Google Workspace as MX Record

A schematic showing where Email Security is in the life cycle of an email received

In this tutorial, you will learn how to configure Google Workspace with Email Security as MX record.

Prerequisites

To ensure changes made in this tutorial take effect quickly, update the Time to Live (TTL) value of the existing MX records on your domains to five minutes. Do this on all the domains you will be deploying.

Changing the TTL value instructs DNS servers on how long to cache this value before requesting an update from the responsible nameserver. You need to change the TTL value before changing your MX records to Email Security. This will ensure that changes take effect quickly and can also be reverted quickly if needed. If your DNS manager does not allow for a TTL of five minutes, set it to the lowest possible setting.

To check your existing TTL, open a terminal window and run the following command against your domain:

dig mx <YOUR_DOMAIN>

; <<>> DiG 9.10.6 <<>> mx <YOUR_DOMAIN>
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39938
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;domain.    IN  MX

;; ANSWER SECTION:
<YOUR_DOMAIN>.  300  IN  MX  5 mailstream-central.mxrecord.mx.
<YOUR_DOMAIN>.  300  IN  MX  10 mailstream-east.mxrecord.io.
<YOUR_DOMAIN>.  300  IN  MX  10 mailstream-west.mxrecord.io.

In the above example, TTL is shown in seconds as 300 (or five minutes).

If you are using Cloudflare for DNS, you can leave the TTL setting as Auto.

Below is a list with instructions on how to edit MX records for some popular services:

Cloudflare: Set up email records
GoDaddy: Edit an MX Record ↗
AWS: Creating records by using the Amazon Route 53 console ↗
Azure: Create DNS records in a custom domain for a web app ↗

Requirements

Provisioned Email Security account.
Access to the Google administrator console (Google administrator console ↗ > Apps > Google Workspace > Gmail).
Access to the domain nameserver hosting the MX records for the domains that will be processed by Email Security.

1. Set up Inbound Email Configuration

Set up Inbound Email Configuration ↗ with the following details:

In Gateway IPs, select the Add link, and add the IPs mentioned in Egress IPs.
Select Automatically detect external IP (recommended).
Select Require TLS for connections from the email gateways listed above.
Select SAVE.

2. (Optional) Set up an email quarantine

Set up an email quarantine ↗ with the following details:

Name: Email Security Malicious.
Description: Email Security Malicious.
For the Inbound denial consequence, select Drop message.
For the Outbound denial consequence, select Drop message.
Select SAVE.

To access the newly created quarantine, select GO TO ADMIN QUARANTINE or access the quarantine directly by pointing your browser to https://email-quarantine.google.com/adminreview ↗.

3. (Optional) Create a content compliance filter

Go to Compliance, and create a content compliance filter ↗ to send malicious messages to quarantine. Enter the following details:

Content compliance: Add Quarantine Email Security Malicious.
Email messages to affect: Select Inbound.
Add expressions that describe the content you want to search for in each message:
- Select Add to add the condition.
- In Simple content match, select Advanced content match.
- In Location, select Full headers.
- In Match type, select Contains text.
- In Content, enter X-EmailSecurity-Disposition: MALICIOUS.
- Select SAVE to save the condition.
If the above expression match, do the following, select Quarantine message and the Email Security Malicious quarantine that was created in the previous step.
- Select SAVE.

If you would like to quarantine the other dispositions, repeat the above steps and use the following strings for the other dispositions:

X-EmailSecurity-Disposition: BULK
X-EmailSecurity-Disposition: SUSPICIOUS
X-EmailSecurity-Disposition: SPOOF
X-EmailSecurity-Disposition: UCE (UCE is the equivalent of SPAM)

If desired, you can create a separate quarantine for each of the dispositions.

Next steps

Now that you have completed the prerequisite steps, you can set up MX/Inline on the Cloudflare dashboard.

Was this helpful?

Community
X
Discord
YouTube
GitHub