diff --git a/changelog.d/5-internal/sqservices-1118 b/changelog.d/5-internal/sqservices-1118
new file mode 100644
index 0000000000..0d24028303
--- /dev/null
+++ b/changelog.d/5-internal/sqservices-1118
@@ -0,0 +1 @@
+Tag integration tests for certification.
diff --git a/services/galley/test/integration/API.hs b/services/galley/test/integration/API.hs
index d394a30c02..801d020109 100644
--- a/services/galley/test/integration/API.hs
+++ b/services/galley/test/integration/API.hs
@@ -220,7 +220,9 @@ tests s =
           test s "cannot join private conversation" postJoinConvFail,
           test s "remove user with only local convs" removeUserNoFederation,
           test s "remove user with local and remote convs" removeUser,
-          test s "iUpsertOne2OneConversation" testAllOne2OneConversationRequests
+          test s "iUpsertOne2OneConversation" testAllOne2OneConversationRequests,
+          test s "post message - reject if missing client" postMessageRejectIfMissingClients,
+          test s "post message - client that is not in group doesn't receive message" postMessageClientNotInGroupDoesNotReceiveMsg
         ]
 
 emptyFederatedBrig :: F.BrigApi (AsServerT Handler)
@@ -366,6 +368,7 @@ postConvWithRemoteUsersOk = do
 
 -- | This test verifies whether a message actually gets sent all the way to
 -- cannon.
+-- @SF.Separation @TSFI.RESTfulAPI @S2
 postCryptoMessage1 :: TestM ()
 postCryptoMessage1 = do
   localDomain <- viewFederationDomain
@@ -450,6 +453,7 @@ postCryptoMessage1 = do
       assertNoMsg wsB2 (wsAssertOtr qconv qalice ac bc cipher)
 
 -- | This test verifies basic mismatch behaviour of the the JSON endpoint.
+-- @SF.Separation @TSFI.RESTfulAPI @S2
 postCryptoMessage2 :: TestM ()
 postCryptoMessage2 = do
   b <- view tsBrig
@@ -475,6 +479,7 @@ postCryptoMessage2 = do
     Map.keys <$> Map.lookup eve (userClientMap (getUserClientPrekeyMap p)) @=? Just [ec]
 
 -- | This test verifies basic mismatch behaviour of the protobuf endpoint.
+-- @SF.Separation @TSFI.RESTfulAPI @S2
 postCryptoMessage3 :: TestM ()
 postCryptoMessage3 = do
   b <- view tsBrig
@@ -501,7 +506,7 @@ postCryptoMessage3 = do
     Map.keys (userClientMap (getUserClientPrekeyMap p)) @=? [eve]
     Map.keys <$> Map.lookup eve (userClientMap (getUserClientPrekeyMap p)) @=? Just [ec]
 
--- | This test verfies behaviour when an unknown client posts the message. Only
+-- | This test verifies behaviour when an unknown client posts the message. Only
 -- tests the Protobuf endpoint.
 postCryptoMessage4 :: TestM ()
 postCryptoMessage4 = do
@@ -516,8 +521,63 @@ postCryptoMessage4 = do
   postProtoOtrMessage alice (ClientId "172618352518396") conv m
     !!! const 403 === statusCode
 
+-- | This test verifies the following scenario.
+-- A client sends a message to all clients of a group and one more who is not part of the group.
+-- The server must not send this message to client ids not part of the group.
+-- @SF.Separation @TSFI.RESTfulAPI @S2
+postMessageClientNotInGroupDoesNotReceiveMsg :: TestM ()
+postMessageClientNotInGroupDoesNotReceiveMsg = do
+  localDomain <- viewFederationDomain
+  cannon <- view tsCannon
+  (alice, ac) <- randomUserWithClient (someLastPrekeys !! 0)
+  (bob, bc) <- randomUserWithClient (someLastPrekeys !! 1)
+  (eve, ec) <- randomUserWithClient (someLastPrekeys !! 2)
+  (chad, cc) <- randomUserWithClient (someLastPrekeys !! 3)
+  connectUsers alice (list1 bob [eve, chad])
+  conversationWithAllButChad <- decodeConvId <$> postConv alice [bob, eve] (Just "gossip") [] Nothing Nothing
+  let qalice = Qualified alice localDomain
+      qconv = Qualified conversationWithAllButChad localDomain
+  WS.bracketR3 cannon bob eve chad $ \(wsBob, wsEve, wsChad) -> do
+    let msgToAllIncludingChad = [(bob, bc, toBase64Text "ciphertext2"), (eve, ec, toBase64Text "ciphertext2"), (chad, cc, toBase64Text "ciphertext2")]
+    postOtrMessage id alice ac conversationWithAllButChad msgToAllIncludingChad !!! const 201 === statusCode
+    let checkBobGetsMsg = void . liftIO $ WS.assertMatch (5 # Second) wsBob (wsAssertOtr qconv qalice ac bc (toBase64Text "ciphertext2"))
+    let checkEveGetsMsg = void . liftIO $ WS.assertMatch (5 # Second) wsEve (wsAssertOtr qconv qalice ac ec (toBase64Text "ciphertext2"))
+    let checkChadDoesNotGetMsg = assertNoMsg wsChad (wsAssertOtr qconv qalice ac ac (toBase64Text "ciphertext2"))
+    checkBobGetsMsg
+    checkEveGetsMsg
+    checkChadDoesNotGetMsg
+
+-- | This test verifies that when a client sends a message not to all clients of a group then the server should reject the message and sent a notification to the sender (412 Missing clients).
+-- The test is somewhat redundant because this is already tested as part of other tests already. This is a stand alone test that solely tests the behavior described above.
+-- @SF.Separation @TSFI.RESTfulAPI @S2
+postMessageRejectIfMissingClients :: TestM ()
+postMessageRejectIfMissingClients = do
+  (sender, senderClient) : allReceivers <- randomUserWithClient `traverse` someLastPrekeys
+  let (receiver1, receiverClient1) : otherReceivers = allReceivers
+  connectUsers sender (list1 receiver1 (fst <$> otherReceivers))
+  conv <- decodeConvId <$> postConv sender (receiver1 : (fst <$> otherReceivers)) (Just "gossip") [] Nothing Nothing
+  let msgToAllClients = mkMsg "hello!" <$> allReceivers
+  let msgMissingClients = mkMsg "hello!" <$> drop 1 allReceivers
+
+  let checkSendToAllClientShouldBeSuccessful =
+        postOtrMessage id sender senderClient conv msgToAllClients !!! do
+          const 201 === statusCode
+          assertMismatch [] [] []
+
+  let checkSendWitMissingClientsShouldFail =
+        postOtrMessage id sender senderClient conv msgMissingClients !!! do
+          const 412 === statusCode
+          assertMismatch [(receiver1, Set.singleton receiverClient1)] [] []
+
+  checkSendToAllClientShouldBeSuccessful
+  checkSendWitMissingClientsShouldFail
+  where
+    mkMsg :: ByteString -> (UserId, ClientId) -> (UserId, ClientId, Text)
+    mkMsg text (userId, clientId) = (userId, clientId, toBase64Text text)
+
 -- | This test verifies behaviour under various values of ignore_missing and
 -- report_missing. Only tests the JSON endpoint.
+-- @SF.Separation @TSFI.RESTfulAPI @S2
 postCryptoMessage5 :: TestM ()
 postCryptoMessage5 = do
   (alice, ac) <- randomUserWithClient (someLastPrekeys !! 0)
@@ -709,6 +769,7 @@ postMessageQualifiedLocalOwningBackendSuccess = do
 -- | Sets up a conversation on Backend A known as "owning backend". One of the
 -- users from Backend A will send the message but have a missing client. It is
 -- expected that the message will not be sent.
+-- @SF.Separation @TSFI.RESTfulAPI @S2
 postMessageQualifiedLocalOwningBackendMissingClients :: TestM ()
 postMessageQualifiedLocalOwningBackendMissingClients = do
   -- Cannon for local users
@@ -868,6 +929,7 @@ postMessageQualifiedLocalOwningBackendRedundantAndDeletedClients = do
 -- users from Backend A will send the message but have a missing client. It is
 -- expected that the message will be sent except when it is specifically
 -- requested to report on missing clients of a user.
+-- @SF.Separation @TSFI.RESTfulAPI @S2
 postMessageQualifiedLocalOwningBackendIgnoreMissingClients :: TestM ()
 postMessageQualifiedLocalOwningBackendIgnoreMissingClients = do
   -- WS receive timeout