Google IP address ranges

Configuring a ZixGateway to work with Google Apps as the mail

server.

At the time of writing this documentation the current list of Google mail server IP addresses is:

216.239.32.0/19,64.233.160.0/19,66.249.80.0/20,72.14.192.0/18209.85.128.0/17,66.102.0.0/2

0 74.125.0.0/16,64.18.0.0/20, 207.126.144.0/20, 173.194.0.0/16

These will need to be put in the (Networks Served by Mail Relay) field on the Configure Server

tab. This list can change at any time as Google adds additional servers. To obtain the current

list of Google mail servers follow the instruction on their support page:

http://support.google.com/a/bin/answer.py?hl=en&answer=60764

In case that page moves here is a copy of it:

Google IP address ranges

When you are configuring email handling for your domain, you might need to know the IP

addresses of the Google Apps mail servers, to help prevent Google messages from being marked

as spam.

Google maintains a global infrastructure, which grows dynamically to accommodate increasing

demand. As a result, Google Apps mail servers use a large range of IP addresses, and the

addresses often change. The most effective means of finding the current range of Google IP

addresses is to query Google's SPF record.

To create an SPF record for your domain, you can simply have the record refer to the Google

SPF record for the current list of IP addresses:

v=spf1 include:_spf.google.com ~all

With this method, your domain automatically inherits changes to the Google IP addresses as they

happen.

When you need the literal IP addresses for Google Apps mail servers, use one of the tools

available on the Internet to look up the SPF records for the domains google.com and

_netblocks.google.com. These records list the current range of addresses. The IP ranges of

Google services can be found at any given time by running the following command:

nslookup -q=TXT _netblocks.google.com 8.8.8.8

If you activate the Postini features in Google Apps for Business, you may also need the IP

addresses for the Postini servers.

The customer will need to make an internal MX record and then point that to a list of the Google

mail servers. A current list of these mail servers can be found here:

http://support.google.com/a/bin/answer.py?hl=en&answer=33915

Priority

Mail Server

ASPMX.L.GOOGLE.COM.

ALT1.ASPMX.L.GOOGLE.COM.

ALT2.ASPMX.L.GOOGLE.COM.

ASPMX2.GOOGLEMAIL.COM.

ASPMX3.GOOGLEMAIL.COM.

When loading the Domain Encryption key on the Configure Server tab input the customer’s

internal MX record in the (Mail Host) field. This will allow the ZixGateway to deliver inbound

e-mail that has been decrypted to any of the Google Apps mail servers.

Google Apps also needs to be configured to use the ZixGateway as an inbound and outbound

relay.

Outbound mail gateway:

http://support.google.com/a/bin/answer.py?hl=en&answer=178333

Google Apps Outbound mail gateway

Editions supported: Outbound gateways are available in Google Apps for Business and

Education. Compare editions now

An outbound mail gateway is a server through which all mail sent from your domain passes. The

gateway typically processes the mail in some way — such as archiving it or filtering out spam —

before delivering the mail. The Postini servers are an example of an outbound mail gateway: they

filter (and possibly archive) outgoing mail before delivering it.

When you use an outbound mail gateway, the Google Apps mail servers pass all outgoing mail

from your domain to the gateway server. You configure the gateway server to accept a stream of

mail from the Google Apps mail servers. You may also need to update your DKIM configuration

or the Sender Policy Framework (SPF) record for your domain.

To configure an outbound mail gateway:

1. Sign in to your Google Apps administrator control panel.

2. From the menu at the top of the page, click the Settings tab.

3. From the left-navigation menu, click Email.

4. From the Email settings page, click General Settings.

5. In the Organizations section near the top of the page, highlight your domain.

6. Scroll down to the Outbound gateway section.

7. In the Outbound gateway text box, enter the IP address of the outbound mail gateway server.

8. Save your changes.

9. Configure the outbound gateway server to accept and forward email from the Google Apps mail

servers.

The configuration steps differ depending on the gateway server.

For information about the IP addresses of the Google Apps mail servers, see Google IP address

ranges.

Then for Inbound mail gateway:

http://support.google.com/a/bin/answer.py?hl=en&answer=60730&topic=2683866&ctx=topic

Google Apps Inbound mail gateway

Editions supported: Inbound gateways are available in Google Apps for Business and

Education. Compare editions now

An inbound mail gateway is a server through which all incoming mail for your domain passes.

The gateway typically processes the mail in some way — such as archiving it or filtering out

spam — then passes the mail on to the mail server that delivers the messages to the recipients.

The Postini servers are an example of an inbound mail gateway: they filter (and possibly archive)

incoming mail before passing it on to the Google Apps mail servers.

When you use an inbound mail gateway, the MX records for your domain point to the inbound

mail gateway server. You configure the gateway server to pass the incoming mail on to the

Google Apps mail servers, and configure the Google Apps mail servers to accept a stream of

incoming mail from the gateway server.

To configure an inbound mail gateway:

1. Update your domain's MX records so that the highest priority record refers to the inbound

mail gateway server.

See Creating MX records for detailed instructions.

2. Configure the inbound mail gateway server to deliver mail to the Google Apps mail

servers.

The configuration steps differ depending on the gateway server.

3. Sign in to your Google Apps administrator control panel.

4. From the menu at the top of the page, select the Settings tab.

5. From the left-navigation menu, click Email.

6. From the Email settings page, click General Settings.

7. In the Organizations section at the top of the page, highlight your domain.

8. In the Inbound gateway box, enter the IP address of the inbound mail gateway server.

If you have more than one gateway server, enter an IP range in CIDR notation or separate

each IP address with a comma. If you are using the Postini Services, include the

addresses of the Postini servers:

64.18.0.0/20,207.126.144.0/20,74.125.148.0/22,74.125.244.0/22

9. Select the check box Only let my users receive email from the email gateways listed

above.

This setting ensures that all incoming email comes through the inbound gateway server

and is therefore properly filtered or archived. The Google Apps mail servers will reject

incoming mail from any other mail server.

10. Click Save changes at the bottom of the Email settings page.

11. Verify that incoming mail is properly delivered.

Once your MX record changes from step 1 have taken effect (that is, after the previous

MX record's TTL has expired), send an email message to a user in your domain. Confirm

that (a) the inbound gateway server processes it and (b) the user receives the message in

his or her inbox.