
Mesh Gateway for Google Workspace

This guide outlines how to install Mesh Gateway for organizations on Google Workspace.

Tip: Whether or not this is your first time setting up a customer in Mesh, it is worth familiarizing yourself with this checklist ⟶ Before You Start Checklist

🕐 Installation Time: 10-15 minutes



Step 1: Create an inbound Gateway for Mesh in Google Workspace

In order to allow email filtered by Mesh to be delivered safely without any double filtering from Google, you need to create a mail flow rule for our IP ranges.

If you are moving from another Secure Email Gateway, you will likely have an existing connector in place to reject emails that aren't sent from a specific IP range.

You will need to remove this connector before changing MX records, to prevent clean email filtered by Mesh from being rejected.


Step 2: Configure internal emails to remain within the tenant in Google Workspace

Unlike Microsoft 365, where internally sent emails are not seen by Mesh Gateway, Google routes internal email through the MX record. This means internal emails are subject to filtering by Mesh Gateway and its impersonation detection, which will result in false positives. This can be avoided by configuring internal emails to remain within the Google Workspace tenant.


Step 3: Populating users

In order to allow users to receive quarantine digests and to be able to create their own allow/block rules, users need to be populated in the users table.


Step 4: Import Allow & Block Rules (optional)

You can import a list of safe senders or domains using our CSV template.


Step 5: Update your MX records

Update your MX records with the values applicable to your service region.

MX records are region-specific and there should be no other records present.

Important: Please wait at least 15 minutes after creating your account in Mesh before updating your MX records to ensure there is no interruption to delivery while our system updates.
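
One way to confirm the "no other records present" requirement once the change is live, as an added example that is not part of Mesh's own documentation. The hostnames in EXPECTED_MX are placeholders for your region's values, and the `dig +short MX` output is a constructed sample showing a leftover Google record.

```python
# Added example: audit a domain's MX answers against the gateway hosts for your region.
# EXPECTED_MX holds placeholders; substitute the values given for your Mesh service region.
EXPECTED_MX = {"mx1.gateway.example.net", "mx2.gateway.example.net"}

# Constructed sample of `dig +short MX yourdomain.example` output, mid-migration.
SAMPLE_DIG_OUTPUT = """\
10 mx1.gateway.example.net.
20 MX2.gateway.example.net.
1 aspmx.l.google.com.
"""


def parse_mx(dig_output):
    """Return [(preference, host)] parsed from `dig +short MX` lines."""
    records = []
    for line in dig_output.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):  # skip blanks and dig comments
            continue
        parts = line.split()
        if len(parts) != 2 or not parts[0].isdigit():
            raise ValueError(f"unexpected MX line: {line!r}")
        # DNS names are case-insensitive; drop the trailing root dot.
        records.append((int(parts[0]), parts[1].rstrip(".").lower()))
    return records


def audit_mx(dig_output, expected):
    """Compare published MX hosts with the expected gateway hosts."""
    expected = {h.rstrip(".").lower() for h in expected}
    found = {host for _, host in parse_mx(dig_output)}
    return {
        # Any stray host is a delivery path that skips gateway filtering.
        "stray": sorted(found - expected),
        "missing": sorted(expected - found),
        "ok": found == expected,
    }


if __name__ == "__main__":
    result = audit_mx(SAMPLE_DIG_OUTPUT, EXPECTED_MX)
    for host in result["stray"]:
        print(f"REMOVE  {host} (not a gateway MX)")
    for host in result["missing"]:
        print(f"ADD     {host} (expected gateway MX not published)")
    print("MX records OK" if result["ok"] else "MX records need attention")
```

Run it against the output of several public resolvers, since cached answers can differ until the old records' TTL expires.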


Step 6: Reject all email not from Gateway IPs

To prevent threats from bypassing Mesh filtering, while ensuring emails from our MTAs can still be delivered to your mail environment, you should lock down Google Workspace to only accept email from Mesh’s IP ranges.

We recommend waiting 24 hours before completing this step to allow for DNS propagation.

To prevent threats from bypassing Mesh filtering, check the box "Reject all mail not from gateway IPs".


Step 7: Enable Outbound Email Scanning (optional)

  1. Navigate to Settings ⟶ Outbound Smarthost ⟶ Outbound Status (enable slider + save).

  2. Set up an outbound mail gateway in Google ⟶ Create an Outbound Gateway in Google Workspace


You’re all set. Your email is now protected by Mesh Gateway.
