G Suite works surprisingly well with external mail servers to route, filter, scan, archive, and backup email. Spend enough time with Google’s help documentation and you’ll certainly figure it all out. Google’s help documents explain how to accomplish tasks. But Google’s documents don’t highlight why you might choose one specific mail server setup over another.
Long-term split email delivery
Different groups of people have different needs. If you need to run a legacy mail server side-by-side with Google Suite long term, you can. With long term split delivery, incoming mail is split by groups within the same organization (or domain name). One group uses the legacy system, while the other group uses Google Suite.
For example, a university might deliver student email to G Suite, while faculty email is sent to a legacy system, such as Microsoft Exchange. Or, a company might route the email of employees stationed at it’s headquarters to Google Suite, while sending mail for employees at a secondary location to a legacy system.
Set up mail routes
To use external mail servers with Google Suite, you need to define mail routes. A mail route identifies a legacy mail server by domain or IP address. Mail routes may also identify multiple hosts, which is useful if you’re working with legacy systems configured to offer failover or load balancing.
To configure mail routes, log in to your G Suite admin account at admin.google.com, then navigate to G Suite > Gmail > Hosts.
Filtering inbound email
It may seem redundant to pass email through an additional external filter before it arrives in Gmail. After all, Google Suite provides excellent antivirus scanning and spam filtering. It also blocks executable attachments, which is good.
Google also places suspected spam in the user’s spam folder. That’s the potential problem. Each person can access their spam folder, which means there’s a chance that someone could click on a harmful link or fall for a phishing scheme. An external filter might identify an email as spam before it even reaches Gmail, keeping the email entirely inaccessible to the user.
To set up an inbound mail gateway, your MX records need to be configured to direct mail for your domain to the gateway server. Configure this device to route all email — post scanning — to Google’s servers. You also need to set Gmail to accept email only from the gateway server, which ensures all incoming mail has been properly processed.
Outbound Email: Gateway or Relay?
Mail passes through a gateway, but mail is “handed off” to a relay server. While similar, an outbound gateway and outbound relay solve different problems.
An outbound gateway typically is used to filter or archive email. When mail passes through the gateway, it may be scanned and/or stored. An outbound relay lets you “hand off” an email to an external server to be sent, while still using Gmail to create the email.
People with two roles may find an outbound relay useful. For example, a corporate executive might send most email from their corporate account: AnExec@Company.com. But they may also play a role in a separate corporate foundation with a different domain name. The outbound relay would allow them to send email from this other domain: SameExec@Foundation.org. People who use an external help desk or customer relationship management system (CRM) may also benefit from an outbound relay.
An outbound relay solves another problem: it eliminates “on behalf of” messages. Without an outbound relay, a recipient might see the “From:” field as “SameExec@Foundation.org on behalf of AnExec@Company.com”. With an outbound relay, the “From:” field would be “SameExec@Foundation.org”.
Setup of outbound gateways and relays is slightly different. Administrators configure outbound gateways: the user has no control over outbound gateways. Yet while administrators may enable the use of outbound relays, individual users must then configure their own outbound relay account settings. (Relaying may also be prohibited.)
Relays present a potential problem: mail “handed off” to an outbound relay isn’t stored in Gmail’s “Sent Mail” folder, since the email is sent by the outbound relay mail server. To ensure that all mail created with Gmail is stored in Gmail — even if it is actually sent by another mail server — an administrator needs to enable Google’s comprehensive mail storage setting. In the G Suite admin dashboard, go to G Suite > Settings for Gmail > Advanced settings to enable this.
You may choose to require a secure connection for email between your organization and specific domains. Email between the two domains will be protected with Transport Layer Security (TLS).
Gmail will reject inbound mail, and will not send outbound mail if TLS isn’t available at the specified domain. (To enable this, log in to your G Suite admin console. Go to G Suite > Settings for Gmail > Advanced Settings. Choose your domain or organizational unit and go to “Secure Transport (TLS) Compliance”.)
Learn more from Google: Secure transport compliance setting
SMTP relay service
Google’s SMTP relay service is pretty much the opposite of using an outbound relay. With an outbound relay, you use Gmail, but send mail from another mail server.
The SMTP service is the opposite: you use a legacy mail server, but send mail from Google’s mail servers. As a result, your outbound email benefits from Google’s spam and virus filters.
To learn more, check out the full eBook: Setting Up External Mail Servers. This guide will teach you initial testing and migration best practices, long-term split email delivery, compliance and security requirements, content scanning and routing tips and tricks, and more. Download it today!