How to find GMAIL IPs to allow at Firewall
If you are using a hosting provider that cares about security, you could have an issue connecting to Gmail's mail servers. The provider is probably blocking outbound connections over most ports, so you have to add Gmail's IP addresses to the firewall rules.
How to find Gmail IPs
The first step is to dig for the SPF record for gmail.com:
dig gmail.com txt
; <<>> DiG 9.9.2-P1 <<>> gmail.com txt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35581
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;gmail.com. IN TXT
;; ANSWER SECTION:
gmail.com. 300 IN TXT "v=spf1 redirect=_spf.google.com"
;; Query time: 52 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Mon Apr 7 09:03:57 2014
;; MSG SIZE rcvd: 8
OK, now you have some information you can use: the record redirects to _spf.google.com.
Now dig that name:
dig _spf.google.com txt
; <<>> DiG 9.9.2-P1 <<>> _spf.google.com txt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26190
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_spf.google.com. IN TXT
;; ANSWER SECTION:
_spf.google.com. 213 IN TXT "v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ~all"
;; Query time: 29 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Mon Apr 7 09:04:23 2014
;; MSG SIZE rcvd: 160
Notice that _spf.google.com includes three netblocks. You will need to dig each of them to get the IP addresses you need.
The first one is the IPv4 list, the second one is IPv6, and the last one is a normal SPF record.
Gmail's IPv4 IPs
dig _netblocks.google.com txt
; <<>> DiG 9.9.2-P1 <<>> _netblocks.google.com txt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46828
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_netblocks.google.com. IN TXT
;; ANSWER SECTION:
_netblocks.google.com. 1149 IN TXT "v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 ip4:74.125.0.0/16 ip4:64.18.0.0/20 ip4:207.126.144.0/20 ip4:173.194.0.0/16 ~all"
;; Query time: 29 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Mon Apr 7 09:04:50 2014
;; MSG SIZE rcvd: 265
Gmail's IPv6 IPs
dig _netblocks2.google.com txt
; <<>> DiG 9.9.2-P1 <<>> _netblocks2.google.com txt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53721
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_netblocks2.google.com. IN TXT
;; ANSWER SECTION:
_netblocks2.google.com. 622 IN TXT "v=spf1 ip6:2001:4860:4000::/36 ip6:2404:6800:4000::/36 ip6:2607:f8b0:4000::/36 ip6:2800:3f0:4000::/36 ip6:2a00:1450:4000::/36 ip6:2c0f:fb50:4000::/36 ~all"
;; Query time: 30 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Mon Apr 7 09:05:07 2014
;; MSG SIZE rcvd: 218
The last block does not provide any useful information needed for obtaining IPs.
_netblocks3.google.com. 1884 IN TXT "v=spf1 ~all"
Summary of IPs to allow in the Firewall
IPv4 IPs for Google
64.18.0.0/20
64.233.160.0/19
66.102.0.0/20
66.249.80.0/20
72.14.192.0/18
74.125.0.0/16
108.177.8.0/21
173.194.0.0/16
207.126.144.0/20
209.85.128.0/17
216.58.192.0/19
216.239.32.0/19
IPv6 IPs for Google
2001:4860:4000::/36
2404:6800:4000::/36
2607:f8b0:4000::/36
2800:3f0:4000::/36
2a00:1450:4000::/36
2c0f:fb50:4000::/36
Now take that list and add the ranges to your firewall.
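The lookups above can be scripted. The following is an added example, not part of the original page: a POSIX shell sketch that follows the redirect= and include: terms, prints the published networks, and can report allow-list entries the SPF chain does not publish. It runs offline on the TXT answers captured above; the function names and the SPF_LIVE switch are made up for this example.

```shell
#!/bin/sh
# Walk an SPF chain (redirect= and include:) and list its ip4:/ip6: networks.
# Other mechanisms (a, mx, ...) are ignored. Offline by default: the TXT
# answers below are the ones captured on this page (April 2014). SPF_LIVE=1,
# a variable name made up for this sketch, queries DNS with dig instead.

spf_txt() {  # print the SPF TXT record of domain $1 on one line
  if [ "${SPF_LIVE:-0}" = 1 ]; then
    # dig prints long TXT data as several quoted strings; rejoin them
    dig +short "$1" txt | sed 's/" "//g; s/"//g' | grep '^v=spf1'
    return
  fi
  case "$1" in
    gmail.com)
      echo 'v=spf1 redirect=_spf.google.com' ;;
    _spf.google.com)
      echo 'v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ~all' ;;
    _netblocks.google.com)
      echo 'v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 ip4:74.125.0.0/16 ip4:64.18.0.0/20 ip4:207.126.144.0/20 ip4:173.194.0.0/16 ~all' ;;
    _netblocks2.google.com)
      echo 'v=spf1 ip6:2001:4860:4000::/36 ip6:2404:6800:4000::/36 ip6:2607:f8b0:4000::/36 ip6:2800:3f0:4000::/36 ip6:2a00:1450:4000::/36 ip6:2c0f:fb50:4000::/36 ~all' ;;
    _netblocks3.google.com)
      echo 'v=spf1 ~all' ;;
  esac
}

spf_cidrs() {  # $1 = domain, $2 = nesting depth (set by the recursion)
  # Depth cap so a record that includes itself cannot loop forever
  [ "${2:-0}" -le 10 ] || { echo "SPF nesting too deep at $1" >&2; return 1; }
  for term in $(spf_txt "$1"); do
    case "$term" in
      ip4:*|ip6:*) echo "${term#ip?:}" ;;
      include:*)   spf_cidrs "${term#include:}" $(( ${2:-0} + 1 )) || return 1 ;;
      redirect=*)  spf_cidrs "${term#redirect=}" $(( ${2:-0} + 1 )) || return 1 ;;
    esac
  done
}

not_in_spf() {  # stdin: allow list, one CIDR per line; $1 = domain
  published=$(spf_cidrs "$1") || return 1
  while read -r cidr; do
    [ -n "$cidr" ] || continue
    # -x whole line, -F literal: print entries the SPF chain does not publish
    printf '%s\n' "$published" | grep -qxF "$cidr" || echo "$cidr"
  done
}

spf_cidrs gmail.com | sort -u
```

Piping the IPv4 summary list above into not_in_spf gmail.com prints 108.177.8.0/21 and 216.58.192.0/19, the two entries that do not appear in the TXT answers captured on this page.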