Connect Gmail and Enterprise DLP

1. Contact your email domain provider to update your SPF record to add the required Enterprise DLP service IP addresses.

   Add the IP addresses for the region where your email domain is hosted. You can update your SPF record with multiple regional IP addresses if you have email domains hosted in multiple regions.

   • APAC—35.186.151.226 and 34.87.43.120
   • E.U—34.141.90.172 and 34.107.47.119
   • U.S—34.168.197.200 and 34.83.143.116
2. Log in to the Google Admin Console.
3. Add an SMTP relay service entry to forward outbound emails to Enterprise DLP.

   1. Select AppsGoogle WorkspaceGmailRouting.
   2. For the SMTP relay service, Add Another Rule.
   3. In the Description, enter a descriptive name for the Enterprise DLP SMTP relay service.
   4. For Allowed Senders, verify Only addresses in my domains is selected.
   5. For Authentication, check (enable) Only accept mail from the specified IP addresses.
   6. Add a new SMTP relay service
   7. In the Enter IP address/range field, enter the required IP addresses for the region where your email domain is hosted. You can add multiple sets of IP addresses if needed.

      • APAC—35.186.151.226 and 34.87.43.120
      • E.U—34.141.90.172 and 34.107.47.119
      • U.S—34.168.197.200 and 34.83.143.116
   8. Verify that the SMTP relay service is Enabled.
   9. Save.
   10. Repeat this step to add both the required Enterprise DLP SMTP relay service IP addresses for the region where your email domain is hosted.
   11. For Encryption, check (enable) Require TLS Encryption.
   12. Save.
4. Configure Gmail to allow download of emails for investigative analysis when you review Email DLP incidents.

   • E.U—Create a Domain Wide Delegation
     1. In the Google Admin Console, select SecurityAccess and data controlAPI ControlsManage Domain Wide Delegation and Add New.
     2. Enter the Client ID for the region where your email domain is hosted.
        If you have multiple email domains hosted in different regions associated with one Google Workspace, you need to add a Domain Wide Delegation for each region in the same Google Workspace.
        If you have multiple email domains hosted in different regions but each is associated with a different Google Workspace, you need to add the appropriate Domain Wide Deletion in the appropriate Google Workspace.
        • E.U—102967811737819901800
     3. Add the OAuth scopes
        You must add all the comma-delimited OAuth scopes listed below.
        • https://mail.google.com
        • https://www.googleapis.com/auth/gmail.addons.current.message.action
        • https://www.googleapis.com/auth/gmail.addons.current.message.metadata
        • https://www.googleapis.com/auth/gmail.addons.current.message.readonly
        • https://www.googleapis.com/auth/gmail.modify
        • https://www.googleapis.com/auth/gmail.readonly
        • https://www.googleapis.com/auth/aim
     4. Authorize.
   • APAC and U.S—Download the Email DLP Palo Alto Networks app
     See the Microsoft 365 Defender prerequisites for more information.
     1. Log in to the Google Workspace Marketplace.
     2. Enter Email DLP in the search bar and select the Email DLP app for your region.
        You can only download the Email DLP app for the region from which you are currently accessing the Google Workspace Marketplace.
        • APAC—Email DLP by Palo Alto Networks (APAC)
        • U.S—Email DLP by Palo Alto Networks (US)
        For example, if you are access the Google Workspace Marketplace from California, you can only download the Email DLP by Palo Alto Networks (US) version of the Email DLP app.
     3. Click the Email DLP by Palo Alto Networks app tile.
     4. Click Admin Install.
     5. You are prompted with a confirmation that you are about to install the Email DLP by Palo Alto Networks app. Click Continue.
     6. Select for which users you want to install the Email DLP app.
        • Everyone at your organization—Select this option if you want to be able to download emails for everybody in your organization who generates an Email DLP incident.
        • Certain groups or organizational units—Select this option if you want to be able to download emails for specific user groups and organizational units when they generate an Email DLP incident.
          For example, you have user groups Group1, Group2, and Group3 where your CEO and other executives are part of Group3. You do not want to give your security administrators the ability to download emails sent by the CEO and other executives. In this case, you would select the Certain groups or organizational units option and add Group1 and Group2 but not Group3.
     7. Agree to the app Terms and Conditions.
     8. (Certain groups or organizational units) Select the user groups and organizational you want to install the app for.
     9. Click Finish.
     10. A notification is displayed notifying you the Email DLP by Palo Alto Networks app successfully installed.
     11. Click Done.
     12. Enter Email DLP in the search bar and select the Email DLP app for your region. Verify that the app tile displays Installed.
5. Set Up a Proofpoint Server for Email Encryption.

   This is required to encrypt emails inspected by Enterprise DLP that match your encryption Email DLP policy rule.
6. Create the Gmail transport rules, and create the Email DLP Policy.

   Palo Alto Networks recommends setting Email DLP Host, transport rules, and Email DLP policies to ensure enforcements begins as soon as you successfully connect Gmail to Enterprise DLP.

   • Set Up the Email DLP Host
     Setting up a routing to the Email DLP Host allows Gmail to forward emails to Enterprise DLP and for inspection and verdict rendering to prevent exfiltration of sensitive data.
   • Create Gmail Transport Rules
     Transport rules instructs Gmail to forward emails to Enterprise DLP and establish the actions Gmail takes based on verdicts rendered by Enterprise DLP.
     A transport rule is not required for emails that match your Email DLP policy where the action is set to Monitor. In this case, the x-panw-action - monitor email header is added, a DLP incident is created, and the email continues to its intended recipient.
   • Add a Enterprise DLP Email Policy
     The DLP email policy specifies the incident severity and the action Enterprise DLP takes when matching traffic is inspected and sensitive data is detected.
7. Log in to Strata Cloud Manager.
8. Select ManageConfigurationSaaS SecuritySettingsApps Onboarding.
9. Add the Gmail application to SaaS Security.

   1. Search for Exchange and click Gmail.

   2. Add the Gmail app to SaaS Security.
10. In the Email DLP Instance, click Add Instance.
11. In the Setup Connectors and Rules page, add the email domains and relay hosts.

    Adding one or more email domain and the Gmail Relay Host is required to ensure emails inspected by Enterprise DLP are successfully forwarded to the Gmail Relay Host.

    1. Enter an Email Domain.

       The Gmail Relay Host is always smtp-relay.gmail.com. The Port is always 587. This fields are automatically populated by default.
    2. (Optional) Add any additional email domains as needed.
    3. Connect.
12. Gmail is now successfully connected and onboarded.

13. Configure the Email DLP settings.

    • Snippet Settings for SaaS Security (Email DLP Only)
    • Policy Evaluation Timeout Settings for SaaS Security (Email DLP Only)
    • Evidence Storage