Set up an inbound mail gateway

As an administrator, you can set up Gmail to accept messages it gets from inbound mail gateways.

An inbound mail gateway is a mail server that processes inbound email in some way, before messages are delivered to recipients. For example, inbound gateways typically check for spam, archive messages, and scan for harmful attachments or software. Inbound gateways are useful for larger organizations with a lot of email. The processing that gateways perform frees up primary email servers to deliver messages to recipients.

Specify the inbound mail gateway IP address, or range of IP addresses, in the Inbound gateway setting.

Optionally, you can set up the gateway to:

  • Automatically detect the external IP.
  • Reject messages that aren't sent from the gateway.
  • Require that connections from the gateway use Transport Layer Security (TLS).
  • Manage spam based on gateway message tags.

Important: Inbound gateway settings don't support private IP addresses.

Before you begin

Before you set up your inbound gateway, point the MX records for your domain to the gateway. For detailed instructions, visit Set up MX records.

Set up an inbound gateway

Set up the gateway to deliver messages to Gmail servers. Configuration steps differ depending on your gateway server.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu > Apps > Google Workspace > Gmail > Spam, Phishing and Malware.
  3. On the left, select your top-level organization. 
  4. Scroll to the Inbound gateway setting, then click Edit. The Inbound gateway settings open on the page.
  5. Take these steps in inbound gateway settings:

     

    Setting 1: Gateway IPs

    Set up the IP addresses and options for your gateway:

    1. Click Add. The Add IP address/range box opens. In the Add IP address/range box, enter the gateway IP address or range of addresses.
      • If messages pass through multiple gateways before reaching Gmail, add all gateway IP addresses.
      • Enter only public IP addresses. Gmail doesn't support private IP addresses for gateways.
    2. In the Add IP address/range box, click Save.
    3. Automatically detect external IP—(Optional) When this option is selected, Gmail determines the source IP address to use for the SPF authentication.

      How Gmail determines the source IP address: Gmail scans Received: from message headers to find the first public IP address that’s not in the Gateway IP list. Gmail treats this IP address as the source IP for the message. This IP address is used for SPF authentication and spam evaluation. Learn more about how Gmail determines the source IP.

      When this option is off, Gmail checks only one hop backwards for the sending IP address.

    4. Reject all mail not from gateway IPs—(Optional) When this option is selected, messages from senders other than the inbound gateway are rejected.
    5. Require TLS for connections—(Optional) When this option is on, connection attempts from gateways that don't use TLS are rejected. Learn more about setting up TLS for Gmail.
    Setting 2: Message tagging (Optional)

    To set up message tagging options, check the Message is considered spam if the following header regexp matches box.

    1. In the field below Regexp, enter the gateway message header tag as a regular expression.
    2. To verify the header tag, click Test expression.
    3. Select one of these options:
      • Message is spam if regexp matches—With this option, Gmail treats messages as spam when only the header is a match.

        For example, if your gateway adds the X-spam-gw header tag and you want Gmail to treat messages with this header as spam, enter ^X-spam-gw:. If you want Gmail to mark the message as spam if it matches the exact header and nothing else, enter ^X-spam-gw: spam$.

      • Regexp extracts a numeric score—With this option, Gmail treats messages as spam when a score in the header matches the value for this option. Below this option, enter a numeric value in the field. The regexp for the numeric score must include a capture group.

        For example, if you want Gmail to handle messages as spam when the gateway adds the message header X-spam: or X-phishy: and a numerical score greater than or equal to .50, enter the regexp ^X-(?:spam|phishy): (0\.\d*|1\.0*)$, including just one capture group. Then, enter .50 for the numeric score. 0\.\d*|1\.0* indicates the decimal values from 0 to 1. The parentheses indicate the numeric group to extract.

        If your expression has multiple parentheses, include a question mark and colon after the opening parenthesis of the non-capturing group, as shown in the previous example.

    4. Disable Gmail spam evaluation on mail from this gateway; only use header value—(Optional) With this option, message header values are the main method used to determine if a message is spam.

     

  6. At the bottom, click Save.

    Changes can take up to 24 hours but typically happen more quickly. Learn more
    You can track changes in the Admin console audit log.

  7. Verify that incoming messages are delivered as expected:
    1. After the Time to Live (TTL) has expired for the MX records, send a message to a user in your domain. Learn about avoiding bounced messages after changing MX records.
    2. Confirm the inbound gateway server processes the message, and the recipient gets the message in their inbox.
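
For the numeric-score option in the Message tagging step above, a pre-flight check of the regexp against sample gateway headers shows which header formats would never match. This is an added example, not Google's code: Python's re module stands in for Gmail's regexp engine, each header line is assumed to be tested separately, and the function names and sample headers are constructed for illustration.

```python
import re

# Regexp and threshold from the page's numeric-score example.
PAGE_REGEXP = r"^X-(?:spam|phishy): (0\.\d*|1\.0*)$"
THRESHOLD = 0.50

def has_single_capture_group(pattern):
    """The score option needs exactly one capturing group; (?:...) does not count."""
    return re.compile(pattern).groups == 1

def extract_score(pattern, header_lines):
    """Return the captured score from the first matching header line, else None."""
    rx = re.compile(pattern)
    for line in header_lines:
        m = rx.search(line)
        if m:
            return float(m.group(1))
    return None

def tagged_as_spam(pattern, header_lines, threshold=THRESHOLD):
    """Spam when a score was extracted and it is >= the configured value."""
    score = extract_score(pattern, header_lines)
    return score is not None and score >= threshold

# Constructed gateway outputs mapped to the expected verdict. The last three
# never match the page's regexp, so no score is extracted from them at all.
SAMPLES = {
    "X-spam: 0.75": True,
    "X-phishy: 0.20": False,
    "X-spam: 1.0": True,
    "X-spam: 1": False,             # no decimal point; the pattern requires one
    "X-spam: .75": False,           # no leading zero
    "X-spam: 0.90 (bayes)": False,  # trailing text defeats the $ anchor
}

def preflight(pattern=PAGE_REGEXP):
    """Verdict per sample line, to compare against what the gateway intended."""
    return {line: tagged_as_spam(pattern, [line]) for line in SAMPLES}
```
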

How the Inbound gateway setting works

How Gmail determines the source IP

Gmail uses the source IP of an email message to do SPF and spam checks. Determine the source IP using this information:

  • Inbound gateway setting
  • IP addresses in the Gateway IPs list
  • Automatically detect external IP option

When Gmail receives a message, it scans a message’s Received: from headers for the source IP:

  • If you haven’t set up the Inbound gateway, Gmail finds the Received: from header with the MX record, and determines that the source IP is the one connecting to the Gmail server.
  • If you included the connecting IP in the Gateway IPs list, and you’ve turned on the Automatically detect external IP option:
    • Gmail searches the Received: from headers for the first occurrence of an external public IP address that’s not in the list.
    • If Gmail identifies a public IP address, the address is used as the source IP for SPF authentication.
    • If Gmail doesn’t identify a public IP address, the message is treated as an internal message, and no SPF authentication is required.
    • The source IP address in the message header for the SPF check is always the connecting IP address, not the message's actual source IP address.

Note: If a Received: from header line is formatted in a nonstandard or unrecognizable way, Gmail can't determine the IP for that hop. If Gmail parses all Received: from headers and can't identify an external IP, Gmail reverts to using the connecting IP, even if it’s included in the Gateway IPs list.

If the setting includes the connecting IP in the Gateway IPs list, and the Automatically detect external IP option is off:

  • Gmail skips the connecting IP, and uses the IP of the previous hop as the source IP, even if it’s also included in the Gateway IPs list.

Example: How Gmail determines the source IP

Here's an example message header that shows how controls help determine the source IP address:

Delivered-To: [email protected]

Received: by 192.0.2.205 with SMTP id e3cs239nzb; Tue, 24 Mar 2020 15:11:47 -0800 (PST)

Return-Path: [email protected]

Received: from mail.emailprovider.com (mail.emailprovider.com [192.0.2.2]) by mx.gmail.com with SMTP id h19si826631rnb.2020.03.29.15.11.46; Tue, 24 Mar 2020 15:11:47 -0800 (PST)

Message-ID: <[email protected]>

Received: from [192.0.2.55] by mail.emailprovider.com via HTTP; Tue, 24 Mar 2020 15:11:45 PST

Received: from [192.0.2.110] by mail.emailprovider.com via HTTP; Tue, 24 Mar 2020 15:11:44 PST

Received: from [192.0.2.136] by mail.emailprovider.com via HTTP; Tue, 24 Mar 2020 15:11:44 PST

Received: from [192.0.2.152] by mail.emailprovider.com via HTTP; Tue, 24 Mar 2020 15:11:44 PST

Date: Tue, 24 Mar 2020 15:11:45 -0800 (PST)

From: Mr Jones

Subject: Hello

To: Mr Smith

If you don’t set up the Inbound gateway

Gmail determines that the source IP is 192.0.2.2 because it’s the IP connecting to the Gmail server in the Received: from header line that contains the MX record:

Received: from mail.emailprovider.com (mail.emailprovider.com [192.0.2.2]) by mx.gmail.com 

Using the "Automatically detect external IP" option

If you added 192.0.2.2 and 192.0.2.55 to the Gateway IPs list, when you select Automatically detect external IP, the source IP is 192.0.2.110.

  • Gmail determines that the connecting IP is 192.0.2.2 and the previous hop IP is 192.0.2.55.

  • Because they’re in the Gateway IPs list, Gmail skips these two IP addresses.

  • Gmail determines that the external IP is 192.0.2.110, because it’s the first IP not included in the list.

If you added 192.0.2.2 and 192.0.2.55 to the Gateway IPs list, and you don’t select Automatically detect external IP, the source IP is 192.0.2.55.

Gmail skips the connecting IP, 192.0.2.2, and uses the IP of the previous hop, 192.0.2.55, even though it’s included in the Gateway IPs list.
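
The selection rules above, modelled as an added example that reproduces the three outcomes for the page's sample header. This is not Google's implementation: the function names, the IPv4-only parsing of unfolded header lines, the definition of "public", and the handling of cases the page leaves open are assumptions, each marked in the comments.

```python
import ipaddress
import re

# "Received:" lines from the page's example header, most recent hop first.
EXAMPLE = """\
Received: by 192.0.2.205 with SMTP id e3cs239nzb; Tue, 24 Mar 2020 15:11:47 -0800 (PST)
Received: from mail.emailprovider.com (mail.emailprovider.com [192.0.2.2]) by mx.gmail.com with SMTP id h19si826631rnb.2020.03.29.15.11.46; Tue, 24 Mar 2020 15:11:47 -0800 (PST)
Received: from [192.0.2.55] by mail.emailprovider.com via HTTP; Tue, 24 Mar 2020 15:11:45 PST
Received: from [192.0.2.110] by mail.emailprovider.com via HTTP; Tue, 24 Mar 2020 15:11:44 PST
Received: from [192.0.2.136] by mail.emailprovider.com via HTTP; Tue, 24 Mar 2020 15:11:44 PST
Received: from [192.0.2.152] by mail.emailprovider.com via HTTP; Tue, 24 Mar 2020 15:11:44 PST
"""
# Assumption: "public" = outside these ranges. ipaddress.is_global is not used
# because it rejects the 192.0.2.0/24 documentation addresses in the example.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
FROM_IP = re.compile(r"^Received: from [^;]*?\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def hop_ips(headers):
    """One entry per 'Received: from' line; None where no IP can be parsed."""
    hops = []
    for line in headers.splitlines():
        if line.startswith("Received: from"):
            m = FROM_IP.match(line)
            try:
                hops.append(ipaddress.ip_address(m.group(1)) if m else None)
            except ValueError:          # e.g. [999.1.1.1]
                hops.append(None)
    return hops

def listed(ip, gateways):
    return any(ip in ipaddress.ip_network(g) for g in gateways)

def source_ip(headers, gateways=(), auto_detect=False):
    hops = hop_ips(headers)
    if not hops or hops[0] is None:
        raise ValueError("no parseable connecting hop")
    connecting = hops[0]
    # Assumption: a connecting IP outside the Gateway IPs list is the source.
    if not listed(connecting, gateways):
        return str(connecting)
    if not auto_detect:
        # One hop back, even if listed. Assumption: no usable hop -> connecting IP.
        prev = hops[1] if len(hops) > 1 else None
        return str(prev if prev is not None else connecting)
    for ip in hops[1:]:
        if ip is not None and not listed(ip, gateways) and not any(ip in n for n in NON_PUBLIC):
            return str(ip)
    return str(connecting)  # the page's note: revert to the connecting IP
```
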

 

How the setting affects an email allowlist

When the same IP address is in the Gateway IPs list and in an email allowlist, the allowlist entry doesn't affect message delivery or spam filters.

Gmail recognizes that inbound gateway IP addresses aren't originating, source IP addresses. Gmail scans Received: from entries in message headers to identify the first public IP address that isn't in the Inbound Gateway IPs list. This is the original sender source IP address.

To bypass spam, add the original sender source IP address to your email allowlist.
