Inbound mail gateway
This feature is not available in the legacy free edition of Google Apps.
An inbound mail gateway is a server through which all incoming mail for your domain passes. The gateway typically processes the mail in some way—such as archiving it or filtering out spam—and then passes the mail on to the mail server that delivers the messages to the recipients.
When you use an inbound mail gateway, the MX records for your domain point to the inbound mail gateway server. You configure the gateway server to pass the incoming mail on to the Google Apps mail servers, and configure the Google Apps mail servers to accept a stream of incoming mail from the gateway server.
After you configure an advanced Gmail setting, it may take up to one hour for that configuration to propagate to individual user accounts. You can track prior changes under Admin console audit log.
To configure an inbound mail gateway:
- Update your domain’s MX records to refer to the inbound mail gateway server.
See Set up MX records for detailed instructions.
- Configure the inbound mail gateway server to deliver mail to the Google Apps mail servers.
The configuration steps differ depending on the gateway server.
- Sign in to the Google Admin console.
- From the dashboard, go to Apps > Google Apps > Gmail > Advanced settings.
- In the Organizations section, highlight your domain (top-level org).
- Scroll down to Inbound gateway (you can also enter Inbound gateway in the search field).
- Hover the cursor to the right of Inbound gateway. To create a new inbound gateway setting, click Configure. To edit an existing setting, click Edit.
- Under Gateway IPs, enter the IP address/range for each gateway:
- Click Add.
- Enter the IP address or range.
- Click Save.
- Select options for your gateways by checking any of the following boxes:
- Automatically detect external IP (recommended)—Automatic detection provides support for customers whose mail passes through multiple inbound gateways before reaching Google. When this setting is on, Gmail scans backwards through the “Received” message header lines to find the first occurrence of an IP that’s not within the Gateway IP ranges specified above—this is called the “external IP.” Gmail considers the first “external IP” detected as the sending IP and uses this IP for SPF checks and spam evaluation. If you uncheck this box, Gmail checks only a maximum of one hop backwards for the sending IP.
- Reject all mail not from gateway IPs—If you check this box, Google Apps doesn’t accept mail from anywhere other than your inbound gateway.
- Require TLS for connections from the email gateways listed above—If you check this box, Gmail rejects any connections from the inbound gateway IPs that aren’t TLS connections.
- Under Message Tagging, you can tell Gmail’s spam filters how to process messages when it detects a message header tag added by your upstream gateway. Message tagging scans incoming emails for a header tag or numeric score you specify and uses this to decide if the message is spam. With message tagging, you can also tell the Gmail spam filter not to analyze non-spammy emails and let them get through to users’ inboxes.
To enable message tagging, do the following:
- Check the Message is considered spam box.
- Enter your gateway’s message header tag as a regular expression (regexp). For example, if your gateway adds the message header tag X-spam-gw to spammy messages, you could enter ^X-spam-gw$ here.
Note: Click Learn more to learn about regular expressions. Click Test expression to validate the expression you entered.
- Select one of the following:
- If you want Gmail to treat the message as spam based on a simple message header tag match, select Message is spam if regex matches.
- If you want Gmail to treat the message as spam based on a specific numeric score in the header tag, select Regexp extracts a numeric score. If you select this option, the regexp you enter in step b above must include a capture group for the numeric score. For example, if your inbound gateway tags a message with a header X-spam-gw: [decimal score from 0.0 to 1.0], you could enter the regexp ^X-spam-gw: (0\.\d*|1\.0*)$, where 0\.\d*|1\.0* represents the decimal values from 0 to 1 and the parentheses indicate the numeric group to extract.
- If you selected the option to use the regexp to extract a numeric score, you must also select the comparator (Greater than, Greater than or equal to, Less than, or Less than or equal to) and enter the desired numeric score.
- (Optional) Messages without the tag or score indicated above are still subject to Gmail spam filtering. To disable Gmail spam evaluation entirely for messages from your Gateway IPs, check the Disable Gmail spam evaluation on mail from this gateway box. With this box checked, Gmail treats messages that are not tagged or do not meet the numeric score as “not spam.”
- Click Add setting or Save.
- Click Save changes at the bottom of the Gmail settings page.
- Verify that incoming mail is properly delivered:
- Once the Time to Live (TTL) has expired for the MX records that you changed in step 1, send an email message to a user in your domain (see Avoid bounced messages after changing MX records for more details about how TTL works).
- Confirm that (a) the inbound gateway server processes it and (b) the user receives the message in his or her inbox.