers the messages to the recipients.

When you use an inbound mail gateway, the MX records for your domain point to the inbound mail gateway server. You configure the gateway server to pass the incoming mail on to the Google Apps mail servers, and configure the Google Apps mail servers to accept a stream of incoming mail from the gateway server.

Note: Google recently updated the inbound gateway setting, and the onscreen options you see have changed. By default, if you configured this setting previously, we’ll retain your existing configuration.

To configure an inbound mail gateway:

  1. Update your domain’s MX records to refer to the inbound mail gateway server.

    See Set up MX records for detailed instructions.

  2. Configure the inbound mail gateway server to deliver mail to the Google Apps mail servers.

    The configuration steps differ depending on the gateway server.

  3. Sign in to the Google Admin console.
  4. From the dashboard, go to Apps > Google Apps > Gmail > Advanced settings.
  5. In the Organizations section, highlight your domain (top-level org).
  6. Scroll down to Inbound gateway (you can also enter Inbound gateway in the search field).
  7. Hover the cursor to the right of Inbound gateway. To create a new inbound gateway setting, click Configure. To edit an existing setting, click Edit.
  8. Under Gateway IPs, enter the IP address/range for each gateway:

    inbound_gateway_setting_1

    1. Click Add.
    2. Enter the IP address or range.
    3. Click Save.
  9. Select options for your gateways by checking any of the following boxes:
    • Automatically detect external IP (recommended)—Unchecking this box forces Google Apps to look a single hop backwards for the sending IP. Do this only if you’re certain you require this legacy behavior. Automatic detection scans backwards and finds the first occurrence of an IP that’s not within your specified range.
    • Reject all mail not from gateway IPs—If you check this box, Google Apps doesn’t accept mail from anywhere other than your inbound gateway.
    • Require TLS for connections from the email gateways listed above—If you check this box, Gmail rejects any connections from the inbound gateway IPs that aren’t TLS connections.
  10. Under Message Tagging, do the following to tag messages as spam based on the header:

    inbound_gateway_setting_2

    1. Check the Message is considered spam box. This enables reading header tags from an upstream system.
    2. Enter the header as a regular expression (regexp).
      Note: Click Learn more to learn about regular expressions. Click Test expression to validate the expression you entered.
    3. Select whether to mark a message as spam if the regexp matches, or to use the regexp to extract a numeric score.
      Note: If you select the option to use the regexp to extract a numeric score, the regexp you enter must include a capture group. For example, to extract the score 1.0 from the header X-spam-gw: 1.0, enter the regexp ^X-spam-gw: (\d\.\d*)$, not ^X-spam-gw: \d\.\d*$.
    4. If you selected the option to use the regexp to extract a numeric score, select the spam score option (Greater than, Greater than or equal toLess than, or Less than or equal to), and then enter the score.
    5. (Optional) Check the box to turn off Gmail spam evaluation and tag spam based on the header you entered only.
  11. Click Add setting or Save.
  12. Click Save changes at the bottom of the Gmail settings page.
  13. Verify that incoming mail is properly delivered:
    1. Once the Time to Live (TTL) has expired for the MX records that you changed in step 1, send an email message to a user in your domain (see Avoid bounced messages after changing MX records for more details about how TTL works).
    2. Confirm that (a) the inbound gateway server processes it and (b) the user receives the message in his or her inbox.