Ciphers for Gmail SMTP TLS connections

This page is actively maintained and reflects Gmail's current TLS and cipher support.

Ciphers are algorithms that help secure network connections that use Transport Layer Security (TLS). Ciphers are generally one of 3 types:

• Key exchange algorithm: Exchanges a key between two devices. The key encrypts and decrypts messages sent between the two devices. 
• Bulk encryption algorithm: Encrypts the data sent over the TLS connection.
• MAC algorithm: Verifies that sent data does not change in transit. 

There are also ciphers that include signatures, and that authenticate servers or clients. Learn more about Gmail and TLS connections.

Support for TLS 1.0, 1.1, 3DES, and other less secure TLS connections

Gmail always attempts to use the latest, most secure TLS versions, and doesn’t use less secure versions when more secure versions are available. However, Gmail SMTP delivery supports less secure TLS versions for compatibility when more secure TLS versions aren’t supported or available. Less secure TLS versions that are supported by Gmail include TLS 1.0, TLS 1.1, and 3DES ciphers. 

To prevent malicious users from forcing connections to use less secure versions of TLS, connection negotiations are always encrypted. 

You can optionally add a content compliance setting in your Google Admin console to reject messages from connections that don’t use TLS 1.2 or stronger. Go to detailed steps below

Ciphers for TLS negotiation

Google’s SMTP servers accepts these ciphers for Transport Layer Security (TLS) negotiation.

TLS negotiation is also called a TLS handshake. During the handshake, the communicating sides acknowledge each other, verify each other, and agree on the ciphers and session keys they’ll use.

This list of ciphers for TLS negotiation was updated in March 2023.

Outbound server ciphers

These ciphers are preferred by Gmail outbound servers.

Gmail tells the receiving server that it supports TLS versions 1.3, 1.2, 1.1, and 1.0. The receiving server then determines which TLS version is used for the connection.

Google doesn't support SSLv3.

This list of outbound server ciphers was updated in April 2020.

​Reject connections less secure than 3DES or TLS 1.2

Follow these steps to configure Gmail SMTP connections to use TLS 1.2 or stronger. When you add this setting, more incoming messages are rejected, and aren’t delivered to recipients. For detailed information about the content compliance setting, visit Set up rules for advanced email content filtering.

1. Anmelden to your Google Admin console.

   Sign in using your administrator account (does not end in @gmail.com).

2. In the Admin console, go to Menu  AppsGoogle ArbeitsbereichGmailCompliance.

3. (Optional) On the left, select the organization.

4. Scroll to the Content compliance setting in the Compliance section, hover over the setting, and click Configure. If the setting is already configured, hover over the setting and click Edit or Add another. 

5. In the Add setting box, take these steps:

   Setting option	What to do
   Under Content compliance	Enter a description for the setting for example, Always use TLS 1.2
   Email messages to affect	Select Inbound and Internal-receiving.
   Add expression to reject TLS 1.0 connections	Under or in the Expressions table, click Add. The Add setting box appears. At the top of the box, click the menu  and select Advanced content match. Under Standort, select Full headers. Under Match type, select Matches regex. The Regexp options appear. Under Regexp, enter this expression: ^Received:.*\(version=TLS1 cipher= Under Regex Description, enter a descriptive name, for example Match TLS 1.0. Leave the Minimum match count field empty. At the bottom of the Add setting box, click Save. The new expression appears in the Expressions table.
   Add expression to reject 3DES connections	Under or in the Expressions table, click Add. The Add setting box appears. At the top of the box, click the menu  and select Advanced content match. Under Location, select Full headers. Under Match type, select Matches regex. The Regexp options appear. Under Regexp, enter this expression: ^Received:.\scipher=[A-Z,0-9,]*DES[A-Z,0-9,]\s Under Regex Description, enter a descriptive name, for example Match DES Cipher. Leave the Minimum match count field empty. At the bottom of the Add setting box, click Save. The new expression appears in the Expressions table.
   If the above expressions match, do the following	This action applies if either of the above expressions match. Select Reject message. Under Custom rejection notice, enter the text of the message that senders get when their message is rejected due to the setting, for example: This server requires TLSv1.1 or higher, and doesn’t support DES/3DES.
   Show options	To display more setting options, click Show options. Under B. Account types to affect, select Users and Unrecognized/Catch-all.

6. Add the bottom of the Add setting box, click Save.
   Changes can take up to 24 hours but typically happen more quickly. Mehr erfahren You can monitor changes in the Admin console audit log.