WatchGuard Email Protection Integration with Google Workspace

Deployment Overview

This document describes the steps to integrate WatchGuard Email Protection with Google Workspace.

Contents

Platform and Software

The platform and software used in this integration include:

  • WatchGuard Email Protection administrative account
  • Google Workspace administrator account
  • DNS hosting provider

Integration Topology

This diagram shows the topology for the WatchGuard Email Protection with Google Workspace integration.

Screenshot of topology diagram

Before You Begin

Before you complete the procedures in this document, make sure that:

  • You have a domain in Google Workspace that is managed by your DNS hosting provider.
  • Your Google Workspace Gmail account can send email messages to an external mailbox and receive email messages from an external mailbox.

Update the Domain MX Record

When you add WatchGuard Email Protection servers to the MX record for your domain, you can route incoming email messages for your domain to WatchGuard Email Protection servers. WatchGuard Email Protection servers then filter the email messages and forward them to the Google Workspace email server. This process takes place before the email messages reach your Gmail mail inbox.

To update the MX record for your domain:

  1. Log in to your DNS hosting provider. Back up then remove all the original MX records.
  2. Add the WatchGuard Email Protection MX records shown in WatchGuard Email Protection Server MX Records. We recommend that you add all the records with different priorities in each range.

    3. Screenshot of DNS MX records

Add the Domain to WatchGuard Email Protection

To add your domain to WatchGuard Email Protection:

  1. Log in to WatchGuard Email Protection as an administrator.
  2. From the Scope Selection drop-down list, select the company domain.
  3. From the navigation menu, select Customer Settings > Domains.
    The Customer Settings - Domains page opens.

Screenshot of the WatchGuard Email Protection add domain

  1. Click Add Domain.
  2. In the Domain text box, type the name of the domain. Click Add.
  3. Next to the new domain, click Screenshot of the select icon.
    A menu opens.
  4. To verify that the MX records point to WatchGuard Email Protection, click Trigger Verification.
    If the domain passes verification, the domain status shows as Verified.

    5. Screenshot of the WatchGuard Email Protection trigger domain verification

Update Domain SPF Records and Activate SPF Check

The Sender Policy Framework (SPF) records of your domain must point to WatchGuard Email Protection SPF records. This authorizes Email Protection to send email messages from your domain. Recipients outside your organization can use the SPF records to perform SPF checks on email messages from your domain.

To update the SPF record:

  1. Log in to your DNS hosting provider.
  2. Add this SPF record: v=spf1 include:spf.hornetsecurity.com ~all
    It might take some time for the DNS resolution to take effect.

    3. Screenshot of DNS SPF record

To activate SPF check:

  1. Log in to WatchGuard Email Protection as an administrator.
  2. From the Scope Selection drop-down list, select the company domain.
  3. From the navigation menu, select Security Settings > Email Authentication.
  4. To refresh the status, click Refresh DNS Settings.
    The DNS status settings for the domain show in the table.
    • A green check mark indicates that the domain settings are correct.
    • A yellow exclamation mark icon indicates that no records are set for the domain.
    • A red X icon indicates that the domain settings are not correct.

    5. Screenshot of the WatchGuard Email Protection SPF check status

  5. From the Sender Authentication section, enable Activate SPF Check.
  6. Select For All Incoming Emails.

Configure Spam and Malware Protection

To configure Spam and Malware Protection in WatchGuard Email Protection:

  1. From the navigation menu, select Security Settings > Spam and Malware Protection.
    The Security Settings - Spam and Malware Protection page opens.
  2. Select the General Settings tab.
  3. From the Domain drop-down list, select the domain you want to activate Spam and Malware Protection for.
  4. Disable Inherit From Primary Domain.

Screenshot of the WatchGuard Email Protection Spam and Malware Protection page

  1. Enable Activate Spam and Malware Protection.
  2. From the Primary Environment Settings > Destination section, select IP/Hostname.
  3. In the Destination Server text box, type aspmx.l.google.com:25
  4. If you configure the outgoing traffic relay in the server, enable IP Addresses of Relay Servers for Outgoing Emails.
    1. In the text box, type the IP addresses of the server that send the outgoing messages to Email Protection.
    2. Clear the Restrict Email Sending to the Relay Server IP Addresses and Bounce Management (Recommended) check boxes.
  5. From the User Check section, select SMTP.
  6. Disable Alternative IP Address for User Check.
  7. Click Save.

Configure an Outbound Gateway and Catch-all Mailbox in Google Workspace

To prevent email messages sent by your Google Workspace environment from being defined as malicious by other external mail servers, you must add an outbound gateway to route all outbound emails through the WatchGuard Email Protection smart host.

To add the WatchGuard Email Protection smart host to outbound gateway:

  1. Log in to Google Admin console with your administrator account.
    You must use an administrator account to open the Admin console.
  2. From the left navigation menu, select Apps > Google Workspace > Gmail > Routing.
  3. From the Outbound Gateway section, specify the server domain:
    • United States — relay-cluster-usa01.hornetsecurity.com
    • Europe — relay-cluster-eu01.hornetsecurity.com
    • Canada — relay-cluster-ca01.hornetsecurity.com

    4. Screenshot of the Google Workspace Outbound Gateway

  4. Click Save.

When you activate SMTP user check in Email Protection in the previous section, you must disable catch-all rules in Google Workspace.

To disable catch-all rules in Google Workspace:

  1. From the Routing section, disable or delete all of your routing rules.

    2. Screenshot of the Google Workspace Routing Rules

Configure an Inbound Gateway in Google Workspace

To prevent your Google Workspace from receiving unprocessed email messages, you must add all of the WatchGuard Email Protection server IP address ranges to the inbound gateway. The inbound gateway makes sure that the Google Workspace email server only accepts messages coming from the WatchGuard Email Protection server IP address ranges. Any email messages that do not originate from WatchGuard Email Protection IP address ranges are rejected.

To add the Email Protection server IP ranges to an inbound gateway:

  1. Log in to Google Admin console with administrator account.
    If you aren’t using an administrator account, you can’t access the Admin console.
  2. From the left navigation menu, select Apps > Google Workspace > Gmail > Spam, Phishing and Malware.
  3. From the Inbound Gateway section, select the Enable check box.
  4. Click Add.

    5. Screenshot of the Google Workspace Inbound Gateway 1

  5. Add all IP addresses shown in IP Addresses of WatchGuard Email Protection Servers.
  6. Select the Automatically Detect External IP (Recommended) and Reject All Mail Not From Gateway IPs check boxes.

    7. Screenshot of the Google Workspace Inbound Gateway 2

  7. Click Save.

Test the Integration

To test the integration:

  1. Send an email message from outside to the WatchGuard Email Protection protected mail server. (Inbound)
  2. Send an email message from the WatchGuard Email Protection protected mail server to outside. (Outbound)
  3. Verify that inbound and outbound mail sends and receives successfully.
    It might take a minute for the email records to show in the Email Live Tacking list. To refresh the list, click Refresh.
  4. Verify that email messages appear in the Email Live Tracking page in WatchGuard Email Protection.

    5. Screenshot of the WEP Email Live Tracking page 1

  5. Add a policy in WatchGuard Email Protection. For example, we added a deny list entry to deny email messages from the watchguard.com domain.
    For more information about deny and allow lists, go to About Deny & Allow Lists in Email Protection Help.

    6. It might take some time before the incoming email message is filtered.

  6. Verify that inbound mail is blocked by WatchGuard Email Protection according to the policy you created.
  7. Verify that outbound mail sends and receives successfully.
  8. Verify that the expected information appears in the Email Live Tracking page.

    9. Screenshot of the WEP Email Live Tracking page 2

WatchGuard Email Protection Server MX Records

Europe

The MX records for customers in Europe are:

Domain Class Type Priority Email server
<domain.tld> IN MX 10 mx01.hornetsecurity.com
<domain.tld> IN MX 20 mx02.hornetsecurity.com
<domain.tld> IN MX 30 mx03.hornetsecurity.com
<domain.tld> IN MX 40 mx04.hornetsecurity.com

For customers of the DNS provider 1&1, use these MX records:

Domain Class Type Priority Email server
<domain.tld> IN MX 10 mx23a.antispameurope.com
<domain.tld> IN MX 20 mx23b.antispameurope.com
<domain.tld> IN MX 30 mx23c.antispameurope.com
<domain.tld> IN MX 40 mx23d.antispameurope.com

United States

The MX records for customers in the United States are:

Domain Class Type Priority Email server
<domain.tld> IN MX 10 mx-cluster-usa01.hornetsecurity.com
<domain.tld> IN MX 20 mx-cluster-usa02.hornetsecurity.com
<domain.tld> IN MX 30 mx-cluster-usa03.hornetsecurity.com
<domain.tld> IN MX 40 mx-cluster-usa04.hornetsecurity.com

Canada

The MX records for customers in Canada are:

Domain Class Type Priority Email server
<domain.tld> IN MX 10 mx-cluster-ca01.hornetsecurity.com
<domain.tld> IN MX 20 mx-cluster-ca02.hornetsecurity.com
<domain.tld> IN MX 30 mx-cluster-ca03.hornetsecurity.com
<domain.tld> IN MX 40 mx-cluster-ca04.hornetsecurity.com

IP Addresses of WatchGuard Email Protection Servers

WatchGuard Email Protection Servers IP Address Ranges

83.246.65.0/24 94.100.128.0/24 94.100.129.0/24 94.100.130.0/24 94.100.131.0/24
94.100.132.0/24 94.100.133.0/24 94.100.134.0/24 94.100.135.0/24 94.100.136.0/24
94.100.137.0/24 94.100.138.0/24 94.100.139.0/24 94.100.140.0/24 94.100.141.0/24
94.100.142.0/24 94.100.143.0/24 173.45.18.0/24 185.140.204.0/24 185.140.205.0/24
185.140.206.0/24 185.140.207.0/24      

WatchGuard Email Protection Servers IP Address Ranges in Canada

108.163.133.224/27 199.27.221.64/27 209.172.38.64/27 216.46.2.48/29 216.46.11.224/27