When setting up email for your domain, you might need the IP addresses for Google Workspace mail servers. For example, SPF authentication for your domain might require Google server IP addresses.
Google has a global mail server network that grows dynamically to support demand. This means Google Workspace mail servers have a large range of IP addresses, and the addresses change often.
Get the current range of Google Workspace IP addresses by checking Google's SPF record.
Note: Google publishes a list of IP address ranges in the DNS TXT record _spf.google.com, and the records it references. This TXT record is complete for SPF, but it doesn't include all IP address ranges used by Google APIs and services on the default domains. For all possible Google IP address ranges, refer to Obtain Google IP address ranges.
Find Google Workspace IP address ranges
To get the IP addresses of Google Workspace mail servers:
- Use DNS lookup commands (nslookup, dig, host) to retrieve the SPF records for the domain _spf.google.com:
nslookup -q=TXT _spf.google.com 18.104.22.168
This returns a list of the domains included in Google's SPF record, such as:
_netblocks.google.com, _netblocks2.google.com, _netblocks3.google.com
- Look up the DNS records associated with those domains, one at a time:
nslookup -q=TXT _netblocks.google.com 22.214.171.124
nslookup -q=TXT _netblocks2.google.com 126.96.36.199
nslookup -q=TXT _netblocks3.google.com 188.8.131.52
The results contain the current range of addresses.
IP address ranges for unverified forwarding
You can use Gmail’s advanced routing rules to forward incoming messages to different destinations. When Gmail routes SPF unauthenticated messages to a new destination, the messages keep their unauthenticated status. This is so receiving servers do their own authentication checks when they get the messages.
Gmail routes messages with unverified forwarding configurations through Google servers with public IP addresses. The public IP addresses are intentionally left out of Google's SPF record, and resolve to Google hostnames ending in unverified-forwarding.1e100.net. These servers use the IP address ranges in this article to route unverified messages.
If you route Gmail based on IP address, you might need to update your firewall routing settings to include the IP ranges below.
- The hostnames and IP address ranges below send unverified and unauthenticated messages. We recommend you strictly manage messages received from these IP ranges when they pass through firewalls and other security measures.
- Message from these IP addresses should be treated as unauthenticated by SPF.
- Do not add these hostnames or IP addresses to your SPF records. This puts your domain at risk of spoofing, phishing, and other forms of impersonation.
Ranges last updated: January 25, 2021
Hostname mask for unverified forwarding
If you use hostnames instead of IP addresses in your firewall routing settings, use this hostname mask when routing unauthenticated messages:
To identify untrusted forwarding servers, use this hostname mask in your firewall settings. Use the wildcard (
*) for subdomains. Subdomains can include multiple, nested subdomains.