Configuring Google Workspace (Gsuite)

Situation – You want to set up Spambrella with the Google Workspace (Gsuite) service.

Solution – An outline for setting up Google Workspace (Gsuite) in conjunction with Spambrella. See below for how to set up both inbound and outbound mail flow.

This article explains how to configure Google Workspace (Gsuite) to use Spambrella Email Security (SES) as your mail gateway.

What Is Google Workspace?

Google Workspace (also known as Gsuite) is a cloud-based solution from Google which offers email, messaging, security, archiving and other capabilities delivered from Google’s worldwide network of cloud data centers.

For more information please see: https://workspace.google.com

Before You Start

Before continuing with the provisioning and configuration of the Spambrella service, it is recommended that you have the information listed below.

INFORMATION NEEDED FOR CONFIGURING SPAMBRELLA

  • MX record(s) for domain(s) you are configuring

INFORMATION NEEDED FOR CONFIGURING G SUITE

 



Setting up Inbound Mail Flow

Spambrella is deployed between the customer’s Google Workspace environment and the Internet. Inbound mail is routed to Spambrella by changing the customer’s MX records. After email is processed by Spambrella it is routed to Google Workspace.

Configure Spambrella

LOCATE YOUR MX RECORD FOR THE DOMAIN IN G SUITE

  1. Sign in to the Google Admin console.
  2. From the dashboard go to Apps > Google Workspace > Gmail > Setup.
  3. Under Setup, scroll down to MX records and make note of all the Points to values (Instead of scrolling, you can navigate to this information by entering ‘MX records’ in the search field).

These values will be necessary when you add your domains to Spambrella.

ADDING DOMAIN(S) TO SPAMBRELLA

  1. Sign in to the Spambrella user interface.
  2. Navigate to Administration > Account Management > Domains > New Domain.
  3. Enter the domain name you wish to configure.
  4. Ensure the domain purpose is set to Relay.
  5. For Delivery Destination, put the MX record from Google that you copied earlier (Generally this is aspmx.l.google.com).
  6. For the Failovers, enter the additional MX Records (e.g. SMTP Failover 1: alt1.aspmx.l.google.com).

You can verify your domain at this stage or you can verify at a later time. However, the domain must be verified before it can be enabled.

  7. Under Verification Method, select Verify by TXT Record, and then press Verify Later.
  8. Repeat for each subsequent domain.

The delivery and failover destinations refer to the ‘Points to’ values captured in the previous section.

 


 

Configure Google Workspace

CONFIGURE INBOUND MAIL GATEWAY

Skipping Inbound Mail Gateway Configuration

Skipping this step has been verified to cause bounce errors if the original sender has a valid SPF or DMARC configuration in place. Configure the inbound gateway to ensure mail delivery.

  1. Sign in to the Google Admin console.
  2. From the dashboard go to Apps > Google Workspace > Gmail > Spam, phishing, and malware.
  3. Hover the cursor to the right of Inbound gateway and when the pencil icon is shown, click on it.
  4. Under Gateway IPs, do the following:
    1. Add ALL IP addresses, for the appropriate US or EU stack you are using.
    2. Add these additional Google IP addresses:

  5. Check Automatically detect external IP. This causes Gmail to scan the message header to locate the first occurrence of an IP address that is not listed in the Gateway IPs. This is referred to as the “external IP”, which Gmail considers the sending IP and uses for SPF checks and spam evaluation.
  6. Check Reject all mail not coming from gateway IPs.
  7. Check Require TLS for connection from the email gateways listed above.
  8. Click Save and then Enable the Inbound Gateway.
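The external-IP selection described for Automatically detect external IP can be sketched as follows. This is an added example, not Google's or Spambrella's code: it is a simplified model that walks the Received headers newest first and returns the first address outside the gateway list. The gateway ranges, host names and message are constructed from documentation address space.

```python
import ipaddress
import re
from email import message_from_string

# Constructed gateway ranges (documentation address space), standing in for
# the Spambrella and Google ranges entered under Gateway IPs.
GATEWAY_NETS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "2001:db8:1::/48")]

# Constructed message: newest Received header first, as the mailbox server sees it.
SAMPLE = """\
Received: from gw1.filter.example (gw1.filter.example [198.51.100.25])
\tby mx.mailbox.example with ESMTPS; Mon, 1 Jan 2024 10:00:03 +0000
Received: from out.sender.example (out.sender.example [203.0.113.7])
\tby gw1.filter.example with ESMTPS; Mon, 1 Jan 2024 10:00:01 +0000
Received: from laptop.sender.example ([192.0.2.44])
\tby out.sender.example with ESMTPSA; Mon, 1 Jan 2024 10:00:00 +0000
From: alice@sender.example
To: bob@recipient.example
Subject: constructed sample

body
"""

# Relay addresses appear in square brackets, optionally prefixed "IPv6:".
BRACKETED = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")

def external_ip(raw_message, gateway_nets):
    """Return the first relay IP, newest hop first, that is not a gateway IP."""
    msg = message_from_string(raw_message)
    for hop in msg.get_all("Received", []):
        for candidate in BRACKETED.findall(hop):
            try:
                ip = ipaddress.ip_address(candidate)
            except ValueError:
                continue  # bracketed text that is not an address
            if not any(ip in net for net in gateway_nets):
                return ip
    return None  # every hop was a gateway: no external IP to evaluate

if __name__ == "__main__":
    # Complete gateway list: SPF is evaluated against the original sender's server.
    print(external_ip(SAMPLE, GATEWAY_NETS))
    # Missing gateway list: the filtering service itself is treated as the sender,
    # which is how a sender's valid SPF or DMARC policy ends up failing.
    print(external_ip(SAMPLE, []))
```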


Note that there have been instances where Google has prevented delivery from its own IP addresses. In this case, the only solution that they have provided is to clear the “Reject all mail not from gateway IPs” checkbox.

If you do this, however, your mail server is no longer locked down to accept external mail only from our IPs. As a result, it is possible for senders to route directly to your mail system instead of following normal MX lookups to route through Spambrella. This approach should only be used if Google is preventing delivery from its own IPs.

If you experience delivery issues, check the bounce to confirm if this scenario is applicable to your organization.
The error received is similar to this:

Google tried to deliver your message, but it was rejected by the relay aspmx.l.google.com [Google IP]. We recommend contacting the other email provider at postmaster@aspmx.l.google.com for further information about the cause of this error. The error that the other server returned was: 421 4.7.0 IP not in whitelist for RCPT domain, closing connection.

UPDATE SAFETY SETTINGS

G Suite’s safety settings allow organizations to enable or disable policies related to viewing and accessing email. If you currently have some or all of these settings enabled, you may experience delivery issues. Please review the following steps to ensure your settings align with Spambrella best practice.

  1. On the Google Admin console, go to Apps > Google Workspace > Gmail.
  2. Click Safety to expand options.

It is not necessary to change the Attachments or Links and external images settings.

  3. If you have any Spoofing and authentication settings enabled, these all need to be disabled to ensure proper mail flow, including turning off “Apply future recommended settings automatically”. Enabling this option may automatically enable these settings and cause issues with mail flow.

DMARC and Trusted Source Errors

Leaving these features enabled has been known to cause bounce-back errors indicating a DMARC issue. Please ensure you disable them as instructed.

The error message would be: Unauthenticated email from proofpoint.com is not accepted due to domain’s DMARC policy

Leaving these settings enabled can also cause errors indicating that emails are not coming from a trusted source.

 



Setup Inbound And Outbound Mail Flow

Spambrella is deployed between the customer’s Google Workspace environment and the Internet. Outbound mail is routed to Spambrella/Proofpoint by configuring an outbound mail gateway. This will route all outbound mail to Spambrella.

Configure Spambrella

ENABLE OUTBOUND RELAYING

  1. Sign in to the Spambrella user interface.
  2. Navigate to Administration > Features.
  3. Check Enable Outbound Relaying.
  4. Click Save.


 

ADD SERVICE IP ADDRESSES TO YOUR INBOUND GATEWAY

  1. While logged into the Spambrella user interface, navigate to Administration > Domains.
  2. Click Managed Hosted Services.
  3. Choose Google Apps.
  4. Click Save.


 


 

Configure Google Workspace

CONFIGURE OUTBOUND MAIL GATEWAY

  1. Sign in to the Google Admin console.
  2. From the console go to Apps > Google Workspace > Gmail > Hosts.
  3. Click Add Route.
  4. Give the entry an appropriate name like “Outbound” and in the Outbound Gateway text field, enter the Smart host value.
  5. Click Save.
  6. Navigate to Apps > Google Workspace > Gmail > Routing, and under Routing, click “Configure” or, if a rule is already there, “Add another Rule”.
  7. Enter an appropriate Routing name, e.g., “Outbound Through Spambrella”.
  8. For “Email messages to affect”, select “Outbound”.
  9. For “For the types of messages above do the following”, check “Change the route” and “Also reroute spam”.
  10. Under this section there is a dropdown box. Select the Outbound route.
  11. Click “Show Options” to show additional fields (as shown in the screenshot above).
  12. Under “B. Account types to affect”, select all the choices (users, groups and unrecognized/catch-all).
  13. Under “C. Envelope Filter”, select Only affect specific envelope senders and then change the dropdown from “Single email address” to Pattern match.
  14. In the Regexp field, enter your domain name.

 


Please Note:

Please note that if you have more than one sending domain, you have two options:

 



CONFIGURE INTERNAL ROUTING

  1. Navigate to Apps > Google Workspace > Gmail > Hosts.
  2. Select Add Route.
  3. For Name, enter Internal Google Workspace; for single host, enter aspmx.l.google.com and then, in the second field, enter 25.
  4. Make sure that the option Perform MX lookup on host is NOT checked, and that the following options are checked, then press Save:
    – Require mail to be transmitted via a secure connection
    – Require CA signed certificate
    – Validate certificate hostname

  5. Click Settings for Gmail in the upper left again, then click Routing.
  6. Scroll down to Routing, and then click Configure or, if there is a rule already, click Add Another Rule.
  7. Enter a description at the top, e.g. Internal Routing.
  8. Under Messages to affect, check the box that says Internal Sending.
  9. Scroll down, and under Route, check Change route, and then change the default dropdown from Normal Routing to Internal Google Workspace.
  10. Scroll down and select Show options. The screen expands.
  11. Under B. Account types to affect, check both Users and Groups.
  12. Under C. Envelope Filter, check Only affect specific envelope senders and then change the dropdown from “Single email address” to Pattern Match.
  13. Under Regexp, enter your domain, e.g. domain.com.
  14. Click Save.
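The Regexp field in the outbound routing rule and in the internal routing rule above takes a regular expression, so a bare domain name is read as a pattern rather than a literal string. This added example (not Spambrella's or Google's code) uses Python's re module as a stand-in for the Admin console matcher and assumes substring-search semantics; it compares the bare domain with an escaped, anchored pattern. The helper names and sender addresses are constructed for illustration.

```python
import re

def envelope_pattern(domain, include_subdomains=False):
    """Build an anchored pattern matching envelope senders at `domain` only."""
    host = re.escape(domain.lower().rstrip("."))  # "." becomes a literal dot
    if include_subdomains:
        host = r"(?:[a-z0-9-]+\.)*" + host
    return r"^[^@\s]+@" + host + r"$"

def matching_senders(pattern, senders):
    """Senders the rule would apply to (assumption: unanchored search)."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [s for s in senders if rx.search(s)]

# Constructed envelope senders; domain.com is the page's example domain.
SENDERS = [
    "alice@domain.com",              # intended match
    "bob@mail.domain.com",           # subdomain
    "carol@domain.com.example.net",  # domain used as a prefix of another host
    "dave@notdomain.com",            # domain used as a suffix of another host
    "erin@domain-com.example",       # unescaped "." matches any character
]

if __name__ == "__main__":
    for label, pattern in [
        ("bare domain", "domain.com"),
        ("anchored", envelope_pattern("domain.com")),
        ("anchored + subdomains", envelope_pattern("domain.com", True)),
    ]:
        print(f"{label:22} {pattern}")
        for sender in matching_senders(pattern, SENDERS):
            print(f"    matches {sender}")
```

Whether the console applies search or full-match semantics to this field should be confirmed against a test rule before relying on either form.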

Please Note: When configured as per the instructions above, mail exchanged internally remains within Google Workspace and is NOT scanned for spam by Spambrella.

 These changes can take up to 24 hours in Google Workspace to be applied.

 


SENDING TO GROUPS/DISTRIBUTION LISTS WITH EXTERNAL RECIPIENTS

With Google Workspace, messages may be sent to groups/distribution lists that have external recipients (outside of your domain). No changes are needed.

UPDATE YOUR MX RECORDS

You will need to add Spambrella MX records to your DNS record.

You may want to add the MX records with a low priority ahead of your cutover. Once ready, you can then increase the priority of the Spambrella MX records while decreasing the priority of your existing MX record.

UPDATE SENDER POLICY FRAMEWORK (SPF)

When sending outbound email through the Spambrella gateway, external recipients will receive mail sent from Spambrella rather than G Suite mail servers. If the recipient’s mail service attempts to verify that the message came from your domain, it must confirm that the gateway server is an authorized mail server for your domain. To enable this, you need to add the Spambrella SPF record to your domain(s).

