TLS compliance
Transport Layer Security (TLS) is a security protocol that encrypts email for privacy. TLS prevents unauthorized access of your email when it's in transit over internet connections.
By default, Gmail always tries to use a secure TLS connection when sending email. However, a secure TLS connection requires that both the sender and recipient use TLS. If the receiving server doesn't use TLS, Gmail still delivers messages, but the connection isn't secure. Add the Secure transport (TLS) compliance setting to always use TLS for email sent to and from domains and addresses that you specify.
When composing a new Gmail message, a padlock image next to the recipient address means that the message will be sent with TLS. The padlock shows only for accounts with a Google Workspace subscription that supports S/MIME encryption.
Google Workspace supports TLS versions 1.0, 1.1, 1.2, and 1.3.
Before setup
Verify supported TLS versions for standards used in your organization
Before setting up TLS in your Google admin console, verify the TLS versions supported by any compliance, security, or other standards used in your organization. Not all standards support the TLS versions that Google Workspace supports.
If the standards used in your organization require TLS, enable it with the Secure transport (TLS) compliance setting.
Understand what happens to messages sent to or from servers that don't use TLS
Your Secure transports (TLS) compliance setting affects messages sent over non-TLS connections, for addresses and domains that you specify in the setting.
Outgoing messages |
Messages aren't delivered and will bounce. You'll get a non-delivery report. Gmail makes only one attempt to send messages over a non-TLS connection. |
Incoming messages |
Incoming messages from non-TLS connections are rejected without any notification to you. The sender gets a non-delivery report. |
Steps to set up TLS compliance in your Google admin console:
1. In the Admin console, go to Menu > Apps > Google Workspace > Gmail > Compliance.2. On the left, select an organizational unit.
3. Point to Secure transport (TLS) compliance and click Configure. To add more TLS settings,click Add Another
4. In the Add setting box, enter a name for the setting and take these steps:
5. In the Add setting box, enter a name for the setting
6. Email messages to affect:- Select Inbound, Outbound, or both. You must use an address list to enforce TLS for inbound and outbound messages. You'll set the address list in the next step.
- For address list matching, Gmail uses the From: sender for inbound messages and the recipients for outbound messages. For inbound messages, the From: sender must exactly match an address or domain in the setting. Authentication requirements are checked for outgoing messages.
- Select Outbound - messages requiring Secure Transport via another setting for outbound messages that have other secure connection settings. For example, you can set email routing to send outbound messages through a secure connection, or you can set an alternate secure route for outbound messages.
7. Use TLS for secure transport when corresponding with these domains/email addresses.
-->To select an existing address list that has the domains or email addresses that require TLS connections:
- Click Use existing list. The Select address list box opens.
- Select one or more address lists to use with the TLS setting.
- Click the X in the upper left to close the Select address list box.
- Click Create or edit list. The Manage address lists page opens in a new tab.
- On the Manage address lists page, click Add address list. The Add address list box opens.
- In the Name field, enter a unique name for the address list.
- To add addresses or domains to the new address list, click Bulk add addresses or Add address.
- Enter email addresses or domain names. Separate entries with a space or comma.
- Click Save, then return to the Compliance tab to finish setting up TLS.
8. Options
-->Select setting options:
- Require CA signed certificate (Recommended)—Requires the client SMTP server to present a certificate signed by a trusted Certificate Authority.
- Validate certificate hostname (Recommended)—Verifies that the receiving hostname matches the certificate presented by the SMTP server.
- (Optional) Click Test TLS connection to verify the connection to the receiving mail server.
10. At the bottom of the Add setting box, click Save. The new setting appears in the Secure Transport (TLS) compliance settings table.
NOTE: Changes can take up to 24 hours but typically happen more quickly.
Troubleshoot TLS errors
If you get an error when setting up TLS, follow the recommendations in this section.
If you click Test TLS connection and get a certificate validation error, messages sent from your organization will bounce, even though you could save the new mail route.
To fix the error, try one or more of these solutions:
- If your mail server has more than one hostname make sure you’re using the hostname that’s on the server’s certificate.
- If you have access to the mail server on the route, install a new certificate from a trusted Certificate Authority. Verify the new certificate has the correct hostname.
- If you use a third-party mail relay service, contact the service provider about this error.
- Uncheck the box for one or more of these options:
- Require mail to be transmitted over a secure transport (TLS) connection
- Require CA signed certificate
- Validate certificate hostname
Important: We recommend keeping these options turned on whenever possible so the connection can be verified.
Please check the below-supporting article for your further reference:
Require a secure connection for email - Google Workspace Admin Help