Situation: You want to set up Proofpoint Essentials with the Google Workspace (Gsuite) service.
Solution: An outline for setting up Google Workspace (Gsuite) in conjunction with Proofpoint Essentials. See below for how to set up both inbound and outbound mail flow.
This article explains how to configure Google Workspace (Gsuite) to use Proofpoint Essentials as your mail gateway.
What Is Google Workspace?
Google Workspace (also known as Gsuite) is a cloud-based solution from Google which offers email, messaging, security, archiving and other capabilities delivered from Google’s worldwide network of cloud data centers.
NOTE: G Suite Legacy Free editions do not have access to the Advanced Settings; to set up G Suite with Proofpoint Essentials you will need to upgrade to a paid account: https://workspace.google.com/pricing.html
For more information please see: https://workspace.google.com/
Before You Start
Before continuing with the provisioning and configuration of the Proofpoint Essentials service, it is recommended that you have the information listed below.
INFORMATION NEEDED FOR CONFIGURING PROOFPOINT ESSENTIALS
- MX record(s) for domain(s) you are configuring
INFORMATION NEEDED FOR CONFIGURING G SUITE
- Proofpoint Essentials IPs, Smart Host and SPF
- Google admin account
STEP 1 - Populate Proofpoint
Before you even think of setting up mail flow through Proofpoint (assuming you have already created a tenant for the client on the Proofpoint Essentials platform), you need to populate the users first. You can export all the users from Google Workspace and then use that data for a CSV import into Proofpoint Essentials. You can find the steps here:
Since the export does not take aliases or distribution groups into account, you will probably want to use SMTP Discovery to discover any missing items once mail flow is turned on. Learn more about SMTP Discovery here:
https://vircomhelp.freshdesk.com/support/solutions/articles/48001147308-how-to-enable-smtp-discovery
IMPORTANT SAFETY TIP When you populate users in Proofpoint, it can take up to one hour for them to be "live". The way the Proofpoint architecture works is that the master control server (the place where you set up Proofpoint) pushes settings down to the mail clusters, and the data propagates to the clusters at the top and bottom of every hour. To be on the safe side, we always recommend waiting an hour before changing MX records.
STEP 2 - Setup Inbound Mail Flow
Proofpoint Essentials is deployed between the customer’s Google Workspace environment and the Internet. Inbound mail is routed to Proofpoint Essentials by changing the customer’s MX records. After email is processed by Proofpoint Essentials it is routed to Google Workspace.
STEP 2a - Configure Proofpoint Essentials
LOCATE YOUR MX RECORD FOR THE DOMAIN IN G SUITE
- Sign in to the Google Admin console.
- From the dashboard go to Apps > Google Workspace > Gmail > Setup.
- Under Setup, scroll down to MX records and make note of all the hosts and their Priority values (you can also enter MX records in the search field). Here's an example:
If your domain was onboarded on Google before 2023, you would have several MX records pointing to Workspace:
If your domain was onboarded in 2023 (or after), a single MX record is normally required:
These values will be necessary when you add your domains to Proofpoint Essentials.
ADDING DOMAIN(S) TO PROOFPOINT ESSENTIALS
- Sign in to the Proofpoint Essentials user interface.
- Navigate to Administration > Account Management > Domains > New Domain.
- Enter the domain name you wish to configure.
- Ensure Relay is selected for domain purpose.
- For Delivery Destination, enter the MX record from Google that you copied earlier (generally ASPMX.L.GOOGLE.COM).
- For the subsequent Failovers, enter the additional MX records (e.g. SMTP Failover 1: ALT1.ASPMX.L.GOOGLE.COM).
Example:
You can verify your domain at this stage or at a later time. However, the domain must be verified before it can be enabled.
- Under Verification Method, select Verify by TXT Record, and then press Verify Later.
- Repeat if you are adding more than one domain.
The delivery and failover destinations refer to the values captured in the previous section.
STEP 2b - CONFIGURE INBOUND MAIL GATEWAY IN WORKSPACE
Skipping Inbound Mail Gateway Configuration
Skipping this step has been verified to cause bounce errors when the original sender has a valid SPF or DMARC configuration in place. Be sure to complete it in order to ensure mail delivery.
- Sign in to the Google Admin console.
- From the dashboard go to Apps > Google Workspace > Settings for Gmail.
- On the General Settings tab, scroll down to Spam, phishing, and malware > Inbound gateway.
- Hover the cursor to the right of Inbound gateway. To create a new inbound gateway setting, click the EDIT button (pencil).
- Under Gateway IPs, enter the IP addresses below for clients on the US stack. If your client is on the EU stack, go to step 6 below:
35.190.247.0/24
64.233.160.0/19
66.102.0.0/20
66.249.80.0/20
72.14.192.0/18
74.125.0.0/16
108.177.8.0/21
173.194.0.0/16
209.85.128.0/17
216.58.192.0/19
216.239.32.0/19
172.217.0.0/19
172.217.32.0/20
172.217.128.0/19
172.217.160.0/20
172.217.192.0/19
172.253.56.0/21
172.253.112.0/20
108.177.96.0/19
35.191.0.0/16
130.211.0.0/22
67.231.152.0/24
67.231.153.0/24
67.231.154.0/24
67.231.155.0/24
67.231.156.0/24
67.231.144.0/24
67.231.145.0/24
67.231.146.0/24
67.231.147.0/24
67.231.148.0/24
67.231.149.0/24
148.163.128.0/19
2001:4860:4000::/36
2404:6800:4000::/36
2607:f8b0:4000::/36
2800:3f0:4000::/36
2a00:1450:4000::/36
2c0f:fb50:4000::/36
- If your clients are on the EU stack, enter the following IP addresses instead:
35.190.247.0/24
64.233.160.0/19
66.102.0.0/20
66.249.80.0/20
72.14.192.0/18
74.125.0.0/16
108.177.8.0/21
173.194.0.0/16
209.85.128.0/17
216.58.192.0/19
216.239.32.0/19
172.217.0.0/19
172.217.32.0/20
172.217.128.0/19
172.217.160.0/20
172.217.192.0/19
172.253.56.0/21
172.253.112.0/20
108.177.96.0/19
35.191.0.0/16
130.211.0.0/22
2001:4860:4000::/36
2404:6800:4000::/36
2607:f8b0:4000::/36
2800:3f0:4000::/36
2a00:1450:4000::/36
2c0f:fb50:4000::/36
69.172.217.0/24
185.183.31.0/24
185.183.30.0/24
185.183.29.0/24
185.183.28.0/24
185.132.183.0/24
185.132.182.0/24
185.132.181.0/24
185.132.180.0/24
62.209.51.0/24
62.209.50.0/24
91.207.213.0/24
91.207.212.0/24
91.209.104.0/24
148.163.128.0/19
- Check Automatically detect external IP.
When this setting is enabled, Gmail scans the message headers to locate the first occurrence of an IP address that is not listed in the Gateway IPs. This is referred to as the "external IP." Gmail treats the external IP as the sending IP and uses it for SPF checks and spam evaluation.
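To make the "external IP" rule concrete, here is an added Python example (not part of this article, nor Google's or Proofpoint's code) that walks the Received headers of a message from the most recent hop downward and returns the first connecting IP that is outside a gateway list, which is the address Gmail would then use for SPF and spam checks. The gateway ranges are a small subset of the ranges listed above (a real check would load the full list), and the sample message, its hostnames and its non-gateway addresses are constructed for the example; Google's own header parsing is more thorough than this regex.

```python
import ipaddress
import re
from email import message_from_string

# A subset of the gateway ranges listed in this article (US stack),
# chosen for the example only; a real check would load the full list.
GATEWAY_RANGES = [ipaddress.ip_network(n) for n in (
    "67.231.152.0/24", "67.231.153.0/24",
    "148.163.128.0/19", "2607:f8b0:4000::/36",
)]

# Connecting address as it appears in a Received header:
# "[192.0.2.1]" or "[IPv6:2001:db8::1]".
_BRACKETED_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")


def is_gateway_ip(ip, ranges=GATEWAY_RANGES):
    """True if ip (a string) falls inside one of the configured gateway ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def detect_external_ip(raw_message, ranges=GATEWAY_RANGES):
    """Mimic Gmail's 'Automatically detect external IP': scan Received headers
    from the most recent hop downward and return the first connecting IP that
    is not a gateway IP. Returns None if every hop came from a gateway."""
    msg = message_from_string(raw_message)
    for received in msg.get_all("Received", []):
        match = _BRACKETED_IP.search(received)
        if not match:
            continue
        candidate = match.group(1)
        try:
            if not is_gateway_ip(candidate, ranges):
                return candidate
        except ValueError:  # not a well-formed address, skip this hop
            continue
    return None


# Constructed sample: the message reached Gmail via the gateway (67.231.152.10,
# inside a range from this article) after the gateway accepted it from the
# real sender at 203.0.113.25 (a documentation address). Hostnames are made up.
SAMPLE_MESSAGE = """\
Received: from gateway-us.example (gateway-us.example [67.231.152.10])
        by mx.google.com with ESMTPS id abc123
        for <user@yourdomain.com>; Mon, 1 Jan 2024 10:00:02 -0800 (PST)
Received: from mail.sender.example (mail.sender.example [203.0.113.25])
        by gateway-us.example with ESMTPS id def456;
        Mon, 1 Jan 2024 10:00:01 -0800 (PST)
Received: from workstation.sender.example ([192.0.2.44])
        by mail.sender.example with ESMTPA id ghi789;
        Mon, 1 Jan 2024 10:00:00 -0800 (PST)
From: someone@sender.example
To: user@yourdomain.com
Subject: external IP detection sample

Hello.
"""

if __name__ == "__main__":
    # Gmail would run SPF and spam checks against this address, not the gateway's.
    print("external IP:", detect_external_ip(SAMPLE_MESSAGE))
```

The order matters: the gateway's own hop is the top Received header, so without the gateway list Gmail would evaluate SPF against a Proofpoint address and every message would appear to fail, which is exactly the bounce problem the earlier warning describes.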
- Check Require TLS for connection from the email gateways listed above.
- Under Message Tagging, select Message is considered spam if the following header regexp matches.
- Then enter any characters in the Regexp field.
- Under Test Expression, make sure the options Message is spam if regexp matches and Disable Gmail spam evaluation on mail from this gateway; only use header value are checked.
- Click Save and then Enable the Inbound Gateway.
IMPORTANT NOTE - We did not check the box that says "Reject all mail not from gateway IPs". If you enable it now and change the MX records right away, Google Workspace will reject large volumes of email until the MX change has propagated. You _should_ enable this option only 24 to 48 hours after changing the MX record.
STEP 2c - UPDATE SAFETY SETTINGS
G Suite's safety settings allow organizations to enable or disable policies related to viewing and accessing email. If you have enabled some or all of these settings you may experience some delivery issues. Please review the following steps to ensure your settings are supported.
- While signed into the Google Admin console, go to Apps > Google Workspace > Settings for Gmail.
Note that you'll need to scroll all the way down the Settings page to get to the Safety section. Click Safety to expand the options.
No changes to the Attachments settings or Links and external images are required. You can leave these settings as they are.
- If you have Spoofing and authentication settings enabled (either all or customized), review the following setting:
  - Protect against any unauthenticated emails
    - Proofpoint Essentials has already scanned incoming email for SPF and/or DKIM issues. Email with issues is scored accordingly and quarantined if it exceeds your spam threshold.
    - This setting needs to be disabled. If it is enabled it may cause unexpected delivery issues for incoming email.
    - Uncheck "Apply future recommended settings automatically", as this may cause "Protect against any unauthenticated emails" to be checked again, causing the error.
DMARC Errors
Not disabling this feature has also been known to cause bounce-back errors indicating a DMARC issue. Please ensure you disable it as instructed.
The error message would be: Unauthenticated email from proofpoint.com is not accepted due to domain's DMARC policy
Disable spoofing and authentication settings:
If you scroll further down the page ...
Set all the highlighted options to the OFF position. This prevents Google from applying SPF/DKIM/DMARC checks to inbound mail traffic, since Proofpoint is already doing that up front; otherwise Google would erroneously classify email as failing authentication, because all inbound mail now arrives from Proofpoint.
IMPORTANT NOTE At this stage, we could theoretically tell you to change the MX records for the domain to point to Proofpoint. However, there is a slight difficulty: when users on a Google Workspace domain send email to a Google Workspace domain (including their own), Google follows the MX record. So if julie@yourdomain.com emails billybob@yourdomain.com, the message would actually go through Proofpoint when it should stay local to Google Workspace. It is therefore best to set up the outbound mail flow and the special mail routing required to keep local mail local first. Then we can tell you to change the MX records at the end of the process.
STEP 3 - SETUP OUTBOUND MAIL FLOW
Proofpoint Essentials is deployed between the customer’s Google Workspace environment and the Internet. Outbound mail is routed to Proofpoint Essentials by configuring an outbound mail gateway. This will route all outbound mail to Proofpoint Essentials.
STEP 3a - Update your SPF record
You need to add Proofpoint Essentials to your SPF record. Usually someone with a domain on Google Workspace will have an SPF record that looks like this:
"v=spf1 a mx include:_spf.modusstuff.com include:_spf.google.com ~all"
The include:_spf.google.com entry tells the world that email for yourdomain.com originating from Google's IP space is legitimate.
Since you will soon be routing outbound mail from Workspace through Proofpoint to the Internet, you need to tell the world that it is also legitimate for email from yourdomain.com to originate from Proofpoint. To do this, just modify your SPF record.
If you're using proofpoint US:
"v=spf1 a mx include:_spf.modusstuff.com include:_spf.google.com include:_spf-us.ppe-hosted.com ~all"
If you're using proofpoint EU:
"v=spf1 a mx include:_spf.modusstuff.com include:_spf.google.com include:_spf-eu.ppe-hosted.com ~all"
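As an added Python example (not from this article, Proofpoint or Google), the following tokenises an SPF record, inserts the Proofpoint Essentials include for the chosen stack before the terminating all mechanism, and runs the checks a practitioner would want before publishing: the include is present, the record still ends with all and not a permissive +all, and the record's own DNS-querying terms stay within the RFC 7208 limit of ten. The input records are the ones quoted above; the function names and the problem strings are the example's own.

```python
import re

# Starting record as quoted in this article.
SPF_BEFORE = "v=spf1 a mx include:_spf.modusstuff.com include:_spf.google.com ~all"

# Proofpoint Essentials includes for each stack, as quoted in this article.
PROOFPOINT_INCLUDE = {
    "us": "include:_spf-us.ppe-hosted.com",
    "eu": "include:_spf-eu.ppe-hosted.com",
}

# Terms that cost a DNS query under RFC 7208 section 4.6.4 (limit: 10 per evaluation).
_DNS_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record):
    """Split an SPF TXT record into its terms, validating the version tag."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    return terms[1:]


def _name(term):
    """Mechanism/modifier name without qualifier, argument or CIDR suffix."""
    return re.split(r"[:/=]", term.lstrip("+-~?").lower(), maxsplit=1)[0]


def lookup_count(terms):
    """Count this record's own DNS-querying terms. Records pulled in via
    include: spend lookups too, so the true total is only visible with DNS."""
    return sum(1 for t in terms if _name(t) in _DNS_TERMS)


def add_proofpoint_include(record, stack):
    """Return the record with the Proofpoint include inserted before 'all'.
    Idempotent: an include that is already present is not duplicated."""
    terms = parse_spf(record)
    include = PROOFPOINT_INCLUDE[stack]
    if include in terms:
        return record
    if terms and _name(terms[-1]) == "all":
        terms.insert(len(terms) - 1, include)  # 'all' must stay the last term
    else:
        terms.append(include)
    return " ".join(["v=spf1"] + terms)


def check_spf(record, stack):
    """Return a list of problems; an empty list means the record looks ready."""
    terms = parse_spf(record)
    problems = []
    if PROOFPOINT_INCLUDE[stack] not in terms:
        problems.append("missing " + PROOFPOINT_INCLUDE[stack])
    if lookup_count(terms) > 10:
        problems.append("more than 10 DNS-querying terms: receivers return permerror")
    last = terms[-1].lower() if terms else ""
    if _name(last) != "all":
        problems.append("record does not end with an 'all' mechanism")
    elif last in ("all", "+all"):
        problems.append("'+all' authorizes any sender; use ~all or -all")
    return problems


if __name__ == "__main__":
    for stack in ("us", "eu"):
        updated = add_proofpoint_include(SPF_BEFORE, stack)
        print(stack, updated, check_spf(updated, stack))
```

The lookup check is deliberately conservative: it only counts terms in the record you publish, while _spf.google.com and the Proofpoint include each expand to further lookups at evaluation time, so a record that is already near the limit should be verified against live DNS before the change goes out.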
STEP 3b - Configure Proofpoint Essentials for outbound
ENABLE OUTBOUND RELAYING
- Sign-in to the Proofpoint Essentials user interface.
- Navigate to Administration > Features.
- Check Enable Outbound Relaying.
- Click Save.
ADD SERVICE IP ADDRESSES TO YOUR INBOUND GATEWAY
- While logged into the Proofpoint Essentials user interface, navigate to Administration > Domains.
- Click Managed Hosted Services.
- Choose Google Apps.
- Click Save.
Configure Google Workspace
CONFIGURE OUTBOUND MAIL GATEWAY
- Sign in to the Google Admin console.
- From the dashboard go to Apps > Google Workspace > Gmail > Advanced Settings.
- While on the General Settings tab, scroll down to Routing > Outbound Gateway (you can also enter Outbound Gateway in the search field).
- In the Outbound Gateway text field, enter the Proofpoint Essentials Smart Host value. Remember that before you add the outbound host name, Outbound Relaying needs to be enabled in Proofpoint, the hosted service has to be selected (Google Apps, in the case of Workspace), and you need to wait at least one hour before adding the host name to give replication time to finish.
- After adding the Smarthost name scroll to the bottom of the page and Click Save.
- Click Settings for Gmail in the upper left, then click on Hosts (or go to https://admin.google.com/ac/apps/gmail/hosts)
- Select Add Route.
- For Name, enter Internal Google Workspace; for Single host, enter aspmx.l.google.com and port 25.
- Make sure that Perform MX lookup on host is NOT checked, and that Require mail to be transmitted via a secure connection, Require CA signed certificate, and Validate certificate hostname are checked, then press Save.
- Click Settings for Gmail in the upper left again, then click Advanced settings.
- Scroll down to Routing, and then press Configure.
- For the description at the top, put Internal Routing.
- Under Messages to affect, check the box that says Internal Sending.
- Under Envelope Filter, check Only affect specific envelope senders, then change the dropdown to Pattern match.
- Enter your own domain there in the form @domain.com.
- Scroll down, and under Route, check Change route, and then change the dropdown to Internal Google Workspace.
- Click Show more options.
- Scroll down to Account types to affect.
- Select Users and Groups.
- Click Add Setting, and then make sure to press SAVE in the lower right.
Please Note: When configured as per the instructions above, internal to internal email stays within Google Workspace and is NOT scanned for Spam by Proofpoint Essentials.
IMPORTANT SAFETY TIP ABOUT GOOGLE DOCUMENT SHARING If you are routing outbound mail through Proofpoint, it is especially important to follow the document below so you don't have issues with Google shared-document notifications being rejected by Proofpoint.