The steps below describe how to add a mail route, an SMTP relay, and a content
compliance rule in the Google Workspace Admin console to route outbound emails to
Cloud App Security for Inline Protection.
Important
The steps contained in these instructions were valid as of September 2023.
Procedure
- Log on to the Google Workspace Admin console as a Google Super Admin.
- Add a mail route to direct outbound emails to Cloud App Security.
  - Go to and click Hosts.
  - Add a mail route for outbound messages by clicking ADD ROUTE and specifying the following settings on the Add mail route screen:
    - Name: Set a name for the mail route for outbound messages.
    - Specify email server: Select Single host and specify the hostname and port number of Cloud App Security for outbound protection.
      - Hostname: Type the Cloud App Security hostname for outbound protection displayed on the access grant screen in the Cloud App Security console. The hostname is also available in .
      - Port number: Type 25.
    - Options: Make sure the following settings are selected to implement secure communication between Gmail and Cloud App Security:
      - Require mail to be transmitted over a secure transport (TLS) connection (recommended): Encrypt messages between sending mail servers and receiving mail servers with Transport Layer Security (TLS).
      - Require CA signed certificate (recommended): The client SMTP server must present a certificate signed by a Certificate Authority that is trusted by Google.
      - Validate certificate hostname (recommended): Verify that the receiving hostname matches the certificate presented by the SMTP server.

      To verify the connection to Cloud App Security, click Test TLS connection.
  - Click Save.
- Create an SMTP relay that receives scanned outbound messages from Cloud App Security.
  - Go to . Locate SMTP relay service.
  - Click CONFIGURE or ADD ANOTHER RULE (if the setting is already configured) and specify the following settings:
    - SMTP relay service: Type TMCAS Inline SMTP Relay Service.
    - Allowed senders: Select Only addresses in my domain.
    - Authentication:
      - Select Only accept mail from the specified IP addresses.
      - Click ADD, add the IP address of Cloud App Security based on your serving site, and click SAVE. The IP addresses of Cloud App Security for outbound protection are as follows:
        - US site: 20.66.85.0/28, 104.210.59.109, 104.42.190.154, 20.72.147.115, 20.72.140.41
        - EU site: 20.160.56.80/28, 20.126.64.109, 20.126.70.251, 20.54.65.179, 20.54.68.120
        - Japan site: 20.78.49.240/28, 20.222.60.8, 52.140.200.104, 104.46.227.238, 104.46.237.93
        - Australia and New Zealand site: 20.227.209.48/28, 20.227.165.104, 20.213.244.63, 20.39.98.131, 20.39.97.73
        - Canada site: 20.220.229.208/28, 52.228.125.196, 52.139.13.202, 20.104.170.106, 20.104.172.35
        - Singapore site: 52.163.216.240/28, 20.43.148.85, 20.195.17.222
        - UK site: 20.0.233.224/28, 20.68.214.138, 20.68.212.120, 52.142.171.6, 52.142.170.53
        - India site: 20.235.86.144/28, 4.213.51.121, 4.213.51.126, 104.211.202.104, 52.172.7.14
        - Middle East (UAE) site: 20.233.170.240/28, 20.74.137.84, 20.74.179.106, 20.21.106.164, 20.21.108.130
    - Encryption: Select Require TLS encryption.
- Add a content compliance rule for routing outbound messages to Cloud App Security.
  - Go to and click Compliance.
  - In the Content compliance section, add a compliance rule for outbound messages by clicking CONFIGURE or ADD ANOTHER RULE (if the setting is already configured) and specifying the settings on the Add setting screen:
    - Content compliance: Type TMCAS Content Compliance Rule for Outgoing Messages.
    - Email messages to affect: Select Outbound.
    - Add expressions that describe the content you want to search for in each message: The following settings ensure that messages already scanned by Cloud App Security are not routed to Cloud App Security again.
      - Select If ANY of the following match the message.
      - Click ADD.
      - On the Add setting screen, specify the following settings:
        - Select Advanced content match.
        - Under Location, select Full headers.
        - Under Match type, select Not contains text.
        - Under Content, type the Loop prevention header for outbound protection displayed on the access grant screen in the Cloud App Security console. The loop prevention header is also available in .
    - If the above expressions match, do the following: The following settings ensure that messages already scanned by Cloud App Security will not be routed to Cloud App Security again.
      - Select Modify message.
      - Under Headers, select Add custom headers, and click ADD.
      - Add the string you just typed in Content.
      - Under Route, select Change the route and select the name of the mail route you just created for outbound messages.
    - Account types to affect:
      - Click Show options.
      - Select Users and Groups.
    - Envelope filter:
      - Select Only affect specific envelope senders.
      - Specify the senders affected by this rule based on the targets of your Cloud App Security policies for Gmail (Inline Mode).
        - Users/groups: Select Group membership (sent mail only), click Select groups and select the group TMCAS Inline Outgoing Gmail Virtual Group.
        - Domains only or both domains and users/groups in these domains: Select Pattern match, type the target domains in the format .*@<domain>, for example, .*@example.com.

      Important
      The default targets for a Gmail (Inline Mode) policy are all domains. If the targets of your Cloud App Security policies for Gmail (Inline Mode) include some domains and users/groups in some other domains, create two content compliance rules for each target type. Make sure the two rules share the same configuration except the Only affect specific envelope recipients settings.
  - Click Save.
  - Disable the compliance rule by clicking Disable after the rule and then clicking PROCEED on the displayed dialog box.

    Note
    This ensures that emails can be delivered to their destinations properly before the access grant for Gmail (Inline Mode) is completed.
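
As an added illustration (not part of the vendor procedure), the following Python model traces one outbound message through the content compliance rule and the SMTP relay rule configured above, showing why the loop prevention header keeps a scanned message from being routed to Cloud App Security a second time. Assumptions: `LOOP_HEADER` is a placeholder for the value shown in the console, the header value `1`, full-match pattern semantics, and all function names are hypothetical, and the sample message is constructed.

```python
import ipaddress
import re

# Placeholder: the real header string is shown on the access grant screen.
LOOP_HEADER = "X-PLACEHOLDER-LOOP-PREVENTION"
SENDER_PATTERN = r".*@example.com"  # envelope filter pattern from the procedure
# US site addresses as listed in the SMTP relay step.
US_SITE = [ipaddress.ip_network(n) for n in (
    "20.66.85.0/28", "104.210.59.109", "104.42.190.154",
    "20.72.147.115", "20.72.140.41")]


def compliance_rule(raw, envelope_sender):
    """Model the outbound content compliance rule; return (route, message)."""
    if not re.fullmatch(SENDER_PATTERN, envelope_sender):
        return "default", raw  # sender outside the envelope filter
    full_headers = raw.split("\n\n", 1)[0]  # "Full headers" excludes the body
    if LOOP_HEADER in full_headers:
        return "default", raw  # "Not contains text" fails: already scanned
    # Modify message: add the custom header, then change the route.
    return "cloud-app-security", f"{LOOP_HEADER}: 1\n{raw}"


def relay_accepts(source_ip, envelope_sender, tls):
    """Model the SMTP relay rule: own domain, allowlisted IP, TLS required."""
    ip = ipaddress.ip_address(source_ip)
    return (tls and envelope_sender.endswith("@example.com")
            and any(ip in net for net in US_SITE))


def trace(raw, envelope_sender, return_ip, tls=True):
    """Follow one outbound message; return the list of routing decisions."""
    route, raw = compliance_rule(raw, envelope_sender)
    hops = [route]
    if route == "cloud-app-security":
        # The scanned message comes back through the SMTP relay service.
        if not relay_accepts(return_ip, envelope_sender, tls):
            return hops + ["relay-rejected"]
        route, raw = compliance_rule(raw, envelope_sender)  # second pass
        hops.append(route)
    return hops


# Constructed sample message.
MSG = ("From: alice@example.com\nTo: bob@partner.test\n"
       "Subject: Q3 report\n\nBody text\n")

if __name__ == "__main__":
    print(trace(MSG, "alice@example.com", "20.66.85.5"))
    print(trace(MSG, "alice@example.com", "203.0.113.9"))
```

A message that only mentions the header string in its body is still routed for scanning, because the model matches on the header block alone, as the Full headers location setting specifies.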