Situation: You want to set up Proofpoint Essentials with the Google Workspace (Gsuite) service.
What is Google Workspace?
Google Workspace (also known as Gsuite) is a cloud-based solution from Google. It offers email, security, archiving and other capabilities delivered on Google’s worldwide network of cloud data centers.
For more information please see: https://workspace.google.com/
Before you Start
Gather the information listed below. You will need this information later.
- the MX record(s) for the domain(s) you are configuring for Gsuite
- your environment's Proofpoint Essentials IPs, Smart Host and SPF
- login details for your Google admin account
Setting up Inbound Mail Flow
Proofpoint Essentials is deployed between your Google Workspace environment and the internet. Inbound mail is routed to Proofpoint Essentials (by changing your MX records), processed by Proofpoint Essentials, and then routed to Google Workspace.
Configure Proofpoint Essentials
In Google Workspace, locate the MX records for the domain as follows:
- Sign-In to the Google Admin console.
- From the console go to Apps > Google Workspace > Gmail > Setup.
- Under Setup, scroll down to MX records and make note of all the "Points to" values (instead of scrolling, you can find this information by entering MX records in the search field).
Note: Record these values; you will need them in the following step.
Adding domains to Proofpoint Essentials
- Sign-in to the Proofpoint Essentials user interface.
- Navigate to Administration > Account Management > Domains > New Domain.
- Enter the name of the domain you are configuring.
- Ensure the domain purpose is set to Relay.
- For Delivery Destination, enter the MX record you gathered earlier (Generally this is aspmx.l.google.com).
- For the Failovers, enter the additional MX Records (e.g. SMTP Failover 1: alt1.aspmx.l.google.com).
Note: You can verify your domain at this stage or verify it later. However, the domain must be verified before it can be enabled.
- Under Verification Method, select Verify by TXT Record, and then click Verify Later.
- Repeat for each subsequent domain.
Note: The delivery destination and failovers refer to the "Points to" values captured in the previous section.
Configuring Google Workspace
Configure Inbound Mail Gateway
Warning: Skipping this step will cause bounce errors if the original sender has a valid SPF or DMARC configuration. You must complete this procedure in order to ensure mail delivery.
- Sign in to the Google Admin console.
- From the console, navigate to Apps > Google Workspace > Gmail > Spam, phishing, and malware.
- Hover the cursor to the right of Inbound gateway and, when the pencil icon is shown, click on it.
- Under Gateway IPs, do the following:
  - Add ALL Proofpoint IPs for the appropriate US or EU stack you are using. Proofpoint IPs are listed here: Connection Details
  - Add these additional Google IP addresses:
- Check Reject all mail not coming from gateway IPs.
- Check Require TLS for connection from the email gateways listed above.
- Click Save and then Enable the Inbound Gateway.
Note that there have been instances where Google has prevented delivery from its own IP addresses. In this case, the only solution Google has provided is to clear the "Reject all mail not coming from gateway IPs" checkbox.
If you do this, however, your mail server is no longer locked down to accept external mail only from Proofpoint IPs. As a result, senders can route mail directly to your mail system instead of following the normal MX lookup that routes it through Proofpoint. Use this approach only if Google is preventing delivery from its own IPs.
If you experience delivery issues, check the bounce message to confirm whether this scenario applies to your organization.
The error received is similar to this:
Google tried to deliver your message, but it was rejected by the relay aspmx.l.google.com [Google IP]. We recommend contacting the other email provider at email@example.com for further information about the cause of this error. The error that the other server returned was: 421 4.7.0 IP not in whitelist for RCPT domain, closing connection.
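To make the gateway setting and the failure mode above concrete, the following Python script is an added example (it is not part of this article and not Proofpoint or Google code). It models the inbound gateway check: a connection from a listed gateway IP is accepted, a connection from any other address is refused with the 421 shown above when "Reject all mail not coming from gateway IPs" is ticked, and is accepted without having passed through Proofpoint when the checkbox is cleared. The address ranges and the sample connections are constructed placeholders from RFC 5737 documentation space, not the real Proofpoint or Google addresses.

```python
import ipaddress

# Constructed placeholder ranges (RFC 5737 documentation space); they are NOT the
# real Proofpoint Essentials or Google addresses. Replace them with the IPs from
# Proofpoint's Connection Details page and the Google addresses this article lists.
PROOFPOINT_STACK_RANGES = ["198.51.100.0/24"]
GOOGLE_ADDITIONAL_RANGES = ["203.0.113.0/25"]

# Constructed sample of inbound SMTP connections: (source IP, description).
SAMPLE_CONNECTIONS = [
    ("198.51.100.7", "mail relayed by Proofpoint Essentials"),
    ("203.0.113.10", "mail relayed by a Google address that is in the gateway list"),
    ("203.0.113.200", "mail relayed by a Google address that was left out of the list"),
    ("192.0.2.9", "sender connecting straight to Google instead of via the MX"),
]

# Rejection text quoted from the bounce shown in this article.
GATEWAY_REJECT = "421 4.7.0 IP not in whitelist for RCPT domain, closing connection"


def build_allowlist(*range_groups):
    """Flatten the configured Gateway IPs into ip_network objects."""
    return [ipaddress.ip_network(r, strict=False)
            for group in range_groups for r in group]


def gateway_decision(source_ip, allowlist, reject_non_gateway=True):
    """Model Google's inbound gateway check for one connection.

    Returns (accepted, reason). With reject_non_gateway=True (the checkbox
    'Reject all mail not coming from gateway IPs' ticked) any address outside
    the list is refused with the 421 the article quotes; with it cleared the
    message is accepted even though it never passed through Proofpoint."""
    ip = ipaddress.ip_address(source_ip)
    if any(ip in net for net in allowlist):
        return True, "gateway IP: accepted"
    if reject_non_gateway:
        return False, GATEWAY_REJECT
    return True, "non-gateway IP accepted: this message bypassed Proofpoint"


def audit_connections(connections, allowlist, reject_non_gateway=True):
    """Summarise which sample connections are rejected and which bypass the gateway."""
    rejected, bypassed = [], []
    for ip, _desc in connections:
        accepted, reason = gateway_decision(ip, allowlist, reject_non_gateway)
        if not accepted:
            rejected.append(ip)
        elif reason.startswith("non-gateway"):
            bypassed.append(ip)
    return {"rejected": rejected, "bypassed_proofpoint": bypassed}


if __name__ == "__main__":
    allowlist = build_allowlist(PROOFPOINT_STACK_RANGES, GOOGLE_ADDITIONAL_RANGES)
    print("checkbox ticked  :", audit_connections(SAMPLE_CONNECTIONS, allowlist))
    print("checkbox cleared :", audit_connections(SAMPLE_CONNECTIONS, allowlist, False))
```

With the checkbox ticked, the Google address that was left out of the gateway list (203.0.113.200 in the constructed sample) is refused with the same 421 as the direct sender, which is the symptom the bounce above describes; with the checkbox cleared both are accepted, and the audit lists them as having bypassed Proofpoint. That is the trade-off the paragraph above describes: clearing the checkbox restores delivery from Google's own addresses at the cost of no longer enforcing the gateway.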
Update Safety Settings
G Suite's safety settings allow organizations to enable or disable policies related to viewing and accessing email. If you currently have some or all of these settings enabled, you may experience delivery issues. Review the following steps to ensure your settings align with Essentials best practice.
- On the Google Admin console, go to Apps > Google Workspace > Gmail.
- Click Safety to expand options.
Note: It is not necessary to change the Attachments or Links and external images settings.
- If you have any Spoofing and authentication settings enabled, disable them all to ensure proper mail flow, including turning off "Apply future recommended settings automatically". Leaving that option on may automatically re-enable these settings and cause mail flow issues.
DMARC and Trusted Source Errors
Leaving these features enabled has been known to cause bounce-back errors indicating a DMARC issue.
Ensure you disable them as instructed.
The error message would be: Unauthenticated email from proofpoint.com is not accepted due to domain's DMARC policy
Leaving these settings enabled can also cause errors indicating that emails are not coming from a trusted source.
Setting Up Inbound and Outbound Mail flow
- Sign-in to the Proofpoint Essentials user interface.
- Navigate to Administration > Features.
- Check Enable Outbound Relaying.
- Click Save.
Add Service IP addresses to your Inbound Gateway
- In the Proofpoint Essentials user interface, navigate to Administration > Domains.
- Click Managed Hosted Services.
- From the two options on the pop up, click on Google Apps.
- Click Save.
Configure Google Workspace
Configure Outbound Mail Routing
- Sign In to the Google Admin console.
- From the console go to Apps > Google Workspace > Gmail > Hosts.
- Click Add Route.
- Give the entry an appropriate name like "Outbound" and in the Outbound Gateway text field, enter the Proofpoint Essentials Smart host value.
- Click Save.
- Navigate to Apps > Google Workspace > Gmail > Routing and, under Routing, click "Configure" or, if a rule already exists, "Add another Rule".
- Enter an appropriate routing name, e.g. "Outbound Through Proofpoint".
- For "Email messages to affect", select "Outbound".
- For "For the types of messages above, do the following", check "Change the route" and "Also reroute spam".
- Under this section there is a dropdown box. Select the Outbound route.
- Click "Show Options" to show additional fields (as shown in the screenshot above).
- Under "B. Account types to affect", select all the choices (users, groups and unrecognized/catch-all).
- Under "C. Envelope Filter", select Only affect specific envelope senders and then change the dropdown from "Single email address" to Pattern match.
- In the Regexp field, enter your domain name.
Please note that if you have more than one sending domain, you have two options:
- Set up multiple Outbound Routing rules using the same host and with different sender domains in your pattern match
- Use a more advanced Regexp as described here: https://support.google.com/a/answer/1346938?hl=en-GB
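The following Python script is an added example, not part of this article and not Google's or Proofpoint's code. It builds the single pattern-match regex for several sending domains (the second option above) and checks it against sample envelope senders, so you can confirm the rule covers exactly the addresses you intend before saving it in the Google Admin console. The same pattern serves the internal routing rule described later on this page. It assumes, and this is not stated by the article, that Google's "Pattern match" tests the expression against the whole envelope sender address; the domains and addresses are constructed samples.

```python
import re

# Constructed sample domains; replace with your own sending domains.
SENDING_DOMAINS = ["example.com", "example.org"]


def build_sender_pattern(domains, include_subdomains=False):
    """Build one anchored regex that matches envelope senders at any listed domain.

    Assumption (not stated by the article): Google's "Pattern match" option
    tests the regex against the whole envelope sender address, so the pattern is
    anchored with ^ and $ and the dots in each domain are escaped. Only basic
    syntax (alternation, character classes, anchors) is used so the expression
    is also valid for Google's RE2-based matcher."""
    alternatives = "|".join(re.escape(d.lower()) for d in domains)
    subdomain_part = r"(?:[^@\s]+\.)?" if include_subdomains else ""
    return re.compile(rf"^[^@\s]+@{subdomain_part}({alternatives})$", re.IGNORECASE)


def rule_applies(pattern, envelope_sender):
    """True if the routing rule would affect a message with this envelope sender."""
    return pattern.fullmatch(envelope_sender.strip()) is not None


def compare_with_bare_domain(domain, envelope_sender):
    """Show why an unescaped, unanchored entry such as 'domain.com' is looser:
    its '.' matches any character and it matches anywhere in the address.
    Returns (loose_match, anchored_match)."""
    loose = re.search(domain, envelope_sender, re.IGNORECASE) is not None
    strict = rule_applies(build_sender_pattern([domain]), envelope_sender)
    return loose, strict


if __name__ == "__main__":
    pattern = build_sender_pattern(SENDING_DOMAINS)
    print("Regexp to enter:", pattern.pattern)
    for sender in ["alice@example.com", "Bob@EXAMPLE.ORG",
                   "carol@example.net", "dave@mail.example.com"]:
        print(f"{sender:25} -> {rule_applies(pattern, sender)}")
    # Constructed lookalike address to illustrate the difference in precision.
    print("bare vs anchored:", compare_with_bare_domain("example.com", "user@examplexcom.test"))
```

Enter the printed expression in the Regexp field. Pass include_subdomains=True if you also send from subdomains of the listed domains; otherwise addresses such as dave@mail.example.com are deliberately excluded.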
Configure Internal Routing
- Navigate to Apps > Google Workspace > Gmail > Hosts.
- Select Add Route.
- For Name, enter Internal Google Workspace, for single host, enter aspmx.l.google.com and then, in the second field, enter 25.
- Make sure that the option Perform MX lookup on host is NOT checked, and that the following options are checked:
  - Require mail to be transmitted via a secure connection
  - Require CA signed certificate
  - Validate certificate hostname
- Then press Save.
- Click Settings for Gmail in the upper left again, then click Routing.
- Scroll down to Routing, and then click Configure or, if there is a rule already, click Add Another Rule.
- Enter a description at the top, e.g. Internal Routing.
- Under Messages to affect, check the box that says Internal Sending.
- Scroll down, and under Route, check Change route, and then change the default dropdown from Normal Routing to Internal Google Workspace.
- Scroll down and select Show options. The screen expands.
- Under B. Account types to affect, check both Users and Groups.
- Under C. Envelope Filter, check Only affect specific envelope senders and then change the dropdown from "Single email address" to Pattern Match.
- Under Regexp, enter your domain, e.g. domain.com.
- Click SAVE.
Please Note: When configured as per the instructions above, mail exchanged internally remains within Google Workspace and is NOT scanned for spam by Proofpoint Essentials.
These changes can take up to 24 hours to be applied in Google Workspace.
Sending to Groups/Distribution Lists with external recipients
With Google Workspace, messages may be sent to groups/distribution lists that have external recipients (outside of your domain). No changes are needed.
Update your MX Records
You will need to add the Proofpoint Essentials MX records to your domain's DNS.
You may want to add the MX records with a low priority (a higher MX preference number) ahead of your cutover. Once ready, you can then increase the priority of the Proofpoint Essentials MX records while decreasing the priority of your existing MX record.
Update Sender Policy Framework (SPF)
When sending outbound email through the Proofpoint Essentials gateway, external recipients will receive mail sent from Proofpoint Essentials rather than G Suite mail servers. If the recipient's mail service attempts to verify that the message came from your domain, it must confirm that the gateway server is an authorized mail server for your domain. To enable this, you need to add the Proofpoint Essentials SPF record to your domain(s).
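The following Python script is an added example, not part of this article and not Proofpoint code, covering the two DNS steps above. Given the MX and TXT records of a domain (constructed snapshots here, taken before and after the staged cutover described above), it checks that the highest-priority MX hosts are all Proofpoint Essentials gateways, lists any other MX host that still offers a direct path around the gateway, and validates the SPF record: exactly one v=spf1 record, the Proofpoint include present, and an explicit "all" qualifier at the end. The Proofpoint MX hostnames and SPF include are placeholders; use the values from your Essentials connection details.

```python
# Placeholders for values you get from Proofpoint Essentials; they are NOT the
# real hostnames. Take the actual MX hosts and SPF include from your Essentials
# connection details.
PROOFPOINT_MX_HOSTS = {"mx1-pp.placeholder.example", "mx2-pp.placeholder.example"}
PROOFPOINT_SPF_INCLUDE = "include:spf.placeholder.example"

# Constructed DNS snapshots for a domain before and after the MX cutover.
# Each MX record is (preference, host); the LOWEST preference number is tried first.
MX_BEFORE_CUTOVER = [
    (1, "aspmx.l.google.com."),
    (5, "alt1.aspmx.l.google.com."),
    (20, "mx1-pp.placeholder.example."),   # Proofpoint added at low priority
    (20, "mx2-pp.placeholder.example."),
]
MX_AFTER_CUTOVER = [
    (1, "mx1-pp.placeholder.example."),
    (1, "mx2-pp.placeholder.example."),
    (20, "aspmx.l.google.com."),            # old record kept at low priority
]
TXT_RECORDS = [
    "google-site-verification=placeholder",
    "v=spf1 include:_spf.google.com include:spf.placeholder.example -all",
]


def _norm(host):
    """Normalise a DNS hostname for comparison (trailing dot, case)."""
    return host.rstrip(".").lower()


def check_mx(mx_records, gateway_hosts=PROOFPOINT_MX_HOSTS):
    """Report whether the highest-priority MX hosts are all Proofpoint gateways,
    and list any other MX hosts (a retained Google MX still accepts direct
    delivery unless the inbound gateway rejects non-gateway IPs)."""
    expected = {_norm(h) for h in gateway_hosts}
    lowest = min(pref for pref, _ in mx_records)
    primary = {_norm(h) for pref, h in mx_records if pref == lowest}
    others = sorted({_norm(h) for _, h in mx_records} - expected)
    return {"primary_is_gateway": primary <= expected, "non_gateway_hosts": others}


def check_spf(txt_records, required_include=PROOFPOINT_SPF_INCLUDE):
    """Validate the domain's SPF record: exactly one v=spf1 record, the gateway
    include present, and an explicit 'all' qualifier as the last term."""
    spf = [t for t in txt_records if t.lower().startswith("v=spf1")]
    if len(spf) != 1:
        return {"ok": False, "reason": f"found {len(spf)} SPF records; exactly one is allowed"}
    terms = spf[0].split()
    if required_include.lower() not in (t.lower() for t in terms[1:]):
        return {"ok": False, "reason": f"{required_include} missing"}
    if terms[-1].lower() not in ("-all", "~all", "?all"):
        return {"ok": False, "reason": "record does not end with an 'all' qualifier"}
    return {"ok": True, "reason": "gateway include present and record well formed"}


if __name__ == "__main__":
    print("before cutover:", check_mx(MX_BEFORE_CUTOVER))
    print("after cutover :", check_mx(MX_AFTER_CUTOVER))
    print("SPF           :", check_spf(TXT_RECORDS))
```

Before the cutover the check reports that the primary MX is still Google, which is the expected state while the Proofpoint records sit at low priority; after the cutover it reports the gateway as primary and still lists the retained Google MX, which is why the inbound gateway's "Reject all mail not coming from gateway IPs" setting matters for the period that record remains.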