Mesh Gateway for Google Workspace

This guide outlines how to install Mesh Gateway for organizations on Google Workspace.

Tip: If this is your first time setting up a customer in Mesh (or even if it’s not), it is worthwhile familiarizing yourself with this checklist ⟶ Before You Start Checklist

🕐 Installation Time: 10-15 minutes

Useful links

• Managing your MX records for Google Workspace

• Disable Gmail Spam Evaluation

Step 1: Create an inbound Gateway for Mesh in Google Workspace

In order to allow email filtered by Mesh to be delivered safely without any double filtering from Google, you need to create a mail flow rule for our IP ranges.

• View our step by step guide on creating an inbound gateway.

If you are moving from another Secure Email Gateway, you will likely have an existing connector in place to reject emails that aren't sent from a specific IP range.

You will need to remove this before changing MX records to prevent clean email filtered by Mesh from being rejected

Step 2: Configure internal emails to remain within the tenant in Google Workspace

Unlike Microsoft 365 where internally sent emails are not seen by Mesh Gateway, Google routes internal email through the mx record. This means they are subject to filtering by Mesh Gateway and its impersonation detection, which will result in false positives. This can be avoided by configuring internal emails to remain within the Google Workspace tenant.

• View our Routing Internal Emails in Google Workspace guide.

Step 3: Populating users

In order to allow users to receive quarantine digests and to be able to create their own allow/block rules, users need to be populated in the users table.

• Users can be populated manually or via our CSV import.

• View more information on user population and role types.

Step 4: Import Allow & Block Rules (optional)

You can import a list of safe senders or domains using our CSV template.

Step 5: Update your MX records

Update your MX records with the values applicable to your service region.

MX records are region specific and there should be no other records present.

Important: Please wait at least 15 minutes after creating your account in Mesh before updating your MX records to ensure there is no interruption to delivery while our system updates.

Step 6: Reject all email not from Gateway IPs

In order to prevent threats from bypassing Mesh filtering and ensuring emails from our MTAs can deliver to your mail environment, you should lock down Google Workspace to only accept email from Mesh’s IP ranges.

We recommend waiting 24 hours before completing this step to allow for DNS propagation.

To prevent threats from bypassing Mesh filtering, check the box "Reject all mail not from gateway IPs"

Step 7: Enable Outbound Email Scanning (optional)

First navigate to Settings ⟶ Outbound Smarthost ⟶ Outbound Status (enable slider + save).

Then follow our outbound gateway setup guide here:

Create an Outbound Gateway in Google Workspace

You’re all set. Your email is now protected by Mesh Gateway.

Related articles