Inbound Shield™
  2. Home
  4. Docs
  6. Inbound Shield™
  8. Inbound Relay integration – Google Workspace
  10. Bypassing Default Google Protections

Bypassing Default Google Protections

After finishing the deployment of Trustifi’s inbound relay in Google, we highly recommend disabling or modifying some of Google’s default protection policies. This is for a couple of reasons:
  1. To make sure that emails will be successfully received by your users after Trustifi sends them back to user mailboxes, and that Google will not block or quarantine these emails.
  2. To consolidate all inbound quarantine in Trustifi – so that you will only need to manage the Trustifi inbound quarantine, instead of both Trustifi and Google.
Important note: If you are in the process of a POC, or if otherwise Trustifi protection is enabled only on specific mailboxes and not the entire organization, we highly recommend making these changes for a specific org unit and not for the entire organization. This is to make sure mailboxes which are not protected by Trustifi will still have Google’s protections. If you have not yet completed the deployment of Trustifi’s inbound relay in Google, you can find a guide for deployment here: https://trustifi.com/docs/inbound-shield/inbound-relay-integration-google-workspace/configuration/
Step 1 – Editing “Comprehensive mail storage” policy
First, navigate to the Google Admin Center via the following link – https://admin.google.com/. Then, go to the “Compliance” page. In the “Compliance” page, find the section titled “Comprehensive mail storage” and click on the pencil icon to edit the policy.
Editing the comprehensive mail storage policy
Step 2 – Disabling “Comprehensive mail storage”
Find the check box titled “Ensure that a copy of all sent and received mail is stored in associated users’ mailboxes” and disable it. Note: disabling this setting will allow Trustifi to quarantine malicious emails. If this setting is left enabled, malicious emails will still arrive into the recipient’s mailbox.
Disabling comprehensive mail storage
Step 3 – Adding the Trustifi IPs in the Email allowlist
Navigate to the Spam, phishing, and malware page and find the “Email allowlist” section. Click on the pencil icon at this section to edit it.
In the allowlist editor, add the following Trustifi IPs:
  • 3.93.243.176
  • 3.93.139.220
  • 3.251.32.127
  • 54.195.145.1
Note: you will need to a comma separator between each IP. Once all of the IPs have been added, don’t forget to save at the bottom right.
Step 4 – Disabling enhanced pre-delivery message scanning
Under the email allowlist, look for the section titled “Enhanced pre-delivery message scanning” and set it to “OFF“. Disabling "Enhanced pre-delivery message scanning"
Step 5 – Editing the inbound gateway
Find “Inbound gateway” section and click to edit it.
Editing the inbound gateway
Step 6 – Adding the Trustifi IPs to the inbound gateway
First, make sure the gateway is enabled, then add the same Trustifi IPs you added in the allowlist.
You will also need to check the boxes for “Automatically detect external IP (recommended)” and “Require TLS for connections from the email gateways listed above“.
Adding the Trustifi IPs to the inbound gateway
Step 7 – Message tagging
Check the box for “Message is considered spam if the following header regexp matches“. Now you will need to add a fake header into the regex field. This is used only to enable the policies below, so make sure to add a header which will not actually be found in a real email. After adding the header regex, select the option “Message is spam if regexp matches” and check the box for “Disable Gmail spam evaluation on mail from this gateway; only use header value Once these settings have been configured, click on “Save“. Message tracing
Step 8 – Creating a spam bypass
Find the “Spam” section and click on the “Configure” link.
Add a description to the spam bypass setting, for example “Trustifi spam bypass“.
Scroll all the way down the window and check the box for “Bypass spam filters and hide warnings for all messages from internal and external senders (not recommended)
Note: Google will display a warning that you will need to confirm.
Step 9 – Disabling Google’s spoofing and authentication protections
Navigate to the “Safety” page by searching for the keyword “safety” in the search bar on top. On this page, make sure all the default protections are disabled under “Spoofing and authentication“:
Disabling Google's spoofing and authentication protections

How can we help?