Configure Google Workspace
This topic explains how to set up Google Workspace (formerly G Suite) to route email through Sophos Gateway.
Add your domain and verify ownership
You must provide the following information when configuring Sophos Gateway to process and deliver email for your domain:
- Your email domain name.
- The MX records for Google Apps. See Google Workspace MX record values.
- The port number used to listen for SMTP traffic on the mail delivery destination host.
To add your domain in Sophos Central, do as follows:
- Click Email Security > Settings.
- Click Domain Settings/Status.
- Click Add Domain.
- Enter your email domain details.
- Configure your delivery destination.
  For delivery destination and port, enter MX, and the value routing-mx.<yourdomain.com> on Port 25. You configure your routing MX values after you verify domain ownership.
- Next, click Verify Domain Ownership.
- Copy the TXT value presented in the Verify Domain Ownership dialog.
  This value is specific to your email domain.
- Create a TXT DNS record in the root level of the domain name (entered in step 5) and paste the TXT value copied in the last step. You can give it the same TXT name as shown or use
- Once the new TXT DNS record entry is saved, click Verify.
When the DNS update with the correct TXT value has propagated, you receive a message indicating successful domain verification.
If the DNS update hasn't propagated, or the value entered is incorrect, you receive a failure message. Confirm that the value entered is correct.
The domain verification process may take some time to complete.
Configure routing-mx values to deliver to Google Workspace
To provide failover for the inbound connection between Sophos Gateway and Google Workspace, you need to set up new MX records on a new subdomain of your mail domain.
In this example, we recommend using
This is different from configuring the MX records for mail delivery on your domain itself. Adding these records has no impact on mail traffic yet. They are only used for the delivery destination configured within Sophos Email.
How to configure this varies with different DNS providers. Typically you would enter the type as MX, the hostname as routing-mx, and the destination and priority as per the Google URLs in the screenshot below. You must have ASPMX.L.GOOGLE.COM as the highest priority record.
You can skip this step and configure the delivery destination to point directly to ASPMX.L.GOOGLE.COM. But if there's an issue contacting ASPMX.L.GOOGLE.COM, mail won't be delivered to Google's alternate MX server.
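A check for the routing-mx records described above, as an added example that is not part of the Sophos documentation: it reads `dig` answer-section lines and confirms that ASPMX.L.GOOGLE.COM holds the lowest preference number (in MX records the lowest number is the highest priority) and that an alternate target exists for failover. The domain example.com and the sample records are constructed.

```python
import re

PRIMARY = "aspmx.l.google.com"
MX_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+MX\s+(\d+)\s+(\S+)$", re.I)

def parse_mx(dig_answer):
    """Parse '<name> <ttl> IN MX <preference> <target>' lines from dig."""
    records = []
    for line in dig_answer.splitlines():
        m = MX_LINE.match(line.strip())
        if m:
            name, ttl, pref, target = m.groups()
            records.append((name.rstrip(".").lower(), int(ttl),
                            int(pref), target.rstrip(".").lower()))
    return records

def check_routing_mx(dig_answer, host):
    """Return a list of problems; an empty list means the records pass."""
    recs = [r for r in parse_mx(dig_answer) if r[0] == host.lower()]
    if not recs:
        return [f"no MX records found for {host}"]
    problems = []
    lowest = min(r[2] for r in recs)
    # Lowest preference number = highest priority = tried first.
    first = sorted(r[3] for r in recs if r[2] == lowest)
    if first != [PRIMARY]:
        problems.append(f"tried first: {', '.join(first)}; expected only {PRIMARY}")
    if len({r[3] for r in recs}) < 2:
        problems.append("single MX target, no failover")
    return problems

# Constructed samples for the placeholder domain example.com.
GOOD = """\
routing-mx.example.com. 3600 IN MX 1 aspmx.l.google.com.
routing-mx.example.com. 3600 IN MX 5 alt1.aspmx.l.google.com.
routing-mx.example.com. 3600 IN MX 10 alt3.aspmx.l.google.com.
"""
# Priorities inverted: the alternate would be tried before the primary.
INVERTED = """\
routing-mx.example.com. 3600 IN MX 10 ASPMX.L.GOOGLE.COM.
routing-mx.example.com. 3600 IN MX 1 ALT1.ASPMX.L.GOOGLE.COM.
"""

if __name__ == "__main__":
    for label, data in (("good", GOOD), ("inverted", INVERTED)):
        print(label, check_routing_mx(data, "routing-mx.example.com"))
```

To run it against live DNS, pass in the answer lines from `dig +noall +answer MX routing-mx.<yourdomain.com>` in place of the samples.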
You can now add mailboxes to Sophos Email Security. See Add mailboxes.
When you have added your mailboxes, continue with configuring your Google Workspace environment.
Restrict delivery to Sophos IP addresses
You can configure the connection to your mail host to only use our delivery IPs.
Restricting delivery IP addresses adds security to the integration between Sophos Email and your mail host.
Before you proceed, we strongly recommend testing email traffic and domain configuration in a non-production or test environment.
The specific delivery IP address you need to use depends on the region where your Sophos Central account is hosted. When you created your Sophos Central account, you chose which country to store your data in.
You must also add the Sophos IP addresses to the IP allow list for your mail server. If you don't, your users won't receive their emails.
To find out which IP addresses to use, see Sophos email gateway IP addresses.
Using an IP address other than the one specified for your region prevents mail from flowing correctly.
DMARC failures from Google email servers
If you have turned on Time of Click URL Protection or Smart banners in your email policies, you may see DMARC failures reported for inbound messages.
This is because Google doesn't consistently process emails from IP addresses in its Gateway IPs list.
Google's documentation says: "Gmail doesn't do SPF authentication for messages sent from IP addresses in the Gateway IPs list. The inbound gateway should do DMARC checks. DMARC authentication is bypassed for incoming messages from listed hosts." See Set up an inbound mail gateway.
Our tests show that this doesn't always happen, and Google marks some emails as DMARC failures when it shouldn't be doing DMARC checks. We have raised this with Google.
Create an Inbound Gateway in Google Workspace
Because you're using Sophos Gateway to filter your mail and have your MX records pointed directly to us, you need to restrict delivery to Google Workspace to only Sophos Delivery IPs.
The following instructions are taken from Google's Set up an inbound mail gateway help page. We recommend you check Google's help for updates before changing your email configuration.
To configure this setting, do as follows:
- Sign in to your Google Admin Console.
- Navigate to Apps > Google Workspace > Gmail > Advanced settings.
- In the Organizations section, select the top-level organization.
- Scroll to Inbound Gateway in the Spam section.
- Click Configure.
- Enter a description for your inbound gateway, for example "Sophos Email Inbound Gateway".
- Under Gateway IPs, click Add and enter the Sophos gateway IPs that correspond to your region. You must save after each entry.
- Optional: You can also add IP addresses for Google's servers. There are reports that Google sometimes blocks its own IP addresses. To find Google's current list of IP addresses, see Obtain Google IP address ranges.
- Turn on:
  - Automatically detect external IP (recommended).
  - Reject all mail not from gateway IPs.
  - Require TLS connections from the email gateways listed above.
- Click Add Setting or Save.
- Click Save again at the bottom of the page.
If you purchased your domain from Google, you must set up custom records as you can't edit the default DNS records that Google provides. See Set up Google Workspace with a third-party DNS host.
If you added a Google IP address in the optional step, Google might still block its own IP addresses. If this happens, you see the following message:
Google tried to deliver your message, but it was rejected by the relay xxxx.yyyy.google.com. We recommend contacting the other email provider at firstname.lastname@example.org for further information about the cause of this error. The error that the other server returned was: xxx.xxx.xxx.xxx IP not in whitelist for RCPT domain, closing connection.
Google's suggested solution is to turn off Reject all mail not from gateway IPs. We recommend you do this temporarily, until the issue is resolved. While this setting is turned off, email senders can route email directly to your email gateway if they don't use MX lookup.
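While Reject all mail not from gateway IPs is turned off, delivered messages can be audited for ones that skipped the gateway. The following is an added example, not taken from Sophos or Google documentation: it reads the IP that handed a message to Google from the Received headers and tests it against the gateway list. The `192.0.2.0/28` range is a placeholder (use the Sophos IPs for your region), and the `by mx.google.com` header layout and the sample messages are assumptions constructed for illustration.

```python
import ipaddress
import re
from email import message_from_string

# Placeholder gateway range (RFC 5737 documentation space), not real Sophos IPs.
GATEWAY_NETS = [ipaddress.ip_network("192.0.2.0/28")]

def connecting_ip(raw_message):
    """Return the IP that handed the message to Google, or None.

    Only the topmost Received header stamped "by mx.google.com" is used:
    Google prepends it, while headers below it are sender-controlled.
    """
    msg = message_from_string(raw_message)
    for hop in msg.get_all("Received", []):
        flat = " ".join(hop.split())          # unfold continuation lines
        if " by mx.google.com" not in flat:
            continue                          # Google-internal hop, skip it
        m = re.search(r"\[([0-9A-Fa-f:.]+)\]", flat.split(" by ")[0])
        try:
            return ipaddress.ip_address(m.group(1)) if m else None
        except ValueError:
            return None
    return None

def bypassed_gateway(raw_message, nets=GATEWAY_NETS):
    """True if the message did not arrive from a listed gateway IP.
    An unparseable connecting IP counts as a bypass (fail closed)."""
    ip = connecting_ip(raw_message)
    return ip is None or not any(ip in net for net in nets)

def sample(ip):
    """Constructed message; hosts, IDs and addresses are made up."""
    return (
        "Received: by 2002:a05:6000:1::1 with SMTP id abc123;\n"
        "\tMon, 1 Jan 2024 10:00:02 +0000\n"
        f"Received: from mta.example.net (mta.example.net. [{ip}])\n"
        "\tby mx.google.com with ESMTPS id def456;\n"
        "\tMon, 1 Jan 2024 10:00:01 +0000\n"
        "From: sender@example.org\nSubject: test\n\nbody\n"
    )

if __name__ == "__main__":
    for ip in ("192.0.2.5", "198.51.100.7"):
        print(ip, "bypassed gateway:", bypassed_gateway(sample(ip)))
```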
Change your MX records to point to Sophos Gateway
Changing your domain's MX records to point to Sophos Gateway is crucial to successful deployment and ensures all email is filtered and delivered.
If you can't make these changes yourself, contact your IT department, hosting provider, ISP, or Domain Name Service provider and arrange for the MX records for your domains to be modified.
When you created your Sophos Central account, you selected a region where you wanted to store your data. Your MX records are dependent on this region.
Change your MX records to include the record names associated with the region where you chose to store your data.
To find out which MX records to use, see Sophos MX records.
Take care with all options to ensure that the spelling and numbers are correct.
Using MX record names other than those provided prevents mail from flowing correctly.
When changing DNS entries like MX records, we recommend lowering the TTL (to 600 ms or less) well in advance of updating the entries. This allows the change to propagate quickly and provides a quick way to revert changes, if any issues arise during testing.
Create Google Workspace rule for internal messages
By default, all your messages are sent to Sophos Gateway, using the destinations set in your inbound MX records. You must create a routing rule in Google Workspace to direct internal messages to Google servers instead.
The following instructions were taken from Google's Add mail routes for advanced Gmail delivery help page. We recommend you check Google help for updates before changing your email configuration.
To create the rule, do as follows:
- Sign in to Google Admin with your administrator account.
- Go to Apps > Google Workspace > Gmail > Hosts.
- Click Add Route.
- Enter a route name that helps you remember the route, for example
- Select Multiple hosts.
- Enter the Primary host details as follows:
  Option Value Hostname
- Click Add Primary.
- Enter the Secondary host details as follows:
  Option Value Hostname
- Click Add Secondary.
- Select Require mail to be transmitted over a secure transport (TLS) connection (Recommended).
- Select Require CA signed certificate (Recommended).
Changes can take up to 24 hours to take effect. You can track changes in your Google Workspace Admin audit log.
Test and confirm email traffic
Once you've updated your MX records, send a test message to any of your mailboxes protected by Sophos Gateway. Send your test message from an address outside your email domain.
To confirm the message flowed through Sophos Gateway, you can view the Message History Report.
To access the report, do as follows:
- In Sophos Central, click Logs and Reports.
- Click Message History.
If messages are flowing through the system, you see entries in this report.
If mail isn't flowing, you aren't receiving email to your test inbox. Take the following steps:
- Verify that your MX records are correct for your region.
- Verify that you set up the Sophos Delivery IPs correctly in your gateway, firewall, or connector.
- Verify that the mailbox you're sending to exists in Sophos Email Security.
If you've taken all these steps and mail still isn't flowing for your domain, contact Sophos Support.