Use this article to deploy Barracuda Email Security Service and Advanced Threat Protection (ATP) for G Suite in your environment.
Step 1. Launch the Barracuda Email Security Service Setup Wizard
- In the Barracuda Email Security Service web interface, click the link at the top of the page to start the wizard.
Click Get Started; the Specify Primary Email Domain page displays. Enter the primary email domain to be filtered. You can add additional domains later.
Click Next. The Specify Email Servers page displays. Enter the hostname/IP address of the mail server for the entered domain. Emails will be sent to this server after being scanned by the Barracuda Email Security Service. If the servers do not pre-populate, enter the primary G Suite destination mail servers as follows:
Priority G Suite Destination Mail Server
Enter an email address to test the server configuration, and click Test All Mail Servers.
- Once the mail server is verified, the Verified () icon displays in the Status column and a confirmation message displays at the top of the page.
- Click Next. The Configure Settings page displays. Select from the following options:
- Virus Protection – Set to On to direct the Barracuda Email Security Service to detect and block viruses on inbound email.
- Spam Protection – Set to On to direct the Barracuda Email Security Service to evaluate inbound mail for spam based on a score assigned to each processed message. When set to Off inbound mail is not scanned for spam.
Spam Scoring – Set Spam Protection to On to enable Spam Scoring. Scoring ranges from 1 (definitely not spam) to 10 (definitely spam). Setting a score of '1' will likely block legitimate messages while setting a score of '10' will allow more messages through the system. Based on this score the Barracuda Email Security Service blocks messages that appear to be spam and logs these messages in the user's Message Log with Score as the reason for the block.
Click Next. The Route Email Through Barracuda page displays.
To verify your domain, replace your current MX records with the Barracuda Email Security Service Primary and Backup MX records displayed on the page.
If you do not want to route your email through Barracuda Email Security, select I do not want to route my e-mail through Barracuda at this time, and select the verification option:
CNAME Records – To use the CNAME records method to verify the domain ownership:
Log in to your DNS Server and, under this domain, create a subdomain whose name is created by concatenating 'barracuda' and the CNAME token shown in the Route Email Through Barracuda page. For example:
Point the CNAME record of that subdomain to ess.barracuda.com
Click Confirm Validation in the Route Email Through Barracuda page.
Email to Technical Contact – This method sends a verification email to the technical contact email address, if it exists, listed on your domain's WHOIS entry.
Email to the postmaster – This method sends a verification email to the postmaster email address for your domain. The confirmation email includes a link that the recipient must click to verify the domain.
- CNAME Records – To use the CNAME records method to verify the domain ownership:
Click Next, and click Next once again.
On the Select Data Center Region page, select the data center for your locale, and click Get Started.
Complete the wizard pages.
The Confirmation page displays. Confirm domain ownership, and then click Done.
- Go to the Domains page and verify your settings.
Step 2. Configure Inbound Mail Flow
- Log in to the G Suite admin console at https://admin.google.com.
- From the Home page, go to Apps > G Suite > Gmail.
- Scroll to the bottom of the page, and click Advanced settings.
- Scroll to the Inbound gateway section. Click Enable, and click Edit.
- In the IP addresses / ranges section, type
184.108.40.206/20, and click ADD.
- Click in the IP addresses / ranges section again, type
220.127.116.11/21, and click ADD.
- Select the following options:
- Automatically detect eternal IP (recommended)
- Reject all mail not from gateway IPs
- Require TLS for connections from the email gateways listed above
- In the Message Tagging section, clear the option Message is considered spam if the following header regexp matches:
- Click ADD SETTING.
Step 3. Configure Sender Policy Framework for Outbound Mail
To assure Barracuda Networks is the authorized sending mail service of outbound mail from your Barracuda Email Security Service, add the following to the Sender Policy Framework (SPF) record INCLUDE line of the SPF record for your sending mail server for each domain sending outbound mail. Select the relevant SPF INCLUDE based on the region you selected for your Barracuda Email Security Service.
See Sender Authentication for more information.
For example, your record would look similar to:
v=spf1 include:_spf.google.com include:spf.ess.barracudanetworks.com -all
- If you have an SPF record set up for your domain, edit the existing record, and add the following to the INCLUDE line for each domain sending outbound mail based on your Barracuda Email Security Service instance. For example:
- If you do not have an SPF record set up for your domain, use the following value to create a TXT record that creates a HARDFail SPF for your domain based on your Barracuda Email Security Service instance. For example:
v=spf1 include:spf.ess.barracudanetworks.com -all
See Sender Policy Framework for Outbound Mail for INCLUDE entries based on your Barracuda Email Security Service instance.
Step 4. Configure Outbound Mail Flow (Optional)
Scroll to the Routing section, and locate Outbound gateway.
Enter the Outbound smart hostname provided to you in the settings for your domain within the Email Security Service interface:
Click Save in the bottom right corner.
Restrict Local Email (Optional)
If you do not want to send internal email to Barracuda Email Security Service, complete the following steps:
- Sign in to the G Suite domain console. In the left pane, click Apps. In the Apps Settings page, click G Suite, and then click Gmail > Advanced settings.
- Click the Hosts tab, and click Add Route. In the Name field type a name to represent the new host, for example, type:
- In the Host name or IP address, type Google's primary destination hostname:
- In the Port field, type:
- Click the General Settings tab. In the Routing section, scroll down to Routing, and click Configure.
- In the Messages to affect section, select Internal - sending
- Scroll down to Route, and select Change route. From the drop-down menu, select the new host created above in step 6, in this example, Local Email, and click Add Setting.
Step 5. Enable Advanced Threat Protection
- Go to the ATP Settings tab, and select the desired option in the Enable Advanced Threat Protection section:
- Deliver First, then Scan – Attachments are delivered with the message to the recipient and then scanned by the ATP service; if a virus is detected, an email notification is sent to the email recipient. Additionally, if Notify Admin is set to Yes, and a virus is detected in the scanned attachment, an email is sent to the administrator.
- Scan First, then Deliver – Attachments are scanned by the ATP service before delivery. If a virus is detected in the attachment the message is blocked, otherwise it is delivered to the recipient.
- Select whether to Notify Admin if a virus is detected in a scanned attachment. When set to Yes, enter the ATP Notification Email address in the associated field.
For more information on ATP, refer to the following articles: