# 49 Email gateway interception

> v0.0.2 · role: Prevent · edition: All (3rd-party) · [policy: #6 · #19](https://docs.google.com/spreadsheets/d/1nOztaPd1Y7eNeRSR_hdovYy-ncpx-bAx/edit?usp=sharing&ouid=115159875779023172526&rtpof=true&sd=true)

Points the domain's MX records at a third-party mail security gateway so inbound mail is filtered before Google ever sees it, declares the gateway's IPs to Gmail as the trusted hop so Gmail reads the gateway's verdict rather than its IP reputation, rejects anything that arrives at Google without passing through the gateway, and optionally smart-hosts outbound mail through it too. The MX change is DNS, not console — and it is the step that can black-hole all of your mail.

Documentation: [Email routing and delivery options for Google Workspace](https://knowledge.workspace.google.com/admin/gmail/advanced/email-routing-and-delivery-options-for-google-workspace)

## Caveats

- Weigh this one carefully — for most organisations a third-party gateway in front of Gmail adds little that Gmail's own stack does not already do, while adding a supplier, a cost and a new single point of failure in the mail path.
- Gmail does not enforce the sender's DMARC policy on messages arriving via the inbound gateway — you inherit the gateway's verdict, having traded Google's anti-abuse stack for the vendor's.
- The gateway sees every message in plaintext — it is now a supplier holding all your mail, and a compelled-disclosure target in its own right.
- 'Reject all mail not from gateway IPs' is the setting that makes the control real — and the setting that black-holes mail the moment the vendor changes IPs without telling you.
- Inbound gateway settings do not accept private IP addresses.

## Setup steps

1. Point the domain's MX records at the third-party gateway so inbound mail is processed before Google sees it. This is a DNS change, not a console change — and it is the step that can black-hole all mail.

   ```
   MX → gateway vendor's hosts (lowest priority first); TTL lowered beforehand
   ```

2. Declare the gateway's public IPs to Gmail so it treats them as the trusted hop and reads the gateway's spam verdict instead of the gateway's own IP reputation. — `Apps › Google Workspace › Gmail › Spam, Phishing and Malware › Inbound gateway`

   - **Gateway IPs** = <vendor CIDRs>
   - **Automatically detect external IP** = ON

   docs: [Set up an inbound mail gateway](https://knowledge.workspace.google.com/admin/gmail/advanced/set-up-an-inbound-mail-gateway)

3. Close the bypass: reject anything that arrives at Google without having passed through the gateway, and require TLS on the gateway hop. — `Apps › Google Workspace › Gmail › Spam, Phishing and Malware › Inbound gateway`

   - **Reject all mail not from gateway IPs** = ON
   - **Require TLS for connections from the gateway** = ON

   docs: [Set up an inbound mail gateway](https://knowledge.workspace.google.com/admin/gmail/advanced/set-up-an-inbound-mail-gateway)

4. Add the gateway as a mail host so outbound mail can be routed through it too (smart host). — `Apps › Google Workspace › Gmail › Hosts`

   Add route → gateway smarthost:port; Require TLS = ON; Require CA-signed certificate = ON

   docs: [Add mail servers for Gmail email routing](https://knowledge.workspace.google.com/admin/gmail/advanced/add-mail-servers-for-gmail-email-routing)

5. Add the outbound routing rule that sends internal→external mail via that host, then verify with test mail in both directions before removing the direct path. — `Apps › Google Workspace › Gmail › Routing`

   - **Affect** = Outbound
   - **Route** = the gateway host
   - **Change envelope recipient** = off

   docs: [Add Gmail routing settings](https://knowledge.workspace.google.com/admin/gmail/advanced/add-gmail-routing-settings)

## Ongoing maintenance

- **[automatable: script]** Continuously: monitor gateway queue depth and delivery latency.
- **[requires a human]** Per incident/policy change: keep gateway rules in step with Workspace-side controls.

## How to verify

1. The MX records are public — confirm they point at the gateway, then send a test message from outside and read its headers for the gateway hop.

   dig +short MX <domain>

## Settings screens

- Apps > Google Workspace > Gmail > Spam, Phishing and Malware (Inbound gateway)
  - console: https://admin.google.com/ac/apps/gmail/spam
  - screenshot: ../screenshots/admin.google.com/ac/apps/gmail/spam.png
- Apps > Google Workspace > Gmail > Hosts (define the gateway host for outbound routing)
  - console: https://admin.google.com/ac/apps/gmail/hosts
  - screenshot: ../screenshots/admin.google.com/ac/apps/gmail/hosts.png
- Apps > Google Workspace > Gmail > Routing (outbound route through the gateway)
  - console: https://admin.google.com/ac/apps/gmail/routing
  - screenshot: ../screenshots/admin.google.com/ac/apps/gmail/routing.png
