Setting up Paubox Encrypted Email for G Suite (Google Apps) contains three parts: Changing DNS records, setting up Inbound security, and setting up Outbound encryption. This guide is for G Suite customers that have multiple sub organizations in their G Suite account and will only be setting up Paubox for one or a few sub organizations. If you will be setting up Paubox on all of your G Suite sub organizations or if you only have a single organization in your G Suite account, please follow our guide here.
Part I: Changing DNS Records for G Suite (Google Apps)
G Suite (Google Apps) asks that you setup your MX records so that they look similar to these:
MX 1 aspmx.l.google.com.
MX 5 alt2.aspmx.l.google.com.
MX 5 alt1.aspmx.l.google.com.
MX 10 alt4.aspmx.l.google.com.
MX 10 alt3.aspmx.l.google.com.
To get Paubox Inbound Security going, you’ll need to make two changes to your domain’s DNS records. First, change your MX record so that it has just one MX record. To change the MX record, figure out who your domain name host is and then update your domain host records.
The only MX record you want to have for your domain name is: mx2.paubox.com
Second, change your TXT record so that it’s set to:
v=spf1 include:_spf.paubox.com include:_spf.google.com -all
These changes should be made on each domain that will be using Paubox inbound security. Before making these changes however, make sure we have verified that you are correctly setup on our end first. Click here to get started.
Part II: Setting up Inbound Security on G Suite (Google Apps)
You will need to use the Google Admin Console to configure your inbound and outbound email to go through Paubox. Here’s how you do it:
- Go to the Google Admin Console.
- Click the Apps icon.
- Click on the G Suite box.
- Click on the Gmail icon.
- On the following screen, scroll down to the bottom of the screen and click on Advanced settings >>.
- Type Inbound gateway in the Search settings bar.
- Hover over Inbound gateway and click the Configure button on the right.
- Click the Add button and enter this subnet range: 220.127.116.11/16
- Click Save
- Check the box for Require TLS for connections from the email gateways listed above.
- Click ADD SETTING.
- Click the blue SAVE button on the bottom right side of your screen.
Part III: Setting up Outbound Encryption on G Suite (Google Apps)
- Click on the Hosts tab at the top of the screen.
- Click on Add Route on the right side of the screen.
- Type Paubox in the name section.
- Select Single host for the email server drop down option and enter outbound.paubox.com in the Enter host name or IP section. Enter 587 to the right of the colon.
- Check the box for Require secure transport (TLS).
- Click the SAVE button.
- Click on the General Settings tab at the top of the screen.
- Type Routing in the Search settings bar.
- Hover over the Routing section and click on the Configure button at the right of the screen.
- Enter Paubox for the description.
- In Messages to affect, select Outbound and Internal - sending
- In Envelope filter, check the box for Only affect specific envelope senders.
- Select Pattern match from the drop down menu.
- Enter [^@]+@yourdomain\.com under Regexp, replaced with your domain name. See below for examples.
- example.net: [^@]+@example\.net
- yourdomain.com: [^@]+@yourdomain\.com
- In For the above types of messages, do the following, select Modify message from the drop down menu.
- Check the box for Change route and select Paubox from the drop down menu.
- Click the SAVE button.
- Click the SAVE button again at the bottom right corner of the screen.