In order to use MXGuardian's outbound filtering service, you must configure Google Workspace to relay all outbound mail to MXGuardian. This is sometimes called a smarthost. This guide will walk you through configuring an outbound gateway and configuring it to relay outbound mail to MX Guardian.
Note: Make sure outbound filtering is enabled on your account before following this procedure.
Step 1: Configure Google Workspace to handle internal mail
First, we need to configure Google Workspace to handle your internal company mail so that mail from one user to another doesn't get routed to MXGuardian
- Sign in to the Google Admin Console
- Select Apps, and then Google Workspace, and then Gmail
- Scroll down to the section labeled Hosts, and click Add Route
- Give the new route a name like "Internal Company Mail"
- Under Specify email server, choose Single Host, and enter aspmx.l.google.com, and the port number 25
Make sure the checkbox Perform MX lookup on host is NOT checked. Check the boxes
- Require mail to be transmitted via a secure (TLS) connection (Recommended)
- Require CA signed certificate (Recommended)
- Validate certificate hostname (Recommended)
- Click Save
Step 2: Configure Google Workspace to route outbound mail to MXGuardian
In the breadcrumbs at the top, select Settings for Gmail to navigate back to the settings page.
- Scroll down and click the section labeled Routing. (Not Default Routing)
- Click the section Outbound Gateway
- Under Route outgoing emails to the following SMTP Server, enter smtp.mxguardian.net and click Save
Under Routing click Add another rule
Give the route a name like Internal Mail Route
Select the checkbox Internal - Sending
- In section #2, Make sure the Modify message menu item is checked, and choose the checkbox Change Route and use the menu below that to chose the host you set up earlier Internal Company Mail
- Scroll all the way down to the bottom and click Show options
In Section B, choose the checkboxes
In Section C choose the checkbox Only affect specific envelope senders, choose Pattern Match from the dropdown menu, and enter your domain in the Regexp field:
- Click Save
Step 3: Configure your SPF record for both Google Workspace and MXGuardian
Your SPF record MUST include both the entries for MXGuardian and for Google Workspace, so it must include include:spf.mxguardian.net and include:_spf.google.com
For example, a minimal SPF record would look like this:
"v=spf1 include:spf.mxguardian.net include:_spf.google.com -all"
Your SPF record may include other hosts if you need to send mail from a third party (i.e. marking platforms, CRM systems, etc...)