Internal emails (emails to users within your organization or to users with the same email domain) are not typically routed to the ETP/Zix Encryption service. The Zix Encryption service is intended to encrypt emails to recipients outside of your company and to decrypt emails sent to your company.
Google assumes that you will keep the domain's MX records pointed directly to it at all times. By default it therefore sends ALL traffic, including internal traffic (e.g. userA@domain.com to userB@domain.com), to the MX record (which normally would point directly to Google's Inbound Gateway) so that it can be scanned by the internal Google spam tests. We do not want this behavior with ETP/Zix Encryption, so you must explicitly configure Google to send internal traffic directly to Google's Inbound Gateway so that the original behavior is maintained. Please follow the instructions below to do this:
1. Sign in to the Google Admin Console.
2. From the dashboard, go to Apps > Google Workspace > Gmail > Hosts.
3. Select Add Route.
4. For Name, enter "Internal Mail". For the single host, enter ASPMX.L.GOOGLE.COM, then enter 25 in the following field (the SMTP port number).
5. Make sure that Perform MX lookup on host is NOT checked, and that Require mail to be transmitted via a secure connection, Require CA signed certificate, and Validate certificate hostname are checked, then press Save.
6. Click Settings for Gmail in the upper left again, then click Routing. The Routing page opens.
7. Scroll to Routing and then press Configure.
8. For the description at the top, enter Internal Routing.
9. Under Email Messages to affect, check the box that says Internal Sending.
10. Scroll down a little, and under Route, check Change route, and then change the dropdown to Internal Mail (or whatever you may have named the route you created in step 4).
11. Scroll all the way down and click Show Options.
12. Under B. Account types to affect, check the boxes for Users and Groups.
13. Under C. Envelope Filter, check Only affect specific envelope senders, then change the dropdown to Pattern match.
14. Enter this customer's domain there (domain.com).
15. Make sure to press SAVE in the lower right.

Done! After following these steps, internal Google Mail traffic will stay internal to Google and not come through the ETP/Zix Encryption service.
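To confirm the result, send a message between two internal users, use Show original in Gmail, and check which hosts appear in the Received headers. The script below is an added example, not part of the original article: it classifies a raw message as direct or routed through the gateway. The gateway suffix `encryption-gateway.example`, the sample messages, and the use of the From/To header domains to decide what counts as internal are all assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: hostname suffix of the encryption gateway (placeholder value;
# substitute the hosts your MX records actually point to).
GATEWAY_SUFFIXES = ("encryption-gateway.example",)
HOP_RE = re.compile(r"\b(from|by)\s+([A-Za-z0-9.-]+)", re.IGNORECASE)

def domain_of(header_value):
    """Lowercased domain part of an address header, or '' if missing."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def hop_hosts(raw_message):
    """Every 'from'/'by' hostname named in the Received headers, newest first."""
    msg = message_from_string(raw_message)
    return [host.lower().rstrip(".")
            for received in msg.get_all("Received", [])
            for _, host in HOP_RE.findall(received)]

def check_internal_message(raw_message, gateway_suffixes=GATEWAY_SUFFIXES):
    """Return 'not-internal', 'direct' or 'via-gateway' for one raw message."""
    msg = message_from_string(raw_message)
    sender, rcpt = domain_of(msg["From"]), domain_of(msg["To"])
    if not sender or sender != rcpt:
        return "not-internal"
    for host in hop_hosts(raw_message):
        if any(host == s or host.endswith("." + s) for s in gateway_suffixes):
            return "via-gateway"
    return "direct"

# Constructed sample messages (hosts, ids and addresses are made up).
DIRECT = """\
Received: from mail-out.google.com (mail-out.google.com [192.0.2.10])
        by mx.google.com with ESMTPS id constructed1
        for <userB@domain.com>; Mon, 1 Jan 2024 10:00:00 +0000
From: User A <userA@domain.com>
To: userB@domain.com
Subject: constructed sample

body
"""
VIA_GATEWAY = """\
Received: from mx1.encryption-gateway.example ([192.0.2.20])
        by mx.google.com with ESMTPS id constructed2; Mon, 1 Jan 2024 10:00:05 +0000
""" + DIRECT

if __name__ == "__main__":
    for name, raw in (("DIRECT", DIRECT), ("VIA_GATEWAY", VIA_GATEWAY)):
        print(name, check_internal_message(raw), hop_hosts(raw))
```

A `via-gateway` result for an internal message means the Internal Routing rule is not matching, so recheck the Internal Sending box and the envelope sender pattern.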
Carlos Rios