Outbound Mail Routes

Description

Configuring outbound mail routes in Google Workspace (formerly G Suite) domains is required to relay messages from Gmail to Mailprotector's servers. The outbound mail routes are necessary to implement some of Mailprotector's solutions such as SecureStore archiving and Bracket email encryption.

Configuration steps for the inbound mail route are in the G Suite - Inbound Mail Route article.

Applies to:

Google Workspace, G Suite, Basic, Business, Enterprise

Prerequisites

Before beginning the configuration of the G Suite mail routes, the Mailprotector Console should have the domain, inbound SMTP host address and users configured to ensure the Mailprotector solution is ready to scan and protect the domain.

If the domain and users are not configured in the Mailprotector Console, please start with Step 2: Add Users.

You should also have access to the domain's public DNS zone. Changing the MX record is a required step in provisioning Mailprotector. The MX record should be modified before configuring the inbound mail route on G Suite. View Step 3: Change the DNS MX Records for more information.

Configuration Steps

Internal Messaging Consideration

By default, Google Workspace will route messages in the same domain directly to a user without leaving the Gmail servers. If you or your client intends to use SecureStore archiving or would like the option to encrypt emails between internal users, then you will need to add the optional Internal Sending route to the Google Workspace domain.

Adding the Internal Sending mail route will introduce two log entries in the Mailprotector Console for every internal message that is sent: one for the outbound message from the sender and a second for the inbound message to the recipient. The logging does not alter the email or message flow in any other way. Two entries appear only because Mailprotector's systems see the message for both the sender and the recipient.

Outbound Mail Route Configuration

  1. Go to the Google Admin Console and click on Apps in the left-hand navigation bar, as shown in Figure 1.

    Fig. 1

  2. Under the "Apps" section of the navigation bar, select "Gmail".
  3. Select the "Hosts" option in the Gmail settings to begin setting up Mailprotector as an email host as shown in Figure 2.

    Fig. 2

  4. Once you are under the "Hosts" section of the Gmail settings, select the "Add Route" button as shown in Figure 3. This will allow you to add Mailprotector as an outbound host.

  5. The Edit mail route window will open. Add a description such as Mailprotector Outbound Host.

    The email server is a Single Host; the address will be yourdomain-com.outbound.emailservice.io and the port will be 25.

    You should un-select the "Validate certificate hostname" option that is on by default. The window should look similar to Figure 5 below. DO NOT use mp-gsuite.com.outbound.emailservice.io for the host address. That is a Mailprotector testing domain. Click the SAVE link to complete this route host configuration.

    Fig. 5

  6. The mail route host has been configured, and you will need to return to the General Settings tab to continue. Click on the Settings for Gmail tab as shown in Figure 6.

    Fig. 6

  7. Scroll down and select Routing at the bottom of the Gmail Settings page as shown in Figure 7.

    Fig. 7
  8. Select the option to "Configure" in the "Routing" section in Gmail.

    Fig. 8

  9. The Add setting window will open. Enter a description such as Outbound Route to Mailprotector.
  10. Select Outbound for the messages to affect.
  11. Next, select Change route in the Modify message section and select the host you created in Step 5.
  12. Once these options are selected, go to "Show Options" at the bottom of the Add Setting window.
  13. Under "Account types to affect", select "Users".
  14. Under "Envelope Filter", check "Only affect specific envelope senders". Choose Pattern match and enter your domain as the Regexp.

    Once complete, the window should look similar to the images under Figure 9. Click the Save link in the lower right of the window to save the configuration.

    Fig. 9

  15. (Optional for Internal Sending) If you intend to implement SecureStore archiving or would like the option to encrypt internal messages with Bracket, you will add a second mail route for internal messages. Move your mouse over the new route displayed in the General Settings tab > Routing section and click on the Add Another Rule button as shown in Figure 10.

    Fig. 10

  16. The Add setting window will open. Enter a description such as Internal Sending through Mailprotector.
  17. Select Internal - sending for the messages to affect.
  18. Select Change route in the Modify message section and select the host you created in Step 5.
  19. Once these options are selected, go to "Show Options" at the bottom of the Add Setting window.
  20. Under "Account types to affect", select "Users".
  21. Under "Envelope Filter", check "Only affect specific envelope senders". Choose Pattern match and enter your domain as the Regexp.

    Once complete, the window should look similar to Figure 11. Click the Save link in the lower right of the window to save the configuration.

    Fig. 11
  22. The mail route(s) are now added to the Google Workspace domain. 

    IMPORTANT: These changes may take up to 1 hour to propagate to all users in the Google Workspace domain.
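
The Regexp entered in steps 14 and 21 decides which envelope senders are relayed to Mailprotector for archiving and encryption. The following is an added example, not part of the original article or Mailprotector's own material, comparing the bare domain with an escaped and anchored pattern. The domain example.com, the sample addresses and the assumption that the filter applies the pattern as an unanchored search are constructed for illustration.

```python
import re

DOMAIN = "example.com"  # constructed placeholder for "your domain"

# Constructed envelope senders; only the first is an address in DOMAIN.
SENDERS = [
    "alice@example.com",
    "alice@example.com.invalid",   # DOMAIN is only a prefix of the real domain
    "alice@examplexcom.invalid",   # unescaped '.' matches any character
    "alice@notexample.com",        # DOMAIN is only a suffix of the real domain
    "example.com@other.invalid",   # DOMAIN appears in the local part
    "alice@mail.example.com",      # subdomain, a different mail domain
]


def bare_pattern(domain):
    """The domain typed as-is into the Regexp field."""
    return domain


def anchored_pattern(domain):
    """Escape regex metacharacters and pin the domain between '@' and end of string."""
    return "@" + re.escape(domain) + "$"


def is_affected(pattern, envelope_sender):
    # Assumption: the filter applies the pattern as an unanchored search.
    return re.search(pattern, envelope_sender) is not None


def compare(domain, senders):
    """Return (sender, matched by bare pattern, matched by anchored pattern)."""
    bare, anchored = bare_pattern(domain), anchored_pattern(domain)
    return [(s, is_affected(bare, s), is_affected(anchored, s)) for s in senders]


if __name__ == "__main__":
    print(f"bare: {bare_pattern(DOMAIN)!r}   anchored: {anchored_pattern(DOMAIN)!r}")
    for sender, bare_hit, anchored_hit in compare(DOMAIN, SENDERS):
        print(f"{sender:<28} bare={bare_hit!s:<5} anchored={anchored_hit}")
```

A sender that does not match the Regexp is not affected by the route, so any subdomain or alias domain that should also be relayed needs its own alternative in the pattern.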

Comments

  • Aaron Lindsey

    This info is out of date. There is no longer a "Hosts" tab of "Advanced Settings" in the G Suite admin console.  It is under the standard Gmail settings, before going to Advanced Settings.

    Edited by Aaron Lindsey
  • Cody Ekle

    Hey Aaron,

    We'll work on updating the information in the article. We appreciate you letting us know that the information is out of date.