Your MTA architecture

  • 5 minute(s) read

Step 1 – Verifying the plan and user type

Navigate to the “My Plan” page and verify that your plan type is “PRO” and your access level is “Admin“.

Note: If you don’t have a “Pro” plan, or you do not have admin-level access, please contact support@trustificorp.com

Step 2 – Navigating to outbound plan settings

Open the “Outbound Management” section on the left-side navigation panel and click on the “Plan Settings” page.

Step 3 – Selecting “Your MTA” architecture

First, open the “Email Flow Integration” tab. Under “Email Flow Architecture“, switch from the default (“Via Trustifi MTA“) to “Via your MTA“.

Step 4 – Adding your domain and MTA

First, click on “Confirm” to change the architecture.

After selecting “Via your MTA”, a new section will appear - “Domain and MTA”. Enter the following inputs:

  • In the “domain” field, enter your domain (e.g. “mydomain.com”)

  • In the “MTA” field enter the Google SMTP relay address: smtp-relay.gmail.com

  • In the “port” field enter 587

  • Click on the blue checkmark icon to confirm

Step 5 – Enabling the Email Relay

First, verify the domain and MTA have been save correctly.

Once ready, click on the “Enable Relay” toggle to enable the Email Relay and generate your secret key.

Step 6 – Copying the Email Relay key

After the integration is enabled, your secret key will be generated.
You can click on the “copy” button to copy the Email Relay secret key for later use.

Google Admin Center

Step 7 – Navigating to the Google Admin Center – Mail flow

Navigate to the “Google Admin Center” via the following link –https://admin.google.com/.
After you have logged in, input “hosts” in the search bar and select the first option.

Adding host route

Step 8 – Adding a new route

Click on “ADD ROUTE” under “Hosts“.

Step 9 – Creating the host

Follow the steps below to configure the host:

  1. Name your host

  2. Select “Single host

  3. In the “Host name” field enter “smtp.trustifi.com” (without the quotes) with port 25

  4. Check these boxes:

    • Require mail to be transmitted via a secure (TLS) connection

    • Require CA signed certificate

    • Validate certificate hostname

  5. Click “Save

Step 10 – Validate the host

Make sure your host’s address and port are correct.

Step 11 – Navigating to “Settings for Gmail”

In the navigation bar at the top of the screen, click on “Settings for Gmail“.

Step 12 – Navigating to “Compliance”

Scroll down to the bottom of the page and click on “Compliance“.

Step 13 – Adding a new rule

Now we will need to configure a set of rules to guide mail flow to our new host. In the “Compliance” page, scroll down to the “Content Compliance” section and click on “Add another rule“.

Adding a new compliance rule

Step 14 – Configuring the rule

Name your compliance rule, and check the “Outbound” box.

If you also want to send internal emails with Trustifi, check the “Internal - Sending” box as well.

Naming the rule and selecting routing

Step 15 – Configuring the IP routing condition

In section 2, select “If ALL of the following match the message” and click “Add“.

Creating a rule condition

Step 16 – Configuring the IP routing condition

This condition is made to skip emails that have already been sent by Trustifi’s inbound IPs, which can result in email loops. Set the following configurations:

  1. Select “Advanced content match

  2. Under “Location“, select “Full headers

  3. Under “Match type“, select “Not matches regex

  4. Add this regex (without the quote marks) –
    “^Received[:].+(3[.]93[.]139[.]220|3[.]93[.]243[.]176|52[.]54[.]159[.]237|52[.]73[.]143[.]252|3[.]251[.]32[.]127|54[.]195[.]145[.]1|3[.]227[.]182[.]193|54[.]161[.]96[.]109|52[.]89[.]220[.]23|52[.]37[.]228[.]167)”

  5. Click “Save

Step 17 – Adding a custom header

Scroll down to section number 3, make sure the “Modify message” is selected, and check the “Add custom headers” checkbox. Click on “Add” to add the headers (see next step).

Step 18 – Adding the custom header

In the “Header key” field, enter the value “trustifi-creds” (without the quotes).
Note: the full header value is “x-trustifi-creds“. However, since Google adds the initial “X” by default, it’s important to only add the value “trustifi-creds” here to avoid a malformed header.
In the “Header value” field, enter the value copied over from step 6. Once both values have been entered, click on “Save“.

Step 19 – Verifying the custom header

Make sure the custom header key and value were added correctly before continuing.

Step 20 – Setting the route

Now we will have to set the route for this routing rule for our new host. Check the “Change route” box, click on “Normal routing” and select the host you’ve created by name.

Step 21 – Bypassing spam and displaying more options

Under the “Spam” section, check the box for “Bypass spam filter for this message“.
Then, click the “Show options” button to display advanced routing options.

Step 22 – Selecting account types to affect

Under “Account types to affect“, make sure both “Users” and “Groups” are selected.

Step 23 – Deployment for a limited scope

If you wish to deploy the email relay in a limited scope (instead of having all users affected), view our guide for Limited Scope Deployment and follow the steps there.

Step 24 – Saving the changes

Once all the correct route changes have been made, click on “SAVE” at the bottom-right corner.

Step 25 – Adding the Trustifi IP set to your SPF record

To make sure incoming emails will not be tagged as spam/phishing by Google after being routed through the Trustifi relay, it is highly recommended to add the following IPs to your domain’s SPF record:

  • 3.93.243.176

  • 3.93.139.220

  • 3.251.32.127

  • 54.195.145.1

  • 52.37.228.167

  • 52.89.220.23

  • 52.73.143.252

  • 52.54.159.237

Note: This step is not strictly mandatory, but we recommend it to avoid disruption of mail flow.

Step 26 – Editing the inbound gateway

Find “Inbound gateway” section and click to edit it.

Step 27 – Adding the Trustifi IPs to the inbound gateway

First, make sure the gateway is enabled, then add the following IPs:

  • 3.93.243.176

  • 3.93.139.220

  • 3.251.32.127

  • 54.195.145.1

  • 52.37.228.167

  • 52.89.220.23

  • 52.73.143.252

  • 52.54.159.237

You will also need to check the boxes for “Automatically detect external IP (recommended)” and “Require TLS for connections from the email gateways listed above“.

Step 28 - Creating an SMTP Relay Service

Use the main search bar to find and navigate to the “Routing” page.

From this page, scroll down until you find the “SMTP relay service” section and click to add a new service.

To start configuring the SMTP relay, follow these steps:

  1. Provide a descriptive name for the service (for example “Trustifi Outbound (Receive)“)

  2. In the “Allowed Senders” section, select “Only addresses in my domains

  3. In the “Authentication” section, select “Only accept mail from the specified IP addresses

  4. Click on the “ADD” button to add IP addresses

Step 29 - Adding the Trustifi IP Addresses

When adding an IP address, first you will need to provide a description for each address. You can specify “Trustifi outbound IP“.

You will need to add these IPs one by one:

  • 52.73.143.252

  • 52.54.159.237

After adding each IP, click on the “Save” button at the bottom.

After the IP addresses have been added, verify they are both present.

Then, in section 3, select the “Require TLS encryption” setting.

After these configurations have been made, click on the “Save” button to save the SMTP relay configuration.