
Step 2 - Deploy Compliance Edition for G Suite

  • Last updated on

Use this article to deploy Barracuda Email Security Service and Advanced Threat Protection for G Suite in your environment.

To deploy Barracuda Essentials with G Suite, you must have a G Suite Basic, Business, or Enterprise account. The legacy free edition of G Suite is missing key features required for this deployment. For details on upgrading your G Suite subscription, refer to the Google Support article G Suite legacy free edition.

Google IP addresses and user interfaces can change; refer to the G Suite Administrator Help Center for updates and configuration details.

You can specify the Barracuda Email Security Service as an inbound mail gateway through which all incoming mail for your domain is filtered before reaching your Google account. The Barracuda Email Security Service filters out spam and viruses, then passes the mail on to the Google mail servers. Use the Configure Inbound Mail Flow instructions below to configure.

You can also specify the Barracuda Email Security Service as the outbound mail gateway through which all mail is sent from your domain via your Google account to the recipient. As the outbound gateway, the Barracuda Email Security Service processes the mail by filtering out spam and viruses before final delivery. By configuring Google as described in Configure Outbound Mail Flow below, you instruct the Google mail servers to pass all outgoing mail from your domain to the Barracuda Email Security Service (the gateway server).

Step 1. Launch the Barracuda Email Security Service Setup Wizard

  1. Log into your Barracuda Cloud Control account. On the left side, select Email Security.
    The Email Security wizard launches. Click Next.
  2. Select the Region for your Data Center. Then click Get Started.

    After you select your Region, you cannot change it.



  3. Enter the primary email domain you want to protect with Barracuda Email Security Service. Then click Next.

  4. The system automatically retrieves your current MX records and auto-fills that information as your Destination Server. If this is not the correct Destination Server, click Remove and add the Destination Server with the correct data. 
    If you want to add additional servers, enter data for those servers now.
    After you properly configure the Destination Server, enter a valid User Name to test the mail server connection. 
    After you have determined that the settings are correct, click Next.

  5. Select your settings, accepting the default values or making changes if needed, then click Next.

  6. Barracuda recommends verifying your domain via MX records with Priority 99. If you do not want to update MX records now, check the box and select a different method. 
    In the first case, click Verify MX Records. Otherwise, click Confirm Validation.

    Note that after verifying your domain, any mail sent to your domain from another Barracuda ESS customer will be processed normally by your ESS account and not delivered via MX records.


  7. When the verification is successful, click Next.

    If the verification is not successful, a message appears, letting you know that the domain could not be verified. 
    If you are having DNS issues that you want to address, click Skip to exit the wizard. Behind the wizard, click the Domains tab to retry the validation. 
  8. Click Finish to finalize the setup and close the wizard.

Step 2. Add Additional Email Domains (Optional)

You configured your primary email domain in Step 3 of the wizard, above.

Use the steps in the following section if you want to protect additional domains with Barracuda Email Security Service. If you are only protecting one domain, continue below with Step 3. Configure Inbound Mail Flow.

  1. Log into the Barracuda Cloud Control as administrator. In the left panel, click Email Security. Select the Domains tab, then click Add Domain.
  2. Enter the domain name and the Primary MX record for Google: ASPMX.L.GOOGLE.COM.

  3. Click Add Domain; the Domain Settings page displays, listing the new domain.
  4. Click Add Mail Server and add the remaining four mail servers from the table.

    Priority G Suite Destination Mail Server
  5. Click Save Changes.
  6. Click the Domains tab at the top. Click Verify Ownership.

  7. Select one of the three methods to verify your domain.

  8. Repeat these steps, as needed, for additional domains before continuing with Step 3 below.
  9. After the mail server is verified, the Verified icon displays in the Status column and a confirmation message displays at the top of the page.

Step 3. Configure Inbound Mail Flow

Before completing the steps in this section, verify your MX records display in the Barracuda Email Security Service MX records; otherwise mail delivery issues may be introduced.

  1. Log into the G Suite admin console at
  2. From the Home page, go to Apps > G Suite > Gmail.
  3. Scroll to the bottom of the page, and click Advanced settings.
  4. Scroll to the Inbound gateway section. Click Enable, and click Edit.
  5. In the specify IP address ranges page, enter the IP address/range for the Sender (Barracuda Email Security Service). For example, if you are in the US region, type
    For other regions, refer to the IP addresses listed in Barracuda Email Security Service IP Ranges. If your region has only one IP address range, you can skip ahead to Step 7 below. 
  6. If there is more than one IP address or range, click ADD, then type the next IP address or range. For example, for the US region, type, and click ADD.
  7. Select the following options:
    1. Automatically detect external IP (recommended)
    2. Require TLS for connections from the email gateways listed above

  8. Click Add Setting.

Step 4. Internal Mail

By default, your internal mail is sent out to your inbound MX record, which points to the Barracuda Email Security Service. This is by design for Google mail systems. To ensure that your internal mail stays internal, you must create a routing rule.

To configure a routing rule, follow the instructions below:

Step 1. Create Local Host
  1. Log into the G Suite admin console at
  2. From the Home page, go to Apps > G Suite > Gmail > Hosts.
  3. Click Add Route. Enter a route name. For example, Internal Mail.
  4. Select Multiple hosts.
  5. Enter the Primary host details, and then click Add Primary.
    1. Hostname –
    2. Port – 25
    3. Load – 100%
  6. Enter the Secondary host details, and then click Add Secondary.
    1. Hostname –
    2. Port – 25
    3. Load – 100%
  7. Under Options, select Require secure transport (TLS) and Require CA signed certificate.
  8. Click Save.


Step 2. Create Routing Rule
  1. From the Admin console Home page, go to Apps > G Suite > Gmail.
  2. Scroll to the bottom of the page, and click Advanced settings.
  3. In the Routing section, point to Routing and click Configure.
  4. Enter a name for the rule. For example, Internal Mail.
  5. Under Messages to affect, select Internal - sending.
  6. Under For the above types of messages, do the following, click the Down arrow and then select Modify message.
    1. Select Change route.
    2. From the list of options, select the host you created above in Step 1. Create Local Host.

  7. Towards the bottom, click Show options. Under Account types to affect, select Users and Groups.

  8. Click Add Setting.
    The new rule displays in the Routing section.

  9. At the bottom right of the screen, click Save to ensure the new rule is applied.

Step 5. Configure Sender Policy Framework for Outbound Mail

To ensure Barracuda Networks is the authorized sending mail service for outbound mail from your Barracuda Email Security Service, add the following to the INCLUDE line of the Sender Policy Framework (SPF) record for your sending mail server, for each domain sending outbound mail. Select the relevant SPF INCLUDE based on the region you selected for your Barracuda Email Security Service:

AU (Australia) -all
CA (Canada) -all
DE (Germany) -all
UK (United Kingdom) -all
US (United States) -all

For more information, see Sender Authentication.

  • If you have an SPF record set up for your domain, edit the existing record, and add the following to the INCLUDE line for each domain sending outbound mail based on your Barracuda Email Security Service instance. For example: -all
  • If you do not have an SPF record set up for your domain, use the following value to create a TXT record that creates a HARD Fail SPF for your domain based on your Barracuda Email Security Service instance. For example: v=spf1 -all
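
The two cases above (editing an existing SPF record, or creating a new hard-fail record) can be checked offline before you publish the DNS change. The following is an added example, not Barracuda or Google code: the function names are hypothetical, ESS_INCLUDE is a placeholder for the regional INCLUDE value, and the sample TXT records are constructed.

```python
import re

# Added example. ESS_INCLUDE is a placeholder, not a real Barracuda hostname;
# substitute the INCLUDE value for your region. SAMPLE_TXT is constructed.
ESS_INCLUDE = "spf.ess-region.example"
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # RFC 7208 4.6.4
SAMPLE_TXT = ["google-site-verification=constructed-token",
              "v=spf1 include:_spf.google.com ~all"]

def spf_records(txt_records):
    """Keep only the TXT strings that are SPF policies (first term is v=spf1)."""
    return [t for t in txt_records if t.lower().split()[:1] == ["v=spf1"]]

def mech_name(term):
    """Mechanism or modifier name without qualifier, argument or CIDR length."""
    return re.split(r"[:/=]", term.lower().lstrip("+-~?"))[0]

def audit(txt_records, include=ESS_INCLUDE):
    """Return a list of problems with the domain's published SPF policy."""
    found = spf_records(txt_records)
    if not found:
        return ["no SPF record published"]
    problems = []
    if len(found) > 1:
        problems.append("multiple v=spf1 records (receivers return permerror)")
    terms = found[0].split()[1:]
    if f"include:{include}" not in (t.lower().lstrip("+") for t in terms):
        problems.append(f"missing include:{include}")
    if not terms or terms[-1].lower() != "-all":
        problems.append("record does not end in -all (hard fail)")
    lookups = sum(mech_name(t) in LOOKUP_TERMS for t in terms)
    if lookups > 10:
        problems.append(f"{lookups} DNS-lookup terms, limit is 10")
    return problems

def with_ess_include(txt_records, include=ESS_INCLUDE):
    """Build the record to publish. The include goes before the existing 'all'
    term, because mechanisms placed after 'all' are never evaluated."""
    found = spf_records(txt_records)
    if len(found) > 1:
        raise ValueError("merge the existing v=spf1 records into one first")
    if not found:
        return f"v=spf1 include:{include} -all"
    terms = found[0].split()
    if f"include:{include}" in (t.lower().lstrip("+") for t in terms):
        return found[0]
    pos = next((i for i, t in enumerate(terms) if mech_name(t) == "all"), len(terms))
    return " ".join(terms[:pos] + [f"include:{include}"] + terms[pos:])
```

Run audit() against the record that with_ess_include() returns: an existing ~all terminator is kept as found and reported, so moving to a hard fail remains an explicit decision.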

Step 6. Configure Outbound Mail Flow (Optional)

To ensure outbound mail delivery, contact Barracuda Technical Support to have Hosted Outbound Relay enabled on your account. Failure to do so will result in undeliverable messages.

The steps in this section are taken from G Suite Admin Help.

  1. Scroll to the Routing section, and locate Outbound gateway.

  2. Enter the Outbound smart hostname provided to you in the settings for your domain within the Barracuda Email Security Service interface:

  3. Click Save in the bottom right corner.

Continue with Step 3 - Deploy Compliance Edition for G Suite to deploy the Barracuda Cloud Archiving Service component.
