This document describes the options for sending mail from a virtualmachine (VM) instance and provides general recommendations on how to set up yourinstances to send email.

Using standard email ports

Google Cloud does not place any restrictions on traffic sent to externaldestination IP addresses using destination TCP ports 587 or 465. Theimplied allow egress firewall ruleallows this traffic unless you've created egress deny firewall rules that blockit.

Due to the risk of abuse, connections to destination TCP Port 25 are blockedwhen the destination is external to your VPC network. Thisincludes using SMTP relay with Google Workspace. However, some projects do nothave this restriction and do allow external SMTP egress on port 25. For moreinformation, seeBlocked and limitedtraffic.

In addition to using standard email ports, having a trusted third-party emailprovider such as SendGrid, Mailgun, or Mailjet improves yourIP reputation score.

SendGrid, Mailgun, and Mailjet offer a free tier for Compute Enginecustomers to set up and send email through their servers. If you don't have aGoogle Workspace account, use these third-party partners to take advantage offeatures like click tracking, analytics, APIs, and other features to meet youremail needs.

Alternatively, if you are familiar withGoogle Workspace and are already paying for aGoogle Workspace account that supports email, you canset up a relay serviceto send email throughGoogle Workspace. Note thatGmail and Google Workspace enforcelimits for email activity.

If you don't have a Google Workspace account or don't want to useGoogle Workspace or a third-party mail provider, you can set up your ownemail server on an instance by using a non-standard port. You can choose anyephemeral port that isn't blocked by Compute Engine.

• To use SendGrid, Mailgun, or Mailjet: Follow the instructions forSending Email using SendGrid,Sending Email using Mailgun,orSending Email using Mailjet.
• To use a Google Workspace domain: Follow the instructions forSMTP relay service settingsin the Google Workspace documentation. SMTP relaying through Google Workspace isonly allowed through ports 465 or 587. Port 25 is not supported throughGoogle Workspace.

If you want to use your own email server on a custom port, use thedocumentation specific to your email service to configure a customemail port.

Setting up a firewall rule to allow outbound traffic on a custom port

To allow outbound traffic through a custom port, you need to set up a firewallrule. For example, the following steps set up a rule that allows outboundtraffic on port 2525. Replace port 2525 with the custom port of your choice.

1. In the Google Cloud console, go to theCreate a firewall rule page.

   Go to Create a firewall rule

2. Choose a name for the firewall rule.

3. UnderNetwork, select the network that is hosting the VM instance thatyou intend to send email messages from.

4. UnderDirection of traffic, selectEgress.

5. UnderTargets, choose the appropriate target for this rule. For example,you might chooseSpecified target tags if you want the rule to applyto instances that have aspecific tag.

6. UnderDestination filter, set0.0.0.0/0 if you want to allow egresstraffic from the VM instance to any destination. If you want to limit thedestination, enter another IP range here.

7. UnderProtocols and ports, selectSpecified protocols and ports,selecttcp, and enter2525.

8. ClickCreate to save your changes.

Sending mail through corporate mail servers

In some cases, you might have a corporate mail server that is already runningan email service for you. If you need to send mail through a corporate mailserver but are blocked by the port restrictions described at the top ofthis page, you can use a VPN to bypass these restrictions. This method requiresrunning a VPN client on your Compute Engine cluster, and a VPN serveron your corporate network router. This setup lets your instance appear"inside" your corporate firewall, and allows unrestricted access to yourcorporate mail server.

There are security implications for this configuration, and you should ensurethat your Compute Engine instance has access toonly the servicesit requires, and nothing more.

What's next

• Send emails from your instanceusing Sendgrid.
• Send emails from your instanceusing Mailgun.
• Send emails from your instanceusing Mailjet.
• Read the Google Workspace domain documentation to learn how to use theSMTP relay service.