Use G Suite certificates for secure transport (TLS)

You can use Transport Layer Security (TLS) certificates to encrypt your users' mail for inbound and outbound secure delivery.

How to access the TLS certificates

You can access the G Suite inbound and outbound Transport Layer Security (TLS) certificates in one of two ways:

  • Run the following command:
    openssl s_client -starttls smtp -connect [hostname]:25 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
  • Use the following Python snippet:
    import smtplib
    import ssl

    connection = smtplib.SMTP()
    connection.connect('[hostname].')
    connection.starttls()
    print(ssl.DER_cert_to_PEM_cert(connection.sock.getpeercert(binary_form=True)))

For the [hostname], use the correct value as follows:

  • Inbound SMTPaspmx.l.google.com
  • Outbound (SMTP relay)smtp-relay.gmail.com
  • Outbound (MSA)smtp.gmail.com

Search for other ways to access TLS certificates

To find other ways to access the certificates, search for extracting certificate from TLS server.

Note these guidelines about TLS certificates:

  • The certificates are signed by GlobalSign R2 CA (GS Root R2)
  • At minimum, trust the certificates listed in https://pki.goog/roots.pem.
  • The certificates are shared across hosts.
  • Any given set of certificates has an expiration date. New certificates are rotated in before this date and while the new certificates are being deployed, you can use either certificate for a connection.
  • For communication between Gmail clients and servers, messages are encrypted over an HTTPS connection with 128-bit encryption, using TLS 1.2. The connection is encrypted and authenticated using AES_128_GCM. The key exchange mechanism is ECDHE_RSA.

  • Communication between Gmail and non-Gmail clients and servers is supported using SSL3 through TLS1.2, and the client chooses from a list of ciphers, key exchange, and bit lengths.

  • Supported bits are 112/168 for DES, 128 for RC4, and 128 or 256 for Advanced Encryption Standard (AES).

Related topics

SSL connections overview

Require mail to be transmitted via a secure (TLS) connection

Was this article helpful?
How can we improve it?