This document describes the options for sending mail from a virtual machine (VM) instance and provides general recommendations on how to set up your instances to send email.
Using standard email ports
Google Cloud does not place any restrictions on traffic sent to external destination IP addresses using destination TCP ports 587 or 465. The implied allow egress firewall rule allows this traffic unless you've created egress deny firewall rules that block it.
Due to the risk of abuse, connections to destination TCP port 25 are blocked when the destination is external to your VPC network. This includes using SMTP relay with Google Workspace. However, some projects do not have this restriction and do allow external SMTP egress on port 25. For more information, see Blocked and limited traffic.
Choosing an email service to use
In addition to using standard email ports, using a trusted third-party provider such as SendGrid, Mailgun, or Mailjet relieves both you and Compute Engine of maintaining IP reputation with your receivers.
SendGrid, Mailgun, and Mailjet offer a free tier for Compute Engine customers to set up and send email through their servers. If you don't have a Google Workspace account, use these third-party partners to take advantage of click tracking, analytics, APIs, and other features to meet your email needs.
Alternatively, if you are familiar with Google Workspace and are already paying for a Google Workspace account that supports email, you can set up a relay service to send email through Google Workspace. Note that Gmail and Google Workspace enforce limits for email activity.
If you don't have a Google Workspace account or don't want to use Google Workspace or a third-party mail provider, you can set up your own email server on an instance by using a non-standard port. You can choose any ephemeral port that isn't blocked by Compute Engine.
- To use SendGrid, Mailgun, or Mailjet: Follow the instructions for Sending Email using SendGrid, Sending Email using Mailgun, or Sending Email using Mailjet.
- To use a Google Workspace domain: Follow the instructions for SMTP relay service settings in the Google Workspace documentation. SMTP relaying through Google Workspace is only allowed through ports 465 or 587. Port 25 is not supported through Google Workspace.
If you want to use your own email server on a custom port, use the documentation specific to your email service to configure a custom email port.
Setting up a firewall rule to allow outbound traffic on a custom port
To allow outbound traffic through a custom port, you need to set up a firewall rule. For example, the following steps set up a rule that allows outbound traffic on port 2525. Replace port 2525 with the custom port of your choice.
1. In the Google Cloud console, go to the Create a firewall rule page.
2. Choose a name for the firewall rule.
3. Under Network, select the network that is hosting the VM instance that you intend to send email messages from.
4. Under Direction of traffic, select Egress.
5. Under Targets, choose the appropriate target for this rule. For example, you might choose Specified target tags if you want the rule to apply to instances that have a specific tag.
6. Under Destination filter, set 0.0.0.0/0 if you want to allow egress traffic from the VM instance to any destination. If you want to limit the destination, enter another IP range here.
7. Under Protocols and ports, select Specified protocols and ports, select tcp, and enter 2525.
8. Click Create to save your changes.
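The console steps above map onto a single `gcloud compute firewall-rules create` command. The following script is an added example, not part of the original page: it validates the port and destination range, then prints the command for review instead of running it. The rule name, the `default` network, the `mail-sender` tag and the `203.0.113.10/32` destination are constructed placeholders, and requiring a target tag is this example's choice.

```shell
# Added example (not from the original page). Rule name, network, tag and
# the 203.0.113.10/32 destination are constructed placeholders.

# Accept a TCP port only if it is numeric, in range, and not 25.
valid_mail_port() (
  port=$1
  case $port in
    ''|*[!0-9]*|??????*) echo "invalid port: $port" >&2; exit 1 ;;
  esac
  if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
    echo "port out of range: $port" >&2; exit 1
  fi
  # External egress on TCP 25 is blocked, so an allow rule would not help.
  if [ "$port" -eq 25 ]; then
    echo "port 25 is blocked for external destinations" >&2; exit 1
  fi
)

# Accept only a well-formed IPv4 CIDR such as 0.0.0.0/0.
valid_ipv4_cidr() (
  cidr=$1
  case $cidr in
    */*/*|*[!0-9./]*|*./*) exit 1 ;;
    */*) ;;
    *) exit 1 ;;
  esac
  addr=${cidr%/*}; len=${cidr#*/}
  [ -n "$len" ] && [ "$len" -le 32 ] || exit 1
  IFS=.
  set -- $addr
  [ $# -eq 4 ] || exit 1
  for octet in "$@"; do
    [ -n "$octet" ] && [ "$octet" -le 255 ] || exit 1
  done
)

# Print the gcloud command for a tag-scoped egress allow rule.
# Usage: build_egress_rule NAME NETWORK TAG PORT [DEST_CIDR]
build_egress_rule() (
  name=$1 network=$2 tag=$3 port=$4 dest=${5:-0.0.0.0/0}
  valid_mail_port "$port" || exit 1
  valid_ipv4_cidr "$dest" || { echo "bad destination range: $dest" >&2; exit 1; }
  [ -n "$tag" ] || { echo "a target tag is required" >&2; exit 1; }
  printf 'gcloud compute firewall-rules create %s --network=%s --direction=EGRESS --action=ALLOW --rules=tcp:%s --destination-ranges=%s --target-tags=%s\n' \
    "$name" "$network" "$port" "$dest" "$tag"
)

# Dry run: print the command for review; run the printed line to create the rule.
build_egress_rule allow-smtp-2525 default mail-sender 2525 203.0.113.10/32
```

Omitting the last argument falls back to the 0.0.0.0/0 destination used in the console steps; passing a single mail relay address keeps the rule as narrow as the workload allows.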
Sending mail through corporate mail servers
In some cases, you might have a corporate mail server that is already running an email service for you. If you need to send mail through a corporate mail server but are blocked by the port restrictions described at the top of this page, you can use a VPN to bypass these restrictions. This method requires running a VPN client on your Compute Engine cluster, and a VPN server on your corporate network router. This setup lets your instance appear "inside" your corporate firewall, and allows unrestricted access to your corporate mail server.
There are security implications for this configuration, and you should ensure that your Compute Engine instance has access to only the services it requires, and nothing more.
- Send emails from your instance using SendGrid.
- Send emails from your instance using Mailgun.
- Send emails from your instance using Mailjet.
- Read the Google Workspace domain documentation to learn how to use the SMTP relay service.