Configure GMail using G Suite for EMS

Updated 5 months ago by admin

To successfully add GMail using G Suite and configure Email Security (EMS), you will need to perform three steps:

  1. Configure EMS for GMail using G Suite accounts.
  2. Configure Inbound mail on GMail using G Suite and reject non-EMS emails.
  3. Configure Outbound mail on GMail using G Suite to send email via the EMS servers
  4. Configure Gmail to bypass EMS for internal mail

Configure EMS for Gmail using G Suite accounts

Configuring Inbound Mail

  1. Navigate to ProductsE-mail SecurityProduct ConfigurationInbound Email.
  2. Click + to add a new Delivery Route.
  3. In the Domain field, select the domain you wish to configure.
  4. In the Route field, enter ASPMX.L.GOOGLE.COM with a cost of 5.
  5. Repeat steps 2 to 4 to add the remaining routes:
    ALT1.ASPMX.L.GOOGLE.COM
  6. The final routes should look similar to the screenshot below:
Configuring Outbound Mail
  1. Navigate to ProductsE-mail SecurityProduct ConfigurationOutbound Email.
  2. Click + to add a new Sending Host.
  3. Enter spf://_spf.google.com as the new Hostname

Configure Inbound mail on Gmail using G Suite to reject non-EMS emails

You should configure GMail using G Suite to block any inbound email that does not originate from the Email Security (EMS) product. However, you will need to do this via a two-step process. This section is split into two sections – prior MX record change and post MX record change.

Prior to changing MX records

Before changing MX records it is recommended that the Email Security IP addresses are added to the inbound gateway so that when MX records are changed all messages are not quarantined. 

The steps below explain this process. 

You may already have inbound gateway entries listed. If this is the case you need to append the entries below to the existing list and then remove the existing entries once the MX records have been changed.
  1. Login to the G Suite Admin Console with an administrators account.
  2. Click on Apps, then G Suite Core Services.
  3. Click on GMail to take you to Settings for Gmail.
  4. Click on Advanced Settings at the bottom of the page.
  5. Scroll down to Spam, phishing, and malware and configure/edit the Inbound Gateways
  6. Add a Name to the Inbound setting for example “Email Security if not already configured.
  7. Add the IP addresses for our service and click Save.
    For EU customers: https://help.clouduss.com/ems-knowledge-base/mx-records-and-ip-addresses-for-eu-customers
    For non-EU customers: https://help.clouduss.com/ems-knowledge-base/mx-records-and-ip-addresses-for-non-eu-customers
  8. The entries should look like this if using the EU servers (NOTE: ensure you DO NOT click Reject all mail not from gateway IPs)
  9. At the bottom of the Advanced Settings page, click Save to apply the changes.
  10. Ensure that this configuration is replicated to G Suite before changing any MX records.
It can take up to an hour for changes to propagate to user accounts for GMail using G Suite. You can track changes in the Admin console audit log
Post MX record change

Once MX records have been changed and replicated to the internet email should start flowing through the Email Security product. You can verify this via the Email Security Activity reports and charts.  You can also check this in the G Suite portal by following these steps:

  1. Login to the G Suite Admin Console with an administrators account.
  2. Click on Apps, then G Suite Core Services.
  3. Click on GMail to take you to Settings for Gmail.
  4. Click on Setup.
  5. Check that the MX records match the below:
    For EU customers: https://help.clouduss.com/ems-knowledge-base/mx-records-and-ip-addresses-for-eu-customers
    For non-EU customers: https://help.clouduss.com/ems-knowledge-base/mx-records-and-ip-addresses-for-non-eu-customers

Additional Options

By default, Gmail using G suite will still scan all emails for spam.  If you do not want G Suite to quarantine any of the messages, you can whitelist the Email Security service IP’s. To do this follow these steps:

  1. Login to the G Suite Admin Console with an administrators account.
  2. Click on Apps, then G Suite Core Services.
  3. Click on GMail to take you to Settings for Gmail.
  4. Click on Advanced Settings at the bottom of the page.
  5. Scroll down to Spam, phishing, and malware and under Email whitelist add the Email Security service IP addresses as shown below, for the EU region:
  6. At the bottom of the Advanced Settings page, click Save to apply the changes

Configure Outbound mail on Gmail using G Suite to send Email via the EMS servers

To configure outbound email for GMail using G Suite you will need to login to the GMail using G Suite Admin console.  As we use two smart hosts you will need to route the outbound email via a host and rule.  Here are the details required to configure outbound email to the Email Security product:

  1. Login to the G Suite Admin Console with an administrators account.
  2. Click on Apps, then G Suite Core Services.
  3. Click on GMail to take you to Settings for Gmail.
  4. Click on Hosts section.
  5. Click the Add Route button.
  6. Give the route a Name like “EMS Outbound”
  7. In the Specify Email server select Multiple hosts.
  8. Add a primary entry for each of the outbound servers, for example, for the EU region:
  9. Click Save
  10. Navigate to Advanced section from Settings for Gmail and scroll down to the Routing setting in the Routing section
  11. Click configure for Routing. This will open up a new Add setting option.
  12. Enter a name like “EMS Outbound Rule”
  13. Select the checkbox for Outbound in Messages to affect. (section 1)
  14. Select Change route in For the above types of messages, do the following. (Section 3)
  15. Change the Normal routing to "EMS Outbound Rule" created above. (Section 3)
  16. (Optional) Under Encryption (onward delivery only), check the Require Secure Transport (TLS) option
  17. Click Add Setting button or, if editing an existing configuration, click Save.
  18. At the bottom of the Advanced Settings page, click Save.
It can take up to an hour for changes to propagate to user accounts. You can track changes in the Admin console audit log.

Configure G Suite to bypass EMS for Internal mail

  1. Login to the G Suite Admin Console with an administrators account.
  2. Click on Apps, then G Suite Core Services.
  3. Click on GMail to take you to Settings for Gmail.
  4. Click on Hosts section.
  5. Click on the Add Route button
  6. Give the route a Name like “Google Internal”
  7. In the Specify Email server select Multiple hosts.
  8. Add a primary entry for each of the GMail Servers listed below:
aspmx.l.google.com
alt1.aspmx.l.google.com
alt2.aspmx.l.google.com
alt3.aspmx.l.google.com
alt4.aspmx.l.google.com
  1. Click Save
  2. Navigate back to General setting tab and scroll to the Routing setting in the Routing section
  3. Click on Add Another for Routing. This will open up a new Add setting option.
  4. Enter a name like “Internal Route”
  5. Select the checkbox for Internal – Sending  in Messages to affect.
  6. Select “only affect specific envelope recipients” and define a REGEX for your internal domain

NOTE: For multiple domains you can add them into the regex in the format of .*@firstdomain\.com|.*@seconddomain\.co\.uk, for example:

  1. Select Change route in For the above types of messages, to do the following.
  2. Change the Normal routing to "Google Internal" created above.
  1. Click on Show Options at the bottom of this page and Select “Users and Groups” in the Account types to affect
  1. 1.     Click Add Setting button, click Save.
  2. 2.     At the bottom of the Advanced Settings page, click Save.

 

Now all internal mail is routed directly to Google servers, and all other mail routes through the Email Security Outbound Gateway.


How did we do?