Enforce IP lock in Google Workspace

You can specify an IP address or range of addresses within a domain, and allow messages only from those addresses. This feature is sometimes referred to as IP lock.

IP lock lets you:

  • Whitelist all incoming traffic from a particular domain
  • Prevent spoofing by manually defining the allowed IP ranges

IP lock is useful for domains that do not have a Sender Policy Framework (SPF) record, or that use third party applications to send mail on behalf of the domain.

Set up an IP lock using the Content compliance setting. Setting up IP lock involves 3 steps:

  1. Add the domain
  2. Define the allowed IP range 
  3. Set the correct disposition and Non-Deliverable Response (NDR)

Read details about how to Set up rules for content compliance.

Step 1: Add the domain

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Appsand thenGoogle Workspaceand thenGmailand thenCompliance.
    Note: You might find this setting at Appsand thenGoogle Workspaceand thenGmailand thenAdvanced Settings.
  3. Scroll to Content compliance, and click Configure or Add Another Rule.

  4. Under Email messages to affect, select Inbound.

  5. From the menu, select If ALL of the following match the message.

  6. In the Expressions section, click Add.

  7. From the menu, click Advanced content match.

  8. From the Location menu, click Sender header.

  9. From the Match type menu, click Matches regex.

  10. Enter the domain name you want IP Lock to work with using the format @domain\.com(\W|$), for example: @google\.com(\W|$)

  11. Click Save.

  12. Leave the Content compliance setting open so that you can add another expression, below.

Step 2: Define the allowed IP range

  1. In the Expressions section, click Add.

  2. From the menu, click Metadata match.

  3. From the Attribute menu, click Source IP.

  4. From the Match type menu, click Source IP is not within the following range.

  5. In the field under the menu, enter the IP addresses to match.

    Note: The field only accepts CIDR format ranges and individual IP addresses. You can enter only one range per expression, as shown in the example in Step 7. To add more ranges, click Add to add another expression, and repeat.

  6. Click Save.

  7. Leave the Content compliance setting open so that you can continue with Step 3 below.

In the following example, multiple IP addresses were included by adding more expressions and repeating the steps above.

Step 3: Set the correct disposition and NDR

To exclusively allow traffic from the IPs defined in Step 2, select Reject message. You can optionally enter text for a custom rejection notice.

Example of the SMTP transcript output provided when rejecting a spoofed message using IP Lock
Result:
Resolving hostname...
Connecting...
SMTP -> FROM SERVER:
220 mx.google.com ESMTP s65si3000818qge.100 - gsmtp
SMTP -> FROM SERVER:
250-mx.google.com at your service, [184.72.226.23]
250-SIZE 35882577
250-8BITMIME
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-PIPELINING
250 CHUNKING
MAIL FROM: frank@supportdomain068.info
SMTP -> FROM SERVER:
250 2.1.0 OK s65si3000818qge.100 - gsmtp
RCPT TO: frank@supportdomain068.info
SMTP -> FROM SERVER:
250 2.1.5 OK s65si3000818qge.100 - gsmtp
Sending Mail Message Body...
SMTP -> FROM SERVER:
354 Go ahead s65si3000818qge.100 - gsmtp
SMTP -> FROM SERVER:
550 5.7.1 Sender Authorization failed s65si3000818qge.100 - gsmtp
SMTP -> ERROR: DATA not accepted from server: 550 5.7.1 Sender Authorization failed s65si3000818qge.100 - gsmtp
Message sending failed
Was this helpful?
How can we improve it?

Need more help?

Sign in for additional support options to quickly solve your issue