Cloud SMTP Relay
Overview
Check Point’s Cloud SMTP Relay provides a secure and scalable solution for organizations to send outbound emails from internal systems, applications, and services.
By using standard authentication and encryption mechanisms such as SPF, DKIM, DMARC, and TLS, the Cloud SMTP Relay ensures that emails are properly validated, protected, and delivered reliably while maintaining sender reputation and high deliverability rates.
Administrators can configure and monitor domain-level settings directly in the Avanan Administrator Portal.
Note - The Cloud SMTP Relay feature is currently in EA (Early Access). To enable it, contact Avanan Support.
SMTP Relay Configuration Flow
The setup process for Cloud SMTP Relay involves the following steps:
Access the Domains Section
- Access the Avanan Administrator Portal.
- From the left navigation panel, go to Security Settings > Domains.
Domains Table
The Domains table displays all domains associated with your tenant, including their current relay status and configuration progress.
| Name | Description |
|---|---|
| Domain | Shows the domain address. |
| Relay MX Setup | Status of the Relay MX record setup. |
| SPF | Status of the SPF record setup. |
| DKIM | Status of the DKIM record setup. |
| Description | Description relevant to the domain. |
For example, a domain such as example.com may show Not Verified for Relay MX Setup and Not Configured for SPF and DKIM until DNS entries are added and verified.
Relay Sources Table
The Relay Sources table displays all IP addresses of your email sending system and each source's relay status for routing outbound traffic through Cloud Email Relay.
| Name | Description |
|---|---|
| Source name | Shows the name of the relay source. |
| IP | Shows your sending IP address that the relay will receive emails from or the network range of your authorized sending system. |
| Type | Status of the SPF record setup. |
| Status | Status of the relay source. |
| Description | Description relevant to the relay source. |
Configure a Domain
Onboard a Domain
To send outbound emails, onboard your domain and configure DNS records (MX, SPF, and DKIM) to authorize secure email delivery.
To onboard a new domain:
- Go to Security Settings > Domains.
- Click Onboard Domain.
  The Onboard Domain pop-up appears.
- In the Domain address field, enter the domain address you want to send emails from.
- In the Type section:
  - External (Default) - Sends emails to recipients outside your organization.
- In the Description field, enter the required description.
- Click Onboard.
Configure DNS Records
Note - The detection of these DNS records can take up to 72 hours.
Configure the Relay MX Record
You must configure an MX record in your domain’s DNS to enable secure mail delivery through the Check Point relay infrastructure.
To configure the relay MX record:
- Go to Security Settings > Domains.
- In the Domains tab, click the icon.
- Select Configure MX.
- In the Set Up Relay MX pop-up that appears, follow the instructions provided below:
  DNS Record Example:
  | Entry | Value |
  |---|---|
  | Type | MX |
  | Host | cpmails.test.com |
  | Value | 10 feedback-smtp.us-east-1.amazonses.com |
  | TTL | 1 hour |
  Note - This configuration applies only to the relay subdomain (for example, cpmail.example.com) and does not modify your main domain’s MX record.
- After the record is added to your domain’s DNS, click Verify to confirm the configuration.
Configure the SPF Record
Configure the SPF record in your domain’s DNS to allow Check Point to send emails on behalf of your domain, prevent spoofing, and improve deliverability.
To configure the SPF record:
- Go to Security Settings > Domains.
- In the Domains tab, click the icon.
- Click Configure SPF.
  The Configure SPF pop-up appears.
- In the DNS Entry section, add or update the SPF record as shown below:
  SPF Record Example:
  | Entry | Value |
  |---|---|
  | Type | MX |
  | Name/Host | cpmails.example.com |
  | TTL | 3600 |
  | Value/Points to | v=spf1 include:spfr.cpmails.com ~all |
- After the DNS record is created, click Verify to validate and activate the configuration.
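The "add or update" step above matters when the host name already publishes an SPF policy: SPF is carried in TXT records, and a name with two `v=spf1` records fails evaluation with permerror (RFC 7208), so the relay's include has to be merged into the existing record. The following is an added example, not Check Point's code; the existing policy and the helper names are constructed for illustration, and only `include:spfr.cpmails.com` comes from this page.

```python
import re

# Terms that cost a DNS lookup during SPF evaluation (RFC 7208 section 4.6.4).
LOOKUP_TERM = re.compile(r"^(?:(?:include|a|mx|ptr|exists)(?:[:/]|$)|redirect=)")
ALL_TERM = re.compile(r"^[+\-~?]?all$", re.IGNORECASE)


def spf_policies(txt_records):
    """Keep only the TXT strings that are SPF policies."""
    return [t for t in txt_records if t.lower().split()[:1] == ["v=spf1"]]


def merge_include(policy, include_host):
    """Add include:<host> to an existing policy, ahead of its final 'all' term."""
    terms = policy.split()
    wanted = f"include:{include_host}"
    if wanted.lower() in (t.lstrip("+").lower() for t in terms):
        return policy
    pos = next((i for i, t in enumerate(terms) if ALL_TERM.match(t)), len(terms))
    return " ".join(terms[:pos] + [wanted] + terms[pos:])


def check_spf(txt_records, include_host):
    """Return the problems found in the TXT record set of one host name."""
    policies = spf_policies(txt_records)
    if not policies:
        return ["no v=spf1 record published"]
    problems = []
    if len(policies) > 1:
        problems.append("more than one v=spf1 record (receivers return permerror)")
    for policy in policies:
        names = [t.lstrip("+-~?").lower() for t in policy.split()[1:]]
        if f"include:{include_host}".lower() not in names:
            problems.append(f"missing include:{include_host} in: {policy}")
        # Counts this record's own terms only; nested includes add to the total.
        if sum(1 for n in names if LOOKUP_TERM.match(n)) > 10:
            problems.append(f"more than 10 DNS-lookup terms in: {policy}")
    return problems


RELAY_INCLUDE = "spfr.cpmails.com"                    # value shown on this page
EXISTING = "v=spf1 include:_spf.mailer.example -all"  # constructed existing policy
MERGED = merge_include(EXISTING, RELAY_INCLUDE)

if __name__ == "__main__":
    print(MERGED)
    # Publishing the relay record beside the old one is the mistake to catch.
    print(check_spf([EXISTING, "v=spf1 include:spfr.cpmails.com ~all"], RELAY_INCLUDE))
    print(check_spf([MERGED, "google-site-verification=constructed"], RELAY_INCLUDE))
```

Feed `check_spf` the TXT strings returned for the relay host name by your DNS tool of choice before clicking Verify.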
Configure the DKIM Record
DKIM ensures that emails sent through the relay are cryptographically signed, validating authenticity and preventing tampering.
Configure the DKIM record in your domain’s DNS to allow Check Point to send emails on behalf of your domain.
To configure the DKIM record:
- Go to Security Settings > Domains.
- In the Domains tab, click the icon.
- Click Configure DKIM.
  The Configure DKIM pop-up appears.
- In the DNS Entry section, add or update the DKIM record for your domain as shown below:
  Note - Ensure that you enter all five DKIM records into your domain's DNS.
  DKIM Record Example:
  | Entry | Value |
  |---|---|
  | Type | CNAME |
  | Name/Host | cp1._domainkey.example.com |
  | TTL | 3600 |
  | Value | cp2.domainkey.hfgfbfddf921-hfgfb5dsas.cp-mta.com |
- After the DNS record is created, click Verify to validate and activate the configuration.
After the DNS changes are verified, the corresponding domain status changes to Verified. The relay becomes active and ready for outbound email traffic.
Configure a Relay Source
Adding a New Relay Source
Administrators can add, modify, or remove relay sources that specify the sending systems or IP addresses permitted to connect to the SMTP relay.
- Access the Avanan Administrator Portal.
- From the left navigation panel, go to Security Settings > Domains > Relay Sources tab.
- Click Add Relay Sources.
- In the Add Relay Source pop-up that appears, configure the following fields as required:
  - In the Name field, enter a descriptive identifier for the relay source. For example, Invoice Server, CRM Platform, and Internal Relay Gateway.
  - In the IP field, enter your sending IP address that the relay will receive emails from or the network range (CIDR format) of the authorized sending system. For example, 192.168.1.100 or 192.168.1.0/24.
  - In the Type section, by default, the system specifies External, which means the relay source will send messages to recipients outside your organization.
  - (Optional) In the Description field, enter the required description about the relay source purpose or usage. For example, Marketing campaign emails, Finance system alerts.
- Expand the Advanced section.
  - TLS Version - By default, the version is set to TLS 1.3 and ensures encrypted email transmission between the relay and the recipient servers.
  - Preserve original headers? - By default, No is enabled, meaning original message headers from the internal sender are retained and enable identification of the internal sending server, but require valid SPF, DKIM, and DMARC alignment.
- Click Add.
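Each relay source authorizes every address in its range to send through the relay, so it helps to review the planned ranges against the hosts that actually send mail before adding them. The following is an added example, not part of the product or its documentation; the host inventory, the helper names, and the `max_unused` threshold are constructed assumptions.

```python
import ipaddress


def parse_source(name, value):
    """Parse the IP field; strict=True rejects ranges with host bits set."""
    return name, ipaddress.ip_network(value, strict=True)


def review_sources(sources, senders, max_unused=64):
    """Compare relay source ranges with the hosts that really send mail."""
    nets = [parse_source(name, value) for name, value in sources]
    addrs = {host: ipaddress.ip_address(ip) for host, ip in senders.items()}
    report = {"uncovered": [], "too_broad": [], "overlap": []}
    # Senders that no relay source covers.
    for host, addr in addrs.items():
        if not any(addr in net for _, net in nets):
            report["uncovered"].append(host)
    # Ranges that authorize many more addresses than are in use.
    for name, net in nets:
        used = sum(1 for addr in addrs.values() if addr in net)
        if net.num_addresses - used > max_unused:
            report["too_broad"].append(name)
    # Overlapping entries authorize the same address twice; review before disabling one.
    for i, (name_a, net_a) in enumerate(nets):
        for name_b, net_b in nets[i + 1:]:
            if net_a.overlaps(net_b):
                report["overlap"].append((name_a, name_b))
    return report


# Constructed sample data; source names and the two IP values follow the page's examples.
SOURCES = [("Invoice Server", "192.168.1.100"), ("CRM Platform", "192.168.1.0/24")]
SENDERS = {"invoice01": "192.168.1.100", "crm01": "192.168.1.20", "hr01": "192.168.2.5"}

if __name__ == "__main__":
    print(review_sources(SOURCES, SENDERS))
    try:
        parse_source("Typo", "192.168.1.100/24")  # host bits set
    except ValueError as err:
        print("rejected:", err)
```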
Activate Cloud Email Relay
After adding a new relay source, you have to activate the Cloud Email Relay to get the SMTP connection details required to route outbound emails through Check Point’s Cloud Email Relay service.
To activate a cloud email relay:
- Go to Security Settings > Domains and click the Relay Sources tab.
- Click the icon next to the relay source you want to activate.
- Click Enable source.
  The Activate Cloud Email Relay confirmation pop-up displays the relay host details:
  | Entry | Value |
  |---|---|
  | Relay host | The hostname of the Check Point Cloud SMTP relay server used to send outbound emails. For example: us-east-1.cp-mta.com |
  | Port | The port number used for SMTP transmission. Default: 25 (supports STARTTLS). STARTTLS ensures secure encryption for outgoing messages. |
  Notes:
  - Review the displayed relay host and port configuration.
  - Go to Domains > Relay Sources and verify that your domain and sending IP addresses are properly configured.
  - Ensure that SPF, DKIM, and authentication records align with the relay configuration.
- Click Activate.
When Cloud SMTP Relay is activated, it begins processing and delivering outbound emails from the configured relay sources through Check Point’s Cloud SMTP infrastructure. All emails are scanned for spam and malware based on your configured domain, IP, and authentication settings before delivery to recipients.
Activating a Cloud Email Relay finalizes the SMTP relay configuration, allowing trusted mail servers or applications to use the Check Point Cloud Relay for outbound delivery, and it ensures authenticated, encrypted transmission and centralized email control.
Note - Before activating a Cloud Email Relay, ensure all domains, IP addresses, and authentication settings are correctly configured.
Managing Domains and Relay Sources
Reviewing the Relay Host Details
To view relay host details:
- Go to Security Settings > Domains and click the Relay Sources tab.
- Click the icon for the relay source you want to view.
- Click View relay host.
  The Relay Host Details pop-up appears and provides the following information.
  | Entry | Value |
  |---|---|
  | Relay host | The hostname of the Check Point Cloud SMTP relay server used to send outbound emails. For example: us-east-1.cp-mta.com |
  | Port | The port number used for SMTP transmission. Default: 25 (supports STARTTLS). STARTTLS ensures secure encryption for outgoing messages. |
- Click Done.
Deleting a Domain
To delete a domain:
- Go to Security Settings > Domains.
- In the Domains tab, click the icon for the domain you want to delete.
- Click Delete.
- In the Delete confirmation pop-up that appears, click Yes.
Disabling a Relay Source
To disable a relay source:
- Go to Security Settings > Domains and click the Relay Sources tab.
- Click the icon for the relay source you want to disable.
- Click Disable Source.
- In the Disable confirmation pop-up that appears, click Disable.
Note - Disabling a relay source prevents that IP from sending emails through Cloud Email Relay.
Deleting a Relay Source
To delete a relay source:
- Go to Security Settings > Domains and click the Relay Sources tab.
- Click the icon for the relay source you want to delete.
- Click Delete.
- In the Delete ESTP confirmation pop-up that appears, click Delete.
Note - Deleting a relay source permanently removes all associated configurations in Avanan. Emails sent from that IP will no longer be relayed through Cloud Email Relay.
Deliverability Reporting
The Deliverability Reporting page provides detailed visibility into the delivery status of outbound emails processed through the Cloud SMTP Relay.
It allows administrators to:
- Monitor outbound email delivery
- Track performance
- Identify delivery failures
- Analyze trends such as bounces, rejections, or delays.
Using built-in filters and customizable columns, administrators can quickly isolate emails by delivery status, sender, recipient, or subject, making it easier to troubleshoot deliverability issues and maintain a strong sender reputation.
Note - If an email provider does not pass along its users' reports of emails as spam or phishing, these reports will not appear in the Deliverability Reporting page.
To view and monitor outbound emails processed through the cloud SMTP relay:
- Access the Avanan Administrator Portal.
- From the left navigation panel, go to Analytics > Deliverability Reporting.
| Column Name | Description |
|---|---|
| Sent | Shows the date and time when the email was sent. |
| Status | Shows the status of the email delivery. The possible values are listed below the table. |
| Sender | Shows the sender domain address. |
| Recipient | Shows the recipient's email address. |
| Subject | Shows the email subject line. |
Status values:
- Rejected – Email refused by the recipient's mail server.
- Hard Bounce – Permanent delivery failure (invalid address or domain).
- Soft Bounce – Temporary delivery issue (mailbox full, server busy).
- Delivered – Email successfully accepted by the recipient.
- Expired – Delivery retries failed and the email expired.
- Pending – Email queued for delivery.
- Hard Bounce (OOB) – Out-of-band permanent delivery failure.
- Delayed – Email still retrying for delivery.
- Blocked Recipient – Blocked by policy or reputation filter.
- Detected as Spam – Email flagged as spam by the security engine.
- Detected as Malware – Email flagged as malware by the security engine.
- Reported as Spam – The recipient reported the email as spam.