Route outgoing SMTP relay messages through Google (2024)

Set up your on-premise email server for SMTP relay through Google servers

If your organization uses MicrosoftExchange or anotherSMTP service or server, you can set up the SMTP relay service to route outgoing mail through Google. You can use it to:

Filter messages for spam and viruses before they reach external recipients
Apply email security and advanced Gmail settings to outgoing messages

Before you begin

Expandsection|Collapseall

Review server configuration

If you’re using TLS encryption, configure your on-premise mail server to point to smtp-relay.gmail.com on port 587.
If you’re not using TLS encryption, configure your on-premise server to point to smtp-relay.gmail.com on port 25, 465, or 587. Without TLS encryption, you can't use SMTP authentication and must use IP address authentication.

Turn on comprehensive mail storage

You can turn on comprehensive mail storage to help Gmail spam filters learn about your email recipients.

Turn on comprehensive mail storage when:

You use SMTP relay to route email messages forautomated notifications, such as ticketing and bug systems. Messages sent through the relay are delivered torecipients in your organization.
You use Google Vault and the SMTP relay service. Messages sent through the relay are archived in Vault.

To turn it on, go to Set up comprehensive mail storage.

Review sending limits for the SMTP relay service

Organization-wide limits

The number of recipients your organization’s account can send to is based on your overall sending practices. The maximum number of non-unique email recipients allowed per organization are:

4.6 million in a 24-hour period
319,444 per 10-minute window

If you exceed the limits, your users might get an error when they try to send a message.

Depending on your email sending practices, we might reduce therecipient address limit for your Google Workspace account. If the number of recipients is limited, the address maps for the account might also be limited. We recommend following best practices for sending mail to Gmail users. For more information, visit:

Redirect incoming messages with address maps
Prevent mail to Gmail users from being blocked or sent to spam

User and message limits

If a user exceeds a limit, they get an error when they try to send a message. For more information, visit SMTP relay service error messages.

Each user can send up to 10,000 messages in a 24-hour period. However, this limit might be lowerif yourGoogle Workspace account is still in a trial period. To learn more about account limits, go toGmail sending limits inGoogle Workspace.
AGoogle Workspace user can't send messages to more than 10,000 unique recipients in a 24-hour period.
There is a 100-recipient limit per SMTP transaction for smtp-relay.gmail.com. Exceeding this limit results in an error message. To send messages to additional recipients, start another transaction (new SMTP connection or RSET command).
Message count is based on the sender address used in the SMTP relay transaction. If the envelope sender is not a user registered with your Google Workspaceaccount, the per-user limits don't apply. Addresses in the From: and Reply-to: fields are ignored.
The SMTP relay service does not support multiple envelope recipients (RCPT TO) when using a null envelope sender (MAIL FROM: <>).

Trial accounts limits

Limits are lower for trial accounts. To increase the SMTP relay limits for a trial account, you must pay a Google-generated bill. Increasing relay limits is differentfrom increasing Gmail limits, which can be done byending yourtrial.

Per-user recipient and per-account limits

The per-user recipient limits are for unique recipients. Per-accountlimits are for total recipients. For example, when a userrelays 1,000 messages to Recipient-A and1,000 messages to Recipient-B, it counts as 2 messages towardthe per-user limitand2,000 toward your accountlimit.

Account limits for an unpaid balance

If you haven't yet paid a bill for your Google Workspaceaccount, your account limits are lower.

SMTP relay and Gmail user sending limits

There are different per-user sending limits for sending email with Gmail, rather than SMTP relay. The SMTP relay and Gmail user sending limits are independent and counted separately from each other.

Denial of Service (DoS) limits

Google WorkspaceSMTP relay servers support security methods that prevent DoS attacks. To avoid impacting these security methods, we recommend that SMTP agents sending large amounts of mail reuse connections. Reusing connections is called connection caching, and it lets servers send multiple messages per connection. Your email provider can help you set up connection caching.
We recommend that servers present unique identifiers in the HELO or EHLO arguments during SMTP connections. For example, use your domain name or the server name, instead of generic identifiers such as localhost or smtp-relay.gmail.com.

Relay abuse limits

To manage spam, Google monitors messages sent through the SMTP relay service. If we detect a user sending a significant amount of spam, we send an email notification to the super administrators for your Google Workspace account.

Learn more about the spam and abuse policy and handling SMTP relay abuse.

Attachment size limit

You can send up to 25 MB in attachments. If you have more than one attachment, they can't add up to more than 25 MB.

If your file is greater than 25 MB, Gmail automatically adds a Google Drive link in the email instead of including it as an attachment.Learn more aboutGoogle Drive attachment sharing settings.

Step 1: Set up SMTP relay in your Google Admin console

Sign in to your GoogleAdminconsole.
Sign in using your administrator account (does not end in @gmail.com).
In the Admin console, go to MenuAppsGoogle WorkspaceGmailRouting.

You can add, edit, and delete the SMTP relay service setting at the top-level organization only. You can view the setting at the child organizational unit level.
Scroll to SMTP relay service and click Configure. If the setting is already configured, click Edit or Add another.

Enter a name for the setting and set up the following options:

Setting options	What to do
Allowed senders	Choose an option: Only registered Apps users in my domains—Sender must be aGoogle Workspaceuser in one of your domains. Only addresses in my domains—Sender doesn't have to be aGoogle Workspace user, but must be a user in one of your registered domains. This option isuseful when you usethird-party or customapplications to send messages. Any addresses (not recommended)—Sender address can be any email address, including addresses outside of your domain. This option makes you more vulnerable to abuse, either by malicious software on your users' devicesor by incorrect SMTP settings. If you use the any address option and send messages from a domain that you don't own or with an empty envelope-from (for example, bounce messages or out-of-office notifications), set up your mail server to use SMTP AUTH to identify the sending domain or to present one of your domain names in the HELO or EHLO command. If thesender is not in one of your domains, the system changes the envelope sender from user@domain_you_don't_ownto postmaster@your_domain, where your_domainis the domain the system receives from SMTP AUTH or from the HELO or EHLO command. When sending messages onbehalf of an existing user account (as a MAIL FROMaddress)the user must have a Google Workspace license that allowsGmail.
Authentication	Check one or both boxes to set an authentication method: Only accept mail from the specified IP addresses—Systemaccepts only messages sent fromIP addresses that you specify. Require SMTP Authentication—Enforces SMTP authentication to identify the sending domain (connection through TLS required).SMTP authentication verifies the connection by checking the userGoogle Workspace email addressand password. If you select the specified IP addressesoption: Click Add. Enter a description and the IP address or range in IPv4 or IPv6 format. Use your own public IP address. You can specify up to 65,536 IP addresses in one range. For security reasons, we recommend that you keep the IP range as small as possible. Check or uncheck the Enable box to enable or disable the IP address or range. Click Save. To add more IP addresses or ranges, repeat the steps.
Encryption	(Optional) To require TLS for connections between your server and Google, check the Require TLS encryption box. Important: If your email server doesn't support TLS and you check this box, messages not sent over an encrypted TLS connection are rejected.

Setting options

What to do

Allowed senders

Choose an option:

Only registered Apps users in my domains—Sender must be aGoogle Workspaceuser in one of your domains.
Only addresses in my domains—Sender doesn't have to be aGoogle Workspace user, but must be a user in one of your registered domains. This option isuseful when you usethird-party or customapplications to send messages.
Any addresses (not recommended)—Sender address can be any email address, including addresses outside of your domain. This option makes you more vulnerable to abuse, either by malicious software on your users' devicesor by incorrect SMTP settings.
If you use the any address option and send messages from a domain that you don't own or with an empty envelope-from (for example, bounce messages or out-of-office notifications), set up your mail server to use SMTP AUTH to identify the sending domain or to present one of your domain names in the HELO or EHLO command.

If thesender is not in one of your domains, the system changes the envelope sender from user@domain_you_don't_ownto postmaster@your_domain, where your_domainis the domain the system receives from SMTP AUTH or from the HELO or EHLO command.

When sending messages onbehalf of an existing user account (as a MAIL FROMaddress)the user must have a Google Workspace license that allowsGmail.

Authentication

Check one or both boxes to set an authentication method:

Only accept mail from the specified IP addresses—Systemaccepts only messages sent fromIP addresses that you specify.
Require SMTP Authentication—Enforces SMTP authentication to identify the sending domain (connection through TLS required).SMTP authentication verifies the connection by checking the userGoogle Workspace email addressand password.

If you select the specified IP addressesoption:

Click Add.
Enter a description and the IP address or range in IPv4 or IPv6 format.
Use your own public IP address. You can specify up to 65,536 IP addresses in one range. For security reasons, we recommend that you keep the IP range as small as possible.
Check or uncheck the Enable box to enable or disable the IP address or range.
Click Save.
To add more IP addresses or ranges, repeat the steps.

Encryption

(Optional) To require TLS for connections between your server and Google, check the Require TLS encryption box.

Important: If your email server doesn't support TLS and you check this box, messages not sent over an encrypted TLS connection are rejected.

Click Save.

Changes can take up to 24 hours but typically happen more quickly.Learn more

Step 2: Set up your on-premise server to point to Google

ConfigureExchange servers

Expandsection|

Microsoft Exchange 2007/2010 without an Edge server

Google Workspace support provides technical support only for Google products. To get help with these steps, contact your mail server provider.

In this case, set up Outbound Services on a Hub Transport server.Don't change the default timeout settings for Microsoft Exchange 2007/2010 mail servers. The default timeout setting supports this SMTP relay configuration.

For Transport Settings Properties, click GeneralOrganization ConfigurationHub Transport.
Click Send Connectors.
Right-clickthe actions pane and selectNew SMTP Send Connector.
For Name, enter Outbound.
For Select the intended use for this Send connector,select Internetandclick Next.

See Also
Getting started with Postfix, an open source mail transfer agent Customer Community Senders see a "550 relay not permitted" error when they try to email me - Knowledge base - ScalaHosting Postfix SMTP relay and access control
Click Add.
For Domain, enter * (asterisk) so that all mail is routed through the new connector.
Check the Include all subdomains boxand click OK.
Click Next.
Under Network settings, selectRoute mail through the following smart hostsclick Add.
Select Fully qualified domain Name (FQDN) and enter smtp-relay.gmail.com.
ForConfigure smart host authentication settings, selectNoneandclick Next.
For Source Server, click Addand list each outbound hub server that will act as a bridgehead.
Click OKNext.
ForNew Connector, click New.

Click Finish.
Send a test message to confirm that your outbound mail is flowing.

Microsoft Exchange 2007/2010 with an Edge server

Google Workspace support provides technical support only for Google products. To get help with these steps, contact your mail server provider.

To send messages on an Edge server, configure a send connector. You can create and edit send connectors in the Exchange Management Console.Don't change the default timeout settings for Microsoft Exchange 2007/2010 mail servers. The default timeout setting supports this SMTP relay configuration.

To create and configure a send connector on your Hub Connector Server:

Click Organization ConfigurationHub Transport.
Click Send Connectors.
Double-clickEdgeSync – name of your siteto internet.
On the Address Space tab, verify that the asterisk (*) domain has been added.
On the Network tab, unchecktheEnable Domain Security (Mutual Auth TLS)box and selectRoute mail through the following smart hosts.
Click Add.
SelectFully qualified domain name, enter smtp-relay.gmail.com, and click OK.
On the Source Server tab, verify that the appropriate Edge subscriptions are listed.
From the Exchange Management Shell, run the start-edgesynchronization command.
On the Edge servers, verify that the new send connector settings have been received and are identical to those on the hub server.
Check your receive connectors on the Edge server and verify the following points:
- The Network tab has the IP range of all hub servers.
- The Authentication tab has the Exchange Server Authentication option selected.
- The Permission Groups tab has the Exchange Servers option selected.
Send a test message to confirm that your outbound mail is flowing.

Microsoft Exchange 2000/2003

Google Workspace support provides technical support only for Google products. To get help with these steps, contact your mail server provider.

Change the retry interval and configure the smart host to route traffic to Google:

Right-click SMTP Virtual Server and select Properties.
Click the Delivery tab.
For Outbound, change the default retry intervals to the following values:
- First retry interval (minutes): 1
- Second retry interval (minutes): 1
- Third retry interval (minutes): 3
- Subsequent retry interval (minutes): 5
Click Connectors, right-click the SMTP Connector (or the internet Mail SMTP Connector), and select Properties.
On the General tab, enter smtp-relay.gmail.com.
If you selected the Any address option for allowed senders and you send mail from a domain that you don't own. Or, if you send mail without a “From” address, for example bounce messages or vacation notifications, you need to choose one of the following options:
- Configure your mail server to use SMTP AUTH to authenticate as a Google Workspace user.
- Present one of your domain names in the HELO or EHLO command.
For detailed instructions, contact your mail server provider.
Click OK to save the changes.

Configure HCL, Novell, and Sendmail servers

Expandsection|

HCL Domino (formerly IBM Domino)

These instructions, which were written for Domino R5/R6, are designed to work with a majority of deployments.

Don't change the default timeout settings for Domino R5/R6 mail servers. The default timeout setting supports this SMTP relay configuration.

Set up a smart host and adjust the Retry Interval:

Open Domino Administrator.
Click Administrationthe Configuration tab.
Click Configurations.
Double-click the name of your Domino server.
At the top, click Edit Server Configuration.
Click the Router/SMTP tab.
ForRelay host for messages leaving the local internet domain,entersmtp-relay.gmail.com.
Click the Restrictions and Controls tabthe Transfer Controls tab.
See Also
Quick way to resolve Relay Access Denied email error
For Initial Transfer Retry Interval,enter a value of one minute or higher.
Click Save & Close.
If you selected the Any address option for allowed senders and you send mail from a domain that you don't own. Or, if you send mail without a “From” address, for example bounce messages or vacation notifications, you need to choose one of the following options:
- Configure your mail server to use SMTP AUTH to authenticate as a Google Workspace user.
- Present one of your domain names in the HELO or EHLO command.
For detailed instructions, contact your mail server provider.
Send a test message to confirm that your outbound mail is flowing.

Novell Groupwise

Step 1:Increase server timeouts

Open the Groupwise ConsoleOne interface.
Right-click the Internet Agent object and select Properties.
Select the SMTP/MIME Settings tab and click Timeouts.
Set the following values:
- Commands: 5 minutes
- Data: 3 minutes
- Connection Establishment: 2 minutes
- Initial Greeting: 5 minutes
- TCP Read: 5 minutes
- Connection Termination: 15 minutes
Click ApplyOK.

Step 2: Set up a smart host

Open the Groupwise ConsoleOne interface.
Right-click the Internet Agent object and select Properties.
If the SMTP/MIME Settings page is not the default page, click the SMTP/MIME tabSettings.
Set the number of SMTP Send Threads to the maximum number of simultaneous connections the Groupwise server will safely support.
ForRelay Host for Outbound Messages,enter smtp-relay.gmail.com.
Click ApplyOK.
If you selected the Any address option for allowed senders and you send mail from a domain that you don't own. Or, if you send mail without a “From” address, for example bounce messages or vacation notifications, you need to choose one of the following options:
- Configure your mail server to use SMTP AUTH to authenticate as a Google Workspace user.
- Present one of your domain names in the HELO or EHLO command.
For detailed instructions, contact your mail server provider.
Send a test message to confirm that your outbound mail is flowing.

Sendmail

In Sendmail, the server timeout default is one hour. If the timeout value is less than one hour, update the value to one hour before setting up SMTP relay.

To set up the SMTP relay service for Sendmail:

Add the following line to the /etc/mail/sendmail.mc file:
define(`SMART_HOST', `smtp-relay.gmail.com')
Stop and restart the sendmail server process.
If you selected the Any address option for allowed senders and you send mail from a domain that you don't own. Or, if you send mail without a “From” address, for example bounce messages or vacation notifications, you need to choose one of the following options:
- Configure your mail server to use SMTP AUTH to authenticate as a Google Workspace user.
- Present one of your domain names in the HELO or EHLO command.
For detailed instructions, contact your mail server provider.
Send a test message to confirm that your outbound mail is flowing.

Configure macOS, Qmail, and Postfix servers

Expandsection|

macOS

In Server Admin, select Mail and click Settings.
ForRelay all mail through this host, entersmtp-relay.gmail.com.
Click Save.
If you selected the Any address option for allowed senders and you send mail from a domain that you don't own. Or, if you send mail without a “From” address, for example bounce messages or vacation notifications, you need to choose one of the following options:
- Configure your mail server to use SMTP AUTH to authenticate as a Google Workspace user.
- Present one of your domain names in the HELO or EHLO command.
For detailed instructions, contact your mail server provider.
Restart the mail service.
Send a test message to confirm that your outbound mail is flowing.

Qmail

In Qmail, the server timeout default is 1,200 seconds. If the timeout value is less than 900 seconds, update the value to at least 900 seconds before setting up SMTP relay.

To set up a smart host for Qmail:

Edit (or create) the /var/qmail/control/smtproutes file and append the following line:
:smtp-relay.gmail.com:25
If you haveinternal domains wheretraffic shouldn't be routed to Google,addrouting settings to the appropriate mail server to the /var/qmail/control/smtproutes file, with the following syntax:<InternalDomain>:<ServerForInternalDomain>
If you selected the Any address option for allowed senders and you send mail from a domain that you don't own. Or, if you send mail without a “From” address, for example bounce messages or vacation notifications, you need to choose one of the following options:
- Configure your mail server to use SMTP AUTH to authenticate as a Google Workspace user.
- Present one of your domain names in the HELO or EHLO command.
For detailed instructions, contact your mail server provider.
Stop and restart the Qmail server.
Send a test message to confirm that your outbound mail is flowing.

Postfix

Don't change the default timeout settings for Postfix mail servers. The default timeout setting supports this SMTP relay configuration.

To set up a smart host for Postfix:

Add the following line to your configuration file (example path /etc/postfix/main.cf):
relayhost = smtp-relay.gmail.com:25
Restart Postfix by running the following command:
# sudo postfix reload
If you selected the Any address option for allowed senders and you send mail from a domain that you don't own. Or, if you send mail without a “From” address, for example bounce messages or vacation notifications, you need to choose one of the following options:
- Configure your mail server to use SMTP AUTH to authenticate as a Google Workspace user.
- Present one of your domain names in the HELO or EHLO command.
For detailed instructions, contact your mail server provider.
Send a test message to confirm that your outbound mail is flowing.

_{Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companieswith which they are associated.}

Was this helpful?

How can we improve it?

Need more help?

Try these next steps:

Post to the help community Get answers from community members Contact us Tell us more and we’ll help you get there

Advanced email routing

1 of 18
Email routing and delivery options for Google Workspace
2 of 18
Add mail servers for Gmail email routing
3 of 18
Set up Default routing for your organization
4 of 18
Add Gmail Routing settings
5 of 18
Deliver email to multiple inboxes with dual delivery
6 of 18
Send email to two email systems with split delivery
7 of 18
Get misaddressed email in a catch-all mailbox
8 of 18
Forward Gmail emails to another user
9 of 18
Forward email to a third-party CRM
10 of 18
Set up an outbound gateway to process outgoing email
11 of 18
Set up an inbound mail gateway
12 of 18
Allow per-user outbound gateways
13 of 18
Route journal messages to Google Vault
14 of 18
Send email over an alternate secure route (TLS)
15 of 18
Route outgoing SMTP relay messages through Google
16 of 18
Set up third-party servers for email from Google IP addresses
17 of 18
SMTP relay service error messages
18 of 18
Google IP address ranges for outbound mail servers

Start your free 14-day trial today

Professional email, online storage, shared calendars, video meetings and more. Start your free Google Workspace trial today.