Skip to content

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/central/customer/help/en-us/index.html?contextId=sophos-email-monitoring-system-google-configuration

Configure journaling for Google

Find out how to configure journaling in Google to send copies of emails to Sophos EMS (Email Monitoring System).

Journaling lets you send a copy of every email sent or received in Google Workspace. Google attaches the copied message to a journal report and stores it in a designated mailbox. In Google Workspace, you can enable journaling by creating a journal rule that sends a copy of each email to EMS for monitoring.

To learn more about journaling in Google Workspace, see Route journal messages to Google Vault.

If you're already using another email security solution and want to connect it with EMS, you must configure an inbound gateway between them.

The key steps to set up Sophos EMS with Google Workspace are as follows:

Before you start

Make sure you have a Google Workspace admin account.

Configure external dependencies

To configure external dependencies, do as follows:

  1. Sign in to Sophos Central.
  2. Go to My Products > Email Protection > Settings > EMS Domain Settings/Status.
  3. Select your domain and click Configure External Dependencies.
  4. Click the Google tab.

  5. In Step 1, copy the provided email address and save it for later use.

    This email address is the journal destination address.

    Continue to Create journal rules in Google Workspace.

  6. Complete Step 2 if you have a third-party email security solution. Otherwise, skip this step.

    Continue to Configure the inbound gateway.

Create journal rules in Google Workspace

You must create journal rules in Google Workspace to route inbound and outbound emails through EMS.

Click the tab for the email traffic you want to apply the rule to.

To create a journal rule for both inbound and outbound emails for all domains, do as follows:

  1. Sign in to your Google Admin Console.
  2. In the Admin Console, go to Menu > Apps > Google Workspace > Gmail.
  3. Click Routing.
  4. Select the organizational unit for which you want to set up the journal rule.

  5. Scroll to the Routing setting, then take one of the following actions:

    • If you haven't configured a rule yet, click Configure.
    • If you've already configured a rule, click Add Another Rule.

  6. On the Add setting dialog, enter a description for the journal rule.

    For example, Journal rule for Sophos (external).

  7. In Email messages to affect, select Inbound and Outbound.

  8. In For the above types of messages, do the following, make sure Modify message is selected.
  9. In Headers, select Add X-Gm-Original-To header.

  10. In Also deliver to, select Add more recipients, click Add, then select Advanced.

    This is where you must provide the email address of the envelope recipient where all copies of mail will be delivered.

  11. In Envelope recipient, select Change envelope recipient, then enter the email address of the envelope recipient from Sophos Central.

  12. In Spam and delivery options, deselect Do not deliver spam to this recipient and make sure Suppress bounces from the recipient is selected.

  13. In Headers, make sure the following headers are selected:

    • Add X-Gm-Original-To header
    • Add X-Gm-Spam and X-Gm-Phishy headers

  14. Click Save.

  15. In Encryption (onward delivery only), select Require secure transport (TLS).

  16. Click Show options and make sure the following account types are selected:

    • Users
    • Groups

  17. Click Save.

    Changes can take up to 24 hours to take effect. You can track changes in your Google Workspace Admin audit log.

To create a journal rule for inbound emails for specific domains, do as follows:

  1. Sign in to your Google Admin Console.
  2. In the Admin Console, go to Menu > Apps > Google Workspace > Gmail.
  3. Click Routing.
  4. Select the organizational unit for which you want to set up the journal rule.

  5. Scroll to the Routing setting, then take one of the following actions:

    • If you haven't configured a rule yet, click Configure.
    • If you've already configured a rule, click Add Another Rule.

  6. On the Add setting dialog, enter a description for the journal rule.

    For example, EMS scan inbound.

  7. In Email messages to affect, select Inbound.

  8. In For the above types of messages, do the following, make sure Modify message is selected.
  9. In Headers, select Add X-Gm-Original-To header.

  10. In Also deliver to, select Add more recipients, click Add, then select Advanced.

    This is where you must provide the email address of the envelope recipient where all copies of mail will be delivered.

  11. In Envelope recipient, select Change envelope recipient, then enter the email address of the envelope recipient from Sophos Central.

  12. In Spam and delivery options, deselect Do not deliver spam to this recipient and make sure Suppress bounces from the recipient is selected.

  13. In Headers, make sure the following headers are selected:

    • Add X-Gm-Original-To header
    • Add X-Gm-Spam and X-Gm-Phishy headers

  14. Click Save.

  15. In Encryption (onward delivery only), select Require secure transport (TLS).

  16. Click Show options and make sure the following account types are selected:

    • Users
    • Groups

  17. In Envelope filter, select Only affect specific envelope recipients, select Pattern match, and enter the domain in the Regexp field.

    For example, example.com.

  18. Click Save.

    Changes can take up to 24 hours to take effect. You can track changes in your Google Workspace Admin audit log.

To create a journal rule for outbound emails for specific domains, do as follows:

  1. Sign in to your Google Admin Console.
  2. In the Admin Console, go to Menu > Apps > Google Workspace > Gmail.
  3. Click Routing.
  4. Select the organizational unit for which you want to set up the journal rule.

  5. Scroll to the Routing setting, then take one of the following actions:

    • If you haven't configured a rule yet, click Configure.
    • If you've already configured a rule, click Add Another Rule.

  6. On the Add setting dialog, enter a description for the journal rule.

    For example, EMS scan outbound.

  7. In Email messages to affect, select Outbound.

  8. In For the above types of messages, do the following, make sure Modify message is selected.
  9. In Headers, select Add X-Gm-Original-To header.

  10. In Also deliver to, select Add more recipients, click Add, then select Advanced.

    This is where you must provide the email address of the envelope recipient where all copies of mail will be delivered.

  11. In Envelope recipient, select Change envelope recipient, then enter the email address of the envelope recipient from Sophos Central.

  12. In Spam and delivery options, deselect Do not deliver spam to this recipient and make sure Suppress bounces from the recipient is selected.

  13. In Headers, make sure the following headers are selected:

    • Add X-Gm-Original-To header
    • Add X-Gm-Spam and X-Gm-Phishy headers

  14. Click Save.

  15. In Encryption (onward delivery only), select Require secure transport (TLS).

  16. Click Show options and make sure the following account types are selected:

    • Users
    • Groups

  17. In Envelope filter, select Only affect specific envelope senders, select Pattern match, and enter the domain in the Regexp field.

    For example, example.com.

  18. Click Save.

    Changes can take up to 24 hours to take effect. You can track changes in your Google Workspace Admin audit log.

You've created the journal rule for Google Workspace.

After you've completed the journaling configuration in Google Workspace, go back to Sophos Central to finish your onboarding process. See Add a domain.

Configure the inbound gateway

This procedure applies only if you have an third-party email security solution.

You can integrate your third-party email security solution with Sophos EMS by configuring the inbound gateway in Google Workspace.

To do this, do as follows:

  1. Sign in to your Google Admin Console.
  2. In the Admin Console, go to Menu > Apps > Google Workspace > Gmail.
  3. Click Spam, Phishing and Malware.
  4. Select the organizational unit for which you want to configure the inbound gateway.
  5. In Inbound gateway, click the Edit icon.
  6. Turn on the inbound gateway setting.
  7. Enter the inbound delivery IP addresses where mail is delivered to Google.
  8. Click Save.

You've configured the inbound gateway.