Configure GMail using G Suite for EMS

Updated 1 week ago by admin

To successfully add GMail using G Suite and configure Email Security (EMS), you will need to perform three steps:

  1. Configure EMS for GMail using G Suite accounts.
  2. Configure Inbound mail on GMail using G Suite and reject non-EMS emails.
  3. Configure Outbound mail on GMail using G Suite to send email via the EMS servers

Configure EMS for Gmail using G Suite accounts

Configuring Inbound Mail

  1. Navigate to ProductsE-mail SecurityProduct ConfigurationInbound Email.
  2. Click + to add a new Delivery Route.
  3. In the Domain field, select the domain you wish to configure.
  4. In the Route field, enter ASPMX.L.GOOGLE.COM with a cost of 5.
  5. Repeat steps 2 to 4 to add the remaining routes:
    ALT1.ASPMX.L.GOOGLE.COM
  6. The final routes should look similar to the screenshot below:
Configuring Outbound Mail
  1. Navigate to ProductsE-mail SecurityProduct ConfigurationOutbound Email.
  2. Click + to add a new Sending Host.
  3. Enter spf://_spf.google.com as the new Hostname

Configure Inbound mail on Gmail using G Suite to reject non-EMS emails

You should configure GMail using G Suite to block any inbound email that does not originate from the Email Security (EMS) product. However, you will need to do this via a two-step process. This section is split into two sections – prior MX record change and post MX record change.

Prior to changing MX records

Before changing MX records it is recommended that the Email Security IP addresses are added to the inbound gateway so that when MX records are changed all messages are not quarantined. 

The steps below explain this process. 

You may already have inbound gateway entries listed. If this is the case you need to append the entries below to the existing list and then remove the existing entries once the MX records have been changed.
  1. Login to the G Suite Admin Console with an administrators account.
  2. Click on Apps, then G Suite Core Services.
  3. Click on GMail to take you to Settings for Gmail.
  4. Click on Advanced Settings at the bottom of the page.
  5. Scroll down to Spam, phishing, and malware and configure/edit the Inbound Gateways
  6. Add a Name to the Inbound setting for example “Email Security if not already configured.
  7. Add the IP addresses for our service and click Save.
    For EU customers: https://help.clouduss.com/ems-knowledge-base/mx-records-and-ip-addresses-for-eu-customers
    For non-EU customers: https://help.clouduss.com/ems-knowledge-base/mx-records-and-ip-addresses-for-non-eu-customers
  8. The entries should look like this if using the EU servers (NOTE: ensure you DO NOT click Reject all mail not from gateway IPs)
  9. At the bottom of the Advanced Settings page, click Save to apply the changes.
  10. Ensure that this configuration is replicated to G Suite before changing any MX records.
It can take up to an hour for changes to propagate to user accounts for GMail using G Suite. You can track changes in the Admin console audit log
Post MX record change

Once MX records have been changed and replicated to the internet email should start flowing through the Email Security product. You can verify this via the Email Security Activity reports and charts.  You can also check this in the G Suite portal by following these steps:

  1. Login to the G Suite Admin Console with an administrators account.
  2. Click on Apps, then G Suite Core Services.
  3. Click on GMail to take you to Settings for Gmail.
  4. Click on Advanced Settings at the bottom of the page.
  5. Scroll down to MX records and validate they match the below:1.      
    For EU customers: https://help.clouduss.com/ems-knowledge-base/mx-records-and-ip-addresses-for-eu-customers
    For non-EU customers: https://help.clouduss.com/ems-knowledge-base/mx-records-and-ip-addresses-for-non-eu-customers
Once you have verified this you can restrict Gmail G Suite to reject all other traffic, to reduce spam.

To reject all other traffic:

  1. Login to the G Suite Admin Console with an administrators account.
  2. Click on Apps, then G Suite Core Services.
  3. Click on GMail to take you to Settings for Gmail.
  4. Click on Advanced Settings at the bottom of the page.
  5. Scroll down to Spam, phishing, and malware and edit the Inbound Gateways
  6. Select the check box for Reject all mail not from gateway IPs and click on Save.
  7. At the bottom of the Advanced Settings page, click Save to apply the changes.

Additional Options

By default, Gmail using G suite will still scan all emails for spam.  If you do not want G Suite to quarantine any of the messages, you can whitelist the Email Security service IP’s. To do this follow these steps:

  1. Login to the G Suite Admin Console with an administrators account.
  2. Click on Apps, then G Suite Core Services.
  3. Click on GMail to take you to Settings for Gmail.
  4. Click on Advanced Settings at the bottom of the page.
  5. Scroll down to Spam, phishing, and malware and under Email whitelist add the Email Security service IP addresses as shown below:
  6. At the bottom of the Advanced Settings page, click Save to apply the changes

Configure Outbound mail on Gmail using G Suite to send Email via the EMS servers

To configure outbound email for GMail using G Suite you will need to login to the GMail using G Suite Admin console.  As we use two smart hosts you will need to route the outbound email via a host and rule.  Here are the details required to configure outbound email to the Email Security product:

  1. Login to the G Suite Admin Console with an administrators account.
  2. Click on Apps, then G Suite Core Services.
  3. Click on GMail to take you to Settings for Gmail.
  4. Click on Advanced Settings at the bottom of the page.
  5. Click on Hosts Tab then Add Route button
  6. Give the route a Name like “EMS Outbound”
  7. In the Specify Email server select Multiple hosts.
  8. Add a primary entry for each of the outbound servers, for example, for the EU region:
  9. Click Save
  10. Navigate back to General setting tab and scroll to the Routing setting in the Routing section
  11. Click configure for Routing. This will open up a new Add setting option.
  12. Enter a name like “EMS Outbound Rule”
  13. Select the checkbox for Outbound in Messages to affect. (section 1)
  14. Select Change route in For the above types of messages, do the following. (Section 3)
  15. Change the Normal routing to "EMS Outbound Rule" created above. (Section 3)
  16. (Optional) Under Encryption (onward delivery only), check the Require Secure Transport (TLS) option
  17. Click Add Setting button or, if editing an existing configuration, click Save.
  18. At the bottom of the Advanced Settings page, click Save.
It can take up to an hour for changes to propagate to user accounts. You can track changes in the Admin console audit log.


How did we do?