We use cookies on our website to ensure we provide you with the best experience on our website. By using our website, you agree to the use of cookies for analytics and personalized content.This website uses cookies. More Information
It seems like your browser didn't download the required fonts. Please revise your security settings and try again.

Barracuda Email Security Service

How to Configure G Suite for Inbound and Outbound Mail

  • Last updated on

This article addresses configuring G Suite with the Barracuda Email Security Service as your inbound and/or outbound mail gateway.

If you make setting changes, allow a few minutes for the changes to take effect.

You can specify the Barracuda Email Security Service as an inbound mail gateway through which all incoming mail for your domain passes before reaching your G Suite account. The Barracuda Email Security Service filters out spam and viruses, and then passes the mail on to the G Suite mail servers. Use the Inbound Configuration instructions below to configure.

You can likewise specify the Barracuda Email Security Service as the outbound mail gateway through which all mail is sent from your domain via your G Suite account to the recipient. As the outbound gateway, the  Barracuda Email Security Service processes the mail by filtering out spam and viruses before final delivery. By using the configuration described in Outbound Configuration below, you instruct the G Suite mail servers to pass all outgoing mail from your domain to the Barracuda Email Security Service (the gateway server).

Google IP addresses and user interfaces can change; refer to the G Suite Administrator Help Center for updates and configuration details.

You can optionally whitelist the Barracuda Email Security Service IP ranges through G Suite Advanced settings. See Barracuda Email Security Service IP Ranges for a list of IP ranges based on your Barracuda Email Security Service instance.

Step 1. Launch the Barracuda Email Security Service Setup Wizard 

Alternatively, you can manually set up the Barracuda Email Security Service using the web interface.

Configure Domain

  1. Log in to Barracuda Email Security Service, and go to the Domains page.
  2. Under Domain Name, enter the primary email domain to be filtered.
  3. Enter the primary G Suite destination mail server: ASPMX.L.GOOGLE.COM

  4. Click Add.

  5. Click Add Mail Server to continue adding the remaining G Suite destination servers and their respective priority:

    PriorityG Suite Destination Mail Server
    5ALT1.ASPMX.L.GOOGLE.COM
    5ALT2.ASPMX.L.GOOGLE.COM
    10ASPMX2.GOOGLEMAIL.COM
    10ASPMX3.GOOGLEMAIL.COM
    1ASPMX.L.GOOGLE.COM
  6. Click Save Changes.
  1. In the Barracuda Email Security Service web interface, click the link at the top of the page to start the wizard.
  2. Click Get Started; the Specify Primary Email Domain page displays. Enter the primary email domain to be filtered. You can add additional domains later.

  3. Click Next. The Specify Email Servers page displays. Enter the hostname/IP address of the mail server for the entered domain. Emails will be sent to this server after being scanned by the Barracuda Email Security Service. If the servers do not pre-populate, enter the primary G Suite destination mail servers as follows:

    PriorityG Suite Destination Mail Server
    5ALT1.ASPMX.L.GOOGLE.COM
    5ALT2.ASPMX.L.GOOGLE.COM
    10ASPMX2.GOOGLEMAIL.COM
    10ASPMX3.GOOGLEMAIL.COM
    1ASPMX.L.GOOGLE.COM

    After completing the setup, you must manually edit the priorities for each server from the Domains > Domain Settings page.

  4. Enter an email address to test the server configuration, and click Test All Mail Servers .

  5. Once the mail server is verified, the Verified (verified_icon.png) icon displays in the Status column and a confirmation message displays at the top of the page.
  6. Click Next. The Configure Settings page displays. Select from the following options:
    1. Virus Protection – Set to On to direct the Barracuda Email Security Service to detect and block viruses on inbound email.
    2. Spam Protection – Set to On to direct the Barracuda Email Security Service to evaluate inbound mail for spam based on a score assigned to each processed message. When set to Off inbound mail is not scanned for spam.
    3. Spam Scoring – Set Spam Protection to On to enable Spam Scoring. Scoring ranges from 1 (definitely not spam) to 10 (definitely spam). Setting a score of '1' will likely block legitimate messages while setting a score of '10' will allow more messages through the system. Based on this score the Barracuda Email Security Service blocks messages that appear to be spam and logs these messages in the user's Message Log with Score as the reason for the block.

      The following features, configured on the Inbound settings > Anti-Spam/Antivirus page, are enabled when Spam Protection is set to On:
      • Barracuda Reputation Block List (BRBL) – Database of IP addresses manually verified to be a noted source of spam.
      Barracuda Real-Time System (BRTS) – Advanced service to detect zero-hour spam and virus outbreaks even where traditional heuristics and signatures to detect such messages do not yet exist. Each quarantined message has a reason of BRTS in the Message Log.
      Sender Policy Framework (SPF) – Block Fail is disabled.
      Barracuda Anti-Fraud Intelligence – Barracuda Networks anti-phishing detection which uses a special Bayesian database for detecting Phishing scams.
      Intent Analysis – Blocking based on intent analysis.
      CloudScan Scoring – A cloud-based spam scanning engine which assigns a score to each message processed ranging from 0 (definitely not spam) to 10 (definitely spam).

  7. Click Next. The Route Email Through Barracuda page displays.

  8. To verify your domain, replace your current MX records with the Barracuda Email Security Service Primary and Backup MX records displayed on the page.

    During the evaluation period, to complete the verification process but allow your legitimate mail to continue using your current mail server, you can add the MX records with a low priority, for example, 99.

    Some mail may appear in the Message Log after making this MX record change as spammers routinely send mail to all MX records for a domain.

    Once you have made the change to your MX records, return to the Route Email Through Barracuda page and click Verify MX Records. The Barracuda Email Security Service should see the changes made and verify your domain. If the domain does not verify correctly, verify that your MX changes are live. You can do this by using the following sites that return your MX information:

    http://mxtoolbox.com/
    https://toolbox.googleapps.com/apps/dig/ (select the MX option)

    If your domain's MX records do not display in the Barracuda Email Security Service MX records, you must wait until they display before your domain can be verified.

  9. If you do not want to route your email through Barracuda Email Security, select I do not want to route my e-mail through Barracuda at this time, and select the verification option:

    1. CNAME Records – To use the CNAME records method to verify the domain ownership:
      1. Log in to your DNS Server and, under this domain, create a subdomain whose name is created by concatenating 'barracuda' and the CNAME token shown in the Route Email Through Barracuda page. For example:
        barracuda30929916985.corpdomain.com

      2. Point the CNAME record of that subdomain to ess.barracuda.com

        Allow the DNS propagation to take effect before proceeding.

      3. Click Confirm Validation in the Route Email Through Barracuda page.

    2. Email to Technical Contact – This method sends a verification email to the technical contact email address, if it exists, listed on your domain's WHOIS entry.

      This verification option is not available if the Barracuda Email Security Service cannot find your domain's WHOIS entry. If there is not a technical contact, then only the MX Records, CNAME, and Email to the Postmaster options displays on this page.

    3. Email to the postmaster – This method sends a verification email to the postmaster email address for your domain. The confirmation email includes a link that the recipient must click to verify the domain.

      This option is available if the Barracuda Email Security Service can find your postmaster in your domain’s WHOIS records. This method sends a verification email to the postmaster email address for your domain. The confirmation email includes a link that the recipient must click to verify the domain.

  10. Click Next, and click Next once again.

  11. On the Select Data Center Region page, select the data center for your locale, and click Get Started.

  12. Complete the wizard pages.

  13. The Confirmation page displays. Confirm domain ownership, and then click Done.

  14. Go to the Domains page and verify your settings.

Step 2. (Optional) Configure Outbound Mail Flow

To ensure outbound mail delivery, contact Barracuda Technical Support to have Hosted Outbound Relay enabled on your account. Failure to do so will result in undeliverable messages.

  1. In the Routing section, locate Outbound gateway.

  2. Enter the Outbound Hostname provided to you in the settings for your domain within the Email Security Service interface:
    OutboundGateway.PNG

  3. Click Save in the bottom right corner.

    Restrict Local Email

    If you do not want to send internal email to Barracuda Email Security Service, complete the following steps:

    1. Sign in to the G Suite domain console. In the left pane, click Apps. In the Apps Settings page, click G Suite, and then click Gmail > Advanced settings.
    2. Click the Hosts tab, and click Add Route. In the Name field type a name to represent the new host, for example, type: Local Email
    3. In the Host name or IP address, type Google's primary destination hostname: ASPMX.L.GOOGLE.COM
    4. In the Port field, type the port number:
      1. For SMTP, type 25
      2. For SMTP over TLS type 587
    5. Click the General Settings tab. In the Routing section, scroll down to Routing, and click Configure.
    6. In the Messages to affect section, select Internal - sending
    7. Scroll down to Route, and select Change route. From the drop-down menu, select the new host created above in step 6, in this example, Local Email, and click Add Setting.

Step 3. Configure Sender Policy Framework for Outbound Mail

To assure Barracuda Networks is the authorized sending mail service for outbound mail recipients, review your domain's SPF record. See Sender Authentication for more information.

  • If you have an SPF record set up for your domain, edit the existing record, and add the following to the INCLUDE line for each domain sending outbound mail based on your Barracuda Email Security Service instance. For example: include:spf.ess.barracudanetworks.com -all
  • If you do not have an SPF record set up for your domain, use the following value to create a TXT record that creates a SOFTFAIL SPF for your domain based on your Barracuda Email Security Service instance. For example: v=spf1 include:spf.ess.barracudanetworks.com -all

See Sender Policy Framework for Outbound Mail for INCLUDE entries based on your Barracuda Email Security Service instance.

Last updated on