Google IP address ranges for outbound mail servers

When you set up email for your domain (for example, when creating SPF records), you might need the IP addresses of the Google Workspace mail servers.

Google maintains a global infrastructure that grows dynamically to accommodate demand. As a result, Google Workspace mail servers use a large range of IP addresses, and the addresses often change. You can find the current range of Gmail IP addresses by checking Google's SPF record.

Set up SPF records

To set up SPF records for Gmail, follow these instructions.

Gather IP address ranges

To find the literal IP addresses of Google Workspace mail servers:

  1. Use DNS lookup commands (nslookup, dig, host) to retrieve the SPF records for the domain _spf.google.com:

    nslookup -q=TXT _spf.google.com 8.8.8.8

    This returns a list of the domains included in Google's SPF record, such as:

    _netblocks.google.com, _netblocks2.google.com, _netblocks3.google.com
     
  2. Look up the DNS records associated with those domains, one at a time:
nslookup -q=TXT _netblocks.google.com 8.8.8.8
nslookup -q=TXT _netblocks2.google.com 8.8.8.8
nslookup -q=TXT _netblocks3.google.com 8.8.8.8
 

The results contain the current range of addresses.

IP address ranges for unverified forwarding

You can use Gmail’s advanced routing rules to route incoming messages to different destinations. For security, when Gmail routes messages that aren’t authenticated by SPF to a new destination, the messages retain their unauthenticated status. This ensures that receiving servers perform authentication checks on the messages, and take appropriate action on the messages.

Messages routed through unverified forwarding configurations are sent from Google mail servers that have public IP addresses intentionally left out of Google's SPF record. These IP addresses resolve to Google hostnames ending in unverified-forwarding.1e100.net. These servers use the IP address ranges below to route unverified messages.

If you have routing configurations that control mail traffic based on IP address, you might need to update your firewall routing settings to include the IP ranges below.

Important:

  • The hostnames and IP address ranges below send unverified messages. Messages received from these IP ranges should undergo greater scrutiny when they’re allowed through firewalls or other security infrastructure, and should be treated as unauthenticated by SPF.
  • Do not add these hostnames or IP addresses to your SPF records; this puts your domain at risk of spoofing and other forms of impersonation.
IPv4 IPv6

108.177.16.0/24

108.177.17.0/24

142.250.220.0/24

142.250.221.0/24

2600:1901:101::0/126

2600:1901:101::4/126

2600:1901:101::8/126

2600:1901:101::10/126

Ranges last updated: October 9, 2020

Hostnames—If you use hostnames (instead of IP addresses) in your firewall routing settings, and there’s a possibility of forwarding unauthenticated messages, use this hostname mask:

*.unverified-forwarding.1e100.net

This hostname mask identifies untrusted forwarding servers, and can be used in your firewall settings. Subdomains represented by the wildcard (*) can vary, and can include multiple, nested subdomains.

Related topics

Obtain Google IP address ranges

 

Was this helpful?
How can we improve it?

Need more help?

Sign in for additional support options to quickly solve your issue