It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda Campus Barracuda Campus

Barracuda Campus is getting an upgrade!

We are excited to announce that Barracuda Campus will migrate to a new platform around mid-January 2026. Please see the announcement on the Campus Dashboard to find out more.

Set up Google Workspace for Impersonation Protection

  • Last updated on

This article provides the steps to protect Google email with Impersonation Protection.

Impersonation Protection for Google Workspace is currently limited to early adopters. Please contact your account manager for details and potential early access.

NOTE: You must be a Super Administrator to use Barracuda Impersonation Protection with Google Workspace. 

All four steps of this process must be completed to protect Google email.

Step 1 – Sign In and Grant Barracuda Access to Google Workspace

  1. Sign in to Impersonation Protection to get started. If you do not already have an account, you can create one here. 

  2. Select Google when asked to connect to an email provider. 

  3. Sign in to your Google Workspace account as a Super Admin

  4. Click Allow when asked to grant access to Barracuda Networks. 

  5. After Barracuda Networks verifies your Super Admin account, you will be taken to Step 2. 

Step 2 – Set Up Privileges in Google Workspace

Google Workspace must have the correct privileges to use Impersonation Protection. Follow the steps below to configure privileges.

  1. Sign in to the Google Workspace Admin Console. The link provided can take you to the login.
    (Note: Super Administrator permissions are required.)

  2. Navigate to Security > Access and data control > API controls.

    Step 2.2_.png

  3. Click MANAGE DOMAIN WIDE DELEGATION.

  4. Select Add new.

  5. Enter the following into the Client ID field: 116785958912330628458

    add-a-new-client-id.png

  6. Add the following OAuth scopes:
    https://www.googleapis.com/auth/userinfo.profile,
    https://www.googleapis.com/auth/userinfo.email,
    https://www.googleapis.com/auth/admin.directory.user,
    https://www.googleapis.com/auth/gmail.modify,
    https://www.googleapis.com/auth/admin.reports.audit.readonly,
    https://www.googleapis.com/auth/apps.licensing,
    https://www.googleapis.com/auth/admin.directory.domain.readonly,
    https://www.googleapis.com/auth/admin.directory.customer.readonly,
    https://www.googleapis.com/auth/admin.directory.group.readonly

  7. Click Authorize.

  8. The Workspace privileges are now configured. Return to Impersonation Protection and click Verify.
    Note: It may take time for privileges to propagate; you may need to wait and try again.  

    Step 2.8_.png

  9. After privileges have been verified, click the Next button at top-right of your screen to go to Step 3. 

Step 3 – Set Up Headers in Google Workspace

Impersonation Protection looks for specific headers in Google email. Follow the steps below to configure these headers.

  1. Continue or sign in to the Google Workspace Admin Console.

  2. Navigate to Apps > Google Workspace > Gmail > Routing.

    Step 3.2_.png

  3. Under the Routing table, click the ADD ANOTHER RULE link.

  4. The Add setting dialog opens. This is the first of three rules to be added.

    1. Enter a name for the rule in the top field. Example: Routing Inbound

    2. Under Email messages to affect, select the Inbound option.

    3. Under Modify message > Headers, select the Add custom headers option.

    4. In the Custom headers box, click Add.

      Step 3.4d_.png

    5. For Header key, enter Gm-EP-Direction-Inbound

    6. For Header value, enter 1.

      Step 3.4f_.png

    7. Click SAVE. The rule setting should look like this:

      Step 3.4g_.png

    8. Click ADD at the bottom. The rule should appear in the Routing table.

  5. Add a second rule by doing the following:

    1. Give the rule a name. Example: Routing Outbound

    2. Under Email messages to affect, select the Outbound option. 

    3. Under Modify message > Headers, select the Add custom headers option. 

    4. In the Custom headers box, click Add

    5. For Header key, enter Gm-EP-Direction-Outbound 

    6. For Header value,enter 1

    7. The rule setting should look like this:

      Step 3.5g_.png

    8. Click ADD at the bottom. The rule should appear in the Routing table.

  6. Add a third rule by doing the following:

    1. Give the rule a name. Example: Sending and Receiving 

    2. Under Email messages to affect, select both the Internal - Sending and Internal – Receiving options. 

    3. Under Modify message > Headers, select the Add custom headers option. 

    4. In the Custom headers box, click Add

    5. For Header key, enter Gm-EP-Direction-Internal 

    6. For Header value,enter 1

    7. The rule setting should look like this:  

      Step 3.6g_.png

    8. Click ADD at the bottom. The rule should appear in the Routing table.

  7. Return to Impersonation Protection.

  8. Barracuda will send emails to ensure that the headers have been set up correctly. As in the example shown in the image below, an email will be sent from your Google admin account to a Barracuda email address. Another email will be sent from Barracuda to your Google admin account.

    send-emails.png

  9. In the empty field shown above, add an email address that is internal to your mailbox. (i.e. user@yourdomain.com)
    As you start to type, the field should pre-populate with internal email addresses.

  10. Click the Send emails button. The green Emails sent chip will display once all messages are away.
    It typically takes a minute or two for Barracuda to receive and inspect the emails.

  11. Click the Verify button to ensure all headers have been added correctly.

    verify-button.png

  12. If headers are correct, the green Verified chip will display.
    If there is a problem, an error will be displayed. Wait a few minutes to see if the emails are received by Barracuda and the error goes away. If the error message persists, try again by clicking Resend emails and then waiting several minutes before clicking the Verify button. If that is still unsuccessful, return to the beginning of this step (Step 3).

  13. Once the Google email header configuration is verified, click the Next button at top-right of your screen to go to Step 4.

Step 4 – Select Protection Setting

Now that the Workspace setup is verified, select how Impersonation Protection will remediate phishing and other email fraud attacks.

  1. The options for default settings are:

    1. Enforcement mode (Recommended)
      Barracuda remediates attacks as they happen by:

      1. Moving the messages to the recipient’s junk folder.

      2. Alerting you and the recipient.
        You will be able to customize this behavior.

    2. Reporting mode
      Barracuda will track attacks and display them on your dashboard. Barracuda will not take any remediation action in real time (as they happen). With this option, you are not protected by phishing and fraud.

  2. After making a selection, click Complete setup.

Barracuda will take anywhere from several hours to several days (depending on the size of your account) to fully learn about your environment. After the initial learning phase is finished, you will receive an email notifying you that Impersonation Protection is now available.