Configure Inbound Email Gateway


  • Log into the Google Admin Console (https://admin.google.com/)
  • Navigate to Apps > Google Workspace > Gmail > Spam, phishing, and malware.
  • Hover the cursor to the right of Inbound gateway and, when the pencil icon is shown, click on it
  • Under Gateway IPs, do the following:
    • Add all of the sending IP ranges for Proofpoint in your region as listed on the Connection Details page
    • Also add the following IP ranges for Google
      • 35.190.247.0/24
      • 64.233.160.0/19
      • 66.102.0.0/20
      • 66.249.80.0/20
      • 72.14.192.0/18
      • 74.125.0.0/16
      • 108.177.8.0/21
      • 173.194.0.0/16
      • 209.85.128.0/17
      • 216.58.192.0/19
      • 216.239.32.0/19
      • 172.217.0.0/19

      • 172.217.32.0/20

      • 172.217.128.0/19

      • 172.217.160.0/20

      • 172.217.192.0/19

      • 172.253.56.0/21

      • 172.253.112.0/20

      • 108.177.96.0/19

      • 35.191.0.0/16

      • 130.211.0.0/22

      • 2001:4860:4000::/36

      • 2404:6800:4000::/36

      • 2607:f8b0:4000::/36

      • 2800:3f0:4000::/36

      • 2a00:1450:4000::/36

      • 2c0f:fb50:4000::/36

    • Check the boxes for "Automatically detect external IP" and "Require TLS for connections from the email gateways listed above"

    • Uncheck "reject all mail not from gateway IPs"

      • Checking this box will effectively lock your Google environment down to only accept external connections that have gone through Proofpoint. However, checking this option can also sometimes cause Google to reject legitimate mail from its own IP addresses.

    • Click Save, then enable the inbound gateway



Update Safety Settings


  • While signed into the Google Admin console, go to Apps > Google Workspace > Gmail
  • Click Safety to expand options
    • The settings for Attachments and Links & External Images can be left as is
  • Disable all of the Spoofing and Authentication options, including "Apply future recommended settings automatically"
    • Leaving these enabled can cause delivery issues with an error message that indicates a problem with DMARC.



Configure Outbound Email Gateway


  • From the Google Admin console, go to Apps > Google Workspace > Gmail > Hosts.
  • Click Add Route
  • Give this a name such as "Outbound for Proofpoint Essentials"
  • In the Outbound Gateway text field, enter the Proofpoint Essentials Smart host valuefor your region
    • US customers: outbound-us1.ppe-hosted.com
    • EU customers: outbound-eu1.ppe-hosted.com
  • Click Save on this page
  • Navigate to Apps > Google Workspace > Gmail > Routing, and under routing, click "Configure" or if a rule is there, then "Add another Rule"
  • Enter an appropriate Routing name, e.g.,"Outbound Through Proofpoint"
  • For "Emails messages to affect", select "Outbound".
  • For "For the types of messages above do the following", check "Change the route" and "Also reroute spam"
  • Under this section there is a dropdown box. Select the Outbound route.
  • Click "Show Options" to show additional fields
  • Under "B. Account types to affect", select all the choices (users, groups and unrecognized/catch-all)
  • Under "C. Envelope Filter", select Only affect specific envelope senders and then change the dropdown from "Single email address" to Pattern match
  • In the Regexp field, enter your domain name
  • When finished, click Save at the bottom of the page


Configure Internal Routing


  • Navigate to Apps > Google Workspace > Gmail > Hosts.
  • Select Add Route.
  • For Name, enter Internal Google Workspace, for single host, enter aspmx.l.google.com and then, in the second field, enter 25.
  • Make sure that the option Perform MX lookup on host is NOT checked, and that the following options are checked:
    • Require mail to be transmitted via a secure connection,
    • Require CA signed certificate
    • Validate certificate hostname is checked, then press Save
  • Scroll down to Routing, and then click Configure or if there is a rule already, click Add Another Rule
  • Enter a description at the top, e.g. Internal Routing.
  • Under Messages to affect, check the box that says Internal Sending.
  • Scroll down, and under Route, check Change route, and then change the default dropdown from Normal Routing to
  • Internal Google Workspace.
  • Scroll down and select Show options. The screen expands.
  • Under B. Account types to affect, check both Users and Groups
  • Under C. Envelope Filter, check Only affect specific envelope senders and then change the dropdown from "Single email address" to Pattern Match
  • Under Regexp, enter your domain name
  • When finished, click Save


Proceed to next step: Test Mail Flow