Mesh Gateway for Google Workspace
This guide outlines how to install Mesh Gateway for organizations on Google Workspace.
Tip: If this is your first time setting up a customer in Mesh (or even if it’s not), it is worth familiarizing yourself with the Before You Start Checklist.
🕐 Installation Time: 10-15 minutes
Step 1: Create an Inbound Gateway for Mesh in Google Workspace
In order to allow email filtered by Mesh to be delivered safely without any double filtering from Google, you need to create a mail flow rule for our IP ranges.
View our step by step guide on creating an inbound gateway.
Important: If you are moving from another Secure Email Gateway, you will likely have an existing connector in place to reject emails that aren't sent from a specific IP range.
You will need to remove this before changing MX records to prevent clean email filtered by Mesh from being rejected.
Step 2: Configure internal emails to remain within the tenant in Google Workspace
Unlike Microsoft 365, where internally sent emails are not seen by Mesh Gateway, Google routes internal email through the MX record. Internal emails are therefore subject to filtering by Mesh Gateway and its impersonation detection, which will result in false positives. This can be avoided by configuring internal emails to remain within the Google Workspace tenant.
View our Routing Internal Emails in Google Workspace guide.
Step 3: Populating Users
To allow users to receive quarantine digests and create their own allow/block rules, they need to be populated in the users table.
Users can be populated manually or via our CSV import.
View more information on user population and role types.
Step 4: Import Allow & Block Rules (Optional)
You can import a list of safe senders or domains using our CSV template.
Step 5: Update your MX records
Update your MX records with the values applicable to your service region.
MX records are region specific and there should be no other records present.
If you use MTA-STS, ensure you also update the MX entries there.
Important: Please wait at least 15 minutes after creating your account in Mesh before updating your MX records to ensure there is no interruption to delivery while our system updates.
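A pre-cutover check for this step, as an added example (not Mesh's own tooling): it compares a domain's published MX hosts with the expected gateway set and with the mx entries of an MTA-STS policy, using the RFC 8461 matching rule. The hostnames, the policy text and the function names are constructed placeholders; substitute the MX values for your service region.

```python
# Constructed sample data. Hostnames are placeholders, not Mesh's real MX
# values; use the values published for your service region.
EXPECTED_MX = {"mx1.gateway.example", "mx2.gateway.example"}
PUBLISHED_MX = ["mx1.gateway.example.", "mx2.gateway.example.", "aspmx.l.google.com."]
STS_POLICY = "version: STSv1\nmode: enforce\nmx: aspmx.l.google.com\nmx: *.googlemail.com\nmax_age: 604800\n"

def normalize(host):
    return host.strip().rstrip(".").lower()

def parse_sts_policy(text):
    """Return (mode, [mx patterns]) from an RFC 8461 policy body."""
    mode, patterns = None, []
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if sep and key == "mode":
            mode = value.lower()
        elif sep and key == "mx":
            patterns.append(normalize(value))
    return mode, patterns

def sts_allows(host, patterns):
    """RFC 8461 match: exact name, or '*.' standing for one left-most label."""
    first, _, rest = normalize(host).partition(".")
    return any(
        (p.startswith("*.") and first and rest == p[2:]) or normalize(host) == p
        for p in patterns
    )

def check_cutover(published, expected, policy_text):
    """Compare published MX hosts with the expected set and the STS policy."""
    mode, patterns = parse_sts_policy(policy_text)
    pub = {normalize(h) for h in published}
    exp = {normalize(h) for h in expected}
    return {
        "extra_mx": sorted(pub - exp),      # records that should have been removed
        "missing_mx": sorted(exp - pub),    # gateway hosts not yet published
        "sts_mode": mode,
        # gateway hosts a sender enforcing MTA-STS would refuse to deliver to
        "not_in_sts": sorted(h for h in exp if not sts_allows(h, patterns)),
    }

if __name__ == "__main__":
    for name, value in check_cutover(PUBLISHED_MX, EXPECTED_MX, STS_POLICY).items():
        print(f"{name}: {value}")
```

With the sample data the check reports one leftover MX record and an enforce-mode policy that does not yet list either gateway host; both need correcting before senders that honour MTA-STS will deliver through the new MX records.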
Step 6: Reject all mail not from gateway IPs
We recommend locking down your mail environment to only accept emails from Google and Mesh. To do this, check the box "Reject all mail not from gateway IPs" within the Inbound Gateway section, as described in this guide: https://docs.emailsecurity.app/help-center/Create-an-Inbound-Gateway-for-Mesh-in-Google-Workspace.869236945.html
Please wait 24 hours before completing this step to allow for DNS propagation.
Step 7: Enable Outbound Email Scanning (Optional)
View our step-by-step guide on enabling our outbound email scanning.

You’re all set. Your email is now protected by Mesh Gateway.