Set up Phish Threat with Google Workspace

You can set up Phish Threat with Google Workspace to handle your campaigns.

You must add the Sophos Phish Threat IP addresses in the email allow list to make sure that your phishing campaigns are delivered successfully.

Add the IP addresses to the email allow list

To add the Phish Threat IP addresses to the email allow list, do as follows:

  1. Sign in to Google Admin.
  2. Go to Menu > Apps > Google Workspace > Gmail.
  3. Click Spam, Phishing and Malware.
  4. In Email allowlist, click the edit icon.
  5. Enter the IP addresses in your email allow list.

    For more information about the IP addresses that Phish Threat uses, see IP addresses and domains.

  6. Click Save.

Configure the inbound gateway

To add the IP addresses and other settings to the inbound gateway, do as follows:

  1. Sign in to Google Admin.
  2. Go to Menu > Apps > Google Workspace > Gmail.
  3. Click Spam, Phishing and Malware.
  4. In Inbound gateway, click the edit icon.
  5. Turn on the inbound gateway settings.
  6. In Gateway IPs, do as follows:

    1. Click Add.
    2. Enter the IP addresses to allow.
    3. Select Automatically detect external IP (recommended).
    4. Deselect Reject all mail not from gateway IPs.
    5. Select Require TLS for connections from the email gateways listed above.
  7. In Message Tagging, do as follows:

    1. Select Message is considered spam if the following header regexp matches.
    2. In Regexp, enter any text that won't match the email header content. For example, 344jedjs=-0sdfee3.
    3. Select Message is spam if regexp matches.
    4. Select Disable Gmail spam evaluation on mail from this gateway; only use header value.
  8. Click Save.

Add domains and configure the spam settings

To add domains and configure the spam settings, do as follows:

  1. Sign in to Google Admin.
  2. Go to Menu > Apps > Google Workspace > Gmail.
  3. Click Spam, Phishing and Malware.
  4. In Spam, click Configure.
  5. Enter a name for the spam setting. For example, Phish Threat bypass.
  6. Select Bypass spam filters for messages from senders or domains in selected lists and do as follows:

    1. Click Create or edit list. This lets you create a new list for Sophos Phish Threat domains or modify an existing list.
    2. In Manage address lists, click Add address list.
    3. Enter a name for the address list. For example, Sophos Phish Threat.
    4. Enter the domain names.

      For more information about the domains that Phish Threat uses, see IP addresses and domains.

    5. Turn off the authentication requirement for all the domains, and click Save.

  7. In Spam, click Use existing list.

  8. Select Bypass spam filters and hide warnings for messages from senders or domains in selected lists and do as follows:

    1. Click Use existing list.
    2. Select the list you created for Sophos Phish Threat.
    3. Click Save.

Configure the content compliance

To add the relevant IPs and turn on whitelisting in Content compliance, do as follows:

  1. Sign in to Google Admin.
  2. Go to Menu > Apps > Google Workspace > Gmail.
  3. Click Compliance.
  4. In Content compliance, click Configure.
  5. Enter a name for the content compliance setting. For example, Phish Threat content compliance.
  6. In Email messages to affect, click Inbound.
  7. In If any of the following match the message, click Add.
  8. In Add settings, select the following details:

    1. Select Metadata match.
    2. In Attribute, select Source IP.
    3. In Match type, select Source IP is within the following range.
    4. In Source IP is within the following range, enter the Sophos Phish Threat IPs for whitelisting.
    5. Click Save.

    Repeat these steps when you add the other Phish Threat IPs.

  9. In If any of the following match the message, click Add.

  10. In Add settings, select the following details:

    1. Select Advanced content match.
    2. In Location, select Full headers.
    3. In Match type, select Contains text.
    4. In Content, enter X-PT-TOKEN.
    5. Click Save.
  11. In If the above expressions match, do as follows:

    1. In Spam, select Bypass spam filter for this message.
    2. In Encryption (onward delivery only), select Require secure transport (TLS).
    3. Click Save.

You've successfully added the Phish Threat IPs and content compliance is now turned on.
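
The same Phish Threat IP addresses are entered in the email allow list, the inbound gateway, and the content compliance rule, and each entry exempts matching mail from spam filtering. The following Python check is an added example, not part of the Sophos documentation: it flags malformed, private, overly broad, or overlapping IPv4 entries before you paste them. The sample addresses are constructed from documentation ranges, and the /24 threshold and the function name are assumptions.

```python
import ipaddress

# Private, loopback and link-local space: never valid as an external sender.
NON_ROUTABLE = [ipaddress.IPv4Network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]
MIN_PREFIX = 24  # assumption: ranges wider than /24 need a manual review

# Constructed sample entries (documentation ranges), not real Phish Threat IPs.
SAMPLE = ["192.0.2.10", "198.51.100.0/28", "198.51.100.4", "10.1.2.3",
          "203.0.0.0/16", "192.0.2.77/28", "192.0.2.300"]


def check_allow_list(entries, min_prefix=MIN_PREFIX):
    """Return (accepted networks, [(entry, reason), ...]) for IPv4/CIDR strings."""
    accepted, problems = [], []
    for raw in entries:
        text = raw.strip()
        if not text:
            continue
        try:
            # strict=True rejects CIDRs with host bits set, a common typo.
            net = ipaddress.IPv4Network(text, strict=True)
        except ValueError as exc:
            problems.append((text, f"invalid: {exc}"))
            continue
        if net.prefixlen < min_prefix:
            problems.append(
                (text, f"too broad: /{net.prefixlen} covers {net.num_addresses} addresses"))
        elif any(net.overlaps(block) for block in NON_ROUTABLE):
            problems.append((text, "non-routable: private, loopback or link-local"))
        elif any(net.overlaps(seen) for seen in accepted):
            problems.append((text, "overlaps an earlier entry"))
        else:
            accepted.append(net)
    return accepted, problems


if __name__ == "__main__":
    ok, bad = check_allow_list(SAMPLE)
    for net in ok:
        print(f"OK      {net}")
    for entry, reason in bad:
        print(f"REVIEW  {entry}: {reason}")
```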