Enforce 'IP lock' in G Suite

G Suite enables you to specify an IP address or range of addresses within a domain, and allow messages from those addresses only. This feature is sometimes referred to as IP lock. In G Suite, you set up this feature in the Content compliance setting.

IP lock lets an administrator allow all incoming mail from a particular domain while at the same time preventing spoofing of that domain, by manually defining the IP ranges from which its mail is permitted to arrive. The following instructions are particularly useful for domains that do not publish an SPF record and/or use third-party applications to legitimately send mail as their address.

Setting up IP lock with the Content compliance setting involves three separate procedures: adding the domain, defining the allowed IP range, and setting the correct disposition and NDR (non-delivery report).

Step 1: Add the domain

  1. Sign in to the Google Admin console.
  2. From the Home page, go to Apps > G Suite > Gmail > Advanced settings.
  3. Open the Content compliance setting.
  4. Under Email messages to affect, select Inbound.
  5. From the menu, select If ALL of the following match the message.
  6. In the Expressions section, click Add.
  7. From the drop-down menu, click Advanced content match.
  8. From the Location menu, click Sender header.
  9. From the Match type menu, click Matches regex.
  10. Enter the domain name you want IP Lock to work with using the format @domain\.com(\W|$).
  11. Click Save. Leave the Content compliance setting open so that you can add another expression, below.

Step 2: Define the allowed IP range

  1. In the Expressions section, click Add.
  2. From the menu, click Metadata match.
  3. From the Attribute menu, click Source IP.
  4. From the Match type menu, click is not within the following range.
  5. In the field under the menu, enter the IP addresses to match.

    Note: The field accepts only CIDR-format ranges and individual IP addresses, and you can enter only one range per expression. To add more ranges, click Add to create another Expression and repeat this step for each range.
  6. Click Save. (Leave the Content compliance setting open so that you can continue with Step 3 below.)

To allow several IP ranges, add one Expression per range by repeating the steps above; because the rule requires ALL expressions to match, a message is only rejected when its source IP falls outside every range you listed.

Step 3: Set the correct disposition and NDR

To exclusively allow traffic from the IPs defined in Step 2, set the disposition to Reject message and add a custom rejection notice (optional).
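The three steps above combine into one rule: the Sender header must match the domain regex, AND the source IP must fall outside each listed range, AND only then is the message rejected. The following Python script is an added example, not part of Google's documentation or product; it models that rule logic offline so an administrator can check how the regex from Step 1 and the ANDed "is not within the following range" expressions from Step 2 behave before relying on them. The domain `domain.com`, the allowed ranges (RFC 5737 documentation addresses) and the sample messages are all constructed placeholders.

```python
import ipaddress
import re

# Step 1 expression from the page, with the page's placeholder domain.
# A real tenant substitutes its own domain; the (\W|$) suffix stops the
# pattern from also matching look-alikes such as user@domain.company.
LOCKED_DOMAIN_REGEX = re.compile(r"@domain\.com(\W|$)")

# Step 2: constructed sample ranges, one per Expression in the console.
# RFC 5737 documentation addresses only; not any real organisation's relays.
ALLOWED_RANGES = [
    ipaddress.ip_network("192.0.2.0/24"),      # CIDR range
    ipaddress.ip_network("198.51.100.25/32"),  # a single address
]


def sender_matches(sender_header: str) -> bool:
    """Step 1: does the Sender header claim the locked domain?"""
    return LOCKED_DOMAIN_REGEX.search(sender_header) is not None


def ip_outside_all_ranges(source_ip: str, allowed_ranges=ALLOWED_RANGES) -> bool:
    """Step 2: every 'Source IP is not within the following range' expression
    must match. ANDing one such expression per range is equivalent to
    'the source IP is not inside any allowed range'."""
    ip = ipaddress.ip_address(source_ip)
    return all(ip not in net for net in allowed_ranges)


def disposition(sender_header: str, source_ip: str, allowed_ranges=ALLOWED_RANGES) -> str:
    """Step 3: 'If ALL of the following match the message' -> Reject message.
    Any expression failing to match means the rule does not fire and the
    message continues through normal delivery."""
    if sender_matches(sender_header) and ip_outside_all_ranges(source_ip, allowed_ranges):
        return "REJECT"
    return "DELIVER"


# Constructed sample messages (sender header, connecting IP) for a dry run.
SAMPLE_MESSAGES = [
    ("Frank <frank@domain.com>", "192.0.2.10"),     # locked domain, allowed range
    ("Frank <frank@domain.com>", "203.0.113.5"),    # locked domain, outside ranges
    ("frank@domain.com", "198.51.100.25"),          # locked domain, single allowed IP
    ("frank@domain.company", "203.0.113.5"),        # look-alike, regex does not match
    ("frank@other.example", "203.0.113.5"),         # unrelated domain, rule not applied
]


def simulate(messages=SAMPLE_MESSAGES):
    """Return (sender, ip, disposition) for each sample message."""
    return [(s, ip, disposition(s, ip)) for s, ip in messages]


if __name__ == "__main__":
    for sender, ip, result in simulate():
        print(f"{result:8} {ip:15} {sender}")
```

Only the second sample is rejected: the other four either arrive from an allowed range or do not carry the locked domain in the Sender header, so the ALL condition is not met. Note that the regex deliberately requires the `@` immediately before the domain, so mail from subdomains such as `user@sub.domain.com` is not covered by this rule and would need its own expression.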

Using a tool such as Wormly, you can quickly spoof the address and simulate the outcome without having to wait for the client to test it.

Example of the SMTP transcript output provided when rejecting a spoofed message using IP Lock:

Resolving hostname...
220 mx.google.com ESMTP s65si3000818qge.100 - gsmtp
250-mx.google.com at your service, []
250-SIZE 35882577
MAIL FROM: frank@supportdomain068.info
250 2.1.0 OK s65si3000818qge.100 - gsmtp
RCPT TO: frank@supportdomain068.info
250 2.1.5 OK s65si3000818qge.100 - gsmtp
Sending Mail Message Body...
354 Go ahead s65si3000818qge.100 - gsmtp
550 5.7.1 Sender Authorization failed s65si3000818qge.100 - gsmtp
SMTP -> ERROR: DATA not accepted from server: 550 5.7.1 Sender Authorization failed s65si3000818qge.100 - gsmtp
Message sending failed