How to configure Sophos Email for Google Workspace

This topic explains how to set up Google Workspace (formerly G Suite) to route email through Sophos Email.

Add your domain and verify ownership

Note You must provide the following information when configuring Sophos Email to process and deliver email for your domain:
  • Your email domain name.
  • The MX records for Google Apps.
  • The port number used to listen for SMTP traffic on the mail delivery destination host.

To add your domain in Sophos Central, do as follows:

  1. Click Email Gateway > Settings.
  2. Click Domain Settings/Status.
  3. Click Add Domain.
  4. Enter your email domain details.
  5. Configure your delivery destination.
    1. For delivery destination and port, enter MX, and the value routing-mx.<yourdomain.com> on Port 25. You configure your routing MX values after you verify domain ownership.
  6. Next, click Verify Domain Ownership.
  7. Copy the TXT value presented in the Verify Domain Ownership dialog.

    This value is specific to your email domain.

  8. Create a TXT DNS record in the root level of the domain name (entered in step 5) and paste the TXT value copied in the last step. You can give it the same TXT name as shown or use @.
  9. Once the new TXT DNS record entry is saved, click Verify.

When the DNS update with the correct TXT value has propagated, you receive a message indicating successful domain verification.

If the DNS update hasn't propagated, or the value entered is incorrect, you receive a failure message. Confirm that the value entered is correct.

Note The domain verification process may take some time to complete.

Configure routing-mx values to deliver to Google Workspace

To provide failover for the inbound connection between Sophos Email and Google Workspace, you need to set up new MX records on a new subdomain of your mail domain.

In this example, we recommend using routing-mx.<yourdomain.com>.

Note This is different to configuring the MX records for mail delivery on your domain itself. Adding these records has no impact on mail traffic yet; they are only used for the delivery destination configured within Sophos Email.

How to configure this varies between DNS providers. Typically you would enter the type as MX, the hostname as routing-mx, and the destination and priority as per the Google URLs in the screenshot below. You must have ASPMX.L.GOOGLE.COM as the highest priority record.


[Figure: Example MX records]

Note You can skip this step and configure the delivery destination to point directly to ASPMX.L.GOOGLE.COM. But if there's an issue contacting ASPMX.L.GOOGLE.COM, mail won't be delivered to Google's alternate MX server.

Add mailboxes to Email Gateway

You can add mailboxes in the following ways:

  1. Automatically, using a directory service. You can use either AD sync or Azure AD sync. For more information and instructions on how to set up a directory service, see Directory service.
  2. Manually, using the UI.
  3. Manually, importing a .csv file.

Add a mailbox manually

Sophos Email allows you to add single mailboxes manually via the user interface.

To add a mailbox manually, do as follows:

  1. Go to Email Gateway > Mailboxes to view and manage your mailboxes.
  2. On the Mailboxes screen, click Add.
  3. Select Add Mailbox.

    There are three types of mailbox:

    • User Email: a mailbox for a person. Example: firstname.lastname@companyname.com.
      Tip For a User Email mailbox, you can click the mailbox name to view the user's details.
    • Distribution List: a mailbox for a group of people. Example: support@companyname.com.
    • Public Folder: a mailbox for collecting information such as surveys or feedback. Example: survey@companyname.com.
  4. Select a mailbox type.
  5. Enter a name for the mailbox.
  6. Enter the SMTP address for the mailbox.
  7. Click Save to create a single mailbox and exit, or Save and Add Another to create additional mailboxes.

Add Mailboxes via Import

Sophos Email allows you to add mailboxes in bulk using mailbox import.

To import mailboxes, do as follows:

  1. Create your import .csv file using the following format:

    Name                 Email Address             Type
    Robert Alamar        robert.alamar@test.com    User
    Support DL           support@test.com          DL
    Vacation Calendar    vacation@test.com         PF

  2. Click Add Mailbox and select Import mailboxes.
  3. Click Browse and go to your import file.
  4. Click Add to start the import process.

    The import runs and displays the results when complete.

To verify mailbox creation, search for new users in People. For distribution lists and public folders, browse the list of mailboxes under Mailboxes.
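
A pre-import check for the .csv described above, added here as an example (it is not Sophos code). It assumes a comma-separated file whose first row is the header shown above and treats the three Type values in the sample rows (User, DL, PF) as the only valid ones; check_import and its messages are hypothetical names.

```python
# Added example: pre-import check for the mailbox .csv described above.
# Assumes a comma-separated file whose first row is the header shown on this page.
import csv
import io

HEADER = ["Name", "Email Address", "Type"]
TYPES = {"User", "DL", "PF"}  # the three Type values in the page's sample rows

def check_import(csv_text, domain):
    """Return a list of (row_number, problem) for rows that should be fixed first."""
    rows = list(csv.reader(io.StringIO(csv_text)))
    if not rows or [c.strip() for c in rows[0]] != HEADER:
        return [(1, "header must be: " + ",".join(HEADER))]
    problems, seen = [], {}
    for number, row in enumerate(rows[1:], start=2):
        if len(row) != 3:
            problems.append((number, f"expected 3 columns, found {len(row)}"))
            continue
        name, address, kind = (c.strip() for c in row)
        if not name:
            problems.append((number, "empty name"))
        local, at, host = address.rpartition("@")
        # Mailboxes outside the verified domain are not covered by this setup.
        if not at or not local or host.lower() != domain.lower():
            problems.append((number, f"address is not in {domain}: {address!r}"))
        if kind not in TYPES:
            problems.append((number, f"unknown type {kind!r}"))
        key = address.lower()
        if key in seen:
            problems.append((number, f"duplicate of row {seen[key]}"))
        seen.setdefault(key, number)
    return problems

# Constructed sample: the page's three rows plus three deliberately bad ones.
SAMPLE = """Name,Email Address,Type
Robert Alamar,robert.alamar@test.com,User
Support DL,support@test.com,DL
Vacation Calendar,vacation@test.com,PF
Second Robert,Robert.Alamar@test.com,User
Survey,survey@test.org,Public Folder
Broken Row,broken@test.com
"""

if __name__ == "__main__":
    for row_number, problem in check_import(SAMPLE, "test.com"):
        print(f"row {row_number}: {problem}")
```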

Restrict delivery to Sophos IP addresses

You can configure the connection to your mail host to only use our delivery IPs.

Restricting delivery IPs adds security to the integration between Sophos Email and your mail host.

Warning Before you proceed, we strongly recommend testing email traffic and domain configuration in a non-production or test environment before making any changes to your organization's email configuration.

The specific delivery IP you need to use depends on the region where your Sophos Central account is hosted. When you created your Sophos Central account, you chose to store your data in the United States, Germany, or Ireland.

Warning You must also add the Sophos IPs to the IP allow list for your mail server. If you don't, your users won't receive their emails.

Region       IPs
US (West)    52.41.236.76
             50.112.39.248
US (East)    18.220.12.142
             18.216.7.10
Germany      52.58.166.242
             52.29.100.147
Ireland      52.208.126.243
             52.31.106.198

Warning Using an IP other than the one specified for your region prevents mail from flowing correctly.

Create an Inbound Gateway in Google Workspace

Because you're using Sophos Email to filter your mail and have your MX records pointed directly to us, you need to restrict delivery to Google Workspace to only Sophos Delivery IPs.

Note The following instructions are taken from Google's Set up an inbound mail gateway help page. We recommend you check Google's help for updates before changing your email configuration.

To configure this setting, do as follows:

  1. Sign in to your Google Admin Console.
  2. Navigate to Apps > Google Workspace > Gmail > Advanced settings.
  3. In the Organizations section, select the top-level organization.
  4. Scroll to Inbound Gateway in the Spam section.
  5. Click Configure.
  6. Enter a description for your inbound gateway, for example Sophos Email Inbound Gateway.
  7. Under Gateway IPs, click Add and enter the gateway IPs that correspond to your region. You must save after each entry.
  8. Turn on:
    • Automatically detect external IP (recommended).
    • Reject all mail not from gateway IPs.
    • Require TLS connections from the email gateways listed above.
  9. Click Add Setting or Save.
  10. Click Save again at the bottom of the page.

Change your MX records to point to Sophos Email

Changing your domain's MX records to point to Sophos Email is crucial to successful deployment and ensures all email is filtered and delivered.

If you can't make these changes yourself, contact your IT department, hosting provider, ISP, or Domain Name Service provider and arrange for the MX records for your domains to be modified.

When you created your Sophos Central account, you selected a region where you wanted to store your data. Your MX records are dependent on this region.

Change your MX records to include the record names associated with the region where you chose to store your data.

Region                  MX Records
United States (West)    10, mx-01-us-west-2.prod.hydra.sophos.com
                        20, mx-02-us-west-2.prod.hydra.sophos.com
United States (East)    10, mx-01-us-east-2.prod.hydra.sophos.com
                        20, mx-02-us-east-2.prod.hydra.sophos.com
Germany                 10, mx-01-eu-central-1.prod.hydra.sophos.com
                        20, mx-02-eu-central-1.prod.hydra.sophos.com
Ireland                 10, mx-01-eu-west-1.prod.hydra.sophos.com
                        20, mx-02-eu-west-1.prod.hydra.sophos.com

Notes

Take care with all options to ensure that the spelling and numbers are correct.

Using MX record names other than those provided prevents mail from flowing correctly.

When changing DNS entries like MX records, we recommend lowering the TTL (to 600 ms or less) well in advance of updating the entries. This allows the change to propagate quickly and provides a quick way to revert changes, if any issues arise during testing.
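
An offline check for both MX sets this topic configures, added here as an example (it is not Sophos or Google code): the routing-mx records from "Configure routing-mx values to deliver to Google Workspace" and the regional records in the table above. It assumes you paste in the text printed by `dig +short MX <name>`; the function names and sample answers are constructed for illustration.

```python
# Added example: checks MX answers (text as printed by `dig +short MX <name>`)
# against the values given on this page. Runs offline on constructed samples.
REGION_CODES = {"United States (West)": "us-west-2", "United States (East)": "us-east-2",
                "Germany": "eu-central-1", "Ireland": "eu-west-1"}

def parse_mx(dig_output):
    """Return {(preference, host)} from lines of the form '<pref> <host>.'"""
    records = set()
    for line in dig_output.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0].isdigit():
            records.add((int(parts[0]), parts[1].rstrip(".").lower()))
    return records

def check_domain_mx(dig_output, region):
    """Problems with the mail domain's own MX set for the given Sophos Central region."""
    code = REGION_CODES[region]
    expected = {(10, f"mx-01-{code}.prod.hydra.sophos.com"),
                (20, f"mx-02-{code}.prod.hydra.sophos.com")}
    found = parse_mx(dig_output)
    problems = [f"missing: {p} {h}" for p, h in sorted(expected - found)]
    # Anything else, such as a leftover Google MX host, is a name other than those provided.
    problems += [f"unexpected: {p} {h}" for p, h in sorted(found - expected)]
    return problems

def check_routing_mx(dig_output):
    """Problems with the routing-mx subdomain used as the delivery destination."""
    found = sorted(parse_mx(dig_output))  # lowest preference number sorts first
    if not found:
        return ["no MX records returned"]
    problems = []
    if found[0][1] != "aspmx.l.google.com":
        problems.append(f"highest priority is {found[0][1]}, not aspmx.l.google.com")
    if len(found) < 2:
        problems.append("only one record, so there is no failover host")
    return problems

# Constructed sample answers (not real lookups).
DOMAIN_BAD = "10 mx-01-eu-west-1.prod.hydra.sophos.com.\n1 aspmx.l.google.com.\n"
ROUTING_BAD = "5 alt1.aspmx.l.google.com.\n10 aspmx.l.google.com.\n"
ROUTING_OK = "1 aspmx.l.google.com.\n5 alt1.aspmx.l.google.com.\n"

if __name__ == "__main__":
    for problem in check_domain_mx(DOMAIN_BAD, "Ireland") + check_routing_mx(ROUTING_BAD):
        print(problem)
```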

Create Google Workspace rule for internal messages

By default, all your messages are sent to Sophos Email, using the destinations set in your inbound MX records. You must create a routing rule in Google Workspace to direct internal messages to Google servers instead.

Note The following instructions were taken from Google's Add mail routes for advanced Gmail delivery help page. We recommend you check Google help for updates before changing your email configuration.

To create the rule, do as follows:

  1. Sign in to Google Admin with your administrator account.
  2. Go to Apps > Google Workspace > Gmail > Hosts.
  3. Click Add Route.
  4. Enter a route name that helps you remember the route, for example Internal Messages.
  5. Select Multiple hosts.
  6. Enter the Primary host details as follows:
    Option      Description
    Hostname    aspmx.l.google.com
    Port        25
    Load        100%

  7. Click Add Primary.
  8. Enter the Secondary host details as follows:
    Option      Description
    Hostname    alt1.aspmx.l.google.com
    Port        25
    Load        100%

  9. Click Add Secondary.
  10. Select Require mail to be transmitted over a secure transport (TLS) connection (Recommended).
  11. Select Require CA signed certificate (Recommended).
  12. Click Save.

    Changes can take up to 24 hours to take effect. You can track changes in your Google Workspace Admin audit log.

Test and confirm email traffic

Once you've updated your MX records, send a test message to any of your mailboxes protected by Sophos Email. Send your test message from an address outside your email domain.

To confirm the message flowed through Sophos Email, you can view the Message History Report.

To access the report, do as follows:

  1. In Sophos Central, click Logs and Reports.
  2. Click Message History.

    If messages are flowing through the system, you see entries in this report.

If mail isn't flowing, you won't receive email in your test inbox. Take the following steps:

  1. Verify that your MX records are correct for your region.
  2. Verify that you set up the Sophos Delivery IPs correctly in your gateway, firewall, or connector.
  3. Verify that the mailbox you're sending to exists in Sophos Email.

If you've taken all these steps and mail still isn't flowing for your domain, contact Sophos Email Support.