This document describes the options for sending mail from a virtual machine instance and provides general recommendations on how to set up your instances to send email.
Using standard email ports
Google Compute Engine does not allow outbound connections on ports 25, 465, and 587. By default, these outbound SMTP ports are blocked because of the large amount of abuse these ports are susceptible to. In addition, having a trusted third-party provider such as SendGrid or Mailgun relieves Compute Engine and you from maintaining IP reputation with your receivers.
While sending email from blocked ports is not allowed, your instances can still receive email.
Choosing an email service to use
Although standard email ports are blocked, you can choose a non-standard port to send email through. You can also take advantage of the mail services offered by Compute Engine partners.
SendGrid and Mailgun are Compute Engine's third-party partners that offer a free tier for Compute Engine customers to set up and send email through their servers. If you don't have a Google Apps account, use these third-party partners to take advantage of features like click tracking, analytics, APIs, and other features to meet your email needs.
Alternatively, if you are familiar with Google Apps and are already paying for a Google Apps account that supports email, you can set up a relay service to send email through Google Apps. Note that Gmail and Google Apps enforce limits for email activity. For details, see Google Apps email sending limits.
If you don't have a Google Apps account or don't want to use Google Apps, SendGrid, or Mailgun, you can set up your own email server on an instance using a non-standard port. You can choose any ephemeral port that isn't blocked by Compute Engine.
- To use SendGrid or Mailgun: Follow the instructions for Sending Email using SendGrid or Sending Email using Mailgun.
- To use a Google Apps domain: Follow the instructions for SMTP relay service settings on the Google Apps documentation. Note that SMTP relaying through Google Apps is only allowed through ports 465 or 587. Port 25 is not supported through Google Apps.
If you want to use your own email server on a custom port, use the documentation specific to your email service to configure a custom email port.
Sending mail through corporate mail servers
In some cases, you might have a corporate mail server that is already running an email service for you. If you need to send mail through a corporate mail server but are blocked by the port restrictions described at the top of this page, you can use a VPN to bypass these restrictions. This method requires running a VPN client on your Compute Engine cluster, and a VPN server on your corporate network router. This setup would allow your instance to appear "inside" your corporate firewall, and allow unrestricted access to your corporate mail server.
There are security implications for this configuration, and you should ensure that your Compute Engine instance access to only the services it requires, and nothing more.