How to configure Sophos Email for Google Workspace
This topic explains how to set up Google Workspace (formerly G Suite) to route email through Sophos Email.
Add your domain and verify ownership
- Your email domain name.
- The MX records for Google Apps.
- The port number used to listen for SMTP traffic on the mail delivery destination host.
To add your domain in Sophos Central, do as follows:
When the DNS update with the correct TXT value has propagated, you receive a message indicating successful domain verification.
If the DNS update hasn't propagated, or the value entered is incorrect, you receive a failure message. Confirm that the value entered is correct.
Configure routing-mx values to deliver to Google Workspace
To provide failover for the inbound connection between Sophos Email and Google Workspace, you need to setup new MX records on a new subdomain of your mail domain.
In this example, we recommend using routing-mx.<yourdomain.com>.
How to configure this varies with with different DNS providers. Typically you would enter the type as MX, the hostname as routing-mx, and the destination and priority as per the Google URLs in the screenshot below. You must have ASPMX.L.GOOGLE.COM as the highest priority record.

Add mailboxes to Email Gateway
You can add mailboxes in the following ways:
- Automatically, using a directory service. You can use either AD sync or Azure AD sync. For more information and instructions on how to set up a directory service, see Directory service.
- Manually, using the UI.
- Manually, importing a .csv file.
Add a mailbox manually
Sophos Email allows you to add single mailboxes manually via the user interface.
To add a mailbox manually, do as follows:
Add Mailboxes via Import
Sophos Email allows you to add mailboxes in bulk mailbox import.
To add import mailboxes, do as follows:
To verify mailbox creation, search for new users in People. For distribution lists and public folders, browse the list of mailboxes under Mailboxes.
Restrict delivery to Sophos IP addresses
You can configure the connection to your mail host to only use our delivery IPs.
Restricting delivery IPs adds additional security to the integration between Sophos Email and your mail host.
The specific delivery IP you need to use depends on the region where your Sophos Central account is hosted. When you created your Sophos Central account, you chose to store your data in the United States, Germany, or Ireland.
Region |
IPs |
---|---|
US (West) |
52.41.236.76 50.112.39.248 |
US (East) |
18.220.12.142 18.216.7.10 |
Germany |
52.58.166.242 52.29.100.147 |
Ireland |
52.208.126.243 52.31.106.198 |
Create an Inbound Gateway in Google Workspace
Because you're using Sophos Email to filter your mail and have your MX records pointed directly to us, you need to restrict delivery to Google Workspace to only Sophos Delivery IPs.
Set up an inbound mail gatewayhelp on February 12, 2021. We recommend you check the Google help page for updates before changing your email configuration.
To configure this setting, do as follows:
- Sign in to your Google Admin Console.
- Navigate to .
- In the Organizations section, select the top-level organization.
- Scroll to Inbound Gateway in the Spam section.
- Click Configure.
-
Enter a description for your inbound gateway, for example
Sophos Email Inbound Gateway
. - Under Gateway IPs, click Add and enter the gateway IPs that correspond to your region. You must save after each entry.
-
Turn on:
- Automatically detect external IP (recommended).
- Reject all mail not from gateway IPs.
- Require TLS connections from the email gateways listed above.
- Click Add Setting or Save.
- Click Save again at the bottom of the page.
Change your MX records to point to Sophos Email
Changing your domain's MX records to point to Sophos Email is crucial to successful deployment and ensures all email is filtered and delivered.
If you can't make these changes yourself, contact your IT department, hosting provider, ISP, or Domain Name Service provider and arrange for the MX records for your domains to be modified.
When you created your Sophos Central account, you selected a region where you wanted to store your data. Your MX records are dependent on this region.
Change your MX records to include the record names associated with the region where you chose to store your data.
Region |
MX Records |
---|---|
United States (West) |
10, mx-01-us-west-2.prod.hydra.sophos.com 20, mx-02-us-west-2.prod.hydra.sophos.com |
United States (East) |
10, mx-01-us-east-2.prod.hydra.sophos.com 20, mx-02-us-east-2.prod.hydra.sophos.com |
Germany |
10, mx-01-eu-central-1.prod.hydra.sophos.com 20, mx-02-eu-central-1.prod.hydra.sophos.com |
Ireland |
10, mx-01-eu-west-1.prod.hydra.sophos.com 20, mx-02-eu-west-1.prod.hydra.sophos.com |
Notes
Take care with all options to ensure that the spelling and numbers are correct.
Using MX record names other than those provided prevents mail from flowing correctly.
When changing DNS entries like MX records, we recommend lowering the TTL (to 600 ms or less) well in advance of updating the entries. This allows the change to propagate quickly and provides a quick way to revert changes, if any issues arise during testing.
Test and confirm email traffic
Once you've updated your MX records, send a test message to any of your mailboxes protected by Sophos Email. Send your test message from an address outside your email domain.
To confirm the message flowed through Sophos Email, you can view the Message History Report.
To access the report, do as follows:
- In Sophos Central, click Logs and Reports.
- Click Message History.
If messages are flowing through the system, you see entries in this report.
If mail isn't flowing, you aren't receiving email to your test inbox. Take the following steps:
- Verify that your MX records are correct for your region.
- Verify that you set up the Sophos Delivery IPs correctly in your gateway, firewall, or connector.
- Verify that the mailbox you're sending to exists in Sophos Email.
If you've taken all these steps and mail still isn't flowing for your domain, contact Sophos Email Support.