This article describes how to configure Dual Delivery directly from within the Google Apps Gmail administrative user interface. To access the Administrative Interface, log into the Google Apps admin control panel at with appropriate Administrator credentials.
It is recommended you use the Google Chrome browser to configure Google Apps. Agari has encountered UI bugs that prevent other browsers (specifically Safari) from completing the dual delivery configuration.
The general procedure is as follows:
Step 1: Create a New Route: define a host or host combination as an additional “Route” for the Agari Sensors to which you want to send copies of email.
Step 2: Add a Default routing rule to copy the messages to the Sensors via the new route.
Step 3: Whitelist Agari’s alerts server to ensure that you and your users receive alerts.
Step 1: Create a New Route
- In the Google Apps admin control panel, go to Apps > G Suite > Gmail > Advanced settings.
- Click the Hosts tab.
- Click ADD ROUTE.
- Enter the details for the Mail Route:
- Enter a useful, recognizable name, for example, Agari Sensor.
- Enter one or more values for email servers, which are Hostnames (recommended) or IP addresses and Port Numbers that correspond to the network location of the Sensors.
- If Agari is hosting your Sensors, select Single host and enter the Hostname (your sales or support representative will provide you with the information to enter here, which will be in the form of "symbolicname.hosted.agari.com" where symbolicname is the symbolic name used for your organization) and Port Number (25) for your Sensors. (Technically, the hostname is for a load balancer "in front" of all of the Sensors you use.)
- If you are hosting your Sensors, then select Single host if you are using one Sensor and Multiple hosts if you are using more than one sensor. For the latter, click Add and enter the IP address, Port Number, and Load Percentage for each sensor you use. You can define hosts as primary and secondary (the latter for fallback purposes), but the total percentage for each category must total 100%. For example, you could have three sensors you define as primary hosts with load percentages of 34, 33, and 33, and two sensors you define as secondary hosts with load percentages of 50 each.
- TLS certificates are already configured on your Sensors, so you can enable Require secure transport (TLS) and optionally also Require CA-signed certificate (if appropriate; work with your sales or support representative to determine the proper settings).
- Click SAVE.
Step 2: Add a “Default routing” Rule to Copy Messages to the Sensor
To send a copy of messages to the Sensor, create a routing rule under Default routing. This new routing rule references the route you created in the section above.
- In the Google Apps admin control panel, go to Apps > G Suite > Gmail > Advanced settings.
- Click the Default routing tab.
- Click ADD SETTING.
- Enter the details for the route settings:
- For Specify envelope recipients to match, select All recipients.
- Select the Add more recipients checkbox.
- Click ADD.
- Switch from Basic to Advanced view.
- Select the Change route checkbox, and select the sensor mail route you created in Step 1: Create a New Route.
- In the Spam and delivery options section, select the Do not deliver spam to this recipient and Suppress bounces from this recipient checkboxes.
- In the Headers section, select the Add X-Gm-Original-To header and Add X-Gm-Spam and X-Gm-Phishy headers checkboxes.
- Click SAVE.
- In the Options section, select Perform this action on non-recognized and recognized addresses.
- Click SAVE.
Mail will begin to be delivered to the sensors.
You may have other Default routing options configured. If so, carefully consider where to place this new setting among the other routes. Agari recommends adding this route as the first setting (Order = “1”) to ensure that all deliverable mail is also delivered to the sensors. However, you may need to take into account routing policies that are unique to your organization.
Step 3: Whitelist Agari’s Notifications Server
When Agari deems an email suspicious, Phishing Defense can optionally send an email alert to administrators and/or the original recipient of the suspicious message.
Besides identifying the threatening message, the alert email can contain additional information about the type or severity of the threat. In case of operational problems, the Agari notification server may also send out alerts regarding your sensor and the overall health of the Phishing Defense service. Given the importance and utility of these alerts, Agari recommends that you whitelist the Agari notifications server to ensure that your system does not block or quarantine these messages.
For example, the messages that the Agari notifications server sends may sometimes contain portions of the content of the original messages. Because the original messages may contain spam or otherwise be perceived as suspicious by email filtering software, it is possible that the Agari alerts may themselves accidentally be perceived as threats.
For this reason, it is important to whitelist the Agari notification server to prevent the triggering of false positives in the filtering software. If there are intermediate filtering steps (for example, other intermediate MTAs, or other anti-phishing solutions which filter email) they should also be configured to whitelist the Agari notifications server. Agari’s Sales Engineering and Customer Success teams can assist with configuring the whitelist, if necessary.
Gmail provides two basic methods for whitelisting an upstream MTA:
- Email whitelist (preferred)
- Inbound gateway
Whitelist an Upstream MTA via Email Whitelist
In the Email whitelist method, there is a small risk that a specified IP address may still be blocked or delayed based on the spam and reputation scanning that Gmail uses. The Agari alerts server has a good reputation and sends a relatively small volume of mail, so the risk of alerts being blocked or throttled is very small. If you are concerned about any Agari alerts being blocked or throttled, you can whitelist the Agari alerts server using the Inbound gateway method below.
- In the Google Apps admin control panel, go to Apps > G Suite > Gmail > Advanced settings.
- Click the General Settings tab. Scroll down the list of options to the Spam, phishing, and malware section.
- In the Email whitelist setting, enter 198.2.132.180 in the Enter the IP addresses for your email whitelist field.
- Click SAVE.
The IP address of the Agari alerts server is 198.2.132.180. Agari also maintains a DNS entry for this address at the domain “outbound.agari.com”. In general, it is recommended to use the explicit IP address for this whitelisting rule.
Whitelist an Upstream MTA via Inbound gateway
Perform these steps only if you cannot whitelist the Agari alerts server using the method described above.
The preferred method for whitelisting the Agari alerts server is the Email Whitelist method, but if using it is not practical for you, you can use the Inbound Gateway method. This method ensures that absolutely any message sent from the Agari alerts server will be delivered; however, the steps are slightly more complicated.
Even if you have no inbound gateway configured already, you can use this method. If you do already have at least one inbound gateway configured, then consider the fact that using this method will disable spam checking for all of your other inbound gateways. If those gateways do their own spam checking, that may be acceptable, but if they do not, you should consider the Email whitelist method.
- In the Google Apps admin control panel, go to Apps > G Suite > Gmail > Advanced settings.
- In the Spam, phishing, and malware section, for the Inbound gateway setting, click Configure (if you do not already have an inbound gateway) or Edit (for your existing inbound gateway).
- Enter a Text description of the gateway settings, for example: “Whitelist the Agari Alerts server.”
- Click ADD in the IP addresses/ranges box.
- Enter the IP address 198.2.132.180.
- Click SAVE.
Note: Do not select the Automatically detect external IP (recommended) option, which relates to the “last-hop” IP address of messages. Because the Agari notifications server does not relay external messages, this option is not needed. Do not select the Reject all mail not from gateway IPs option unless you are certain that you have the correct configuration; otherwise, you may interrupt your mail service.
- Select the Require TLS for connections from the email gateways listed above checkbox unless you have other gateways that require this option to be off.
- Select the Message is considered spam if the following header regexp matches checkbox.
In this section, you will create a regular expression (“regexp”) that never matches any message. This may seem counterintuitive, but it ensures that Gmail will not block any incoming messages from the IP address 198.2.132.180. (Using the alternative Email whitelist method does not guarantee that the IP address will be truly whitelisted, just that the messages passed via that IP won’t be screened for spam.)
- In the Regexp field, enter the following text exactly: x^ (that is, a lower-case x and a caret).
This is an expression intentionally crafted to not match any message. (It means: “match the character x when it occurs before the beginning of the string”, which is impossible.)
- Leave the Message is spam if regexp matches checkbox selected.
- Select the Disable Gmail spam evaluation on mail from this gateway; only use the header value checkbox.
Again, these options apply to all configured Inbound Gateway IPs, so they may or may not be appropriate for your organization. Consider the implications before using this method.
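An added check, not part of the original article, of the claim that x^ can never match, run next to near-miss typos that can. It uses Python's re module as a stand-in for Gmail's regexp engine (an assumption), and the header lines are constructed samples.

```python
import itertools
import re

# Constructed sample header lines, not taken from real traffic.
SAMPLE_HEADERS = [
    "X-Gm-Spam: 0",
    "X-Gm-Phishy: 0",
    "Subject: x^ marks the spot",
    "x",
    "line one\nx\nline two",
]
ALPHABET = "x^a\n"  # enough to exercise the literal, the caret, and line breaks


def first_match(pattern, max_len=5):
    """Return the first text the pattern matches anywhere, or None.

    Tries the samples, then every string over ALPHABET up to max_len,
    with and without multi-line anchors.
    """
    for flags in (0, re.MULTILINE):
        rx = re.compile(pattern, flags)
        short = (
            "".join(chars)
            for n in range(max_len + 1)
            for chars in itertools.product(ALPHABET, repeat=n)
        )
        for text in itertools.chain(SAMPLE_HEADERS, short):
            if rx.search(text):
                return text
    return None


def audit(patterns):
    """Map each candidate regexp to the first text it matches (None = never)."""
    return {p: first_match(p) for p in patterns}


if __name__ == "__main__":
    # "x^" is the value from the article; the others are plausible typos.
    for pattern, hit in audit(["x^", "^x", r"x\^", "x"]).items():
        verdict = "never matches" if hit is None else f"matches {hit!r}"
        print(f"{pattern!r:8} {verdict}")
```

Only x^ comes back as never matching. With Message is spam if regexp matches selected, any of the typo variants would classify gateway mail whose headers match as spam, so enter the value exactly as given.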
Once configured, the window will look like the following:

- Click ADD SETTING.
The Inbound gateway will be listed in your overall settings, looking similar to the following:

Wrapping Up
When the above steps are completed, the Agari sensors will start receiving copies of the email messages sent to your organization. There may be a small delay of a few minutes before Google’s systems commit the changes and they take full effect. You can confirm the traffic flow by logging into Phishing Defense at https://ep.agari.com and navigating to Manage > Sensors to see the status of your installed sensors.