Ciphers for Gmail SMTP TLS connections

This page is actively maintained and reflects Gmail's current TLS and cipher support.

Ciphers are algorithms that help secure network connections that use Transport Layer Security (TLS). Ciphers are generally one of 3 types:

  • Key exchange algorithm: Exchanges a key between two devices. The key encrypts and decrypts messages sent between the two devices. 
  • Bulk encryption algorithm: Encrypts the data sent over the TLS connection.
  • MAC algorithm: Verifies that sent data does not change in transit. 

There are also ciphers that include signatures, and that authenticate servers or clients. Learn more about Gmail and TLS connections.

Support for TLS 1.0, 1.1, 3DES, and other less secure TLS connections

Gmail always attempts to use the latest, most secure TLS versions, and doesn’t use less secure versions when more secure versions are available. However, Gmail SMTP delivery supports less secure TLS versions for compatibility when more secure TLS versions aren’t supported or available. Less secure TLS versions that are supported by Gmail include TLS 1.0, TLS 1.1, and 3DES ciphers. 

To prevent malicious users from forcing connections to use less secure versions of TLS, connection negotiations are always encrypted. 

You can optionally add a content compliance setting in your Google Admin console to reject messages from connections that don’t use TLS 1.2 or stronger. Go to detailed steps below

Ciphers for TLS negotiation

Google’s SMTP servers accepts these ciphers for Transport Layer Security (TLS) negotiation.

TLS negotiation is also called a TLS handshake. During the handshake, the communicating sides acknowledge each other, verify each other, and agree on the ciphers and session keys they’ll use.

This list of ciphers for TLS negotiation was updated in March 2023.

TLS 1.3

TLS_AES_128_GCM_SHA256

TLS_AES_256_GCM_SHA384

TLS_CHACHA20_POLY1305_SHA256

TLS 1.2

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

TLS_RSA_WITH_3DES_EDE_CBC_SHA

TLS_RSA_WITH_AES_128_CBC_SHA

TLS_RSA_WITH_AES_128_GCM_SHA256

TLS_RSA_WITH_AES_256_CBC_SHA

TLS_RSA_WITH_AES_256_GCM_SHA384

TLS 1.1 and TLS 1.0

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

TLS_RSA_WITH_3DES_EDE_CBC_SHA

TLS_RSA_WITH_AES_128_CBC_SHA

TLS_RSA_WITH_AES_256_CBC_SHA

Outbound server ciphers

These ciphers are preferred by Gmail outbound servers.

Gmail tells the receiving server that it supports TLS versions 1.3, 1.2, 1.1, and 1.0. The receiving server then determines which TLS version is used for the connection.

Google doesn't support SSLv3.

This list of outbound server ciphers was updated in April 2020.

TLS_AES_128_GCM_SHA256

TLS_AES_256_GCM_SHA384

TLS_CHACHA20_POLY1305_SHA256

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256

TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

TLS_RSA_WITH_AES_128_GCM_SHA256

TLS_RSA_WITH_AES_256_GCM_SHA384

TLS_RSA_WITH_AES_128_CBC_SHA

TLS_RSA_WITH_AES_256_CBC_SHA

TLS_RSA_WITH_3DES_EDE_CBC_SHA

Reject connections less secure than 3DES or TLS 1.2

Follow these steps to configure Gmail SMTP connections to use TLS 1.2 or stronger. When you add this setting, more incoming messages are rejected, and aren’t delivered to recipients. For detailed information about the content compliance setting, visit Set up rules for advanced email content filtering.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Appsand thenGoogle Workspaceand thenGmailand thenCompliance.
  3. (Optional) On the left, select the organization.

  4. Scroll to the Content compliance setting in the Compliance section, hover over the setting, and click Configure. If the setting is already configured, hover over the setting and click Edit or Add another

  5. In the Add setting box, take these steps:

    Setting option What to do
    Under Content compliance

    Enter a description for the setting for example, Always use TLS 1.2

    Email messages to affect Select Inbound and Internal-receiving.
    Add expression to reject TLS 1.0 connections
    1. Under or in the Expressions table, click Add. The Add setting box appears.
    2. At the top of the box, click the menu  and select Advanced content match. Under Location, select Full headers.
    3. Under Match type, select Matches regex. The Regexp options appear.
    4. Under Regexp, enter this expression: ^Received:.*\(version=TLS1 cipher=
    5. Under Regex Description, enter a descriptive name, for example Match TLS 1.0.
    6. Leave the Minimum match count field empty.
    7. At the bottom of the Add setting box, click Save. The new expression appears in the Expressions table.
    Add expression to reject 3DES connections
    1. Under or in the Expressions table, click Add. The Add setting box appears.
    2. At the top of the box, click the menu  and select Advanced content match.
    3. Under Location, select Full headers.
    4. Under Match type, select Matches regex. The Regexp options appear.
    5. Under Regexp, enter this expression: ^Received:.\scipher=[A-Z,0-9,]*DES[A-Z,0-9,]\s
    6. Under Regex Description, enter a descriptive name, for example Match DES Cipher.
    7. Leave the Minimum match count field empty.
    8. At the bottom of the Add setting box, click Save. The new expression appears in the Expressions table.
    If the above expressions match, do the following

    This action applies if either of the above expressions match.

    1. Select Reject message.
    2. Under Custom rejection notice, enter the text of the message that senders get when their message is rejected due to the setting, for example: This server requires TLSv1.1 or higher, and doesn’t support DES/3DES.
    Show options
    1. To display more setting options, click Show options.
    2. Under B. Account types to affect, select Users and Unrecognized/Catch-all.
  6. Add the bottom of the Add setting box, click Save.
    Changes can take up to 24 hours but typically happen more quickly. Learn more You can monitor changes in the Admin console audit log.

Was this helpful?

How can we improve it?
Search
Clear search
Close search
Main menu
5946803116556224217
true
Search Help Center
true
true
true
true
true
73010
false
false