Cloudflare Docs
Area 1 Email Security
Visit Area 1 Email Security on GitHub
Set theme to dark (⇧+D)

Deploy and configure Gmail with Area 1 as MX Record

A schematic showing where Area 1 security is in the life cycle of an email received

In this tutorial, you will learn how to configure Gmail with Area 1 as MX record. This tutorial is broken down into several steps.

​​ Requirements

​​ 1. Add Area 1 IP addresses to the Inbound gateway configuration

When Area 1 is deployed as MX records upstream of Gmail, the Inbound gateways need to be configured such that Gmail is aware that they are no longer the MX record for the domain. This is a critical step as it will allow Gmail to accept messages from Area 1.

  1. Go to the Gmail Administrative Console.

  2. Navigate to Apps > Google Workspace > Gmail.

    Access Gmail

  3. Select Spam, Phishing, and Malware and scroll to Inbound Gateway configuration.

    Access the spam, phishing and malware setting

  4. Enable Inbound Gateway, and configure it with the following details:

    Enable inbound gateway

    • In Gateway IPs, select the Add link, and add the IPs mentioned in Egress IPs.
    • Select Automatically detect external IP (recommended).
    • Select Require TLS for connections from the email gateways listed above.

    Inbound gateway settings

  1. Select the Save button at the bottom of the dialog box to save the configuration once the details have been entered. Once saved, the administrator console will show the Inbound Gateway as enabled.

    Inbound gateway on

​​ 2. Quarantine malicious detections

This optional step is highly recommended to prevent users from being exposed to malicious messages.

When messages are identified as malicious, Area 1 will insert the X-header X-Area1Security-Disposition into the message with the corresponding disposition. Based on the value of the X-Area1Security-Disposition, a content compliance filter can be configured to send malicious detections to an administrative quarantine. This section will outline the steps required to:

  • Create an Area 1 Malicious quarantine.
  • Create the content compliance filter to send malicious messages to quarantine.

​​ Create Area 1 Malicious Quarantine

If you would like to send Area 1 malicious detection to a separate quarantine other than the default quarantine, you will need to create a new quarantine.

  1. In the Gmail administrative console, select the Manage quarantines panel.

    Select the manage quarantines panel

  2. Select ADD QUARANTINE to configure the new quarantine. This will bring up a pop-up for the configuration details.

    Select the add quarantine button

  3. In the quarantine configuration pop-up, enter the following:

    • Name: Area 1 Malicious.
    • Description: Area 1 Malicious.
    • For the Inbound denial consequence, select Drop Message.
    • For the Outbound denial consequence, select Drop Message.

    Configure the quarantine settings

When you are finished entering these details, select SAVE.

  1. To access the newly create quarantine, select GO TO ADMIN QUARANTINE or access the quarantine directly by pointing your browser to https://email-quarantine.google.com/adminreview.

    Access the quarantine created

    Once in the Admin quarantine console, you can access the Area 1 Malicious quarantine by selecting the corresponding quarantine on the left navigation section. Quarantined messages can be released as needed by an administrator.

    Access Area 1

​​ Create a content compliance filter to send malicious messages to quarantine

  1. In the Gmail administrative console, select Compliance to configure the content compliance filter.

    Access the compliance configuration

  2. Navigate to the Content compliance area and select CONFIGURE to open the configuration dialog pop-up.

    Select the configure button

  3. In the Content compliance filter configuration, enter the following:

    • Name: Quarantine Area 1 Malicious.
    • In the Email message to affect section, select Inbound.
    • In the Add expression that describe the content you want to search for in each message section, configure the following:
      • Select Add to add the condition.
        • In the Match dropdown, select Advanced content match.
        • In Location, select Full headers.
        • In Match type, select Contains text.
        • In Content, enter X-Area1Security-Disposition: MALICIOUS.
      • Select SAVE to save the condition.
    • In the If the above expression match, do the following section, select the Action dropdown. Then choose Quarantine message and the Area 1 Malicious quarantine that was created in the previous step.

    Configure the compliance filter

    After you enter this information, select SAVE.

  4. Once saved, the console will update with the newly configured content compliance filter.

    After configuration, the console shows the content compliance filter

    If you would like to quarantine the other dispositions, repeat the above steps and use the following strings for the other dispositions:

    • X-Area1Security-Disposition: MALICIOUS
    • X-Area1Security-Disposition: SUSPICIOUS
    • X-Area1Security-Disposition: SPOOF
    • X-Area1Security-Disposition: UCE

    If desired, you can create a separate quarantine for each of the dispositions.

​​ 3. Update your domain MX records

Instructions to update your MX records will depend on the DNS provider you are using. You need to replace the existing Google MX records with the Area 1 hosts.

These are the typical default MX records when using Gmail:

MX PriorityHost
1aspmx.l.google.com
5alt1.aspmx.l.google.com
5alt2.aspmx.l.google.com
10alt3.aspmx.l.google.com
10alt4.aspmx.l.google.com

To update your MX records with Area 1, use the following:

MX PriorityHost
10mailstream-east.mxrecord.io
10mailstream-west.mxrecord.io
50mailstream-central.mxrecord.mx

When configuring the Area 1 MX records, it is important to configure both hosts with the same MX priority. This will allow mail flows to load balance between the hosts.

European customers should update MX records with Area 1 European hosts:

MX PriorityHost
10mailstream-eu1.mxrecord.io
20mailstream-east.mxrecord.io
20mailstream-west.mxrecord.io
50mailstream-central.mxrecord.mx

The European region will be the primary MX, with a fail-over to the US regions. If you wish to exclusively use the European region, update with only the European host.

Once the MX records updates complete, the DNS updates may take up to 36 hours to fully propagate around the Internet. Some of the faster DNS providers will start to update records within minutes. The DNS update will typically reach the major DNS servers in about an hour.

​​ 4. Secure your email flow

After 36 hours, the MX record DNS update will have sufficiently propagated across the Internet. It is now safe to secure your email flow. This will ensure that Gmail only accepts messages that are first received by Area 1. This step is highly recommended to prevent threat actors from using cached MX entries to bypass Area 1 by injecting messages directly into Gmail.

  1. Access the Gmail Administrative Console, then select Apps > Google Workspace > Gmail.

  2. Select Spam, Phishing, and Malware.

  3. Navigate to Inbound Gateway configuration and select Configure.

  4. Enable Reject all mail not from gateway IPs and select Save.

  5. Select Save once more to commit and activate the configuration change in the Gmail advanced configuration console.

​​ 5. Send Area 1 spam to user spam folder (optional)

Unlike the configuration in step 2 where the message can be sent to an administrative quarantine, this optional step can be configured to send messages that are identified as spam by Area 1 to the user’s spam folder.

  1. Access the Gmail Administrative Console, then select Apps > Google Workspace > Gmail.

  2. Select Spam, Phishing, and Malware.

  3. Navigate to Inbound Gateway configuration and select Configure.

  4. In the Message Tagging section, select Message is considered spam if the following header regexp matches.

  5. In the Regexp section, enter the string X-Area1Security-Disposition: UCE.

  6. Select SAVE to save the updated configuration.