Enable Gmail BCC integration

To enable Gmail BCC integration:

1. Log in to Zero Trust ↗, select Email Security, then select Settings.
2. Go to Integrated domains and select View.
3. Select Connect a domain.
4. Select BCC/Journaling.
5. Choose Integrate with Google, and select Authorize.

Name your integration, then select Next.

1. Create a Service Account in your GCP Project

1. Once you have named your integration, select Next.
2. On the Google Cloud Console ↗, go to the sidebar, select APIs & Services, then select Credentials.
3. Select CREATE CREDENTIALS > Service account.
4. Fill in the details to create a service account:
   • Service account name: Enter Cloudflare Google Integration.
   • Service account ID: Enter cloudflare-google-integration.
   • Service account description: Enter Cloudflare Google Integration.
   • Select CREATE AND CONTINUE.

2. Create a JSON Key for your Service Account

On the Google Cloud Console ↗, select Service Accounts on the sidebar:

• Select the three dots, then:
  • Select Manage keys.
  • Select ADD KEY > Create new key.
  • Select JSON > Select CREATE. This downloads a .json file which you will use at a later stage.

3. Upload JSON Key

On the Zero Trust dashboard ↗, upload the .json file downloaded on step 3.

4. Enable Necessary Google Workspace APIs in GCP

Enable the following APIs on the Google Cloud Console:

• Enable Google Calendar API ↗
• Enable Google Drive API ↗
• Enable Google Admin SDK API ↗
• Enable Gmail API ↗
• Enable Google Service Usage API ↗

5. Log in to Google Workspace Admin Console

Log in to Google Workspace Admin Console: Enter your password and log in to the Google Workspace Admin Console.

6. Create a Domain-Wide Delegation API Client

1. Copy the Client ID and Scopes displayed on the Zero Trust dashboard.
2. On Google Admin, go to Security > Access and data control > API controls.
3. Select MANAGE DOMAIN WIDE DELEGATION > Add new.
4. Use the Client ID and copy the scopes to create a new API client. Refer to Delegate domain-wide authority to your service account ↗. Then, select Next.

7. Confirm Workspace Administrator Email

Enter the email associated with the Google Workspace Administrator account. Your email must match the email associated with your Google Workspace account, or else your integration will not work.

8. Create integration

1. Select Create integration.
2. Once you created your integration, you will be redirected to the Review details page, where you will be able to review Integration details.
3. Review your details, then select Complete Email Security set up > Continue to Email Security.

Verify integration

To verify that the integration has been successful:

1. Go to Settings (the gear icon) > SaaS integrations.
2. Go to your integration, and ensure that the integration displays CASB+EMAIL under Type.

Note

If you do not reach the step to complete Email Security set up:

1. Go to Settings (the gear icon) > SaaS Integrations.
2. Delete the integration, if present. Locate your integration, select Configure, then select Delete.
3. Follow the steps from the beginning to enable Gmail BCC integration.

Next steps

Now that you have created an integration:

• Connect your domains for Email Security to start scanning your inbox.
• Enable logs to send detection data to an endpoint of your choice.