Configuring Google Workspace for MailShield

To allow MailShield to protect your organisation, you need to route your incoming emails through our security filters and configure Google Workspace to send your outgoing emails through our secure gateway.

Do not worry if this sounds highly technical. It is essentially like filing a change-of-address form with the post office, and the process only takes a few minutes.

Setting up inbound protection (MX Records)

Mail Exchange (MX) records dictate where your incoming mail is delivered. We need to point them to MailShield so we can intercept threats before they reach your Gmail inboxes.

If Google Domains/Workspace manages your DNS:

1. Log into the Google Workspace Admin Console.
2. Navigate to Account > Domains > Manage domains.
3. Click View Details next to your domain, then click Manage DNS.
4. Delete existing records: Locate the existing Google Workspace MX records (e.g., ASPMX.L.GOOGLE.COM) and delete them. If you leave your old records active, spammers will bypass our filters.
5. Add the new record: Create a new MX record.
6. In the Host field, type @ (or leave it blank, depending on the interface).
7. In the Value or Data field, paste the incoming server address provided in your MailShield dashboard (typically seg-in.cadmuscyber.com).
8. For Priority, type 10. Click Save.
9. Return to the Fix MX Records page in your MailShield dashboard and click Run DNS Verification.

(Note: If your DNS is managed externally at a registrar like GoDaddy or Cloudflare, update your MX records there instead).

Securing outbound emails

To protect your outgoing emails and ensure high deliverability, you must configure Google Workspace to route outbound mail through MailShield.

Generate your Smart Host credentials

1. In the MailShield portal, navigate to the Outbound Setup page and click Generate Outbound Profile.
2. The system will provide you with a Smart Host address, a username, and a secure SMTP password. Copy this password immediately.

Configure the Google Workspace Outbound Gateway Because Google Workspace routes mail dynamically, you must add MailShield as a secure Host, then create a routing rule to use it.

1. In the Google Workspace Admin Console, go to Apps > Google Workspace > Gmail > Hosts.
2. Click Add Route. Name it "MailShield Outbound".
3. Select Single host and enter your MailShield Smart Host address (e.g., seg-out.cadmuscyber.com). Set the port to 587.
4. Check Require secure transport (TLS) and save.
5. Next, navigate to Apps > Google Workspace > Gmail > Routing.
6. Scroll to the Routing section and click Configure or Add Another Rule.
7. Under "Messages to affect", select Outbound.
8. Under "Route", check Change route and select the "MailShield Outbound" host you just created. Save the rule. (Note: If your specific Workspace environment restricts SASL (username/password) authentication for third-party hosts, please contact MailShield Support to authorize your Google Workspace IP range instead).

Updating your SPF and DKIM records Finally, you must authorise MailShield to send on your behalf.

1. In your DNS settings, edit your existing SPF (v=spf1) record to include MailShield. It should look similar to this: v=spf1 include:_spf.google.com include:_spf.cadmuscyber.com ~all.
2. Add a new TXT record. Set the Name to cadmus._domainkey.
3. Paste the long cryptographic DKIM key from your MailShield dashboard into the Value field and save.

Waiting for the changes

Once you have saved these records, return to the MailShield Outbound Setup page and click Verify DNS.

The internet acts like a giant, slow-updating address book. It can take anywhere from a few minutes to a few hours for these DNS changes to spread globally. Your MailShield dashboard will automatically confirm once everything is perfectly aligned.