About Google Workspace
Google Workspace (formerly known as G Suite) is a cloud-based solution from Google. It offers email, security, archiving and other capabilities delivered on Google’s worldwide network of cloud data centers. For more information about Google Workspace see: https://workspace.google.com/.
Before You Start
Before continuing, it is recommended that you ensure the following information is readily available:
- the MX records for the domains you are configuring (needed for configuring Proofpoint Essentials)
- your Proofpoint Essentials IPs, Smart Host and SPF (needed for configuring Google Workspace)
- the Google Workspace administrator account (needed for configuring Google Workspace)
In addition, be sure the following steps have been completed:
- all email relays have been added to the organization and have been verified
- Spam and Digest settings have been configured
- all users have been added to the organization
- filter policies and/or sender lists have been set up
Use the Configuration Guide to ensure all the necessary steps have been completed before you make changes to the Google Workspace account.
Set up Inbound Mail flow
Proofpoint Essentials is deployed between your Google Workspace environment and the internet. Inbound mail is routed to Proofpoint Essentials (by changing your MX records), processed by Proofpoint Essentials, and then routed to Google Workspace.
You may have already completed the following step. If so, please proceed to the next step, Update the domain(s) associated With your Proofpoint Essentials account.
Configure Proofpoint Essentials for Inbound Mail Flow
Locate your MX record for the domain
- Sign in to the Google Admin console.
- Click Apps, then Google Workspace followed by Gmail.
- Click Setup.
- Under Setup, scroll down to MX records to view all the Points to values (alternatively, navigate to this information by entering MX records in the search field).
- Record these values: you will need them in the following step.
You may have already completed the following step. If so, please proceed to the next step, Configure Google Workspace.
Update the domain(s) associated With your Proofpoint Essentials account
- While logged into Proofpoint Essentials, under Account Management, click Domains.
- Click the menu icon next to the domain you wish to edit and select Edit Domain.
- Ensure the Domain Type is set to Relay. (If it is set to Management, change it.)
- Enter the name of the domain you want to add.
- In the Primary Delivery Destination field, paste the primary delivery destination that was copied from Google Workspace earlier (e.g. alt1.aspmx.l.google.com).
- Click Save.
- If editing more than one domain, repeat the procedure.
You can verify your domain at this stage or can verify it later. However, the domain must be verified before it can be enabled.
Configure Google Workspace
By-Pass Filtering in Google Workspace
Warning: Skipping this step may result in bounce errors if the original sender has a valid SPF or DMARC configuration. You must complete this procedure in order to ensure mail delivery.
- Sign in to the Google Admin console and click Apps, then Google Workspace followed by Gmail.
- Click on Spam, Phishing, and Malware.
- Hover the cursor to the right of Inbound gateway and, when the edit icon is shown, click on it.
- Check Enable.
- This will enable the inbound gateway control for this Google Workspace account and will expose additional options.
- Under Gateway IPs, add ALL Proofpoint IPs for the appropriate US or EU stack. IP addresses are found in the IP Addresses column of the Connection Details page.
- In addition, add the Google IP addresses listed below.
35.190.247.0/24 | 216.58.192.0/19 | 108.177.96.0/19 |
64.233.160.0/19 | 216.239.32.0/19 | 35.191.0.0/16 |
66.102.0.0/20 | 172.217.0.0/19 | 130.211.0.0/22 |
66.249.80.0/20 | 172.217.32.0/20 | 2001:4860:4000::/36 |
72.14.192.0/18 | 172.217.128.0/19 | 2404:6800:4000::/36 |
74.125.0.0/16 | 172.217.160.0/20 | 2607:f8b0:4000::/36 |
108.177.8.0/21 | 172.217.192.0/19 | 2800:3f0:4000::/36 |
173.194.0.0/16 | 172.253.56.0/21 | 2a00:1450:4000::/36 |
209.85.128.0/17 | 172.253.112.0/20 | 2c0f:fb50:4000::/36 |
- Check Automatically detect external IP.
- This causes Gmail to scan the message header in order to locate the first occurrence of an IP address that is not listed in the Gateway IPs. Such an IP address is referred to as the "external IP", which Gmail considers the sending IP and uses for SPF checks and spam evaluation.
- Check Reject all mail not coming from gateway IPs.
- Check Require TLS for connection from the email gateways listed above.
- Click Save.
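A minimal model of the external-IP selection described above, as an added example (not Google's or Proofpoint's code). The gateway ranges and the message are constructed and use documentation address ranges; it shows why every filtering hop must be in Gateway IPs, since a missing range makes the gateway itself look like the sender for SPF checks.

```python
import ipaddress
import re
from email import message_from_string

# Constructed gateway list (documentation ranges), standing in for the
# Proofpoint and Google ranges entered under Gateway IPs.
GATEWAY_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]

# Constructed message: Received headers are prepended, so the newest hop is first.
SAMPLE = """\
Received: from gw2.filter.example (gw2.filter.example [198.51.100.7])
 by mx.recipient.example with ESMTPS; Tue, 02 Jan 2024 10:00:03 +0000
Received: from gw1.filter.example (gw1.filter.example [192.0.2.25])
 by gw2.filter.example with ESMTPS; Tue, 02 Jan 2024 10:00:02 +0000
Received: from mail.sender.example (mail.sender.example [203.0.113.40])
 by gw1.filter.example with ESMTPS; Tue, 02 Jan 2024 10:00:01 +0000
From: alice@sender.example
To: bob@recipient.example
Subject: constructed sample

body
"""

IP_IN_BRACKETS = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")

def external_ip(raw_message, gateway_nets):
    """Return the first hop IP (newest first) that is not a gateway IP, or None."""
    msg = message_from_string(raw_message)
    for received in msg.get_all("Received", []):
        m = IP_IN_BRACKETS.search(received)
        if not m:
            continue  # hop recorded without a bracketed address
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # bracketed text was not a valid address
        if not any(ip in net for net in gateway_nets):
            return ip
    return None
```

With the full gateway list the function returns the original sender's address; with `192.0.2.0/24` left out it returns the first filtering hop instead, which is the condition behind the SPF and DMARC bounces the warning above describes.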
There have been instances where Google has prevented delivery from its own IP addresses. The only solution Google has provided for this is to clear the "Reject all mail not from gateway IPs" checkbox. If you do this, however, your mail server is not locked down; that is, it is not set to accept external mail only from Proofpoint IPs. As a result, it is possible for senders to route directly to your mail system instead of following normal MX lookups to route through Proofpoint. This option should only be used if Google is preventing delivery from its own IPs.
If you experience delivery issues, confirm if this scenario is applicable to your organization. The error you would have received is similar to this:
Google tried to deliver your message, but it was rejected by the relay aspmx.l.google.com [Google IP]. We recommend contacting the other email provider at postmaster@aspmx.l.google.com for further information about the cause of this error. The error that the other server returned was 421 4.7.0 IP not in whitelist for RCPT domain, closing connection.
Update Safety Settings
Google Workspace's safety settings allow organizations to enable or disable policies related to viewing and accessing email. If you currently have enabled some or all of these settings, you may experience delivery issues. Please review the following steps to ensure your settings align with the best practices for Proofpoint Essentials.
- In the Google Admin console, click Apps, then Google Workspace followed by Gmail.
- Click Safety to expand the options.
- Click Attachments and make any changes you wish, then click Save.
- Click Links and external images and make any changes you wish, then click Save.
- Click Spoofing and authentication.
- Uncheck all settings.
- Proofpoint Essentials recommends that all options be disabled to avoid issues with mail flow. This includes "Apply future recommended settings automatically", which, if enabled, may cause future mail flow issues.
Be sure to disable these features: leaving them enabled has been known to cause bounceback errors, indicating a DMARC issue via the error message "Unauthenticated email from proofpoint.com is not accepted due to domain's DMARC policy". In addition, leaving these settings enabled can also erroneously result in error messages indicating emails are not coming from a trusted source.
- Click Save.
Configure Internal Routing
These steps ensure that email exchanged internally remains within Google Workspace and is not processed by Proofpoint Essentials.
- In the Google Admin console, click Apps, then Google Workspace followed by Gmail.
- Click Hosts to expand the options.
- Click Add Route.
- The Edit main route screen opens.
- In the Name field, enter a value (e.g. "Internal Mail handling for Google Workspace").
- In the Single host field, enter "aspmx.l.google.com" and then, in the second field, enter 25.
- Make sure that the Perform MX lookup on host option is not checked, and that the following options are checked:
- Require mail to be transmitted via a secure (TLS) connection
- Require CA signed certificate
- Validate certificate hostname
- Click Save.
- In the top navigation menu, click Settings for Gmail again, then Routing.
- Under the Routing section, click Configure.
- If a rule already exists, click Add Another Rule
- In the description field, enter a value (e.g. "Internal routing for Google Workspace").
- Under Email messages to affect, check Internal Sending.
- Scroll down and under Route, check Change route, then change the default dropdown from Normal Routing to Internal Google Workspace.
- This is the route created in Step 4
- Scroll down and select Show options.
- The screen expands.
- Under B. Account types to affect, check both Users and Groups.
- Under C. Envelope Filter, check Only affect specific envelope senders and then change the dropdown from "Single email address" to Pattern Match.
- Under Regexp, enter your domain (e.g. domain.com).
- Click Save.
Google Workspace will enable the new route automatically once you save it. If you are not ready to cut over your mail flow, then you should disable the new route.
On the Routing page, click the Disable action listed next to the newly created route ("Internal routing for Google Workspace") followed by Proceed.
Set Up Outbound Mail flow
Proofpoint Essentials is deployed between the Google Workspace environment and the internet. Outbound mail is routed to Proofpoint Essentials by configuring an outbound mail gateway. If you do not want to route outbound email through Proofpoint Essentials, you can skip this step. However, this step is required if the Email Encryption or Email Warning Tag features are being used.
Configure Proofpoint Essentials for Outbound Mail Flow
- Under Account Management, click Features.
- Check Enable Outbound Relaying.
- Click Save.
- Under Account Management, click Domains.
- Under Sending Servers, click Manage Hosted Services.
- Click the enable control next to Google Apps, then click Save.
Configure Outbound Mail Routing
- In the Google Admin console, click Apps, then Google Workspace, followed by Gmail.
- Click Hosts to expand the options.
- Click Add Route.
- The Add mail route panel opens.
- Enter a name for the route (e.g. Proofpoint Essentials Outbound Connector).
- In the Single host field, enter the smart host value (e.g. outbound-us1.ppe-hosted.com) located on the Connection Details page and then, in the second field, enter 25.
- Click Save.
- In the top navigation menu, click Settings for Gmail again, then Routing.
- Under the Routing section, click Configure.
- If a rule already exists, click Add Another Rule.
- Enter a description (e.g. "Outbound through Proofpoint Essentials").
- For Email messages to affect, select Outbound.
- Scroll down and under Route, check Change route, then check Also reroute spam.
- Change the default dropdown from Normal Routing to Proofpoint Essentials Outbound Connector.
- This is the route created in Step 4
- Scroll down and select Show options.
- The screen expands.
- Under B. Account types to affect, check Users, Groups, and Unrecognized / Catch-all.
- Under C. Envelope Filter, check Only affect specific envelope senders and then change the dropdown from "Single email address" to Pattern Match.
- Under Regexp, enter your domain (e.g. domain.com).
- Click Save.
Google Workspace will enable the new route automatically once you save it. If you are not ready to cut over your mail flow, then you should disable the new route.
On the Routing page, click the Disable action listed next to the newly created route ("Outbound through Proofpoint Essentials") followed by Proceed.
For environments with more than one sending domain, there are two options:
- set up multiple Outbound Routing rules using the same host and with different sender domains in your pattern match
- use a more advanced Regexp as described here: https://support.google.com/a/answer/1346938?hl=en-GB
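One way to build a single pattern for several sending domains, as an added example that is not part of the original guide. The domains and senders are constructed. Python's `re` stands in for the Pattern Match field, on the assumption that the field accepts this syntax and matches an unanchored pattern anywhere in the address.

```python
import re

# Constructed envelope senders used to compare the two patterns.
SENDERS = [
    "alice@example.com",
    "bob@example.org",
    "carol@example.com.other.example",  # domain only starts with example.com
    "dave@examplexcom.example",         # "." in an unescaped pattern matches "x"
    "eve@notexample.com",               # domain only ends with example.com
]

def sender_pattern(domains):
    """Build one anchored pattern matching senders at exactly these domains."""
    alternatives = "|".join(re.escape(d.lower()) for d in sorted(set(domains)))
    return rf"^[^@\s]+@({alternatives})$"

def matching(pattern, senders):
    """Return the senders the pattern matches, using search semantics."""
    return [s for s in senders if re.search(pattern, s, re.IGNORECASE)]

if __name__ == "__main__":
    anchored = sender_pattern(["example.org", "example.com"])
    print("anchored pattern:", anchored)
    print("anchored matches:", matching(anchored, SENDERS))
    # A bare domain, unescaped and unanchored, also matches lookalike domains.
    print("bare 'example.com' matches:", matching("example.com", SENDERS))
```

Escaping the dots and anchoring both ends keeps the rule limited to the listed domains regardless of how the matcher treats unanchored input.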
Changes can take up to 24 hours to be applied in Google Workspace.
Carlos Rios