← All controls

49 Email gateway interception

Points the domain's MX records at a third-party mail security gateway so inbound mail is filtered before Google ever sees it, declares the gateway's IPs to Gmail as the trusted hop so Gmail reads the gateway's verdict rather than its IP reputation, rejects anything that arrives at Google without passing through the gateway, and optionally smart-hosts outbound mail through it too. The MX change is DNS, not console — and it is the step that can black-hole all of your mail.

Caveats

Setup steps

  1. MX → gateway vendor's hosts (lowest priority first); TTL lowered beforehand
  2. open ↗ Apps › Google Workspace › Gmail › Spam, Phishing and Malware › Inbound gateway
    Gateway IPs
    <vendor CIDRs>
    Automatically detect external IP
    ON

    Set up an inbound mail gateway ↗

  3. Apps › Google Workspace › Gmail › Spam, Phishing and Malware › Inbound gateway
    Reject all mail not from gateway IPs
    ON
    Require TLS for connections from the gateway
    ON

    Set up an inbound mail gateway ↗

  4. open ↗ Apps › Google Workspace › Gmail › Hosts

    Add route → gateway smarthost:port; Require TLS = ON; Require CA-signed certificate = ON

    Add mail servers for Gmail email routing ↗

  5. open ↗ Apps › Google Workspace › Gmail › Routing
    Affect
    Outbound
    Route
    the gateway host
    Change envelope recipient
    off

    Add Gmail routing settings ↗

Ongoing maintenance

How to verify

  1. The MX records are public — confirm they point at the gateway, then send a test message from outside and read its headers for the gateway hop.

    dig +short MX <domain>

v0.0.2Preventedition All (3rd-party) policy #6 · #19 ↗