Enforce 'IP lock' in G Suite

You can specify an IP address or range of addresses within a domain, and only allow messages from those addresses. This feature is sometimes referred to as IP lock.

IP lock is a method that lets you whitelist all incoming mail from a particular domain while at the same time preventing spoofing of that domain, because you manually define the IP ranges that are allowed to send on its behalf. IP lock is particularly useful with domains that do not have a Sender Policy Framework (SPF) record, or that use third-party applications to legitimately send mail from their address (which otherwise looks like spoofing), or both.

You set up an IP lock using the Content compliance setting. Setting up IP lock involves three separate procedures: adding the domain, defining the allowed IP range, and setting the correct disposition and Non-Deliverable Response (NDR).

Step 1: Add the domain

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Apps > G Suite > Gmail > Advanced settings.

    Tip: To see Advanced settings, scroll to the bottom of the Gmail page.

  3. Open the Content compliance setting.

  4. Under Email messages to affect, select Inbound.

  5. From the menu, select If ALL of the following match the message.

  6. In the Expressions section, click Add.

  7. From the menu, click Advanced content match.

  8. From the Location menu, click Sender header.

  9. From the Match type menu, click Matches regex.

  10. Enter the domain name that IP lock should apply to, using the format @domain\.com(\W|$), for example @google\.com(\W|$).

  11. Click Save.

  12. Leave the Content compliance setting open so that you can add another expression, below.

Step 2: Define the allowed IP range

  1. In the Expressions section, click Add.

  2. From the menu, click Metadata match.

  3. From the Attribute menu, click Source IP.

  4. From the Match type menu, click is not within the following range.

  5. In the field under the menu, enter the IP addresses to match.

    Note: The field only accepts CIDR format ranges and individual IP addresses. Also, you can only enter one range per expression, such as 64.18.0.0/20, shown in the image below. To add more ranges, click Add to add another expression, and repeat.

  6. Click Save.

  7. Leave the Content compliance setting open so that you can continue with Step 3 below.

In the following example, multiple IPs were included by adding more Expressions and repeating the steps above.

Step 3: Set the correct disposition and NDR

To exclusively allow traffic from the IPs defined in Step 2, set the disposition to Reject message and optionally add a custom rejection notice.
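The three steps above combine into a single Content compliance rule whose expressions must ALL match for the message to be rejected. The following Python script is an added example (not part of the original article and not Google's code) that models that rule logic offline: the sender-header regex from Step 1, one "Source IP is not within the following range" expression per allowed range from Step 2, and the Reject disposition from Step 3. The locked domain example.com and the range 203.0.113.5/32 are constructed for illustration; 64.18.0.0/20 and the source address 184.72.226.23 are the values that appear on this page.

```python
import ipaddress
import re

# Step 1: Sender header "Matches regex", in the article's @domain\.com(\W|$) form.
# "example.com" is a hypothetical locked domain used only for this example.
SENDER_PATTERN = re.compile(r"@example\.com(\W|$)")

# Step 2: allowed source ranges. Each one is entered as a separate
# "Source IP is not within the following range" expression in the console.
# 64.18.0.0/20 is from the article; 203.0.113.5/32 is a constructed sample value.
ALLOWED_RANGES = [
    ipaddress.ip_network("64.18.0.0/20"),
    ipaddress.ip_network("203.0.113.5/32"),
]

# Step 3: the rejection text seen in the SMTP transcript on this page.
REJECT_RESPONSE = "550 5.7.1 Sender Authorization failed"


def sender_matches(sender_header: str) -> bool:
    """Advanced content match: does the Sender header claim the locked domain?"""
    return SENDER_PATTERN.search(sender_header) is not None


def ip_not_within(source_ip: str, network: ipaddress.IPv4Network) -> bool:
    """Metadata match: Source IP 'is not within the following range'."""
    return ipaddress.ip_address(source_ip) not in network


def ip_lock_rejects(sender_header: str, source_ip: str) -> bool:
    """Evaluate the rule under 'If ALL of the following match the message'.

    Because every 'is not within' expression must match, the message is rejected
    only when the sender claims the locked domain AND the source IP lies outside
    EVERY allowed range. A source inside any single range fails its expression,
    so the rule does not fire and the mail is accepted.
    """
    expressions = [sender_matches(sender_header)] + [
        ip_not_within(source_ip, net) for net in ALLOWED_RANGES
    ]
    return all(expressions)


def disposition(sender_header: str, source_ip: str) -> str:
    """Return the SMTP-level outcome the rule produces for a message."""
    if ip_lock_rejects(sender_header, source_ip):
        return REJECT_RESPONSE
    return "250 2.1.0 OK"


if __name__ == "__main__":
    # Constructed sample messages: (Sender header, connecting IP).
    samples = [
        ("frank@example.com", "184.72.226.23"),        # locked domain, unknown IP
        ("frank@example.com", "64.18.3.7"),            # locked domain, allowed range
        ('"Frank" <frank@example.com>', "203.0.113.5"),  # display-name form, allowed IP
        ("frank@other.org", "184.72.226.23"),          # different domain, rule not applicable
        ("frank@example.company", "184.72.226.23"),    # longer domain, regex does not match
    ]
    for sender, ip in samples:
        print(f"{sender!r:36} from {ip:15} -> {disposition(sender, ip)}")
```

Running the script shows why each allowed range must be its own "is not within" expression under the ALL condition: the rule only fires for a message that claims the locked domain and arrives from an address outside all of the listed ranges. The `(\W|$)` tail ensures that `@example.com>` (a sender with a display name) still matches while `@example.company` does not.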

Using a tool such as Wormly, you can quickly spoof the address and simulate the outcome without having to wait for the client to test it.

Example of the SMTP transcript output produced when a spoofed message is rejected by IP lock:
Result:
Resolving hostname...
Connecting...
SMTP -> FROM SERVER:
220 mx.google.com ESMTP s65si3000818qge.100 - gsmtp
SMTP -> FROM SERVER:
250-mx.google.com at your service, [184.72.226.23]
250-SIZE 35882577
250-8BITMIME
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-PIPELINING
250 CHUNKING
MAIL FROM: frank@supportdomain068.info
SMTP -> FROM SERVER:
250 2.1.0 OK s65si3000818qge.100 - gsmtp
RCPT TO: frank@supportdomain068.info
SMTP -> FROM SERVER:
250 2.1.5 OK s65si3000818qge.100 - gsmtp
Sending Mail Message Body...
SMTP -> FROM SERVER:
354 Go ahead s65si3000818qge.100 - gsmtp
SMTP -> FROM SERVER:
550 5.7.1 Sender Authorization failed s65si3000818qge.100 - gsmtp
SMTP -> ERROR: DATA not accepted from server: 550 5.7.1 Sender Authorization failed s65si3000818qge.100 - gsmtp
Message sending failed