Transport Layer Security (TLS) is a protocol that encrypts email messages for security and privacy. TLS prevents unauthorized access of messages when they're sent over internet connections.
By default, Gmail always tries to send messages over a secure TLS connection. A secure, end-to-end TLS connection requires that both the sending and receiving server use TLS. If the receiving server doesn't use TLS, Gmail still sends messages but the connection isn't secure.
If you require that email always be sent over a secure TLS connection, even when you're not sure receiving servers use TLS, add an Alternate secure route setting. When you add an alternate secure route with this setting, outgoing email from your domain is sent through a host or third-party service that encrypts messages before they're delivered to receiving servers.
Note:To use TLS for messages to and from email addresses or domains that you specify, follow the steps in Send email over a secure TLS connection .
Step 1: Add the host
Add a host that will add encryption to outgoing messages. Make sure the host that supports the TLS version required for your organization's email. For detailed steps, visit Add mail servers for Gmail email routing .
Step 2: Add a alternate secure route
Add an alternate secure route through the host you added in Step 1:
- Sign in to your Google Admin console .
Sign in using your administrator account (does not end in @gmail.com).
- In the Admin console, go to Menu Apps Google Workspace Gmail Routing.
- On the left, select the top-level organization.
- Scroll to the Alternate secure route setting and click Edit.
- Check the Use an alternate route when secure transport is requiredbox.
- Under the box, select the host you added in Step 1.
- Click Save
Changes can take up to 24 hours but typically happen more quickly. Learn more
To track changes, go to the Admin audit log .