SMTP
------
Send mail from your device or application
To send mail from your device or application using Gmail servers, follow the steps for the option you chose.
Set up G Suite SMTP relay in the Admin console (recommended)
To use the G Suite SMTP relay (recommended and most secure setup option):
From the Admin console, click Apps > G Suite > Gmail > Advanced settings.
Add your network IP range to the SMTP relay service.
Configure your device to connect to smtp-relay.gmail.com on port 25, 465, or 587.
For more details about using this setting, see SMTP relay service setting.
SMTP relay: Route outgoing non-Gmail messages through Google
Step 1: Route outbound mail using the SMTP relay service
Note: After you enter and save an IP address or range, you can enable or disable it by checking or unchecking the box to the left of the entry.
In your Google Admin console (at admin.google.com)...
On the left, select the top-level organization. See Tailor advanced settings for Gmail for more details.
Note: You can configure the SMTP relay service setting for the top-level organization only. You can view the setting from the sub-organization level when it's added, but you can't add, edit, or delete the setting from the sub-organization level.
Scroll to the SMTP relay service setting in the Routing section, hover over the setting, and click Configure. If the setting is already configured, hover over the setting and click Edit or Add another.
For a new setting, enter a unique description.
In the Allowed senders section, select the users who are allowed to send messages through the SMTP relay service:
Only registered Apps users in my domain—The sender must be a registered user in one of your domains.
Only addresses in my domains—The sender doesn't have to be a recognized G Suite user, but must be in one of your registered domains. This can be useful when you have third-party or custom applications that need to send messages.
Any addresses (not recommended)—The sender address can be anything, even an address outside of your domain.
The Any addresses option makes you more vulnerable to abuse, either through malware on your users' machines or by misconfiguration of your SMTP infrastructure. Therefore, we don't recommend this option.
For the Any addresses option to work properly, you must configure your mail server either to use SMTP AUTH to identify the sending domain or to present one of your domain names in the HELO or EHLO command. See the instructions below for configuring your specific server type. You must also configure your mail server in one of these ways if you send messages from a domain you don't own (such as yahoo.com), or if you send messages with an empty envelope-from, such as non-delivery reports or vacation “out of office” notifications.
If the envelope sender is not in one of your domains, the system changes the envelope sender from user@[domain you don't own] to postmaster@[your domain], where [your domain] is the domain the system receives from SMTP AUTH or from the HELO or EHLO command.
In the Authentication section, check one or both boxes to set an authentication method:
Only accept mail from the specified IP addresses—The system only accepts mail sent from these IP addresses as coming from your domains.
Require SMTP Authentication—Enforces the use of SMTP authentication to identify the sending domain. Using this option requires your clients to connect via TLS.
If you chose to only accept messages from specified IP addresses, enter the IP addresses:
Click Add IP RANGE.
Enter a description for the IP address or range.
Enter the IP address or range.
Use the Classless Inter-Domain Routing (CIDR) format to enter an IP range; for example, 123.123.123.123. Use your own public IP address. The maximum number of IP addresses that you can specify in the range is 65,536. We recommend that you keep the allowed IP range as narrow as possible for security reasons.
You can also use IPv6 address formats to specify an IP address; for example:
1050:0000:0000:0000:0005:0600:300c:326b or
1050:0:0:0:5:600:300c:326b or
1050::5:600:300c:326b
Check the Enabled box to enable (or uncheck to disable) this IP address or range.
Click Save.
Note: After you enter and save an IP address or range, you can enable or disable it in the future simply by checking the box to the left of the entry.
In the Encryption section, check the Require TLS encryption box to require that the communication between your server and Google’s server be TLS encrypted, including the message contents.
Note: If your email server does not support TLS, do not check this box. If you check this box, Google rejects messages that are not encrypted.
Click Add setting or Save. Any new settings are added to the Advanced settings page.
At the bottom, click Save.
Note: It can take up to an hour for changes to propagate to user accounts. You can track prior changes using the Admin console audit log.
Step 2: Point your on-premise outbound server to Google
Configure your on-premise outbound email server to point to smtp-relay.gmail.com. Click your server below for instructions.
Configuration notes
If you checked the box to require TLS encryption in step 9 above, configure your on-premise mail server to point to smtp-relay.gmail.com on port 587.
If you don’t require TLS encryption, you can configure your on-premise mail server to point to smtp-relay.gmail.com on port 25, port 465, or port 587.
Note: Your G Suite email address and password (SMTP AUTH) are always required for authentication when relaying through port 587 or 465. Without TLS encryption, you can't use SMTP authentication and must use IP address authentication.
We recommend that you configure your mail server to present a unique identifier (such as your domain name or the name of your mail server) in the HELO or EHLO command in the SMTP relay connections your server makes to Google. Avoid using generic names such as "localhost" or "smtp-relay.gmail.com," which can occasionally result in issues with DoS limits.
The SMTP Relay service doesn't support multiple envelope recipients (RCPT TO) when specifying a null envelope sender (MAIL FROM: <>).
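As an added example (not part of Google's documentation), the following Python pre-flight check applies the rules stated above, both for the allowed IP ranges and for the configuration notes, to constructed sample values. The function names and parameters are assumptions made for this illustration; the checks follow this page's notes only and do not query the Admin console or the relay.

```python
import ipaddress

MAX_RANGE = 65_536                       # largest range the page allows
RELAY_PORTS = {25, 465, 587}             # ports listed for smtp-relay.gmail.com
GENERIC_HELO = {"localhost", "smtp-relay.gmail.com"}   # names the page says to avoid


def check_allowed_range(cidr):
    """Problems with one allowed-IP entry, given as a CIDR string."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)   # rejects host bits set
    except ValueError as exc:
        return [f"{cidr}: not valid CIDR ({exc})"]
    problems = []
    if net.num_addresses > MAX_RANGE:
        problems.append(f"{cidr}: {net.num_addresses} addresses, limit is {MAX_RANGE}")
    if net.is_private:
        problems.append(f"{cidr}: private range; enter your public IP instead")
    return problems


def check_client(port, tls, smtp_auth, helo, mail_from, rcpt_to, require_tls=False):
    """Problems with how an on-premise server is set to talk to the relay."""
    problems = []
    if port not in RELAY_PORTS:
        problems.append(f"port {port} is not a relay port")
    if require_tls and port != 587:
        problems.append("Require TLS is checked: use port 587")
    if require_tls and not tls:
        problems.append("Require TLS is checked: unencrypted mail is rejected")
    if port in (465, 587) and not smtp_auth:
        problems.append(f"port {port} always requires SMTP AUTH")
    if smtp_auth and not tls:
        problems.append("SMTP AUTH needs TLS; without TLS use IP authentication")
    if helo.lower() in GENERIC_HELO:
        problems.append(f"HELO/EHLO name '{helo}' is generic; present your domain")
    if mail_from == "" and len(rcpt_to) > 1:
        problems.append("null sender (MAIL FROM: <>) with multiple RCPT TO")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    for entry in ["123.123.123.123/32", "123.0.0.0/8", "10.0.0.0/24", "123.123.123.123/24"]:
        print(entry, check_allowed_range(entry) or "ok")
    print(check_client(25, False, False, "localhost", "", ["a@example.com", "b@example.com"]))
```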
Additional configuration requirements
In addition to the server configuration steps listed above, you might have to further configure your server if either of the following is true:
You select the Any addresses option in the Allowed senders setting and you send mail from a domain you do not own, such as yahoo.com.
You send mail without a “From” address, such as non-delivery reports or vacation “out of office” notifications.
In these cases, you need to configure your mail server to either ensure that the server is using SMTP AUTH to authenticate as a registered G Suite user or present one of your domain names in the HELO or EHLO command. See the instructions here.
-----