Set up an inbound mail gateway

If you have the legacy free edition of G Suite, upgrade to Google Workspace to get this feature. 

As an administrator, you can set up Gmail servers to handle messages your domain receives from inbound mail gateways. Setting up an inbound gateway helps Gmail identify the correct source IP address to use for SPF authentication.

Learn more about how to Prevent spam, spoofing & phishing with Gmail authentication.

Inbound mail gateways and Gmail

An inbound mail gateway is a server that all your incoming mail passes through. The gateway typically processes email in some way, such as archiving messages or filtering spam, before messages are sent to recipients. The inbound gateway then sends messages to the mail server that delivers them to recipients.

Set up the inbound gateway setting to identify the gateway’s IP address or range of addresses. Gmail doesn't do SPF authentication for messages sent from IP addresses in the Gateway IPs list. The inbound gateway should do DMARC checks. DMARC authentication is bypassed for incoming messages from listed hosts.

Important: Inbound gateway settings don't support private IP addresses.

Optionally, you can:

  • Set up automatic detection of the external IP.
  • Reject messages that aren't sent from the gateway.
  • Require that connections from the gateway use Transport Layer Security (TLS).
  • Set up spam management based on gateway message tags.

Set up an inbound gateway

To use an inbound mail gateway with Gmail:   

  1. Set up MX records for your domain to point to the gateway. Go to Set up MX records for instructions.

  2. Set up the gateway to deliver messages to Gmail servers. Configuration steps differ depending on your gateway server.

Initial steps

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Apps > Google Workspace > Gmail > Spam, Phishing and Malware.
  3. On the left, select your top-level organization. 
  4. Scroll to the Inbound gateway setting in the Spam... section. To add, edit, or delete a gateway, click Edit.
  5. Enter a description.

Step 1: Enter gateway IP addresses and options

  1. Under Gateway IPs, click Add and enter the IP address or range of addresses.

    If messages pass through multiple gateways before reaching Gmail, include all gateway IP addresses in the Gateway IPs list.

    Note: Enter only public IP addresses. Gmail doesn't support private IP addresses for gateways.

  2. Click Save.
  3. Select any of the following options:
    • (Optional) To help Gmail determine the source IP address to use for the SPF evaluation, select Automatically detect external IP.

      If you select this option, Gmail scans Received:from message headers to find the first public IP address that’s not in the Gateway IP list. Gmail treats this IP address as the source IP for the message. This IP address is used for SPF authentication and spam evaluation.

      When this option is off, Gmail checks only one hop backwards for the sending IP address. Learn more about how Gmail determines the source IP.

    • (Optional) To reject messages from any source other than your inbound gateway, check the Reject all mail not from gateway IPs box.
    • (Optional) To reject connections from IP addresses in the Gateway IPs list when the connections don’t use TLS, check the Require TLS for connections... box.

      TLS is a security standard that encrypts mail for secure delivery. Learn more about setting up TLS for Gmail.

Step 2: (Optional) Set up message tagging

Message tagging lets Gmail use header values added by the inbound gateway to help determine whether an incoming message should be classified as spam.

If your inbound gateway adds a header tag, match the header tag using a regular expression. Gmail checks the header fields of incoming messages for matches. The regular expression can test for a simple header match, or can identify a numeric value to test against.

To set up message tagging:

  1. Check the Message is considered spam if the following header regexp matches box.
  2. Enter your gateway’s message header tag as a regular expression (regexp).
  3. Click Test expression to validate the expression you entered.
  4. Select an option:
    • If you want Gmail to treat the message as spam if it matches the header only, select Message is spam if regexp matches.

      For example, if your gateway adds the X-spam-gw header tag and you want Gmail to treat messages with this header as spam, enter ^X-spam-gw:. If you want Gmail to mark the message as spam if it matches the exact header and nothing else, enter ^X-spam-gw: spam$.

    • If you want Gmail to treat the message as spam if it matches a score in the header, select Regexp extracts a numeric score. Then, select a greater or less than comparator and enter the numeric score. The regexp for the numeric score must include a capture group.

      For example, if you want Gmail to handle messages as spam when the gateway adds the message header X-spam: or X-phishy: and a numerical score greater than or equal to .50, enter the regexp ^X-(?:spam|phishy): (0\.\d*|1\.0*)$, including just one capture group. Then, enter .50 for the numeric score. 0\.\d*|1\.0* indicates the decimal values from 0 to 1. The parentheses indicate the numeric group to extract.

      If your expression has multiple parentheses, include a question mark and colon after the opening parenthesis of the non-capturing group, as shown in the previous example.

  5. (Optional) To use primarily message header values to determine if a message is spam, check the Disable Gmail spam evaluation on mail from this gateway; only use header value box.
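
The two matching modes above, run over sample header lines. This is an added example, not Google's code: it assumes each header is tested as a single line with case-sensitive matching, uses Python's re module in place of Gmail's regexp engine, and the header lines in CASES are constructed.

```python
import re

# The example expressions from this page.
TAG_ANY = r"^X-spam-gw:"
TAG_EXACT = r"^X-spam-gw: spam$"
SCORE = r"^X-(?:spam|phishy): (0\.\d*|1\.0*)$"

def gateway_verdict(header_line, pattern, threshold=None):
    """True if the header line counts as spam under the page's two modes.

    threshold=None : "Message is spam if regexp matches"
    threshold=x    : "Regexp extracts a numeric score", using the page's
                     example comparator (greater than or equal to x).
    """
    rx = re.compile(pattern)
    if threshold is not None and rx.groups != 1:
        raise ValueError("score mode needs exactly one capture group")
    m = rx.search(header_line)
    if m is None:
        return False          # header not matched: no gateway verdict at all
    return True if threshold is None else float(m.group(1)) >= threshold

# Constructed header lines: (line, expression, threshold).
CASES = [
    ("X-spam: 0.75", SCORE, 0.50),         # score above threshold
    ("X-phishy: 0.20", SCORE, 0.50),       # score below threshold
    ("X-spam: 1.0", SCORE, 0.50),          # maximum score
    ("X-spam: 1", SCORE, 0.50),            # no decimal point: regexp misses it
    ("X-spam: 0.75 (high)", SCORE, 0.50),  # trailing text defeats the $ anchor
    ("X-spam-gw: ham", TAG_ANY, None),     # prefix form matches any value
    ("X-spam-gw: ham", TAG_EXACT, None),   # exact form needs the value "spam"
    ("X-spam-gw: spam", TAG_EXACT, None),
]

def audit():
    """Verdict for every constructed case, in order."""
    return [gateway_verdict(line, rx, th) for line, rx, th in CASES]

if __name__ == "__main__":
    for (line, rx, th), verdict in zip(CASES, audit()):
        print(f"{line!r:26} {'spam' if verdict else 'not tagged'}")
```

Check the exact header format your gateway emits against the expression before relying on it: a score written as 1 or followed by extra text does not match the example regexp, so those messages carry no gateway verdict.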

Complete the configuration

  1. Click Add Setting or Save.
  2. At the bottom, click Save.
  3. Verify incoming messages are properly delivered:
    1. After the Time to Live (TTL) has expired for the MX records, send a message to a user in your domain. Learn about avoiding bounced messages after changing MX records.
    2. Confirm the inbound gateway server processes the message, and the user receives the message in their inbox.

It can take up to 24 hours for changes to take effect. You can track changes in the Admin console audit log.

How the Inbound gateway setting works

How Gmail determines the source IP

Gmail uses the source IP of an email message to do SPF and spam checks. Gmail determines the source IP using this information:

  • Inbound gateway setting
  • IP addresses in the Gateway IPs list
  • Automatically detect external IP option

When Gmail receives a message, it scans a message’s Received:from headers for the source IP:

  • If you haven’t set up the Inbound gateway, Gmail looks for the Received:from header with the MX record, and determines that the source IP is the one connecting to the Gmail server.
  • If you’ve configured the setting to include the connecting IP in the Gateway IPs list, and you’ve turned on the Automatically detect external IP option:
    • Gmail searches the Received:from headers for the first occurrence of an external public IP address that’s not in the list.
    • If it finds a public IP, Gmail uses it as the source IP for the SPF check.
    • If it doesn’t find a public IP, Gmail determines that the message is an internal message, and no SPF check is needed.
    • The source IP address in the message header for the SPF check is always the connecting IP address, not the message's actual source IP address.

Note: If a Received:from header line is formatted in a nonstandard or unrecognizable way, Gmail can't determine the IP for that hop. If Gmail parses all Received:from headers and can't identify an external IP, Gmail reverts to using the connecting IP, even if it’s included in the Gateway IPs list.

If the setting includes the connecting IP in the Gateway IPs list, and the Automatically detect external IP option is off:

  • Gmail skips the connecting IP, and uses the IP of the previous hop as the source IP, even if it’s also included in the Gateway IPs list.

Example: How Gmail determines the source IP

To illustrate how different controls influence how the source IP is determined, here is an example message header:

Delivered-To: MrSmith@solarmora.com

Received: by 192.0.2.205 with SMTP id e3cs239nzb; Tue, 24 Mar 2020 15:11:47 -0800 (PST)

Return-Path: MrJones@bix-business.com

Received: from mail.emailprovider.com (mail.emailprovider.com [192.0.2.2]) by mx.gmail.com with SMTP id h19si826631rnb.2020.03.29.15.11.46; Tue, 24 Mar 2020 15:11:47 -0800 (PST)

Message-ID: <20200329231145.62086.mail@mail.emailprovider.com>

Received: from [192.0.2.55] by mail.emailprovider.com via HTTP; Tue, 24 Mar 2020 15:11:45 PST

Received: from [192.0.2.110] by mail.emailprovider.com via HTTP; Tue, 24 Mar 2020 15:11:44 PST

Received: from [192.0.2.136] by mail.emailprovider.com via HTTP; Tue, 24 Mar 2020 15:11:44 PST

Received: from [192.0.2.152] by mail.emailprovider.com via HTTP; Tue, 24 Mar 2020 15:11:44 PST

Date: Tue, 24 Mar 2020 15:11:45 -0800 (PST)

From: Mr Jones

Subject: Hello

To: Mr Smith

If you don’t configure the Inbound gateway

Gmail determines that the source IP is 192.0.2.2 because it’s the IP connecting to the Gmail server in the Received:from header line that contains the MX record:

Received: from mail.emailprovider.com (mail.emailprovider.com [192.0.2.2]) by mx.gmail.com 

If you select Automatically detect external IP

If you added 192.0.2.2 and 192.0.2.55 to the Gateway IPs list, when you select Automatically detect external IP, the source IP is 192.0.2.110.

  • Gmail determines that the connecting IP is 192.0.2.2 and the previous hop’s IP is 192.0.2.55.

  • Because they’re in the Gateway IPs list, Gmail skips these 2 IP addresses.

  • Gmail determines that the external IP is 192.0.2.110, because it’s the first IP not included in the list.

If you don’t select Automatically detect external IP

If you added 192.0.2.2 and 192.0.2.55 to the Gateway IPs list, and you don’t select Automatically detect external IP, the source IP is 192.0.2.55.

Gmail skips the connecting IP, 192.0.2.2, and uses the IP of the previous hop, 192.0.2.55, even though it’s included in the Gateway IPs list.
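
The selection rules above as a small model you can run against a header to predict which IP an SPF check will see. This is an added example, not Google's implementation: the function names, the definition of "private" and the single-hop fallback are assumptions, and the connecting IP is read from the first Received:from line.

```python
import ipaddress
import re

# Received lines from this page's example header, newest hop first.
SAMPLE = """\
Received: by 192.0.2.205 with SMTP id e3cs239nzb; Tue, 24 Mar 2020 15:11:47 -0800 (PST)
Received: from mail.emailprovider.com (mail.emailprovider.com [192.0.2.2]) by mx.gmail.com with SMTP id h19si826631rnb.2020.03.29.15.11.46; Tue, 24 Mar 2020 15:11:47 -0800 (PST)
Received: from [192.0.2.55] by mail.emailprovider.com via HTTP; Tue, 24 Mar 2020 15:11:45 PST
Received: from [192.0.2.110] by mail.emailprovider.com via HTTP; Tue, 24 Mar 2020 15:11:44 PST
Received: from [192.0.2.136] by mail.emailprovider.com via HTTP; Tue, 24 Mar 2020 15:11:44 PST
Received: from [192.0.2.152] by mail.emailprovider.com via HTTP; Tue, 24 Mar 2020 15:11:44 PST
"""
# Assumption: "private" = RFC 1918, loopback, link-local. ipaddress.is_global is
# avoided because it also rejects the documentation range the page's sample uses.
PRIVATE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
HOP = re.compile(r"^Received:\s*from\s[^;]*?\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]", re.I)

def hops(raw):
    """IPs of 'Received: from' lines, newest first; None marks an unparseable hop."""
    chain = []
    for line in raw.splitlines():
        if re.match(r"Received:\s*from\s", line, re.I):
            m = HOP.match(line)
            try:
                chain.append(ipaddress.ip_address(m.group(1)) if m else None)
            except ValueError:
                chain.append(None)
    return chain

def source_ip(raw, gateway_ips=(), auto_detect=False):
    """IP used for SPF under the page's rules, or None for an internal message."""
    chain = hops(raw)
    if not chain:
        return None
    nets = [ipaddress.ip_network(g) for g in gateway_ips]
    listed = lambda ip: any(ip in n for n in nets)
    connecting = chain[0]
    if connecting is None or not listed(connecting):
        return connecting  # setting does not apply: connecting IP is the source
    if not auto_detect:
        # One hop back, even if listed. Fallback to connecting IP is an assumption.
        prev = chain[1] if len(chain) > 1 else None
        return prev if prev is not None else connecting
    for ip in chain:
        if ip is not None and not listed(ip) and not any(ip in n for n in PRIVATE):
            return ip  # first external public IP not in the Gateway IPs list
    # No external IP: revert to connecting IP if a hop was unparseable, else internal.
    return connecting if None in chain else None
```

If any relay between the real sender and Gmail is missing from the Gateway IPs list, the model returns that relay's address, which is the case to look for when SPF results on gateway-delivered mail look wrong.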

 

How the setting affects an email allowlist

If you include the same IP address in the Gateway IPs list and in an email allowlist, the IP address entry in the allowlist doesn't affect message delivery or spam filters.

Gmail recognizes that inbound gateway IP addresses aren't originating, source IP addresses. Gmail scans Received:from entries in message headers to identify the first public IP address that isn't in the Inbound Gateway IPs list. This is the original sender's source IP address.

To bypass spam, add the original sender's source IP address to your email allowlist.
