When you set up email for your domain (for example, when creating SPF records), you might need the IP addresses of the Google Workspace mail servers.
Google maintains a global infrastructure that grows dynamically to accommodate demand. As a result, Google Workspace mail servers use a large range of IP addresses, and the addresses often change. You can find the current range of Gmail IP addresses by checking Google's SPF record.
Set up SPF records
To set up SPF records for Gmail, follow these instructions.
Gather IP address ranges
To find the literal IP addresses of Google Workspace mail servers:
- Use DNS lookup commands (nslookup, dig, host) to retrieve the SPF records for the domain _spf.google.com:
nslookup -q=TXT _spf.google.com 8.8.8.8
This returns a list of the domains included in Google's SPF record, such as:
_netblocks.google.com, _netblocks2.google.com, _netblocks3.google.com
- Look up the DNS records associated with those domains, one at a time:
nslookup -q=TXT _netblocks.google.com 8.8.8.8
nslookup -q=TXT _netblocks2.google.com 8.8.8.8
nslookup -q=TXT _netblocks3.google.com 8.8.8.8
The results contain the current range of addresses.
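The lookup procedure above can be automated. The following is an added example, not part of the original page or Google's tooling: it follows include: terms from a starting SPF record and collects the ip4/ip6 ranges it finds. The .test domain names, the sample records, and the lookup function passed in are assumptions; in real use, lookup would return the TXT record text for a domain such as _spf.google.com.

```python
import ipaddress

# Constructed sample TXT records (hypothetical names, documentation address
# ranges); these are not Google's real records.
SAMPLE_TXT = {
    "_spf.example.test": "v=spf1 include:_netblocks.example.test include:_netblocks2.example.test ~all",
    "_netblocks.example.test": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/25 ~all",
    "_netblocks2.example.test": "v=spf1 ip6:2001:db8::/32 include:_netblocks.example.test ~all",
}

MAX_LOOKUPS = 10  # cap modelled on RFC 7208's limit of 10 DNS-querying terms


def collect_ranges(domain, lookup, seen=None):
    """Follow include: terms from `domain`; return the ip4/ip6 networks found."""
    seen = set() if seen is None else seen
    if domain in seen:              # already expanded: also stops include loops
        return []
    if len(seen) > MAX_LOOKUPS:     # start domain plus 10 includes already seen
        raise RuntimeError("SPF include chain exceeds %d lookups" % MAX_LOOKUPS)
    seen.add(domain)
    record = lookup(domain)         # expected to return TXT text or None
    if not record or not record.lower().startswith("v=spf1"):
        return []
    networks = []
    for term in record.split()[1:]:
        # Only pass-qualified terms authorize senders; "-", "~" and "?"
        # prefixed terms keep their prefix and are skipped below.
        key, _, value = term.lstrip("+").partition(":")
        key = key.lower()
        if key == "include":
            networks += collect_ranges(value.rstrip("."), lookup, seen)
        elif key in ("ip4", "ip6"):
            networks.append(ipaddress.ip_network(value, strict=False))
    return networks


def is_listed(address, networks):
    """True if `address` falls inside any of the collected networks."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in networks)
```

Because the addresses change often, rerun the collection whenever an allowlist is refreshed rather than storing its output long term.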
IP address ranges for unverified forwarding
You can use Gmail’s advanced routing rules to route incoming messages to different destinations. For security, when Gmail routes messages that aren’t authenticated by SPF to a new destination, the messages retain their unauthenticated status. This ensures that receiving servers perform authentication checks on the messages, and take appropriate action on the messages.
Messages routed through unverified forwarding configurations are sent from Google mail servers that have public IP addresses intentionally left out of Google's SPF record. These IP addresses resolve to Google hostnames ending in unverified-forwarding.1e100.net. These servers use the IP address ranges below to route unverified messages.
If you have routing configurations that control mail traffic based on IP address, you might need to update your firewall routing settings to include the IP ranges below.
- The hostnames and IP address ranges below send unverified messages. Messages received from these IP ranges should undergo greater scrutiny when they’re allowed through firewalls or other security infrastructure, and should be treated as unauthenticated by SPF.
- Do not add these hostnames or IP addresses to your SPF records; this puts your domain at risk of spoofing and other forms of impersonation.
Ranges last updated: October 9, 2020
Hostnames—If you use hostnames (instead of IP addresses) in your firewall routing settings, and there’s a possibility of forwarding unauthenticated messages, use this hostname mask:
This hostname mask identifies untrusted forwarding servers, and can be used in your firewall settings. Subdomains represented by the wildcard (*) can vary, and can include multiple, nested subdomains.