Skip to main content

Prerequisites for activation of email protection – Google Worskpace

Google Worskpace has a peculiarity with regard to the routing of emails, all internal email traffic sends it abroad and enters Google again as if they were external emails. This feature not present in other mail services has to be reconfigured in Workspace before activating email protection.

To do this, you access the Google Workspace configuration panel (admin center), once inside we click on the top left in “Apps -> Google Workspace -> Gmail”, you will see a page like the following:

Google Workspace EN 1

From the options shown, we enter “Host”. Click on “Add Route” and a new window will open where we will configure the MX of Google:

  1. Name: We put “Internal Workspace Routing”
  2. We select “Multiple Host” in the drop-down.
  3. A field is enabled to add the first Google MX: “aspmx.l.google.com”, port 25 and 100% load.
  4. We enable the second field to add a secondary MX of Google: “alt1.asmpx.l.google.com”, port 25 and 100% load

More Google children could be added (alt2.asmpx.l.google.com, alt3.asmpx.l.google.com), if we do the load of 100% should be distributed among the secondary ones, that is to say for each secondary that is added divide 100 by the number of secondary MX added:

Ex: If we put 2 secondary, we will put the load at 50% for each of them, if we put 3 secondary, we will put the load at 34% to the first and 33% for the remaining 2.

We default the indicated TLS configuration, and it should be something like this:

Google Workspace EN 2

Save and return to the previous window, (“Apps -> Google Workspace -> Gmail”). Back in this window, we go down to the end and access “Routing”:

Google Workspace EN 3

Once inside, we click on “Add another rule” (if there is no existing route, it will say “configure” instead of “Add another rule”). A new window opens and we proceed to configure:

  1. Name: We indicate “internal routing”
  2. Email messages to affect: We select “internal sending”
  3. Route: We select the box that puts “change the route” and in the drop-down that comes out we select the host that we created in the previous stage (internal workspace routing).
  4. We go down to the end and display more options “Show options”.
  5. We keep going down to Account types to affect: We select Users and Groups
  6. We go down to Envelope filter: We select “Only affect specific envelope senders”, now we choose from the “Pattern Match” drop-down and in the field that appears we enter our mail domain (eg: pepito.com).

It should look like the following image:

Google Workspace EN 4

We give it to save, and the changes are applied in a few minutes.

Now we will proceed to allow the IPs of the mail protection datacenter. We go back to the previous window (“Apps -> Google Workspace -> Gmail”) and enter “Spam, Phishing and Malware”, identify the icon of a pen near “Email allowlist” and click it.

In the box that appears we enter the list of IPS separated by comma:

RegionIPs
Europa194.104.108.0/24,194.104.109.0/24,194.104.110.0/24,194.104.111.0/24,147.28.34.0/24,147.28.35.0/24,51.163.158.0/24,51.163.159.0/24,62.140.7.0/24,62.140.10.0/24
America170.10.132.0/24,170.10.133.0/24,170.10.128.0/24,170.10.129.0/24,170.10.130.0/24,170.10.131.0/24,207.211.31.0/25,207.211.30.0/24,205.139.110.0/24,205.139.111.0/24,216.205.24.0/24,63.128.21.0/24

Save it. It should look like the following image:

Google Workspace EN 5

Now we go down to the option “Inbound Gateway” and we give the button to configure (it may appear as it is disabled, if so we give it to enable).

  1. In the name we indicate “CG Inbound Gateway”

  2. Click on the “Add” button to add the following IPS one by one:

RegionIPs
Europe194.104.108.0/24
194.104.109.0/24
194.104.110.0/24
194.104.111.0/24
147.28.34.0/24
147.28.35.0/24
51.163.158.0/24
51.163.159.0/24
62.140.7.0/24
62.140.10.0/24
America170.10.132.0/24
170.10.133.0/24
170.10.128.0/24
170.10.129.0/24
170.10.130.0/24
170.10.131.0/24
207.211.31.0/25
207.211.30.0/24
205.139.110.0/24
205.139.111.0/24
216.205.24.0/24
63.128.21.0/24
  1. Make sure that it activates the option “Require TLS for Connections From the Email Gateways Listed Above”, and we disable the other 2 options that come out.

It should look like the following image:

Google Workspace EN 6

After saving it, we have finalized the prerequisites to activate Cyber Guardian email protection.

Please continue here.