Set up routing for your domain or organization
G Suite administrators can configure numerous email routing and delivery options to suit your organization. For example, you can route mail to Gmail and an external server, or route incoming mail for non-Gmail users. You can also set up routing policies that vary by organization.
Although you can use various advanced Gmail settings to configure routing options, the Routing setting provides a consolidated set of options. This article provides instructions for configuring the Routing setting.
For an overview on routing settings and the types of delivery, such as dual and split delivery, see Email routing and delivery.
When a message matches a routing policy, you can:
- Reject it
- Quarantine it
- Deliver it with modifications
How settings are applied
Unless modified in the Options section, the setting applies to all users in an organizational unit. Users in child organizations inherit the settings you create for the parent organization. Inherited settings can be disabled in child organizations, preventing the disabled setting from applying to the child organization, as well as it's grandchild organizations. You can also add multiple settings to each organization.
Enhance message security with hosted S/MIME
You can enhance message security using advanced features for Secure/Multipurpose Internet Mail Extensions (S/MIME). For example, you can set up a rule that requires the use of S/MIME encryption for outgoing messages. You set this up with the Encryption option, described in Step 3.
For an overview, see Enhance message security with hosted S/MIME.
Before you begin
If you are changing the message destination to route messages to a different mail server, create a list of mail hosts, also called routes. Then, you need to add the routes in the Google Admin console.
From the Admin console Home page, go to AppsG SuiteGmailAdvanced settings.
Tip: To see Advanced settings, scroll to the bottom of the Gmail page.
(Optional) On the left, select the organization.
Scroll to the Routing setting in the Routing section, hover over the setting, and click Configure. If the setting is already configured, hover over the setting and click Edit or Add another.
Enter a unique name that'll help you identify the setting.
Go to the next step to configure the setting.
You can set up the routing policy for:
- Inbound (any incoming messages)
- Outbound (any outgoing messages)
- Internal sending (internal message with 'To field' as one of the domains and subdomains associated with your organization)
- Internal receiving (internal message with 'From field' as one of the domains and subdomains associated with your organization)
Note: This includes messages originating outside of Gmail that are SPF or DKIM authenticated by one of your domains.
For example, select Inbound, Internal-receiving, or both, to set up split delivery, dual delivery, or a catch-all address (or all 3) and to route messages to additional recipients.
Check the boxes next to the messages you want the policy to apply to.
For split delivery or dual delivery, select Inbound, Internal-receiving, or both.
To set up a catch-all address or to route messages to additional recipients, select Inbound, Internal-receiving, or both.
Go to the next step to continue.
You can choose to affect only specific envelope senders and recipients. You can specify a single recipient, a number of users using a regular expression, or email groups.
To set up an envelope filter, check the Only affect specific envelope senders box, the Only affect specific envelope recipients box, or both. Then, from the list, select an option:
Single email address—Specify a single user by entering one email address. It needs to be the complete email address and include @ and the domain name. The match is case insensitive.
Pattern match—Enter a regular expression to specify a set of senders or recipients in your domain. Click Test expression to make sure your syntax is correct. For example, you can ensure this setting applies only to 3 specific users by entering the list of users using the following regular expression syntax:
In the expression:
- ^ matches the start of a new line.
- (?i) makes the expression case insensitive.
- $ matches the end of a line.
Learn about using regular expressions.
Group membership—Select one or more groups in the list. For envelope senders, this option only applies to sent mail. For envelope recipients, it only applies to received mail. If you haven't, you'll need to create the group first.
Go to the next step to continue.
- Specify whether to modify, reject, or quarantine a message when conditions are met. Details below.
To set up split delivery, dual delivery, or a catch-all address, or to route messages to additional recipients, select Modify message.
Configure the options for the action you choose.
To set up split delivery:
- Select Change route.
- Select the external server from the list.
- Scroll down and click Save.
- Under Also deliver to, select Add more recipients and click Add.
- Under Recipients, click the Down arrow > Advanced.
- Select Change route and from the list, select the secondary mail route.
- Scroll down and click Save.
- Select Route to user username@[yourprimarydomain].
- Enter a catch-all address in the empty field next to @[yourprimarydomain]. For example, enter jsmith.
- Click Show options.
- Under Account types to affect, check the Unrecognized / Catch-all box. Uncheck Users and Groups.
- Click Add setting.
- Under Also deliver to, check the Add more recipients box.
- Click Add.
- Under Recipients, make sure that Basic is selected in the list.
- Enter the recipient’s email address and click Save.
- Click Add Setting or Save.
- (Optional) To configure additional parameters that limit the application of the setting, click Show options. See Configure additional parameters, below, for details.
- Go to Save the configuration.
Rejects the message before reaching the recipient. You can enter a message to notify the sender about why the message was rejected. For matching messages, no other routing or compliance rules are applied; the message is simply rejected.
Note: Gmail automatically adds an SMTP rejection code, such as 550 5.7.1. This is a requirement of the SMTP standard and can't be deleted.
Sends the message to an admin quarantine where you can review the message before deciding to send it or reject it. Available only for the Users account type. See Account types to affect below.
To notify your users when their sent messages are quarantined, check the Notify box.
Add X-Gm-Original-To header
Check this box to add a header tag if the recipient is changed. That way, the downstream server will know the original envelope recipient. An example of the header tag format is
Headers are useful if you're rerouting a copy of the message to another recipient. In this case, you're changing the recipient address, but the new recipient can still see the address of the original envelope recipient. They can see the original envelope recipient by checking the
X-Gm-Original-To header in the message.
Add X-Gm-Spam and X-GM-Phishy headers
Gmail messages are automatically filtered for spam and phishing. Check the Add X-Gm-Spam and X-Gm-Phishy headers box to add these headers to indicate the spam and phishing status of the message. For example, an administrator at a downstream server can use this information to set up rules that handle spam and phishing differently from clean mail.
X-Gm-Spam: 0indicates the message isn't spam.
X-Gm-Spam: 1indicates the message is spam.
X-Gm-Phishy: 0indicates the message is not phishing.
X-Gm-Phishy: 1indicates the message is phishing.
Any message marked phishy is automatically marked spam as well.
If you add X-Gm-Spam and X-Gm-Phishy headers to your messages, consider where the message is being routed to next. A rerouted message is often no longer classified as spam when it reaches its destination because elements of the message, such as the sending IP address, have changed.
If your messages are rerouted to your downstream server, set up rules on that server to read these headers and prevent messages with
X-Gm-Spam: 1 or
X-Gm-Phishy: 1 tags from being delivered to users’ inboxes.
Note: If the Account types to affect is set to Groups, the X-Gm-Spam and X-Gm-Phishy header tag values are always set to 0. See Account types to affect, below, for information on the account types.
Add custom headers
You can add one or more custom headers to messages that are affected by this setting. For example, you can add a header that matches the description that you entered for the setting. Doing this can help you analyze why a message was routed in a certain way or why a rule was triggered.
Prepend custom subject
You can enter a string to prepend to the subject of applicable messages. The string will appear in brackets at the beginning of the subject. For example, you could enter Confidential in this field for sensitive emails. If a message triggers the rule and its subject is Monthly report, recipients will see the following subject: [Confidential] Monthly report.
Change route and Also reroute spam
Change route—Changes the destination of the message. By default, the Gmail server is the primary delivery location. However, you can change it to route messages to a different mail server, such as Microsoft® Exchange.
Note: Before you can change the route, you need to add the route using the Hosts tab. After it's added, it'll appear in the Change route list.
Also reroute spam—Appears if you select Change route. Also reroute spam lets you route all email that matches the criteria of the setting, including messages marked as spam.
If you don't check the Also reroute spam box, then normal messages are rerouted, but spam messages aren't.
Whether or not you select Also reroute spam, blatant spam is not rerouted because it’s dropped instantly at delivery time.
If a message is classified as spam but one of the G Suite email settings overrides it (for example, due to a sender whitelist), then the message isn't considered to be spam for this purpose and it's routed as a normal message.
Change envelope recipient
You can change the envelope recipient in one of the following ways:
To replace the recipient’s entire email address, after Replace recipient, enter the full email address, such as firstname.lastname@example.org.
To replace just the username of the recipient's email address and keep the domain the same, before @existing-domain, enter the username, such as user.
To replace just the domain of the recipient's email address and keep the username the same, after existing-username@, enter the domain, such as solarmora.com.
Changing the envelope recipient for a message on the primary address is equivalent to forwarding a message to a different recipient. The message bypasses the original recipient’s mailbox and is routed back to the internet for delivery to the new recipient. The To: address remains the original recipient address, even though the envelope recipient is replaced.
The destination server is determined by an MX lookup on the new recipient's domain. Or, if you’re using the Change route control, the destination server determined by the specified route.
If you'd rather Bcc an additional recipient, use the Add more recipients option, described below.
Bypass spam filter for this message
Check this box to deliver incoming messages to recipients even if the spam filter identifies them as spam. This option applies to incoming messages only—you can’t bypass spam filters for outgoing messages.
Note: This option applies to the Users and Unrecognized / Catch-all account types, and not the Groups account type. See Account types to affect, below, for information on the account types.
Remove attachments from message
Check this box to remove any attachments from messages. Optionally, you can append text to notify recipients that attachments were removed.
Add more recipients
Check the Add more recipients box and then click Add to set up dual delivery or multiple delivery.
Select Basic from the list to add individual email addresses and then click Save. Click Add to add more addresses.
Select Advanced from the list to choose advanced options for your secondary delivery. Similar to the settings for primary delivery, you can change the envelope recipient, add headers, prepend a custom subject, and remove attachments for secondary deliveries.
A limit of 100 additional recipients applies for each rule. For this reason, consider using groups for large lists.
Any settings that you configure for the primary delivery also affect the secondary deliveries. For example, if you change the envelope recipient, prepend a custom subject, and add custom headers to the primary delivery, the same configuration is applied to the secondary deliveries. If you change the envelope recipient, the To: address still remains the original recipient address.
For secondary deliveries, the Do not deliver spam to this recipient and Suppress bounces from this recipient boxes are checked by default. If the message is spam, this option discards the copy of the message being sent to the additional recipient. Suppress bounces from this recipient prevents bounces from going back to the original sender.
Adding additional recipients to a message will generate a new message for each added recipient. As a result, all content compliance rules are applied for each new message.
Encryption (onward delivery only)
By default, Gmail always attempts to deliver messages using secure transport (TLS). If secure transport isn’t available, the message is delivered over a nonsecure connection.
Check the Require secure transport (TLS) box to include secure delivery as part of content compliance for outbound messages. This requires all messages meeting the conditions in the setting (such as match expressions, account types, and envelope filters) to be transmitted via a secure connection. If TLS isn't available on the sending or receiving side, the message won't be sent.
Check the Encrypt message if not encrypted (S/MIME) box to make sure that certain messages can’t be sent unless they are S/MIME encrypted. See note below.
Also check the Bounce message if unable to encrypt box to bounce messages that aren’t S/MIME encrypted.
Learn more about enhancing message security with hosted S/MIME.
Click Show options to configure additional options for this setting.
You can specify address lists as a criteria for whether to bypass or apply a given routing policy. These lists can contain email addresses, domains, or both.
There are two methods used to determine if the address list is matched. If multiple lists are specified, the address must match at least one of the lists:
Correspondent (default) G Suite considers the "from" field for received mail and the recipients for sent mail. For senders, the authentication requirement is also checked. (Details below.).
Recipient: G Suite always checks to see if the recipients are present in address lists.
The options for whether or not to bypass or apply a given content compliance policy are:
Bypass this setting for specific addresses / domains—Skips the setting entirely if the address list matches, regardless of any other criteria specified in the setting.
Only apply this setting for specific addresses / domains—The address list match becomes a condition for whether or not the setting is applied. If there are other criteria in the setting, such as match expressions, account types, or envelope filters, those conditions must also match for the setting to be applied.
To create an address list:
Under Address lists, check the Use address lists to bypass or control application of this setting box.
- Select one of the following address list applications from the drop-down menu:
- Apply address list to correspondent
- Apply address list to recipient
Select an option:
- Bypass this setting for specific addresses / domains
- Only apply this setting for specific addresses / domains
Click Use existing or create a new one.
Select the name of an existing list or enter a custom name for a new list and click Create.
Hover over the list name and click Edit.
Click Add to add addresses and domains to the list.
Enter a full email address or a domain name. Or, add a list by entering a comma or space-delimited list of addresses.
Note: To bypass the Content compliance setting for approved senders that do not have authentication enabled, check the Do not require sender authentication box. Use this option with caution as it can potentially lead to spoofing.
(Optional) To include additional email addresses or domains in the list, repeat steps 5–8.
When you're done, go to Account types to affect.
Select one or more account types that the setting applies to. The account types are Users, Groups, and Unrecognized/Catch-all. You must select an account type before you can save the setting.
If you’re configuring the setting for the top-level organization and you select the Modify message or Reject message action, all three account types are available. If the action is Quarantine message, just the Users account type is available.
If you’re configuring a sub-level organization, the only available account type is Users. Users is selected by default, but you can select more than one type. For example, you can configure an inbound setting that only applies to the Groups account type, and the group must be the recipient. If you're configuring an outbound setting, the account type must match the sender.
- Users (default)—If Users is selected, this setting will apply to provisioned G-Suite users. For sending and outbound mail, this setting will trigger when your users send email. For receiving and inbound mail, this setting will trigger when your users receive email.
- Groups—If Groups is selected, this setting will apply to your Google Groups. For sending and outbound mail, this setting will trigger when your groups forward email or summaries to members. For receiving and inbound mail, this setting will trigger when your groups receive email.
The Groups account type doesn't apply to the
X-Gm-Phishyheaders control. If the account type is Groups, the headers are always
X-Gm-Phishy: 0. The Groups account type also doesn't apply to the Bypass spam filter for this message control.
- Unrecognized/Catch-all—When selected, this setting will trigger when your company receives email that does not match one of your provisioned G-Suite users. This selection only applies to received and inbound email.
When you're finished:
(Optional) Specify an envelope filter.
Go to Save the configuration.
Final step: Add and save the setting
Click Add setting or Save. Any new settings are added to the Gmail Advanced settings page.
At the bottom, click Save.