
Configuring Gmail for Zscaler Outbound Email DLP

Zscaler Outbound Email Data Loss Prevention (DLP) allows you to establish a connection between your Gmail server and Zscaler's cutting-edge Data Loss Prevention (DLP) tools to prevent the exfiltration of sensitive data in outbound emails sent to external domains. To do so, you must configure routing to allow bidirectional communication between your Gmail server and the Zscaler smart host, and you must configure compliance rules to determine how mail flows from your Gmail server to the Zscaler service, and vice versa.

This article explains how to configure your Gmail server to use a Zscaler smart host for a basic use case. To learn more about configuring your Gmail server for other use cases, refer to the Google technical documentation. To learn about configuring your Microsoft Exchange server for Outbound Email DLP, see Configuring Microsoft Exchange for Zscaler Outbound Email DLP.

Configuration changes in the Google Admin console can sometimes take up to 24 hours to propagate across Google Services before reaching your users. To learn more, refer to the Google technical documentation.

To configure your Gmail server to use a Zscaler smart host:

  • To retrieve the IP addresses that the Zscaler smart host uses to communicate with your Gmail server:

    1. Go to config.zscaler.com.

      The Zscaler Config page appears.

    2. Select your organization's Zscaler cloud from the Cloud drop-down menu at the top left of the page.
    3. In the left-side navigation, go to Email DLP. The Email DLP page lists all of the outbound connections that need to be configured for the Zscaler smart host to communicate with your Gmail server.
    4. Make note of all the IPs that are listed on this page because you need to add them when you configure your Gmail server to communicate with the Zscaler smart host.

  • To add the Zscaler smart host as a mail route (host) in Gmail:

    1. Sign in to the Google Admin console.
    2. In the left-side navigation, go to Apps > Google Workspace > Gmail.

      The Gmail overview page appears.
    3. Click Hosts.
      The Hosts page appears.
    4. On the Hosts page, click Add Route.

      The Add mail route window appears.
    5. In the Add mail route window:
      1. Specify a name for the host, then specify the FQDN for your Zscaler smart host.

        You can find the smart host FQDN on the Edit Email Tenant page in the Admin Portal.

      2. Select Require mail to be transmitted via a secure (TLS) connection (Recommended).
    6. Click Save.

  • To allow the Gmail SMTP relay service to accept mail returned from the Zscaler smart host IP addresses:

    1. Sign in to the Google Admin console.
    2. In the left-side navigation, go to Apps > Google Workspace > Gmail.

      The Gmail overview page appears.
    3. Click Routing.
      The Routing page appears.
    4. On the Routing page, in the SMTP relay service section, click Add another rule.

      If you have not previously configured rules, you must click Configure to add a rule.

      The Add setting window appears.

    5. In the Add setting window:
      1. Specify a description for the rule.
      2. In the Allowed senders section, select Only addresses in my domains from the drop-down menu.
      3. In the Authentication section, select Only accept mail from the specified IP addresses.
      4. Click Add, enter an optional description and the IP range that you retrieved earlier for the Zscaler smart host, select Enable, then click Save.
      5. Repeat the previous step as needed.
    6. In the Add setting window, click Save.
  • Rules in Gmail are used to perform various actions based on the criteria you specify (e.g., adding custom headers or rejecting the emails that contain sensitive information). In this step, you add a header with information from your configured Zscaler smart host so that the Zscaler service can properly receive and process email content from your Gmail server.

    To configure a compliance rule to add headers for the Zscaler smart host:

    1. Sign in to the Google Admin console.
    2. In the left-side navigation, go to Apps > Google Workspace > Gmail.

      The Gmail overview page appears.
    3. Click Compliance.
      The Compliance page appears.
    4. On the Compliance page, in the Content compliance section, click Add another rule.
      The Add setting window appears.
    5. In the Add setting window:
      1. Specify a description for the compliance rule.
      2. In the Email message to affect section, select Outbound.
      3. In the Add expressions that describe the content that you want to search for in each message section:

        1. Select If ALL of the following match the message from the drop-down menu.
        2. Click Add.
          The Add setting window appears.
        3. In the Add setting window:

          1. Select Metadata match from the drop-down menu.
          2. In the Attribute section, select Source IP from the drop-down menu.
          3. In the Match type section, select Source IP is not within the range from the drop-down menu, then add the IP range that you retrieved earlier for the Zscaler smart host.
          4. Click Save.

          You return to the first Add setting window.

        4. In the Add setting window, in the If the above expressions match, do the following section, select Modify message in the drop-down menu.
        5. In the Headers section, select Add custom headers then click Add.

          The Add setting window appears.
        6. In the Add setting window:

          1. Enter Zscaler-Tenantid in the Header key field, then paste the Key for Transport Rules value from the Admin Portal in the Header value field. You copied the Key for Transport Rules value when you configured the email tenant in the Admin Portal. You can also find the value on the Edit Email Tenant page in the Admin Portal.
          2. Click Save.

          You return to the first Add setting window.

        7. In the Add setting window, in the Route section, select Change route then select the host you created earlier from the drop-down menu.
        8. Click Show options, then, in the Account types to affect section, select all options (i.e., Users, Groups, and Unrecognized/catch-all).
        9. Click Save.

  • To properly route email that was processed by the Zscaler smart host but not blocked by policy rules, you must configure a compliance rule so that your Gmail server can deliver those messages.

    To configure compliance rules to deliver email received from the Zscaler smart host:

    1. Sign in to the Google Admin console.
    2. In the left-side navigation, go to Apps > Google Workspace > Gmail.

      The Gmail overview page appears.
    3. Click Compliance.
      The Compliance page appears.
    4. On the Compliance page, in the Content compliance section, click Add another rule.
      The Add setting window appears.
    5. In the Add setting window:
      1. Specify a description for the compliance rule.
      2. In the Email message to affect section, select Outbound.
      3. In the Add expressions that describe the content that you want to search for in each message section:

        1. Select If ALL of the following match the message from the drop-down menu.
        2. Click Add.
          The Add setting window appears.
        3. In the Add setting window:

          1. Select Metadata match from the drop-down menu.
          2. In the Attribute section, select Source IP from the drop-down menu.
          3. In the Match type section, select Source IP is within the range from the drop-down menu, then add the IP range that you retrieved earlier for the Zscaler smart host.
          4. Click Save.

          You return to the first Add setting window.

        4. In the Add setting window, click Add again.
          The Add setting window appears.
        5. In the Add setting window:

          1. Select Advanced content match from the drop-down menu.
          2. In the Location section, select Full headers from the drop-down menu.
          3. In the Match type section, select Contains text from the drop-down menu, then enter X-Zscaler-Block: 0 in the Content field.
          4. Click Save.

          You return to the first Add setting window.

        6. In the Add setting window, in the If the above expressions match, do the following section, select Modify message from the drop-down menu.
        7. In the Headers section, select Add X-Gm-Original-To header.
        8. Scroll down and click Show options, then, in the Account types to affect section, select all options (i.e., Users, Groups, and Unrecognized/catch-all).
        9. Click Save.

  • As a final setup step, you must configure a compliance rule so that your Gmail server rejects email that was processed by the Zscaler smart host and was blocked by policy rules. With this rule in place, all emails returned with a X-Zscaler-Block header value of 1 are rejected and are not delivered to the recipient. Instead, the sender receives a rejection message.

    To configure compliance rules to reject blocked email received from the Zscaler smart host:

    1. Sign in to the Google Admin console.
    2. In the left-side navigation, go to Apps > Google Workspace > Gmail.

      The Gmail overview page appears.
    3. Click Compliance.
      The Compliance page appears.
    4. On the Compliance page, in the Content compliance section, click Add another rule.
      The Add setting window appears.
    5. In the Add setting window:

      1. Specify a description for the compliance rule.
      2. In the Email message to affect section, select Outbound.
      3. In the Add expressions that describe the content that you want to search for in each message section:
        1. Select If ALL of the following match the message from the drop-down menu.
        2. Click Add.
          The Add setting window appears.
        3. In the Add setting window:

          1. Select Metadata match from the drop-down menu.
          2. In the Attribute section, select Source IP from the drop-down menu.
          3. In the Match type section, select Source IP is within the range from the drop-down menu, then add the IP range that you retrieved earlier for the Zscaler smart host.
          4. Click Save.

          You return to the first Add setting window.

      4. In the Add setting window, click Add again.
        The Add setting window appears.
      5. In the Add setting window:

        1. Select Advanced content match from the drop-down menu.
        2. In the Location section, select Full headers from the drop-down menu.
        3. In the Match type section, select Contains text from the drop-down menu, then enter X-Zscaler-Block: 1 in the Content field.
        4. Click Save.

        You return to the first Add setting window.

      6. In the Add setting window, in the If the above expressions match, do the following section, select Reject the message from the drop-down menu.
      7. In the Customize the rejection notice field, enter a message to notify senders that their email contained sensitive information (for example, Sensitive or confidential information found.).
      8. Click Show options, then, in the Account types to affect section, select all options (i.e., Users, Groups, and Unrecognized/catch-all).
      9. Click Save.


With these settings configured, and with a Zscaler outbound email policy rule configured to detect and block sensitive information, users who try to send an email containing sensitive or confidential information to an external domain receive a message from the Gmail server that their message was blocked.
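The three compliance rules form one decision flow: mail that did not come from the smart host is tagged and routed out to Zscaler, mail coming back with X-Zscaler-Block: 0 is delivered, and mail coming back with X-Zscaler-Block: 1 is rejected. The Python model below is added here as an illustration and is not code from Zscaler or Google; it evaluates constructed sample messages against that flow, and the IP range, tenant key and addresses are placeholders.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed placeholder range standing in for the smart-host IPs listed on
# the Email DLP page at config.zscaler.com (not a real Zscaler address).
SMARTHOST_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
# Placeholder for the "Key for Transport Rules" value from the Admin Portal.
TENANT_KEY = "PLACEHOLDER-KEY-FOR-TRANSPORT-RULES"
REJECT_NOTICE = "Sensitive or confidential information found."


@dataclass
class Message:
    source_ip: str                          # IP of the connecting SMTP client
    headers: dict = field(default_factory=dict)

    def full_headers(self) -> str:
        # "Full headers" as the Advanced content match sees them: one "Key: value" line each.
        return "\n".join(f"{k}: {v}" for k, v in self.headers.items())


def from_smarthost(msg: Message) -> bool:
    # Metadata match on Source IP against the smart-host range.
    ip = ipaddress.ip_address(msg.source_ip)
    return any(ip in net for net in SMARTHOST_RANGES)


def evaluate(msg: Message) -> str:
    """Apply the three outbound content-compliance rules and return the action."""
    # Rule 1 (Source IP is NOT within the range): add Zscaler-Tenantid and change
    # the route to the smart host. A message coming back from the smart host never
    # matches this rule, so it is not sent out to Zscaler a second time.
    if not from_smarthost(msg):
        msg.headers["Zscaler-Tenantid"] = TENANT_KEY
        return "route-to-smarthost"
    # Rule 2 (in range AND full headers contain "X-Zscaler-Block: 0"): deliver.
    if "X-Zscaler-Block: 0" in msg.full_headers():
        msg.headers["X-Gm-Original-To"] = msg.headers.get("To", "")
        return "deliver"
    # Rule 3 (in range AND full headers contain "X-Zscaler-Block: 1"): reject.
    if "X-Zscaler-Block: 1" in msg.full_headers():
        return f"reject: {REJECT_NOTICE}"
    # Neither verdict header present: no rule matches, so Gmail delivers as usual.
    return "deliver-unmatched"


if __name__ == "__main__":
    outbound = Message("198.51.100.7", {"From": "user@example.com", "To": "partner@example.net"})
    print(evaluate(outbound), outbound.headers)
    for verdict in ("0", "1"):
        print(evaluate(Message("203.0.113.5", {"To": "partner@example.net", "X-Zscaler-Block": verdict})))
```

The last branch is worth checking in your own deployment: a message from the smart-host range that carries neither verdict header matches none of the three rules and falls through to normal delivery.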
