Secure transport (TLS) compliance setting

By default, when you send email to or receive email from a given address or domain, Google Apps Gmail checks to see if secure transport (TLS) is available for that address or domain. If so, Gmail delivers the message using secure transport. If not, Gmail delivers the message over a non-secure connection. However, you can use the Secure transport (TLS) compliance setting to require mail to be transmitted via a secure connection when users correspond with specific domains and email addresses.

You can configure this setting for both inbound and outbound mail. If TLS is not available at a domain that you specify in this setting, inbound mail will be rejected and outbound mail will not be transmitted.

Note: Transport Layer Security (TLS) is an industry-wide standard based on Secure Sockets Layer (SSL) technology that encrypts mail for secure delivery.

Similar to other email security settings, the Secure transport (TLS) compliance setting applies to all users in an organizational unit. Users within child organizational units inherit the settings you create for the parent organization.

Changes to the Secure transport (TLS) compliance setting can take up to 1 hour to take effect. You can track prior changes in the Admin console audit log.

To set up TLS compliance settings for your domain or organizational unit:

  1. Sign in to the Google Admin console.
  2. From the dashboard, go to Apps > Google Apps > Gmail > Advanced settings.
  3. In the Organizations section, highlight your domain or the organizational unit for which you want to configure settings (see Configure advanced settings for Gmail for more details).
  4. Scroll down to the Secure transport (TLS) compliance section:
    • If the setting's status is Not configured yet, click Configure (the Add setting dialog box displays).
    • If the setting's status is Locally applied, click Edit to edit an existing setting (the Edit setting dialog box displays), or click Add another to add a new setting (the Add setting dialog box displays).
    • If the setting’s status is Inherited, click View to view the inherited setting, or click Add another to add a new setting (the Add setting dialog box displays).
  5. Click Add description to enter a short description that will appear in the setting's summary.
  6. Check any of the following boxes:
    • Inbound - all messages: Configure this setting for all inbound mail.
    • Outbound - all messages: Configure this setting for all outbound mail.
    • Outbound - messages requiring Secure Transport via another setting: Configure this setting only for outbound messages to which another secure connection setting applies. For example, you may have your Mail Route setting set to send outbound mail through a secure connection, or you may have set an alternate secure route for outbound mail.
      Note: Inbound messages are messages received by your users from senders outside the set of domains associated with your company or organization. Outbound messages are messages sent by your users to recipients outside the set of domains associated with your company or organization.
  7. To specify the list of domains and/or email addresses that require TLS for secure transport, click Use existing or create a new one:
    • Enter a name for your new list in the Create new list field.
    • Click Create.
    • Move your pointer over the list name, and click Edit.
    • Click Add.
    • Enter comma- or space-delimited email addresses or domain names.
    • Click Save.
    Note: When you enter addresses or domain names, Gmail checks these against the From: part of the message header, not the envelope sender (or Return-Path section of the message header). Therefore, the From: sender must exactly match an address or domain you enter.
  8. (Optional) Check the Require CA signed cert when delivering outbound to the above-specified TLS-enabled domains box.

    If you check this box, the client SMTP server must present a valid CA signed certificate for messages that match the conditions you set in steps 6 and 7. The cert requirement is enforced only for messages that match these conditions. For example, if you select Outbound - messages requiring Secure Transport via another setting in step 6, only outgoing messages sent through a smarthost or alternate secure route will require a CA signed cert. Messages sent through any other route are delivered without requiring a CA signed cert.

  9. When you are finished making changes, click Add setting or Save to close the dialog box.
    Note: Any settings you add will be highlighted on the Email settings page.
  10. Click Save changes at the bottom of the Email settings page.
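
The From: matching rule from the note in step 7, modeled as an added Python example (not Google's code) so you can see which sender field decides whether a message falls under the setting. The function names, the sample messages and the treatment of a subdomain as a non-match (read from "exactly match") are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def parse_list(text):
    """Split the comma- or space-delimited entries typed in step 7."""
    return {e.lower() for e in re.split(r"[,\s]+", text.strip()) if e}

def tls_list_match(raw_message, tls_list):
    """Return the list entry the From: header matches, or None.

    Only From: is consulted; Return-Path (the envelope sender) is ignored.
    Assumption: matching is exact on the full address or on its domain.
    """
    msg = message_from_string(raw_message)
    addr = parseaddr(msg.get("From", ""))[1].lower()
    domain = addr.rpartition("@")[2]
    for candidate in (addr, domain):
        if candidate and candidate in tls_list:
            return candidate
    return None

def make_msg(return_path, from_header):
    """Build a constructed sample message with the two sender fields."""
    return (f"Return-Path: <{return_path}>\nFrom: {from_header}\n"
            "To: user@corp.example\nSubject: test\n\nbody\n")

# Constructed list and messages (all names are placeholders).
TLS_LIST = parse_list("partner.example, billing@vendor.example")
SAMPLES = {
    # From: domain is listed; a third-party bounce address does not matter.
    "bulk_sender": make_msg("bounce@mailer.example",
                            "Partner <invoices@partner.example>"),
    # Envelope sender is at the partner, but From: is not: no match.
    "envelope_only": make_msg("bounces@partner.example",
                              "Alerts <alerts@saas.example>"),
    # Subdomain of a listed domain is not an exact match.
    "subdomain": make_msg("news@mail.partner.example",
                          "News <news@mail.partner.example>"),
    # Listed individual address.
    "address": make_msg("billing@vendor.example", "billing@vendor.example"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:14} -> {tls_list_match(raw, TLS_LIST)}")
```

When building the list, enter the address or domain that appears in the From: header of the mail you want covered, not the bounce or envelope domain.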