CLOUD SOLUTIONS

Use cases

Configure GMail using Google Workspace for Email Security

Follow these procedure to integrate Email Security with Google Workspace Gmail, for inbound and outbound email delivery.:

To configure Email Security for use with Google Workspace follow the steps below:

Configuring Inbound Mail
  1. Go to Products > Email Security > Product Configuration.

  2. Go to Inbound Mail.

  3. Click the Add button emailsecadd.png to add a new delivery route.

  4. Select your Domain from the drop-down list.

  5. Under Cost set route priority to 5.

    The cost defines route priority for multiple routes.The lower the number, the higher the priority.

  6. Under Route enter the following: ASPMX.L.GOOGLE.COM

  7. Update to save changes.

  8. Repeat steps 3 to 7 to add the following routes and associated costs:

    ALT1.ASPMX.L.GOOGLE.COM with the cost of 10

    ALT2.ASPMX.L.GOOGLE.COM with the cost of 15

    ALT3.ASPMX.L.GOOGLE.COM with the cost of 20

    ALT4.ASPMX.L.GOOGLE.COM with the cost of 25

    The final routes should look similar to the ones in the screenshot below.

    gsuite_final_routes.png
Configuring Outbound Mail
  1. Go to Products > Email Security > Product Configuration.

  2. Go to Outbound Mail.

  3. Click the Add emailsecadd.png button.

  4. Under Hostname enter the following hostname:

    spf://_spf.google.com

  5. Update to save changes.

You should configure GMail using Google Workspace to block any inbound email that does not originate from the Email Security (EMS) product. However, you will need to do this via a two-step process. This section is split into two sections – prior MX record change and post MX record change.

Prior to changing MX records

Before changing MX records it is recommended that the Email Security IP addresses are added to the inbound gateway so that when MX records are changed all messages are not quarantined.

Note

You may already have inbound gateway entries listed. If this is the case you need to append the entries below to the existing list and then remove the existing entries once the MX records have been changed.

Follow the steps below:

  1. Login to the Google Workspace Admin Console with an administrators account.

  2. Click on the Menu button google_workspace_dots.PNG.

  3. Select Admin > Apps > Google Workspace.

  4. Click on GMail to take you to Settings for Gmail.

  5. Click on Advanced Settings at the bottom of the page.

  6. Scroll down to Spam, phishing, and malware and configure/edit the Inbound Gateways.

  7. Add a Name to the Inbound setting.

  8. Add the IP addresses for our service and click Save.

    The entries should look like this if using the EU servers:

    104340_1.png

    Note

    Ensure you do not check the Reject all mail not from gateway IPs box.

  9. At the bottom of the Advanced Settings page, click Save to apply the changes.

  10. Ensure that this configuration is replicated to Google Workspace before changing any MX records.

    Note

    It can take up to an hour for changes to propagate to user accounts for GMail using Google Workspace You can track changes in the Admin console audit log.

Post MX record change

Once MX records have been changed and replicated to the internet email should start flowing through the Email Security product. You can verify this via the Email Security Activity reports and charts.  You can also check this in the Google Workspace portal by following these steps:

  1. Login to the Google Workspace Admin Console with an administrators account.

  2. Click on the Menu button google_workspace_dots.PNG.

  3. Select Admin > Apps > Google Workpace.

  4. Click on GMail to take you to Settings for Gmail.

  5. Click on Setup.

  6. Check that the MX records match the below:

Additional Options

By default, Gmail using Google Workspace will still scan all emails for spam.  If you do not want Google Workspace to quarantine any of the messages, you can whitelist the Email Security service IP’s. To do this follow these steps:

  1. Login to the Google Workspace Admin Console with an administrators account.

  2. Click on the Menu button google_workspace_dots.PNG.

  3. Select Admin > Apps > Google Workpace.

  4. Click on GMail to take you to Settings for Gmail.

  5. Click on Advanced Settings at the bottom of the page.

  6. Scroll down to Spam, phishing, and malware and under Email whitelist add the Email Security service IP addresses:

    The entries should look like this if using the EU servers:

    104340_2.png
  7. At the bottom of the Advanced Settings page, click Save to apply the changes

Warning

If there are valid reasons for inbound messages to be delivered direct to Google Workspace the IP addresses of the sending servers should be added to the Inbound Gateways section prior to making this change. Failure to do so will block messages coming from those servers.

  1. Login to your Google Workspace Admin Console with an administrator account.

  2. Click on the Menu button google_workspace_dots.PNG.

  3. Select Admin > Apps > Google Workpace.

  4. Click on GMail to take you to Settings for Gmail.

  5. At the bottom of the page, click Advanced Settings.

  6. Go to Hosts > Add Route.

  7. Enter a Name for the route, such as Email Security Outbound.

  8. In the Specify email server select Multiple hosts.

  9. Add a primary entry for each of the outbound servers based on your region.

    • For US and ROW open ports 25 and 587 and add the following hosts:

      smtp1.us.scanscope.netsmtp2.us.scanscope.net
    • For EU open ports 25 and 587 and add the following hosts:

      smtp1.scanscope.netsmtp2.scanscope.net
      gsuite_ems_outbound.png
  10. Click Save.

  11. Navigate back to General settings > Routing > Routing section.

  12. Click Configure for routing.

    The Add settings option appears.

  13. Enter a Name for the rule, such as Email Security Outbound Rule.

  14. Under Messages to affect(section 1), select Outbound.

  15. Under For the above types of messages, do the following(section 3), select Change route.

  16. Change Normal routing to Email Security Outbound Rule, created above.

  17. (Optional)Under Encryption (onward delivery only), select Require Secure Transport (TLS).

  18. Click Add Settings or Save if you are editing an existing configuration.

  19. At the bottom of the Advanced Settings page, click Save to apply changes.

    Note

    It can take up to one hour for your settings to come into effect. You can track changes in the Admin console audit log.

  1. Login to the Google Workspace Admin Console with an administrators account.

  2. Click on the Menu button google_workspace_dots.PNG.

  3. Select Admin > Apps > Google Workpace.

  4. Click on GMail to take you to Settings for Gmail.

  5. Click on Hosts section.

  6. Click on the Add Route button.

  7. Give the route a Name like “Google Internal”.

  8. In the Specify Email server select Multiple hosts.

  9. Add a primary entry for each of the GMail Servers listed below:

    aspmx.l.google.com
    alt1.aspmx.l.google.com
    alt2.aspmx.l.google.com
    alt3.aspmx.l.google.com
    alt4.aspmx.l.google.com
    104340_3.png
  10. Click Save.

  11. Go to the General setting tab and scroll to the Routing setting in the Routing section.

  12. Click on Add Another for Routing. This will open up a new Add setting option.

  13. Enter a name like Internal Route.

  14. Select the checkbox for Internal – Sending  in Messages to affect.

  15. Select only affect specific envelope recipients and define a REGEX for your internal domain.

    104340_4.png

    Note

    For multiple domains you can add them into the regex in this format:

    .*@firstdomain\.com|.*@seconddomain\.co\.uk
  16. Select Change route in For the above types of messages, to do the following.

  17. Change the Normal routing to the one created above.

    104340_5.png
  18. Click on Show Options at the bottom of this page and Select Users and Groups” under Account types to affect:

    104340_6.png
  19. Click the Add Setting button, then click Save.

  20. At the bottom of the Advanced Settings page, click Save.

Note

Now all internal mail is routed directly to Google servers, and all other mail routes through the Email Security Outbound Gateway.

Configure Inbound mail on Office 365 to reject non-EMS emails

You should configure Office 365 to block any inbound email that does not originate from Email Security product. There are two options available discussed below. The option best suited to you depends on your environment and requirements.

This method will allow the Email Security server IP addresses to deliver emails even if spam filtering is enabled in Office 365. This will ensure emails processed by the Email Security product are delivered without delay and do not land in the junk mailbox folder for Office 365 users.

Note

Your EMS account must have an inbound TLS rule for this option to complete successfully.

  1. Login to Office 365 Exchange Admin Center and go to Admin Centers > Classic Exchange Admin Center.

  2. Go to Protection > Connection Filter.

  3. Edit the Default entry and navigate to the Connection Filtering tab.

  4. In the Allowed IP Address section, add all of the IP addresses for the Email Security region you are using - see Europe, United States, or United Arab Emirates.

  5. Click Enable Safe List and then Save.

Note

Office 365 is now configured to block any email that does not originate from EMS.

Using a rule provides more flexibility than just using IP address, for example you could control based on email address or attachment  Depending on your requirements or environment this may be the best option, if you have other means to restrict direct connection to your Office 365 tenant other than just IP address.

  1. Log in to the Office 365 Admin Center, and go to Admin Centers > Exchange.

  2. In the left-hand pane, click Mail Flow and then Rules.

  3. Click + and then click Create a new rule.

  4. In the New Rule page, enter a Name to represent the rule. For example, Email Security IP restriction.

  5. Scroll down and click More options.

  6. From the Apply this rule if drop-down menu, select The Sender, Is External/Internal and Outside the organization.

  7. From the Do the following drop-down menu, select Block the message and Reject the message with the Explanation.

  8. Click Enter text and enter the message that you want to include in the non-delivery report (NDR) that will be sent to the email's sender. For example:

    IP restricted, not using MX record. Please ensure your DNS is up-to-date and try sending this message again.
  9. Click Add exception.

  10. Select Sender and then Sender's IP address is in the range or exactly matches, and enter the Email Security IP for your cluster - see Europe, United States, or United Arab Emirates.

  11. Click + to add each of the IP addresses for your region.

  12. Once all the IP addresses have been added, click OK.

  13. Scroll to the Properties of the rule section. Under Match sender address in message, select Header or Envelope.

  14. Click Stop processing more rules.

  15. Click Save.

  16. Verify that the new rule displays at the top of the list of mail flow rules. If it's not at the top, select the rule and use the Up arrow to move it.

Note

Office 365 is now configured to block any email that does not originate from EMS.

Configure Office 365 for Email Security

Follow these procedures to integrate Email Security with Office 365, for inbound and outbound email delivery.

To configure Email Security for use with an Office 365 account follow the steps below:

1. Configure Email Security Inbound Mail
  1. Go to Products > Email Security > Product Configuration.

  2. Go to Inbound Mail.

  3. Click Add to add a new delivery route.

  4. Select your Domain from the drop-down list.

  5. Under Cost set route priority.

    The cost defines route priority for multiple routes.The lower the number, the higher the priority.

  6. Under Route enter the 0365 domain name (e.g. domain-com.mail.protection.outlook.com)

    Note

    This can be found under O365 > Settings > Domains > Domain Details > MX Value

  7. Update to save changes.

2. Configure Email Security Outbound Mail
  1. Go to Products > Email Security > Product Configuration.

  2. Go to Outbound Mail.

  3. Click Add.

  4. Under Hostname enter the following hostname:

    spf://spf.protection.outlook.com

  5. Update to save changes.

Please follow the steps in this article to restrict Office 365 and then return to this article to continue configuration.

Follow the steps below to configure Office 365 to always send messages using the EMS server:

  1. Log in to your Office 365 Admin Center, and go to Admin Centers > Exchange.

  2. In the left-hand pane, click Mail Flow > Connectors.

  3. Click + to add a new connector.

  4. In the From: field, select Office 365.

  5. In the To: field, select Partner Organization.

  6. Give the new connector a sensible name.

  7. Click Next.

  8. Under When do you want to use this connector? select Only when email messages are sent to these domains, then click the + icon and enter *.

  9. Click Next.

  10. Under How do you want to route email messages, select Route email through these smart hosts.

  11. Add hosts according to the correct addresses for your cluster - see Europe, United States, or United Arab Emirates.

  12. Click Next and then click Confirm to create the connector.

Note

If you wish to verify the connector, be sure not to use an internal address. For example, use a personal email address which is not a domain configured for your customer.

If the validation fails check the settings below before contacting technical support:

  • The connector is enabled.

  • The default domain is the domain configured in EMS domain settings (MailFlow > Accepted Domains).

Configure outbound DKIM

DomainKeys Identified Mail (DKIM) adds a digital signature to safeguard the email content of your outbound source. Configuring DKIM increases your domain reputation with different providers.

Each domain covered by Email Security will have its own key, so each domain will need to be configured before it can be DKIM-enabled.

Note

Email Security comes with a default system Message Rule called Apply DKIM which is enabled by default; however, outbound messages won't be signed unless you have configured outbound DKIM, by following the steps below.

Enabling DKIM for all domains
  1. Go to Products > Product Configuration > Domains.

  2. To view the DKIM public key, click on the view email_sec_dkim.png button. Click the icon next to the domain you wish to configure to display the DKIM.

    93678_1.png
  3. Write a DNS txt entry for the domain.

    Note

    You need to create a txt record for ussems._domainkey.xxxxxx, where xxxxxx is your domain name.

    Here is an example of what should be seen on a nslookup. This entry should match the entry found in step 2.

    93678_2.png
  4. Repeat steps 1 to 3 for all of your domains and then wait for the domain TTL to expire.

  5. Return to the Domains section and click the Verify and Enable DKIM button. The DKIM status will be updated to Success if the DKIM key can be verified against the domain DNS. At least one domain must have DKIM verified in order to enable DKIM on your account.

    Note

    If you remove all DKIM verified domains, or wish to disable DKIM on your account please remember to verify DKIM again. If no domains can be verified then DKIM will be fully disabled.

Enabling DKIM for specific domains

If you want outbound mail to be DKIM-signed for some, but not all, of the domains on your account, follow the steps below.

  1. Go to Products > Custom Rule Data.

  2. Click the New button at the bottom of the screen and select Rule Data

    emailsecruledata.png
  3. Enter a name, and Click Update.

  4. Add the domain(s) for which you would like to enable DKIM under Value.

    Note

    Keep each domain as a separate line.

    93678_3.png
  5. Click Save.

    A window appears with your domain’s DKIM key (public key).

  6. Go to Products > Message Rules.

  7. Click the Add Rule button.

    75100_13.png
  8. Enter a name click the Add button.

    75100_14.png
  9. Configure the new rule:

    1. Add the following conditions:

      • Direction: Matches Outbound

      • DKIM Enabled: Matches True

      • Sender: Matches DKIM Signing

    2. Add the DKIM Signing: Value 1024-bit key ac

    93678_4.png
  10. Click Save.

  11. Move the rule to top of the Message Rules list (drag and drop) to give it the highest priority.

  12. Search for the Apply DKIM signing system message rule in the Message Rule list and click the On button to turn the rule off.

    93678_5.png

Safelist Email Security IP addresses in Office 365

If you are using Email Security and delivering clean emails to Office 365, it is essential to bypass Exchange Online Protection (EOP) to ensure smooth delivery of emails. Failure to add the bypass rules will allow Office 365 to interfere with email delivery, causing unexpected results and behavior for end users.

Note

Even with the EOP bypass rules in place Office 365 will still provide anti-malware scanning

  1. Log in to Office 365 and go to Admin > Exchange Admin Center.

  2. Select Rules under the Mailflow section. Click the + icon and select Create a new rule...

  3. Enter a name for the new rule (for example, Spam exclusion for Email Security).

  4. Select More Options.

  5. From the Apply this rule if... drop down menu, expand The sender... menu option and select IP address is in any of these ranges or exactly matches. In the dialog that opens, enter in each of the IP addresses based on the Email Security region in use.

    174459_1.png

    You can find a list of our IP addresses here:

  6. From the Do the following... drop down menu, expand the Modify the message properties... menu option and select set the spam confidence level (SCL) option to Bypass spam filtering.

    174459_2.png

    Note

    The final rule should look similar to the example below:

    174459_3.png
  7. Click Save to save the rule

Clutter is a feature that moves low-priority emails out of user's inbox to a folder called Clutter. Clutter analyzes user's email habits, and based on past behavior, it determines the messages that the user most likely to ignore. To make sure that emails are always delivered to the user's inbox, you must bypass the Clutter.  To do this amend the above rule and add the following entries.

  1. Select Add Action and then expand Modify the message properties... and select set a message header.

  2. Click the first Enter text link and paste the following exactly as it appears (case sensitive):

    X-MS-Exchange-Organization-BypassClutter
  3. Click the second Enter text link and paste the following exactly as it appears (case sensitive):

    true

    The rule should now look similar to the example below:

    174459_4.png
  4. Click Save to save the changes.

Focused Inbox is a feature that automatically evaluates incoming emails and direct them to two views: Focused and Others. To make sure the email messages are always delivered to the user's Focused inbox, you must bypass the evaluation.  To do this, create a new rule:

  1. Click the + icon and then select Create a new rule....

  2. Give the rule a name (for example Bypass Focused Inbox evaluation).

  3. Click on More Options.

  4. From the Apply this rule if... drop down menu, expand The sender... menu option and select IP address is in any of these ranges or exactly matches. In the dialog that opens, enter in each of the IP addresses based on the Email Security region in use.

    You can find a list of our IP addresses here:

  5. From the Do the following... drop down menu, expand the Modify the message properties... menu and select set a message header.

  6. Click the first Enter text link and paste the following exactly as it appears (case sensitive):

    X-MS-Exchange-Organization-BypassFocusedInbox
  7. Click the second Enter text link and paste the following exactly as it appears (case sensitive):

    true

    The rule should now look similar to the example below:

    174459_5.png

Warning

Ensure that the Focused Inbox rule has a higher priority than the rule to bypass Office 365 spam protection

Configure outbound DMARC

Email Security provides the ability to participate in DMARC (Domain Message Authentication Reporting and Conformance) for email authentication.

Below configuring any DMARC DNS entry, you must ensure that the following are true:

Create a DNS Resource Record of type TEXT with a record name like _dmarc.domain.TLD. For example, the Resource Record name for domain testdomain.co.uk is _dmarc.testdomain.co.uk.

Note

The record name must start with _dmarc (including the underscore).

The text content of a simple starter record should be similar to:

v=DMARC1; p=none; ruf=mailto:DMARCReports@tonyfrankum.co.uk; aspf=s
  • aspf=s specifies "strict" checking of SPF (the default is "relaxed").

  • ruf= provides the email address to which DMARC failure reports should be sent.

  • p=none specifies a policy of "none" - the recipient should not reject or quarantine any messages simply because they do not align with this DMARC policy. The recipient could of course reject or quarantine the messages for other reasons.

You should start to receive reports to the email address you specified every 24 hours. After reviewing the reports and confirming that valid messages from your domains do pass evaluation, you may then request that recipients act on messages that do not align with the policy, by changing the policy to quarantine or reject.

Receive notifications for add on licensing expiration

Configure outbound email for Exchange 2016

It is important that you configure your Exchange connectors to send outbound email out through the MailSafe service. This ensures that both your outbound traffic is scanned and your traffic is profiled to help improve spam filtering. This article explains how to configure your connectors correctly.

  1. Login to the Microsoft Exchange Server as an administrator.

  2. Open Exchange Admin Center by visiting https://your-exchange-servers-hostname/ecp.

  3. In the left Pane, select mail flowConnectors.

  4. Select the + icon to create a new send connector.

  5. Enter an identifiable name for your connector such as Email Security Mail Relay.

  6. Ensure the type is set to Custom.

  7. Select Next.

  8. Specify the mail to be relayed by the option Route mail through smart hosts.

  9. Select the +” icon to create a new smart host.

  10. Create connectors for each sending hosts in the appropriate cluster - either US or EU.

  11. Select Next.

  12. Ensure Smart Host Authentication is set to None.

  13. Select Next.

  14. For the Address space, select the + button to add a domain.

  15. Enter the FQDN as * and change the cost to 10.

  16. Click Save.

  17. On the Source Server page, add any other Exchange Servers that should be able to send email to this connector by hitting the + button. In most cases where there is only one server, the server will already be added. Click Next.

  18. Click Finish.

Configure outbound email for Exchange 2007/2010

It is important that you configure your Exchange connectors to send outbound email out through the MailSafe service. This ensures that both your outbound traffic is scanned and your traffic is profiled to help improve spam filtering. This article explains how to configure your connectors correctly.

  1. Login to the Microsoft Exchange Server as an administrator.

  2. Go to Start > All Programs > Microsoft Exchange 2010 > Exchange Management Console to open the Exchange Management Console.

  3. In the left Pane, go to Microsoft Exchange > Organization Configuration.

  4. Select Hub Transport.

  5. In the middle pane, select the Send Connectors tab. A list of send connectors will be displayed.

  6. Delete any Send Connectors that are destined for the internet. This will normally be all of them.

  7. Create connectors for each sending hosts in the appropriate cluster - either US or EU.

  8. In the right pane, select the New Send Connector link.

  9. Enter the Name as per the cluster list, and select the Intended use as Internet.

  10. Select Next.

  11. On the Address Space page, select the Add button to add an SMTP Address Space.

  12. Enter the Address Space as * and the Cost as 10. Click OK to create the connector, and then click Next to continue.

  13. On the Network Settings page, select Route Mail Through the following Smart Hosts.

  14. Click the Add button to add a smart host.

  15. When prompted, select Fully Qualified Domain Name and the first hostname from the appropriate cluster - either US or EU.

  16. Click Next.

  17. On the Configure Smart Host Authentication settings page, select None and then click Next.

  18. On the Source Server page, add any other Exchange Servers that should be able to send email to this connector. In most cases, where there is only one server, the server will already be added. Click Next.

  19. On the final page, click New to create the connector.

  20. Click Finish.

Troubleshooting AD Connect

  1. The Refresh and Test buttons in the AD Connect Setup Tool are the first step in troubleshooting any issues you might be experiencing:

    129792_1.png

    Refresh

    AD Connect will automatically check for new or updated domain settings every 30 minutes. Click this button to force an immediate refresh.

    Test

    This button will verify the connection to Email Security and validate all credentials entered in the Setup Tool.

  2. If this does not solve the problem, check that the AD Connect service is running:

    1. Go to Task Manager by right clicking on your Windows taskbar and clicking on Task Manager.

      129792_2.png
    2. Look for The AD Connect under the Services tab.

      129792_4.png
  3. Right click on the Service and restart it.

    129792_5.png