This document will cover all aspects of whitelisting in Google Workspace to allow our simulated phishing emails through.
This guide is split into 3 sections:
Whitelisting via IP
Setting up an Inbound Gateway
Whitelisting via Content Compliance.
Each section is required to ensure your service is delivered as smoothly as possible.
An up-to-date list of our IPs can be found here.
The estimated time for completion is 15 minutes.
Google Workspace - Whitelisting via IP
This section of the guide will walk you through the generic whitelisting for Google Workspace. Usually, this stage is enough to ensure our emails get through, however, we recommend setting up all the whitelisting stages in this guide to ensure the service runs smoothly.
Steps to whitelist via IP Address:
- First, you need to log in to https://admin.google.com with your admin credentials.
- Then you need to Navigate to Apps > Google Workspace > Gmail.
- Now you will need to scroll down to Spam, Phishing, and Malware.
- Under the Organisational Unit section, highlight your domain. Do not select a sub-organisational unit (OU).
- In the Email Whitelist section, click the pencil icon, and enter our IP addresses, separated by commas. The 3 IP addresses are given below:
- 193.115.202.254
- 193.115.202.246
- 178.17.44.157
- Click Save.
Setting up an Inbound Gateway
This stage of whitelisting is to prevent our emails from being flagged by Google and then applying a banner warning users of a suspicious message.
Steps to set up an Inbound Gateway:
- First, you need to log in to your Admin Portal with your admin credentials.
- Then you need to navigate to Apps > Google Workspace > Gmail > Spam, Phishing, and Malware.
- Under Organisational Unit, select your top-level organisation. This will typically be your Primary Domain.
- Scroll down to the Inbound Gateway section, and click the pencil icon. This should open the Inbound Gateway screen.
- Now you need to click the Enable checkbox.
- After that, you will need to hit the Add button to add the 3 IP addresses:
- 193.115.202.254
- 193.115.202.246
- 178.17.44.157
- Note: you will need to add each IP address separately, i.e., 1 IP at a time, and then click Save each time. (Once added, they can be edited or deleted).
Once both IPs are added, You need to make sure that the last option out of the three checkboxes, is ticked, i.e., Require TLs... needs to be ticked.
Configure the Inbound Gateway using the settings below. ( Refer to the points below the image ).
-
A - The rule needs to be Enabled in order to be in place to be applied for users.
B - Gateway IPs: Add our IPs to this section, an up-to-date list of our IPs can be found here.
C - Ensure the Reject all mail, not from gateway IPs option is unchecked, and ensure that the 'Require TLS for... ' option is checked.
D - Message Tagging: Ensure that the checkbox 'Message is considered... ' is ticked. Now, you need to enter a Regexp for the Spam Header Tag that is unlikely to be found in our emails. We recommend using "/dzndsfsklinjvafdnfiourynfroiwadspoun/".
E- Make sure that the first one out of the 2 circle checkboxes, is selected, i.e., 'Message is... ' needs to be selected. Next, you need to make sure to select the 'Disable Gmail spam... ' option.
- Note: make sure that you click Save, after you've followed through the above configuration steps.
Whitelisting via Content Compliance:
Content Compliance is an alternative method to whitelisting via IP, however, we still suggest setting this up as an additional layer of assurance, that our service will run smoothly. This method does require parts of the previous sections so make sure all previous steps of this guide have been completed.
Steps to set up Content Compliance:
- Log in to your Admin Portal using your admin credentials.
- Navigate to Apps > Google Workspace > Gmail.
- Within Gmail, head to Compliance.
- First of all, you need to add 'Content Compliance for CSA Services' in the Short Description field, as it is a required section to be filled.
- Within Compliance, navigate to the Content Compliance and click on the Configure button.
- Configure your new Content Compliance rule using the configuration below:
- (1.) In the Email Messages to Affect area, select Inbound.
- (1.) In the Email Messages to Affect area, select Inbound.
-
- (2.) Make sure that the option 'If ANY of the following match the message' is chosen from the first drop down menu.
- Then create the following expression under (2.):
-
- Click on Add.
- From the first drop-down menu under Expressions, select Metadata match.
- Set the Attribute to Source IP.
- From the Match type drop-down menu, select Source IP is within the following range.
- In the Source IP is within the following range field, enter one of our IPs.
- Click Save.
-
- (2.) Make sure that the option 'If ANY of the following match the message' is chosen from the first drop down menu.
-
-
-
- Repeat the steps above for each of our IP Addresses. After both IP addresses are added, it should look something like this:
- In the If ANY of the following match the message section (2.) , add another expression with the following settings:
- Select Advanced content match from the first drop-down.
- Set the Location to Full headers.
- Set the Match type to Contains text.
- In the Content field, enter "CSAServices".
- Click Save.
-
-
- (3.) Enable the following checkboxes under If the above expressions match, do the following.
- Under Spam, select Bypass spam filter for this message.
- Under Encryption, select Require secure transport (TLS).
- Leave all the other sections & checkboxes as they are - unticked.
- Completed configuration for (3.) looks something like this:
-
- Note: you need to click on the Save button, at the bottom of the Add Setting page, so that the rule can be added.
- After you've gone through all the steps in this section, and after saving the rule, it should look something similar to this, within the Compliance section under Gmail:
This completes the Google Workspace whitelisting guide. Please note that these settings may take up to an hour to propagate to all users.
Comments
0 comments
Please sign in to leave a comment.