(Optional) Configure Inbound mail to reject non-EMS emails

This option ensures that all inbound email traffic is received through GravityZone Security for Email.

Warning

Implementing this setting might result in the loss of messages in certain situations.

You should configure Office 365 to block any inbound email that does not originate from the GravityZone Security for Email product. Two options are available and are discussed below. The option best suited to you depends on your environment and requirements.

The connection filter method allows the GravityZone Security for Email server IP addresses to deliver emails even if spam filtering is enabled in Office 365. This ensures that emails processed by the GravityZone Security for Email product are delivered without delay and do not land in the junk mailbox folder for Office 365 users.

Note

Your EMS account must have an inbound TLS rule for this option to complete successfully.

  1. Log in to the Office 365 Exchange Admin Center and go to Admin Centers > Classic Exchange Admin Center.

  2. Go to Protection > Connection Filter.

  3. Edit the Default entry and navigate to the Connection Filtering tab.

  4. In the Allowed IP Address section, add all of the IP addresses for the GravityZone Security for Email region you are using.

    You can find a list of our IP addresses here:

    Important

    There are three sets of IP addresses:

    • Set 1 - use this if your GravityZone is provisioned with https://cloudgz.gravityzone.bitdefender.com/

    • Set 2 - use this if your GravityZone is provisioned with https://cloud.gravityzone.bitdefender.com/

    • Set 3 - use this if your GravityZone is provisioned with https://cloudap.gravityzone.bitdefender.com/

    You can check how you are provisioned by logging in to the GravityZone console and checking the URL.

  5. Click Enable Safe List and then Save.

Note

Office 365 is now configured to block any email that does not originate from EMS.
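
The same connection filter change can be scripted with Exchange Online PowerShell. This is an added example, not part of the original procedure; the addresses are placeholders from documentation ranges and must be replaced with the IP set for your region. The /24 to /32 prefix check reflects the limit Microsoft documents for the IP allow list.

```powershell
# Added example: scripted equivalent of the connection filter steps above.
# Requires the ExchangeOnlineManagement module and an Exchange admin account.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# PLACEHOLDERS (documentation ranges): replace with the GravityZone Security
# for Email addresses from the IP set that matches your region.
$GatewayIps = @('192.0.2.10', '198.51.100.0/24')

# Validate before touching the policy: each entry must parse as an IP address,
# and CIDR entries in the IP allow list must use a prefix of /24 through /32.
foreach ($entry in $GatewayIps) {
    $addr, $prefix = $entry -split '/', 2
    $parsed = $null
    if (-not ([System.Net.IPAddress]::TryParse($addr, [ref]$parsed))) {
        throw "Not a valid IP address: $entry"
    }
    if ($prefix -and ([int]$prefix -lt 24 -or [int]$prefix -gt 32)) {
        throw "CIDR prefix must be /24 to /32 for the IP allow list: $entry"
    }
}

# Steps 3-5: append to the Default policy's allow list and enable the safe list.
# @{Add=...} keeps any addresses that are already on the list.
Set-HostedConnectionFilterPolicy -Identity Default `
    -IPAllowList @{Add = $GatewayIps} `
    -EnableSafeList $true

# Confirm what is now configured.
Get-HostedConnectionFilterPolicy -Identity Default |
    Format-List Name, IPAllowList, EnableSafeList
```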

Using a mail flow rule provides more flexibility than using IP addresses alone; for example, you could control based on email address or attachment. Depending on your requirements or environment, this may be the best option if you have other means to restrict direct connection to your Office 365 tenant other than just IP address.

  1. Log in to the Office 365 Admin Center, and go to Admin Centers > Exchange.

  2. In the left-hand pane, click Mail Flow and then Rules.

  3. Click + and then click Create a new rule.

  4. In the New Rule page, enter a Name to represent the rule. For example, Email Security IP restriction.

  5. Scroll down and click More options.

  6. From the Apply this rule if drop-down menu, select The Sender, Is External/Internal and Outside the organization.

  7. From the Do the following drop-down menu, select Block the message and Reject the message with the Explanation.

  8. Click Enter text and enter the message that you want to include in the non-delivery report (NDR) that will be sent to the email's sender. For example:

    IP restricted, not using MX record. Please ensure your DNS is up-to-date and try sending this message again.

  9. Click Add exception.

  10. Select Sender and then Sender's IP address is in the range or exactly matches, and enter the GravityZone Security for Email IP for your cluster - see MX records and IP addresses - Set 1, MX records and IP addresses - Set 2, or MX records and IP addresses - Set 3.

  11. Click + to add each of the IP addresses for your region.

  12. Once all the IP addresses have been added, click OK.

  13. Scroll to the Properties of the rule section. Under Match sender address in message, select Header or Envelope.

  14. Click Stop processing more rules.

  15. Click Save.

  16. Verify that the new rule displays at the top of the list of mail flow rules. If it's not at the top, select the rule and use the Up arrow to move it.

Note

Office 365 is now configured to block any email that does not originate from EMS.
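
The mail flow rule from steps 1 to 16 can also be created with Exchange Online PowerShell. This is an added example, not part of the original procedure; the IP addresses are placeholders from documentation ranges, and the `$Mode` variable is an addition that lets you run the rule in audit mode first.

```powershell
# Added example: scripted equivalent of the mail flow rule steps above.
# Requires the ExchangeOnlineManagement module and an Exchange admin account.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# PLACEHOLDERS (documentation ranges): replace with the addresses from the
# "MX records and IP addresses" set that matches your region.
$GatewayIps = @('192.0.2.10', '198.51.100.0/24')

$RuleName = 'Email Security IP restriction'
$Ndr = 'IP restricted, not using MX record. Please ensure your DNS is ' +
       'up-to-date and try sending this message again.'

# 'Enforce' matches the procedure above. 'Audit' records matches in message
# tracking without rejecting anything, which is useful before the MX cutover.
$Mode = 'Enforce'

$ruleSettings = @{
    FromScope               = 'NotInOrganization'  # step 6: sender is outside the organization
    RejectMessageReasonText = $Ndr                 # steps 7-8: reject with explanation
    ExceptIfSenderIpRanges  = $GatewayIps          # steps 9-12: exception for gateway IPs
    SenderAddressLocation   = 'HeaderOrEnvelope'   # step 13
    StopRuleProcessing      = $true                # step 14
    Mode                    = $Mode
    Priority                = 0                    # step 16: top of the rule list
}

# Update the rule if it already exists so re-running does not create duplicates.
$existing = Get-TransportRule | Where-Object { $_.Name -eq $RuleName }
if ($existing) {
    Set-TransportRule -Identity $RuleName @ruleSettings
} else {
    New-TransportRule -Name $RuleName @ruleSettings
}

# Step 16: confirm the rule is first in the list and check its exception ranges.
Get-TransportRule | Sort-Object Priority |
    Select-Object -First 5 Priority, Name, State, Mode
Get-TransportRule -Identity $RuleName |
    Format-List Name, FromScope, ExceptIfSenderIpRanges, SenderAddressLocation
```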

You should configure Gmail using Google Workspace to block any inbound email that does not originate from the GravityZone Security for Email (EMS) product. However, you will need to do this via a two-step process. This section is split into two parts: prior to the MX record change and post MX record change.

Prior to changing MX records

Before changing MX records, it is recommended that you add the GravityZone Security for Email IP addresses to the inbound gateway so that messages are not all quarantined when the MX records are changed.

Note

You may already have inbound gateway entries listed. If this is the case, you need to append the entries below to the existing list and then remove the existing entries once the MX records have been changed.

Follow the steps below:

  1. Log in to the Google Workspace Admin Console with an administrator account.

  2. Click on the Menu button.

  3. Select Admin > Apps > Google Workspace.

  4. Click on Gmail to take you to Settings for Gmail.

  5. Click on Advanced Settings at the bottom of the page.

  6. Scroll down to Spam, phishing, and malware and configure/edit the Inbound Gateways.

  7. Add a Name to the Inbound setting.

  8. Add the IP addresses for our service and click Save.

    Note

    You can find a list of our IP addresses here:

    The entries should look like this if using the EU servers:

    [Screenshot: inbound gateway IP entries for the EU servers]

    Note

    Ensure you do not check the Reject all mail not from gateway IPs box.

  9. Select the Message is considered spam if the following header regex matches checkbox and select the options below.

    [Screenshot: options to select for the header regex setting]

  10. At the bottom of the Advanced Settings page, click Save to apply the changes.

  11. Ensure that this configuration is replicated to Google Workspace before changing any MX records.

    Note

    It can take up to an hour for changes to propagate to user accounts for Gmail using Google Workspace. You can track changes in the Admin console audit log.

Post MX record change

Once MX records have been changed and replicated to the internet, email should start flowing through the GravityZone Security for Email product. You can verify this via the GravityZone Security for Email Activity reports and charts. You can also check this in the Google Workspace portal by following these steps:

  1. Log in to the Google Workspace Admin Console with an administrator account.

  2. Click on the Menu button.

  3. Select Admin > Apps > Google Workspace.

  4. Click on Gmail to take you to Settings for Gmail.

  5. Click on Setup.

  6. Check that the MX records match the below: