App Engine applications can send email messages on behalf of the app's email receiving addresses and on behalf of some users with Google Accounts. Apps can receive email at various addresses. Apps send messages using the Mail service and receive messages in the form of HTTP requests initiated by App Engine and posted to the app.
The Mail service can send email messages to one or more recipients. A message contains a subject, a plaintext body, and an optional HTML body. It can also contain file attachments and a limited set of headers.
You can use any email address for a recipient. A recipient can be in the message's "to" field, in the "cc" field, or hidden from the message recipients (a "blind carbon copy" or "bcc").
When an application calls the Mail service to send a message, the message is queued, and the call returns immediately. The Mail service uses standard procedures for contacting each recipient's mail server, delivering the message, and retrying if the mail server cannot be contacted.
Who can send mail
For security purposes, the sender address of a message must be one of the following:
- The Gmail or Google Workspace Account of the user who is currently signed in
- Any email address of the form
- Any email address listed in the Cloud Console under Email API Authorized Senders
All email addresses on the Email API Authorized Senders list need to be valid Gmail or Google-hosted domain accounts. App Administrators can add the following accounts to the list of Authorized Senders:
- Their own email address
- Any group for which they are an Owner or Manager
- Applications hosted in a Google Workspace domain: noreply@[DOMAIN].com, as long as noreply@[DOMAIN].com is a valid account (user or group).
In addition, domain administrators of domains managed by Google Workspace can add any user in their domain to the list of authorized senders.
You are limited to a maximum of 50 authorized senders.
Mail from Google Workspace
If you will be sending email from a domain managed by Google Workspace, you should set the DNS SPF records for your domain to indicate that Google is a trusted source for your email. For instructions on how to do this, see SPF in the Google Workspace Help Center.
Note that if you use aliases set up for your Google Workspace domain, you cannot send email from email addresses that use the domain alias.
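To check that a domain's SPF record really does name Google as a trusted source, the following added example (not part of the original documentation) evaluates the TXT records published for the sender domain. The include value is Google Workspace's published SPF include and is not stated on this page; the function name, status codes and sample records are constructed for illustration.

```python
# The include below is Google Workspace's published SPF include; it does not
# appear on this page.
GOOGLE_INCLUDE = "include:_spf.google.com"

def check_spf(txt_records):
    """Return a status code for the TXT records published at a sender domain.

    Simplification: redirect= modifiers and nested includes are not followed.
    """
    # Only TXT strings whose first term is the version tag are SPF records.
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return "missing"
    if len(spf) > 1:
        return "multiple"  # RFC 7208: more than one record is a permerror
    terms = spf[0].lower().split()[1:]
    # A bare or "+" qualified include passes mail that Google's record passes.
    google = [i for i, t in enumerate(terms) if t.lstrip("+") == GOOGLE_INCLUDE]
    if not google:
        return "google_not_authorized"
    alls = [i for i, t in enumerate(terms) if t.lstrip("+-~?") == "all"]
    # Mechanisms are evaluated left to right and "all" always matches, so
    # anything placed after it is never reached.
    if alls and alls[0] < google[0]:
        return "include_unreachable"
    if any(terms[i] in ("all", "+all") for i in alls):
        return "pass_all"  # authorizes every host to send as this domain
    return "ok"

# Constructed sample records, not real DNS answers.
SAMPLES = {
    "good": ["google-site-verification=constructed", "v=spf1 include:_spf.google.com ~all"],
    "no_google": ["v=spf1 ip4:192.0.2.10 -all"],
    "duplicate": ["v=spf1 include:_spf.google.com ~all", "v=spf1 mx -all"],
    "wrong_order": ["v=spf1 -all include:_spf.google.com"],
    "too_open": ["v=spf1 include:_spf.google.com +all"],
}

if __name__ == "__main__":
    for name, records in SAMPLES.items():
        print(name, "->", check_spf(records))
```

Feed it the TXT answers returned by your resolver for the sender domain; any result other than "ok" means receivers may not treat App Engine mail as authorized.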
Bounce notifications when mail is not delivered
Mail that matches a known signature for spam, viruses, or other malicious content may not be accepted for delivery.
If the Mail service cannot deliver a message, or if a recipient's mail server returns a bounce message (for example, because there is no account for that address on that system), an error message can be sent by email to the address of the sender for the message. The application itself does not receive any notification about whether delivery succeeded or failed.
By default, email bounce notifications are not enabled. In order to receive email bounce notifications, you need to configure your application. For more details, see Receiving Bounce Notification.
Mail and the development server
The development server can be configured to send email messages directly from your computer when you test a feature of your app that sends messages. You can configure the development server to use an SMTP server of your choice. Alternatively, you can tell the development server to use Sendmail, if Sendmail is installed on your computer and set up for sending email.
If you do not configure an SMTP server or enable Sendmail, when your app calls the Mail service, the development server will log the contents of the message. The message will not actually be sent.
Authentication with DomainKeys Identified Mail (DKIM)
When you send mail, App Engine uses the DomainKeys Identified Mail (DKIM) standard to authenticate the domain. If your application sends messages from an email address that is part of a Google Workspace domain, App Engine can cryptographically sign the emails it sends. This signature says that an email that purports to be from email@example.com really came from that domain. The recipient can check this signature; if the signature is correct, the recipient knows that the sender's domain wasn't spoofed.
To enable DKIM authentication for messages sent from Google Workspace email addresses, follow these instructions in the Google Workspace Help Center. Note that it can take up to 48 hours before DKIM authentication is active for your Google Workspace domain.
You must also ensure that your application is using a custom domain and that it is the same as your Google Workspace domain. Also note that Google Workspace domains with subdomains such as subdomain.example.com are not permitted.
App Engine will sign the application's outgoing mails if the sender address is part of a Google Workspace domain with DKIM enabled. Additionally, the sender address must be formatted such that the domain part of the email address only consists of lowercase letters.
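Because mail that fails these conditions is sent unsigned rather than rejected, a pre-send check is useful. The following added example (not App Engine's own code) reports which of the conditions above a sender address fails. The function name and blocker codes are hypothetical, "only lowercase letters" is read as "no uppercase characters in the domain part", and the subdomain rule is read as "the sender domain must equal the Workspace domain exactly".

```python
from email.utils import parseaddr

def dkim_blockers(sender, workspace_domain, app_custom_domain):
    """Return the reasons mail from `sender` would go out without a DKIM signature.

    workspace_domain: the Google Workspace domain with DKIM enabled.
    app_custom_domain: the custom domain the application is served from.
    """
    _, addr = parseaddr(sender)  # also accepts "Display Name <user@domain>"
    local, sep, domain = addr.rpartition("@")
    if not (local and sep and domain):
        return ["invalid_sender"]

    ws = workspace_domain.lower().rstrip(".")
    blockers = []
    # The domain part must already be lowercase in the address as sent.
    if domain != domain.lower():
        blockers.append("uppercase_domain")
    normalized = domain.lower().rstrip(".")
    if normalized.endswith("." + ws):
        blockers.append("subdomain")             # e.g. subdomain.example.com
    elif normalized != ws:
        blockers.append("not_workspace_domain")
    # The app's custom domain has to match the Workspace domain as well.
    if app_custom_domain.lower().rstrip(".") != ws:
        blockers.append("custom_domain_mismatch")
    return blockers

if __name__ == "__main__":
    # Constructed sender addresses for illustration.
    for s in ("alerts@example.com",
              "Alerts <alerts@Example.com>",
              "alerts@mail.example.com"):
        print(s, "->", dkim_blockers(s, "example.com", "example.com") or "signed")
```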
Quotas and limits
To see the current quota usage of your application, go to the Quota Details page in the Google Cloud Console.
Each Mail service request counts toward the Mail API Calls quota. There are also quotas for the number of messages you can send, the number of Admin messages you can send, and the amount of data and attachments you can send. For more details, see Mail quotas.
The quota is reset daily. If you exceed the daily quota, you will get an over quota exception. If you need to send more mail than the quota allows, you can use a third-party mail provider, such as SendGrid or Mailgun.
In addition to quotas, the following limits apply to the Mail service:
| Limit | Amount |
|---|---|
| Maximum size of outgoing mail messages, including attachments | 31.5 MB |
| Maximum size of incoming mail messages, including attachments | 31.5 MB |
| Maximum size of message when an administrator is a recipient | 16 KB |
| Maximum number of authorized senders | 50 |