Situation | You want to set up Proofpoint Essentials with the Google Workspace (Gsuite) service. |
---|---|
Solution | An outline for setting up Google Workspace (Gsuite) in conjunction with Proofpoint Essentials. See below for how to set up both inbound and outbound mail flow. |
This article explains how to configure Google Workspace (Gsuite) to use Proofpoint Essentials as your mail gateway.
What Is Google Workspace?
Google Workspace (also known as Gsuite) is a cloud-based solution from Google which offers email, messaging, security, archiving and other capabilities delivered from Google’s worldwide network of cloud data centers.
For more information please see: https://workspace.google.com/
Before You Start
Before continuing with the provisioning and configuration of the Proofpoint Essentials service, it is recommended that you have the information listed below.
INFORMATION NEEDED FOR CONFIGURING PROOFPOINT ESSENTIALS
- MX record(s) for domain(s) you are configuring
INFORMATION NEEDED FOR CONFIGURING G SUITE
- Proofpoint Essentials IPs, Smart Host and SPF
- Google admin account
Setup Inbound Mail Flow
Proofpoint Essentials is deployed between the customer’s Google Workspace environment and the Internet. Inbound mail is routed to Proofpoint Essentials by changing the customer’s MX records. After email is processed by Proofpoint Essentials it is routed to Google Workspace.
Configure Proofpoint Essentials
LOCATE YOUR MX RECORD FOR THE DOMAIN IN G SUITE
- Sign in to the Google Admin console.
- From the dashboard go to Apps > Google Workspace > Gmail > Setup.
- Under Setup, scroll down to MX records and make note of all the Points to values (you can also enter MX records in the search field).
These values will be necessary when you add your domains to Proofpoint Essentials.
ADDING DOMAIN(S) TO PROOFPOINT ESSENTIALS
- Sign in to the Proofpoint Essentials user interface.
- Navigate to Administration > Account Management > Domains > New Domain.
- Enter the domain name you wish to configure.
- Ensure Relay is selected for domain purpose.
- For Delivery Destination, enter the MX record from Google that you copied earlier (generally ASPMX.L.GOOGLE.COM).
- For the subsequent Failovers, enter the additional MX records (e.g. SMTP Failover 1: ALT1.ASPMX.L.GOOGLE.COM).
You can verify your domain at this stage or at a later time. However, the domain must be verified before it can be enabled.
- Under Verification Method, select Verify by TXT Record, and then press Verify Later.
- Repeat if you are adding more than one domain.
The delivery and failover destinations refer to the Points to values captured in the previous section.
Configure Google Workspace
CONFIGURE INBOUND MAIL GATEWAY
Skipping Inbound Mail Gateway Configuration
Skipping this step has been verified to cause bounce errors if the original sender has a valid SPF or DMARC configuration in place. Be sure to configure the inbound gateway to ensure mail delivery.
- Sign in to the Google Admin console.
- From the dashboard go to Apps > Google Workspace > Gmail > Advanced Settings.
If you do not see Advanced Settings, scroll down to "New Google Workspace Configuration", as you have Google's new layout.
- On the General Settings tab, scroll down to Spam, phishing, and malware > Inbound Gateway.
- Hover the cursor to the right of Inbound gateway. To create a new inbound gateway setting, click Configure.
- Under Gateway IPs, enter the Proofpoint Essentials IP addresses, as well as these Google IP addresses:
· 35.190.247.0/24
· 64.233.160.0/19
· 66.102.0.0/20
· 66.249.80.0/20
· 72.14.192.0/18
· 74.125.0.0/16
· 108.177.8.0/21
· 173.194.0.0/16
· 209.85.128.0/17
· 216.58.192.0/19
· 216.239.32.0/19
· 172.217.0.0/19
· 172.217.32.0/20
· 172.217.128.0/19
· 172.217.160.0/20
· 172.217.192.0/19
· 172.253.56.0/21
· 172.253.112.0/20
· 108.177.96.0/19
· 35.191.0.0/16
· 130.211.0.0/22
· 2001:4860:4000::/36
· 2404:6800:4000::/36
· 2607:f8b0:4000::/36
· 2800:3f0:4000::/36
· 2a00:1450:4000::/36
· 2c0f:fb50:4000::/36
- Check Automatically detect external IP.
When this setting is enabled, Gmail scans the message header to locate the first occurrence of an IP address that is not listed in the Gateway IPs. This is referred to as the “external IP.” Gmail considers the “external IP” as the sending IP and uses this IP for SPF checks and spam evaluation.
- Check Reject all mail not coming from gateway IPs.
- Check Require TLS for connection from the email gateways listed above.
- Click Save and then Enable the Inbound Gateway.
UPDATE SAFETY SETTINGS
G Suite's safety settings allow organizations to enable or disable policies related to viewing and accessing email. If you have enabled some or all of these settings you may experience some delivery issues. Please review the following steps to ensure your settings are supported.
- While signed into the Google Admin console, go to Apps > Google Workspace > Gmail.
- Click Safety to expand options.
No changes to Attachments settings or Links and external images are required. You can leave these settings as they are.
- If you have Spoofing and authentication settings enabled (either all or customized) consider the following setting:
  - Protect against any unauthenticated emails
    - Proofpoint Essentials has already scanned incoming emails for SPF and/or DKIM issues. Emails with issues are scored accordingly and quarantined if they exceed your spam threshold.
    - This setting needs to be disabled. If it is enabled it may cause unexpected delivery issues for incoming email.
    - Uncheck "Apply future recommended settings automatically", as this may cause "Protect against any unauthenticated emails" to be checked again, causing the error.
DMARC Errors
Not disabling this feature has also been known to cause bounce back errors indicating a DMARC issue. Please ensure you disable this as instructed.
The error message would be: Unauthenticated email from proofpoint.com is not accepted due to domain's DMARC policy
Setup Inbound And Outbound Mail Flow
Proofpoint Essentials is deployed between the customer’s Google Workspace environment and the Internet. Outbound mail is routed to Proofpoint Essentials by configuring an outbound mail gateway. This will route all outbound mail to Proofpoint Essentials.
Configure Proofpoint Essentials
ENABLE OUTBOUND RELAYING
- Sign in to the Proofpoint Essentials user interface.
- Navigate to Administration > Features.
- Check Enable Outbound Relaying.
- Click Save.
ADD SERVICE IP ADDRESSES TO YOUR INBOUND GATEWAY
- While logged into the Proofpoint Essentials user interface, navigate to Administration > Domains.
- Click Managed Hosted Services.
- Choose Google Apps.
- Click Save.
Configure Google Workspace
CONFIGURE OUTBOUND MAIL GATEWAY
- Sign in to the Google Admin console.
- From the dashboard go to Apps > Google Workspace > Gmail > Advanced Settings.
- While on the General Settings tab, scroll down to the Routing > Outbound Gateway (you can also enter Outbound Gateway in the search field).
- In the Outbound Gateway text field, enter the Proofpoint Essentials Smart host value.
- Click Save.
- Click Settings for Gmail in the upper left, then click on Hosts (or go to https://admin.google.com/ac/apps/gmail/hosts).
- Select Add Route.
- For Name, enter Internal Google Workspace; for the single host, enter ASPMX.L.GOOGLE.COM, and then enter 25 as the port.
- Make sure that Perform MX lookup on host is NOT checked, and that Require mail to be transmitted via a secure connection, Require CA signed certificate, and Validate certificate hostname are checked, then press Save.
- Click Settings for Gmail in the upper left again, then click Advanced settings.
- Scroll down to Routing, and then press Configure.
- For the description at the top, put Internal Routing.
- Under Messages to affect, check the box that says Internal Sending.
- Under Envelope Filter, check Only affect specific envelope senders, then change the dropdown to Pattern match.
- Enter your @domain.com name there.
- Scroll down, and under Route, check Change route, and then change the dropdown to Internal Google Workspace.
- Click Add Setting, and then make sure to press SAVE in the lower right.
Please Note: When configured as per the instructions above, internal to internal email stays within Google Workspace and is NOT scanned for Spam by Proofpoint Essentials.
New Google Workspace Configuration
Configure Inbound Mail Gateway
Skipping Inbound Mail Gateway Configuration
Skipping this step has been verified to cause bounce errors if the original sender has a valid SPF or DMARC configuration in place. Be sure to configure the inbound gateway to ensure mail delivery.
- Sign in to the Google Admin console.
- From the dashboard go to Apps > Google Workspace > Gmail > Spam, phishing, and malware.
- Hover the cursor to the right of Inbound gateway and click on the pencil icon.
- Under Gateway IPs, enter the Proofpoint Essentials IP addresses, as well as these Google IP addresses:
· 35.190.247.0/24
· 64.233.160.0/19
· 66.102.0.0/20
· 66.249.80.0/20
· 72.14.192.0/18
· 74.125.0.0/16
· 108.177.8.0/21
· 173.194.0.0/16
· 209.85.128.0/17
· 216.58.192.0/19
· 216.239.32.0/19
· 172.217.0.0/19
· 172.217.32.0/20
· 172.217.128.0/19
· 172.217.160.0/20
· 172.217.192.0/19
· 172.253.56.0/21
· 172.253.112.0/20
· 108.177.96.0/19
· 35.191.0.0/16
· 130.211.0.0/22
· 2001:4860:4000::/36
· 2404:6800:4000::/36
· 2607:f8b0:4000::/36
· 2800:3f0:4000::/36
· 2a00:1450:4000::/36
· 2c0f:fb50:4000::/36
- Check Automatically detect external IP.
When this setting is enabled, Gmail scans the message header to locate the first occurrence of an IP address that is not listed in the Gateway IPs. This is referred to as the “external IP.” Gmail considers the “external IP” as the sending IP and uses this IP for SPF checks and spam evaluation.
- Check Reject all mail not coming from gateway IPs.
- Check Require TLS for connection from the email gateways listed above.
- Click Save and then Enable the Inbound Gateway.
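The "Automatically detect external IP" behaviour described in the note above (in both the classic and the new layout instructions) can be modelled to see why the Gateway IPs list must be complete. This is an added example, not Proofpoint or Google code: it assumes the scan walks Received headers from the newest hop down, and the gateway ranges, host names and message are constructed.

```python
import ipaddress
import re
from email import message_from_string

# Constructed gateway ranges (RFC 5737 documentation networks) standing in for
# the Proofpoint Essentials and Google ranges entered under Gateway IPs.
GATEWAY_CIDRS = ["192.0.2.0/24", "198.51.100.0/24"]

# Constructed message: sender's server -> gateway -> Gmail (newest hop on top).
SAMPLE = """\
Received: from gw1.gateway.example (gw1.gateway.example [192.0.2.25])
    by mx.mailbox.example with ESMTPS id aaa111; Mon, 1 Jan 2024 10:00:02 +0000
Received: from mail.sender.example (mail.sender.example [203.0.113.7])
    by gw1.gateway.example with ESMTPS id bbb222; Mon, 1 Jan 2024 10:00:01 +0000
From: alice@sender.example
To: bob@customer.example
Subject: constructed sample

Hello.
"""

BRACKETED_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")


def external_ip(raw_message, gateway_cidrs):
    """Return the first header IP, newest hop first, outside the gateway list."""
    gateways = [ipaddress.ip_network(cidr) for cidr in gateway_cidrs]
    msg = message_from_string(raw_message)
    for hop in msg.get_all("Received", []):
        for text in BRACKETED_IP.findall(hop):
            try:
                addr = ipaddress.ip_address(text)
            except ValueError:
                continue  # bracketed token that is not an IP literal
            if not any(addr in net for net in gateways):
                return str(addr)
    return None  # every hop was a listed gateway


if __name__ == "__main__":
    # Complete list: the sender's server is found, so SPF is checked against it.
    print(external_ip(SAMPLE, GATEWAY_CIDRS))
    # Gateway range missing: the gateway itself is taken as the sender,
    # and the original sender's SPF would be evaluated against the wrong IP.
    print(external_ip(SAMPLE, ["198.51.100.0/24"]))
```

Running the same function over the headers of a bounced message, with the ranges actually entered in the Admin console, shows which hop Gmail would treat as the sender.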
UPDATE SAFETY SETTINGS
G Suite's safety settings allow organizations to enable or disable policies related to viewing and accessing email. If you have enabled some or all of these settings you may experience some delivery issues. Please review the following steps to ensure your settings are supported.
- While signed into the Google Admin console, go to Apps > Google Workspace > Gmail.
- Click Safety to expand options.
No changes to Attachments settings or Links and external images are required. You can leave these settings as they are.
- If you have Spoofing and authentication settings enabled (either all or customized) consider the following setting:
  - Protect against any unauthenticated emails
    - Proofpoint Essentials has already scanned incoming emails for SPF and/or DKIM issues. Emails with issues are scored accordingly and quarantined if they exceed your spam threshold.
    - These settings need to be disabled. If they are enabled, they may cause unexpected delivery issues for incoming email.
    - Make sure to turn off "Apply future recommended settings automatically" as well, as this may cause "Protect against any unauthenticated emails" to be turned back on, causing an error.
DMARC Errors
Not disabling this feature has also been known to cause bounce back errors indicating a DMARC issue. Please ensure you disable this as instructed.
The error message would be: Unauthenticated email from proofpoint.com is not accepted due to domain's DMARC policy
Setup Inbound And Outbound Mail Flow
Proofpoint Essentials is deployed between the customer’s Google Workspace environment and the Internet. Outbound mail is routed to Proofpoint Essentials by configuring an outbound mail gateway. This will route all outbound mail to Proofpoint Essentials.
Configure Proofpoint Essentials
ENABLE OUTBOUND RELAYING
- Sign in to the Proofpoint Essentials user interface.
- Navigate to Administration > Features.
- Check Enable Outbound Relaying.
- Click Save.
ADD SERVICE IP ADDRESSES TO YOUR INBOUND GATEWAY
- While logged into the Proofpoint Essentials user interface, navigate to Administration > Domains.
- Click Managed Hosted Services.
- Choose Google Apps.
- Click Save.
Configure Google Workspace
CONFIGURE OUTBOUND MAIL GATEWAY
- Sign in to the Google Admin console.
- From the dashboard go to Apps > Google Workspace > Gmail > Routing.
- Highlight Outbound Gateway and click on the pencil icon on the right side.
- In the Outbound Gateway text field, enter the Proofpoint Essentials Smart host value.
- Click Save.
- Click Settings for Gmail in the upper left, then click on
Carlos Rios