Barracuda Email Gateway Defense
formerly Email Security

Step 2 - Configure Google Workspace for Inbound and Outbound Mail



To deploy Email Gateway Defense with Google Workspace, you must have a Google Workspace Basic, Business, or Enterprise account. The G Suite legacy free edition is no longer available and is missing key features required for this deployment. For details on upgrading your Google Workspace subscription, refer to the Google Support article Upgrade from G Suite legacy free edition.



Google IP addresses and user interfaces can change; refer to the Google Workspace Administrator Help Center for updates and configuration details.

You can specify Email Gateway Defense as an inbound mail gateway through which all incoming mail for your domain is filtered before reaching your Google account. Email Gateway Defense filters out spam and viruses, then passes the mail on to the Google mail servers. Use the Configure Inbound Mail Flow instructions below to configure.

You can also specify Email Gateway Defense as the outbound mail gateway through which all mail is sent from your domain via your Google account to the recipient. As the outbound gateway, Email Gateway Defense processes the mail by filtering out spam and viruses before final delivery. By configuring Google as described in Configure Outbound Mail Flow below, you instruct the Google mail servers to pass all outgoing mail from your domain to Email Gateway Defense (the gateway server).

Step 1. Launch the Email Gateway Defense Setup Wizard

Note that after verifying your domain, any mail sent to your domain from another Barracuda Email Gateway Defense customer will be processed normally by your Email Gateway Defense account and not delivered via MX records.

  1. Log into Barracuda Cloud Control. If this is your first time launching the Email Gateway Defense setup wizard, you will be redirected to the Barracuda Trials Hub page. Click Open under Email Security.

    Alternatively, if you have started the setup wizard but did not complete it, after logging into Barracuda Cloud Control, select Email Gateway Defense on the left side. In the top yellow banner, click Set Up Now to launch the setup wizard.

    The Email Gateway Defense wizard launches. 

  2. Click Next in the upper right corner to get started.

  3. Click Skip on the Connect to Microsoft screen. Select Okay to continue without Microsoft.

  4. Select the Region for your data center. Then click Next.

    After you select your region, you cannot change it.

  5. Enter a valid email address from the email server domain you want to protect with Email Gateway Defense. Click Detect email server.

  6. The system automatically fills in your destination mail server. If this is not the correct server, click Edit, enter the correct details, and then click Update.

  7. After you have determined that the settings are correct, click Verify server.

    Note that mail servers can take up to 48 hours to be discoverable for new domains.

  8. Once your email server is verified, a green verified check mark will appear next to your domain. Click Next.

  9. To set up your email flow, you will need to add the new MX records and remove the old MX records.

  10. To add the new MX records:

    1. Log into your DNS hosting account.

    2. Add the primary and backup MX records shown in the Add new MX records section. Instructions for your DNS hosting provider will vary; you can use search terms such as add, edit, manage, or MX records.


    3. Add the MX records with a low priority, for example, 99. Adding the new MX records to your existing list should look similar to this:

      After updating your MX records, allow at least 24-48 hours before completing the next step to allow time for your changes to propagate.

    4. Verify that the new Email Gateway Defense MX records have been added by clicking on the Verify records button. 

    5. Once your MX records are added, a green verified check mark will appear next to the MX record.

  11. To remove the old MX Records:

    1. Log into your DNS hosting account.

    2. Remove the existing MX records shown in the Remove old MX records section. Instructions for your DNS hosting provider will vary; you can use search terms such as add, edit, manage, or MX records.


    3. Update the priority of your primary and backup Barracuda MX records to 1 and 10. 

    4. In the Email Gateway Defense wizard, verify that your non-Barracuda Networks MX records have been removed by clicking on the Verify update button.

    5. Once your MX records are removed, a green verified check mark will appear.

  12. After you have successfully completed all the steps in the Email Gateway Defense setup wizard, click the Complete setup button at the upper right corner. To exit the wizard and come back at a later time, click Exit.

Step 2. Add Additional Email Domains (Optional)

You configured your primary email domain in Step 3 of the wizard, above.

Use the steps in the following section if you want to protect additional domains with Email Gateway Defense. If you are only protecting one domain, continue below with Step 3. Configure Inbound Mail Flow.

  1. Log into the Barracuda Cloud Control as administrator. In the left panel, click Email Gateway Defense. Select the Domains tab, then click Add Domain.
  2. Enter the domain name and the Primary MX record for Google (see Table 1 below).
  3. Click Add Domain; the Domain Settings page displays, listing the new domain.
  4. Click Edit next to the domain you just added. Then add the remaining four mail servers from Table 1 below.

  5. Click Save Changes and then select Domains in the left-hand navigation menu.
  6. Click Verify Ownership and select one of the 3 methods to verify your domain.
  7. Repeat these steps, as needed, for additional domains before continuing with Step 3 below.
  8. After the mail server is verified, the Verified icon displays in the Status column and a confirmation message displays at the top of the page.

Table 1. Google Workspace Destination Mail Servers

| Priority | Google Workspace Destination Mail Server |
| --- | --- |
| 10 | aspmx.l.google.com |
| 20 | alt1.aspmx.l.google.com |
| 20 | alt2.aspmx.l.google.com |
| 30 | alt3.aspmx.l.google.com |
| 30 | alt4.aspmx.l.google.com |

Step 3. Configure Inbound Mail Flow

Before completing the steps in this section, verify that your MX records display in the Email Gateway Defense MX records; otherwise, mail delivery issues may be introduced.

  1. Log into the Google Workspace admin console at https://admin.google.com.
  2. From the Home page, go to Apps > Google Workspace > Gmail.
  3. Select Spam, Phishing and Malware from the list.
  4. Click Inbound gateway, and select the Enable check box.

    Note: If you have an inbound gateway configured, you need to add only the Barracuda Networks IP ranges.


  5. Click Add under Gateway IPs.
  6. Enter the IP address/range for your Barracuda Networks region.
    For example, if you are in the US region, type 209.222.80.0/21 and click Save. For other regions, refer to the IP addresses listed in Email Gateway Defense IP Ranges Used for Configuration.
    To add another IP address/range, click Add and type in the IP address/range. Click Save again.
  7. Select the following options:
    1. Automatically detect external IP (recommended)
    2. Require TLS for connections from the email gateways listed above

      Note: if you are routing internal mail through Barracuda Networks (default), you must also select Reject all mail not from gateway IPs.


  8. Click Save.
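
To audit delivered mail against the gateway settings above, the following added example (not taken from Barracuda or Google documentation) checks whether the hop that handed a message to Google lies inside the gateway range and, as a simplified model of Automatically detect external IP, picks the first Received IP outside that range. The headers are constructed samples, the receiving host name mx.google.com and the function names are assumptions, and only the US range 209.222.80.0/21 comes from this page.

```python
import ipaddress
import re

# US-region range from this page; add the ranges listed for your own region.
GATEWAY_NETS = [ipaddress.ip_network("209.222.80.0/21")]
# Bracketed IPv4 literal as written in a Received header, e.g. "[203.0.113.7]".
# IPv6 hops are ignored here to keep the example small.
IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def is_gateway(ip):
    return any(ip in net for net in GATEWAY_NETS)


def received_ips(headers):
    """Bracketed IP of each Received header value, newest hop first."""
    ips = []
    for value in headers:
        match = IP_IN_BRACKETS.search(value)
        if not match:
            continue
        try:
            ips.append(ipaddress.ip_address(match.group(1)))
        except ValueError:
            continue  # looked like an IP but is not a valid address
    return ips


def audit(headers):
    """Classify one message from its Received headers (newest first)."""
    ips = received_ips(headers)
    if not ips:
        return {"via_gateway": False, "external_ip": None}
    external = next((ip for ip in ips if not is_gateway(ip)), None)
    return {
        "via_gateway": is_gateway(ips[0]),  # the hop that connected to Google
        "external_ip": str(external) if external else None,
    }


# Constructed sample headers using documentation addresses, not real traffic.
VIA_GATEWAY = [
    "from relay.example.net (relay.example.net. [209.222.82.14]) by mx.google.com with ESMTPS",
    "from mail.sender.example ([203.0.113.7]) by relay.example.net with ESMTPS",
]
DIRECT = ["from mail.sender.example ([198.51.100.23]) by mx.google.com with ESMTPS"]

if __name__ == "__main__":
    for name, msg in (("via gateway", VIA_GATEWAY), ("direct", DIRECT)):
        print(name, audit(msg))
```

Messages reported with via_gateway set to False reached Google without passing through a listed gateway IP, which is the case the Reject all mail not from gateway IPs option addresses.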

Step 4. Internal Mail

By default, your internal mail is sent out to your inbound MX record, which points to Email Gateway Defense. This is by design for Google mail systems. To ensure that your internal mail stays internal, you must create a routing rule.

To configure a routing rule, follow the instructions below:

Step 1. Create Local Host
  1. Log into the Google Workspace admin console at https://admin.google.com.
  2. From the Home page, go to Apps > Google Workspace > Gmail.
  3. Click Hosts.
  4. Click Add Route. Enter a route name. For example, "Internal Mail".
  5. Select Multiple hosts.
  6. Enter the following Primary host details, and then click Add Primary.
    1. Hostname – aspmx.l.google.com
    2. Port – 25
    3. Load – 100%
  7. Enter the following Secondary host details, and then click Add Secondary.
    1. Hostname – alt1.aspmx.l.google.com
    2. Port – 25
    3. Load – 100%
  8. Under Options, select Require secure transport (TLS) and Require CA signed certificate.
  9. Click Save.
Step 2. Create Routing Rule
  1. Navigate to Apps > Google Workspace > Gmail.
  2. Click Routing at the bottom of the page.
  3. Under the Routing section, click Configure.
  4. Enter a name for the rule. For example, "Internal Mail".
  5. Under Email messages to affect, select Internal - Sending.
  6. Under For the above types of messages, do the following, click the Down arrow and then select Modify message.
    1. Select Change route.
    2. From the list of options, select the host you created above in Step 1. Create Local Host.
  7. Toward the bottom, click Show options. Under Account types to affect, select Users and Groups.
  8. Click Save.

    The new rule displays in the Routing section.    

Step 5. Configure Sender Policy Framework for Outbound Mail

To authorize Barracuda Networks as a sending mail service for outbound mail from Email Gateway Defense, add the Barracuda Networks INCLUDE entry to the Sender Policy Framework (SPF) record for your sending mail server, for each domain sending outbound mail. See Sender Policy Framework for Outbound Mail for INCLUDE entries based on your Barracuda Networks instance.

For example, your record will look similar to: v=spf1 include:_spf.google.com include:spf.ess.barracudanetworks.com -all

  • If you have an SPF record set up for your domain, edit the existing record, and add the following to the INCLUDE line for each domain sending outbound mail based on your Barracuda Networks instance. For example: include:spf.ess.barracudanetworks.com -all
  • If you do not have an SPF record set up for your domain, use the following value to create a TXT record that creates a HARD Fail SPF for your domain based on your Barracuda Networks instance. For example: v=spf1 include:spf.ess.barracudanetworks.com -all

For more information, see Sender Authentication.
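
The SPF edit described above is easy to get wrong by appending the include after an existing `all` term or by publishing a second SPF record. This added example (not Barracuda's code) merges the include into an existing record and audits the result; the include value is the example from this page, the function names are hypothetical, and the sample records are constructed.

```python
import re

# Example INCLUDE value from this page; use the entry for your own instance.
BARRACUDA_INCLUDE = "include:spf.ess.barracudanetworks.com"
# Terms that each cost one DNS lookup; RFC 7208 allows at most 10 per check.
LOOKUP_NAMES = {"include", "a", "mx", "ptr", "exists", "redirect"}


def is_all(term):
    return term.lstrip("+-~?").lower() == "all"


def costs_lookup(term):
    name = re.split(r"[:/=]", term.lstrip("+-~?").lower(), maxsplit=1)[0]
    return name in LOOKUP_NAMES


def add_include(record, include=BARRACUDA_INCLUDE):
    """Insert `include` before the terminal `all` and end in a hard fail."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    body = [t for t in terms[1:] if not is_all(t)]
    if include not in body:
        body.append(include)
    return " ".join(["v=spf1", *body, "-all"])


def audit(txt_records, include=BARRACUDA_INCLUDE):
    """Return the problems found in one domain's TXT records."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        return [f"expected exactly one v=spf1 record, found {len(spf)}"]
    terms = spf[0].split()[1:]
    problems = []
    if include not in terms:
        problems.append(f"missing {include}")
    if not terms or terms[-1] != "-all":
        problems.append("record does not end in -all")
    if sum(is_all(t) for t in terms) > 1:
        problems.append("more than one 'all' mechanism")
    # Lower bound only: lookups made inside nested includes also count.
    lookups = sum(costs_lookup(t) for t in terms)
    if lookups > 10:
        problems.append(f"{lookups} DNS-lookup terms at top level (limit is 10)")
    return problems


if __name__ == "__main__":
    merged = add_include("v=spf1 include:_spf.google.com ~all")  # constructed input
    print(merged, audit([merged]))
```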

Step 6. Configure Outbound Mail Flow (Optional)

To ensure outbound mail delivery, contact Barracuda Networks Technical Support to have Hosted Outbound Relay enabled on your account. Failure to do so will result in undeliverable messages.

The steps in this section are taken from Google Workspace Admin Help.

  1. Navigate to Apps > Google Workspace > Gmail.

  2. Click Routing toward the bottom of the page.

  3. Click Outbound gateway.

  4. Enter the Outbound smart hostname provided to you in the settings for your domain within the Email Gateway Defense interface:

  5. Click Save in the bottom right corner.