How to allow SMTP on Google Cloud VM
https://g.co/gemini/share/dc2f83e714bb
Configuring a Google Cloud VM to allow SMTP traffic involves several steps. By default, Google Cloud Platform (GCP) blocks outbound connections on ports 25, 465, and 587. This is a security measure to prevent the platform from being used for spam. To send emails from your VM, you need to use a third-party email service like SendGrid, Mailgun, or Mailjet and configure your VM to route SMTP traffic through their servers.
Using a Third-Party Email Service 📧
Using a third-party email service is the recommended and most reliable method for sending emails from a GCP VM. These services handle the complexities of email delivery, including deliverability, reputation management, and security, which are difficult to manage on your own.
1. Choose an Email Provider
Select a third-party email service. Popular choices include:
- SendGrid
- Mailgun
- Mailjet
- Amazon SES
These services offer free tiers for a limited number of emails, which is great for testing and small-scale projects.
2. Sign Up and Configure 📝
Sign up for an account with your chosen provider. You’ll need to configure your domain’s DNS records (like MX, SPF, and DKIM) to verify ownership and ensure proper email authentication. The provider will give you specific instructions for this.
3. Install and Configure on Your VM 💻
On your Google Cloud VM, you will need to install and configure a mail client or library that uses the third-party service’s API or SMTP relay. Most programming languages and frameworks have libraries that make this easy.
- SMTP Relay: Configure your application to send emails through the provider’s SMTP server using the credentials they provide (username, password, and port). This is the most common method.
- API Integration: Use the provider’s API to send emails directly from your application. This is often more performant and feature-rich.
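The SMTP relay option above, as an added example that is not part of the original page: it submits mail through the provider's relay, refuses to send credentials unless STARTTLS with certificate verification succeeds, and keeps the credentials out of source code. The environment variable names (SMTP_HOST, SMTP_PORT, SMTP_USER, SMTP_PASS) and the example.com addresses are assumptions, as is a relay that offers STARTTLS on its submission port.

```python
import os
import smtplib
import ssl
from email.message import EmailMessage

SUBMISSION_PORT = 587  # default when SMTP_PORT is unset


def load_relay_config(env=os.environ):
    """Read relay settings from the environment (variable names are assumptions)."""
    missing = [k for k in ("SMTP_HOST", "SMTP_USER", "SMTP_PASS") if not env.get(k)]
    if missing:
        raise ValueError("missing relay settings: " + ", ".join(missing))
    port = int(env.get("SMTP_PORT", SUBMISSION_PORT))
    if port == 25:
        raise ValueError("port 25 is not usable for relay submission from the VM")
    return {"host": env["SMTP_HOST"], "port": port,
            "user": env["SMTP_USER"], "password": env["SMTP_PASS"]}


def build_message(sender, recipient, subject, body):
    """Build the mail, rejecting CR/LF in header values (header injection)."""
    for value in (sender, recipient, subject):
        if "\r" in value or "\n" in value:
            raise ValueError("line break in header value")
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, recipient, subject
    msg.set_content(body)
    return msg


def send_via_relay(cfg, msg, timeout=15):
    """Authenticate and send only after STARTTLS with certificate checks succeeds."""
    context = ssl.create_default_context()  # verifies certificate chain and hostname
    with smtplib.SMTP(cfg["host"], cfg["port"], timeout=timeout) as smtp:
        smtp.starttls(context=context)  # raises if STARTTLS is not offered
        smtp.login(cfg["user"], cfg["password"])
        smtp.send_message(msg)


if __name__ == "__main__":
    # Constructed sample addresses; replace with a sender on your verified domain.
    mail = build_message("alerts@example.com", "ops@example.com",
                         "Relay test", "Sent from the VM through the provider relay.")
    send_via_relay(load_relay_config(), mail)
```

Because `starttls()` raises when the server does not offer the extension, the login never falls back to plaintext.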
Alternative: Unblocking SMTP Ports (Not Recommended) 🚫
While it’s possible to send emails directly from your VM, it’s generally not recommended. GCP’s outbound port restrictions are in place to prevent abuse and maintain the platform’s reputation.
However, if you must send emails directly, you can only use port 587 and need to configure a firewall rule to allow this traffic. Port 25 is permanently blocked, and while port 465 is also restricted, port 587 is the standard for secure email submission.
Steps to Create a Firewall Rule:
- Navigate to the VPC Network Section: In the Google Cloud Console, go to VPC network -> Firewall.
- Create a New Rule: Click Create Firewall Rule.
- Configure the Rule:
  - Name: Give the rule a descriptive name, like allow-smtp-outbound-587.
  - Network: Select the network your VM is in (usually default).
  - Direction of traffic: Set to Egress (outbound).
  - Targets: Select All instances in the network or specify a service account or tags if you want to apply it to a specific subset of VMs.
  - Destination filters: You can leave this as 0.0.0.0/0 to allow traffic to any destination.
  - Protocols and ports: Select Specified protocols and ports and enter tcp:587.
- Create the Rule: Click Create.
Even with this rule, you’ll still need to use a reputable mail server (like one provided by your domain registrar or a dedicated email service) and not a public one, as sending from a Google Cloud IP address directly is likely to result in your emails being marked as spam.
Summary
For reliable and secure email delivery from a Google Cloud VM, always use a third-party email provider and their authenticated SMTP relay or API. This method bypasses the default port restrictions and ensures your emails reach their intended recipients without being flagged as spam.