Set up an inbound mail gateway
If you have the legacy free edition of Google Apps, upgrade to G Suite to get this feature.
As a G Suite administrator, you can set up Gmail servers to properly handle mail received from an inbound mail gateway. This helps ensure that Gmail determines the proper source ID for performing a Sender Policy Framework (SPF) check, so that it doesn’t classify a message as spam.
How an inbound mail gateway works with Gmail
An inbound mail gateway is a server that all your incoming mail passes through. The gateway typically processes the mail in some way, such as archiving it or filtering spam. It then passes the mail to the mail server that delivers the mail to recipients.
To use an inbound mail gateway with Gmail, you configure the MX records for your domain to point to it, and you configure the gateway to pass incoming mail to the Gmail servers.
You configure the Inbound gateway setting to identify the gateway’s IP address or range of addresses. Gmail skips performing SPF checks on IP addresses included in the Gateway IPs list.
Optionally, you can:
- Set up automatic detection of the external IP
- Reject mail that wasn’t sent from the gateway
- Require that connections from the gateway use Transport Layer Security (TLS)
- Configure how to handle spam based on gateway message tags
Note: You don't have to set up your MX records to point to the mail server you plan to use; you can use the inbound gateway to allow traffic from specific hosts, regardless of where mail flow is routed.
Update your domain’s MX records to point to the inbound mail gateway server. See Set up MX records for instructions.
- Configure the server to deliver messages to Gmail servers. Configuration steps differ depending on your gateway server.
From the Admin console dashboard, go to AppsG SuiteGmailAdvanced settings.
Tip: To see Advanced settings, scroll to the bottom of the Gmail page.
- On the left, select your top-level organization (typically your primary domain).
- Scroll to the Inbound gateway setting in the Spam section. Hover over the setting and click Configure to create a new setting or click Edit to edit an existing one.
- Enter a description.
Step 1: Enter gateway IP addresses and configure options
- Under Gateway IPs, click Add and enter the IP address or range of addresses.
If your messages pass through multiple gateways before reaching Gmail, you should include all of the gateway IP addresses in the Gateway IPs list.
- Click Save.
- Configure any of the following options.
- (Optional) To help Gmail determine the source IP address to use for the SPF evaluation, select Automatically detect external IP.
If you select this option, Gmail scans through the Received: from message header to find the first public IP address that’s not in the Gateway IP list and determines that it’s the “external” IP address. Gmail considers the first detected external IP as the sending IP and uses this IP for SPF checks and spam evaluation.
If you don’t select this option, Gmail checks only a maximum of one hop backwards for the sending IP. Learn more about how Gmail determines the source IP.
- (Optional) To reject messages from anywhere other than your inbound gateway, check the Reject all mail not from gateway IPs box.
- (Optional) To reject connections from IP addresses in the Gateway IPs list if the connections don’t use (TLS), check the Require TLS for connections from the email gateways listed above box.
TLS is an industry standard based on Secure Sockets Layer (SSL) technology that encrypts mail for secure delivery. Learn about setting up TLS.
Step 2: (Optional) Configure message tagging
You can configure message tagging to tell Gmail’s spam filters how to process messages when it detects a message header tag added by your inbound gateway. With message tagging, Gmail scans incoming messages for a header tag or numeric score that you specify and uses it to determine if the message is spam. With message tagging, you can also tell the Gmail spam filter not to analyze non-spam emails and allow them to pass through to recipient inboxes.
Configure message tagging:
- Check the Message is considered spam if the following header regexp matches box.
- Enter your gateway’s message header tag as a regular expression (regexp). For example, if your gateway adds the message header tag
X-spam-gwto spammy messages, you’d enter
- Click Test expression to validate the expression you entered.
- Select one of the following:
- Select Message is spam if regex matches if you want Gmail to treat the message as spam based on a simple message header tag match.
- Select Regexp extracts a numeric score if you want Gmail to treat the message as spam based on a specific numeric score in the header tag. Then, select the comparator, Greater than, Greater than or equal to, Less than, or Less than or equal to, and enter the numeric score. The regex for the numeric score must include a capture group.
For example, if your inbound gateway tags a message with a header
X-spam-gw: [decimal score from 0.0 to 1.0], you could enter the regexp:
0\.\d*|1\.0*represents the decimal values from 0 to 1 and the parentheses indicate the numeric group to extract.
- (Optional) To disable Gmail spam evaluation entirely for messages from your gateway IP addresses, check the Disable Gmail spam evaluation on mail from this gateway; only use header value box.
For example, if you want Gmail to handle messages as spam when the gateway adds the message header
X-Gm-Spam: 1 or
X-Gm-Phishy: 1 to a suspicious message, enter the regex
^X-Gm-(Spam|Phishy): 1$ and select Message is spam if regex matches.
If you want Gmail to handle messages as spam when the gateway adds the message header
X-spam: or X-phishy: and a numerical score greater than or equal to .50, enter the regex
^X-(?:spam|phishy): (0\.\d*|1\.0*)$, including just one capture group. Then, select Regexp extracts a numeric score and Greater than or equal to, and enter
Note: If your expression has multiple parentheses, include a question mark and colon after the opening parenthesis of the non-capturing group, as shown in the previous example.
Complete the configuration
- Click Add Setting or Save.
- At the bottom, click Save.
- Verify that incoming messages are properly delivered:
- After the Time to Live (TTL) has expired for the MX records that you changed in step 1 above, send an email message to a user in your domain. Learn about avoiding bounced messages after changing MX records.
- Confirm that the inbound gateway server processes the message and that the user receives the message in their inbox.
It can take up to an hour for changes to take effect. You can track changes in the Admin console audit log.
How the Inbound gateway setting works
It’s important to know how Gmail determines a message’s source IP, because it uses the source IP to perform SPF checks and spam classification. How the source IP is determined depends on whether you configure the Inbound gateway setting, what IP addresses you include in the Gateway IPs list, and whether you turn on the Automatically detect external IP option.
When Gmail receives a message, it scans a message’s Received: from header lines to look for the source IP.
If you haven’t configured the Inbound gateway setting, Gmail looks for the Received: from header line that contains the MX record and determines that the source IP is the one connecting to the Gmail server.
If you’ve configured the setting to include the connecting IP in the Gateway IPs list and you’ve turned on the Automatically detect external IP option:
- Gmail searches the Received: from header lines for the first occurrence of an external public IP address that’s not in the list.
- If it finds a public IP, Gmail uses it as the source IP for the SPF check.
- If it doesn’t find a public IP, Gmail determines that the message is an internal message, and therefore no SPF check is needed.
Note: If a Received: from header line isn’t formatted in a standard or recognizable way, Gmail can't extract the IP for that hop. If Gmail parses all Received: from header lines and it can't extract an external IP, Gmail reverts to using the connecting IP, even if it’s included in the Gateway IPs list.
If you’ve configured the setting to include the connect IP in the Gateway IPs list and you haven’t turned on the Automatically detect external IP option:
Gmail skips the connecting IP and uses the IP of the previous hop as the source IP, even if it’s also included in the Gateway IPs list.
Example: How Gmail determines the source IP
To illustrate how different controls influence how the source IP is determined, consider the following message header.
Received: by 10.36.81.3 with SMTP id e3cs239nzb; Tue, 29 Mar 2005 15:11:47 -0800 (PST)
Received: from mail.emailprovider.com (mail.emailprovider.com [184.108.40.206]) by mx.gmail.com with SMTP id h19si826631rnb.2005.03.29.15.11.46; Tue, 29 Mar 2005 15:11:47 -0800 (PST)
Received: from [220.127.116.11] by mail.emailprovider.com via HTTP; Tue, 29 Mar 2005 15:11:45 PST
Received: from [18.104.22.168] by mail.emailprovider.com via HTTP; Tue, 29 Mar 2005 15:11:44 PST
Received: from [22.214.171.124] by mail.emailprovider.com via HTTP; Tue, 29 Mar 2005 15:11:44 PST
Received: from [126.96.36.199] by mail.emailprovider.com via HTTP; Tue, 29 Mar 2005 15:11:44 PST
Date: Tue, 29 Mar 2005 15:11:45 -0800 (PST)
From: Mr Jones
To: Mr Smith
If you don’t configure the Inbound gateway
Gmail determines that the source IP is 188.8.131.52, because it’s the IP connecting to the Gmail server in the Received: from header line that contains the MX record.
Received: from mail.emailprovider.com (mail.emailprovider.com [184.108.40.206]) by mx.gmail.com
If you select Automatically detect external IP
Assuming that you’ve added 220.127.116.11 and 18.104.22.168 to the Gateway IPs list, if you select Automatically detect external IP, the source IP is 22.214.171.124.
Gmail determines that the connecting IP is 126.96.36.199 and the previous hop’s IP is 188.8.131.52.
- Because they’re included in the Gateway IPs list, Gmail skips these 2 IP addresses.
Gmail determines that the external IP is 184.108.40.206, because it’s the first IP not included in the list.
If you don’t select Automatically detect external IP
Assuming that you’ve added 220.127.116.11 and 18.104.22.168 to the Gateway IPs list, if you don’t select Automatically detect external IP, the source IP is 22.214.171.124.
Gmail skips the connecting IP, 126.96.36.199 and uses the IP of the previous hop, 188.8.131.52, even though it’s included in the Gateway IPs list.
How the setting affects an email whitelist
If you include an IP address in the Gateway IPs list and include the same IP address in an email whitelist, the IP address won’t be whitelisted. Gmail knows that if an IP address is for an inbound gateway, it isn’t the true sender of the message. It’ll therefore scan the Received: from entries in the message header to find the first non-private IP address that’s not included in the Gateway IPs list. This is the IP address you should use for email whitelisting.