mxHERO Email Routing - Google Workspace Configuration Guide


ARC Sealing • DKIM • SPF • DMARC • Gmail Routing

1. Overview

mxHERO acts as an email processing intermediary: it receives messages, modifies content in transit, and re-delivers them to the final destination. This guide covers all Google Workspace configuration required to ensure reliable mail flow and correct email authentication (SPF, DKIM, DMARC) throughout the mxHERO processing hop.

mxHERO uses ARC (Authenticated Received Chain) sealing to preserve the original authentication state of every processed message. Gmail honors ARC chains from recognized mail intermediaries automatically — no admin-side ARC configuration is required in Google Workspace.

Deployment Architectures

This guide covers the following deployment patterns:

  • Inbound — Loopback: External sender → Gmail (hop 1) → mxHERO (hop 2) → Gmail (hop 3) → Recipient mailbox
  • Inbound — Border System: External sender → Proofpoint / Barracuda / other gateway → mxHERO → Gmail → Recipient mailbox
  • Outbound — Standard: Sender (Gmail) → mxHERO → External recipient MX
  • Outbound — Loopback: Sender (Gmail) → mxHERO → Gmail SMTP Relay → External recipient
Steps marked “Loopback only” apply when Gmail routes mail to mxHERO via a routing rule or Content Compliance rule. Steps without that label apply to all architectures.

2. mxHERO Connection Details

Use the following endpoints and IP addresses when configuring Gmail hosts and spam bypass policies. These values are required in several steps throughout this guide.

2.1 SMTP Endpoints

Inbound (mail flowing into mxHERO for processing):   smtp-in.mxhero.com
Outbound (mxHERO delivering to external recipients):  smtp-relay.mxhero.com
                                                      (alias: smtp.mxhero.com)
Use smtp-in.mxhero.com for the mxHERO Inbound mail host and smtp-relay.mxhero.com for the mxHERO Outbound mail host. Mixing these up is a common source of misconfiguration.

2.2 mxHERO IP Addresses

Use these IPs when configuring the Inbound Gateway spam bypass:

54.208.111.28
54.236.184.32
54.165.252.128
54.165.253.193
3.211.77.148
52.22.51.97
54.209.222.83
107.23.152.206
Your mxHERO account team will notify you if new IPs are added. Keep the Inbound Gateway IP list and any SMTP Relay Service rules in sync with any changes.

3. ARC and Authentication

mxHERO seals every processed message with ARC (Authenticated Received Chain) before modifying its content. The seal records the authentication results (SPF, DKIM and DMARC pass/fail) as they stood when the message reached mxHERO and signs that record together with the message, so a receiving server that evaluates ARC can see how the message authenticated before mxHERO changed it and broke the original DKIM signature. ARC does not turn a failing message into a passing one; it only lets a receiver that trusts the sealer reuse the earlier results in its DMARC decision.

Unlike Office 365, Google Workspace does not require any admin-side ARC configuration. Gmail automatically recognizes and evaluates ARC chains from established intermediaries. No “Trusted ARC Sealers” setting exists or needs to be configured.

The Inbound Gateway IP allowlist (section 5.1) is the primary practical safety net for newly deployed configurations. ARC reputation for a domain builds over time based on mail volume and quality, so the IP allowlist ensures reliable delivery from day one while that reputation establishes itself.

For border system deployments (Barracuda, Proofpoint, etc.): configure the border appliance to add an X-mxHero-Transport-Agent header to every message it relays through mxHERO, with your domain hash (mxHERO Dashboard → Settings → Gateway) as the value. This header identifies your tenant to mxHERO for logging, scoping and feature purposes. No loop prevention exception is needed on the border appliance, since border systems do not loop mail back through Gmail.

4. Google Groups — Selective Routing (Optional)

If you want to route only specific users through mxHERO rather than the entire organization, define a Google Group containing those users. This group is then referenced as an envelope filter in both the inbound Content Compliance rule (section 5.3) and the outbound Content Compliance rule (section 6.2, Option B). If you are routing all users, this step is optional.

📍 admin.google.com → Directory → Groups

  • Sign in to the Google Workspace admin dashboard (https://admin.google.com/)
  • Click on Groups
  • Click on Create Group
Group name:   mxHero users
Group email:  mxhero@<your-domain>
Access level: Team (or as appropriate for your organization)
  • Click CREATE
  • Click into the newly created group
  • Add the users whose email should be processed by mxHERO as members of the group
Only mail to/from members of this group will be routed through mxHERO when the group filter is applied. You can also maintain separate inbound and outbound groups if different sets of users require processing in each direction.

5. Inbound Configuration

Section 5.1 (Inbound Gateway) and section 5.4 (mxHERO Dashboard Server field) are required for all inbound architectures. Sections 5.2 and 5.3 (mail host definition and Content Compliance rule) are required only in loopback architecture, where Gmail is both the first and last inbound hop.

In border system architecture, the border gateway (Barracuda, Proofpoint, etc.) routes inbound mail to mxHERO directly. Gmail does not need a routing rule — it only needs to accept and trust the mail that mxHERO returns.

5.1 Inbound Gateway — Spam Bypass

Add mxHERO’s IP addresses to Gmail’s Inbound Gateway. This prevents Gmail from marking mxHERO-processed messages as spam when they are re-delivered and ensures mxHERO’s ARC-sealed messages are accepted cleanly. Required for all inbound architectures.

📍 admin.google.com → Apps → Google Workspace → Gmail → Advanced settings → Spam → Inbound gateway

Scroll down to “Inbound gateway” in the “Spam” section and click Configure. Set the configuration as follows:

1. Gateway IPs

Add all mxHERO IP addresses (see section 2.2):

54.208.111.28
54.236.184.32
54.165.252.128
54.165.253.193
3.211.77.148
52.22.51.97
54.209.222.83
107.23.152.206
  [x] Automatically detect external IP (recommended)
  [ ] Reject all mail not from gateway IPs
  [ ] Require TLS for connections from the email gateways listed above

Leave “Reject all mail not from gateway IPs” unchecked in loopback architecture: external mail reaches Gmail directly at hop 1, so enabling it would reject all inbound mail. In border system architecture it is worth evaluating once every legitimate inbound path terminates in mxHERO, because while it stays unchecked Gmail still accepts mail that bypasses the border gateway and mxHERO entirely.

2. Message Tagging (Loopback only)

Configure this section only if you are using inbound loopback architecture. In loopback, Gmail evaluates the message for spam at hop 1, and the Content Compliance rule in section 5.3 writes that verdict into an X-Gm-Spam header (the “Add X-Gm-Spam and X-Gm-Phishy headers” action) before routing the message to mxHERO. When mxHERO re-delivers the processed message at hop 3 from one of the gateway IPs, this setting tells Gmail to read the score from that header rather than re-evaluating the modified content from scratch. Note that the setting applies to every message arriving from the listed gateway IPs, so the list in section 2.2 must contain only mxHERO’s addresses. In border system architecture the message never passes through Gmail before mxHERO, so the header is absent and this section should be left at its defaults.

  [x] Message is considered spam if the following header regexp matches

  Regexp:  ^X-Gm-Spam: (0|1)$
           (header name exactly as Gmail writes it; the capture group is the extracted score)

  ( ) Message is spam if regexp matches
  (x) Regexp extracts a numeric score
      Message is considered spam if extracted numeric score is:
      Greater than or equal to: 1

  [x] Disable Gmail spam evaluation on mail from this gateway; only use header value
  • Click SAVE

5.2 Define mxHERO Inbound Mail Host (Loopback only)

Before creating the Content Compliance rule, define mxHERO as a named mail host in Gmail. This host is the route target in section 5.3. Only required in loopback architecture.

📍 admin.google.com → Apps → Google Workspace → Gmail → Hosts → Add Route

Name:                     mxHERO Inbound
Specify email server:     Single host
Hostname:                 smtp-in.mxhero.com
Port:                     25

Options:
  [ ] Perform MX lookup on host
  [x] Require TLS delivery
      [x] Require CA signed certificate
  • Click SAVE

5.3 Content Compliance Rule — Route Inbound via mxHERO (Loopback only)

In loopback architecture, a Content Compliance rule intercepts inbound mail and routes it to mxHERO for processing before mailbox delivery. The same rule is the loop prevention mechanism: mxHERO stamps an X-mxHero-Server header on every message it returns, and the rule’s expression checks for the absence of that header, so the rule fires only on messages that have not yet been processed. Because the check is purely on header presence, a message that already carries X-mxHero-Server with your hash when it first reaches Gmail is delivered without passing through mxHERO; treat the domain hash as confidential and do not publish it.

📍 admin.google.com → Apps → Google Workspace → Gmail → Compliance → Content compliance → Configure

Full organization — route all inbound mail

Use this variant when all users in the organization should be processed by mxHERO:

Name:                       mxHero inbound routing

1. Email messages to affect:
   [x] Inbound
   [ ] Outbound
   [ ] Internal - sending
   [x] Internal - receiving

2. Add expressions — If ANY of the following match the message:
   Location:    Full headers
   Match type:  Not contains text
   Content:     X-mxHero-Server: <your-domain-hash>

3. If the above expressions match, do the following:
   Action:  Modify message
   Headers:
     [x] Add X-Gm-Spam and X-Gm-Phishy headers
     [x] Add custom headers
         X-mxHero-Transport-Agent: <your-domain-hash>
   Route:
     [x] Change route → mxHERO Inbound
The domain hash value for both the expression check (X-mxHero-Server) and the custom header (X-mxHero-Transport-Agent) is the same unique per-tenant identifier. Retrieve it from mxHERO Dashboard → Settings → Gateway. Example format: 585439da368cbc9d4fe026ab3795e8c7

Selective routing — route only specific recipients

To limit inbound processing to a specific group of recipients, expand “Show options” and configure the envelope filter. All other settings remain the same as the full organization variant:

Show options → C. Envelope filter:
   [ ] Only affect specific envelope senders
   [x] Only affect specific envelope recipients
       Group membership (only received mail)
       Group: mxHero users (<mxhero@your-domain>)
Create the group first in section 4. Messages sent to recipients outside this group are delivered directly to their mailbox without passing through mxHERO.
  • Click SAVE
  • Click SAVE at the bottom of the Advanced Settings page to apply all changes

5.4 mxHERO Dashboard — Server Configuration

Configure the Server field in the mxHERO Dashboard to tell mxHERO where to deliver processed messages. This is required for all deployments — both loopback and border system. For inbound loopback, this is where mxHERO re-delivers processed messages for mailbox delivery. For border system deployments, this ensures mxHERO can route directly back to Gmail when needed.

📍 mxHERO Dashboard → Settings → Organization and domains → Domains → Edit

Server:  smtp.google.com
         (Google Workspace SMTP endpoint — used by mxHERO to re-deliver processed messages)
The Server field is mandatory. If it is not set or is set incorrectly, mxHERO cannot complete inbound delivery and messages will bounce.

5.5 Summary — Inbound

Configuration                                               | Location                         | Status            | Purpose
Inbound Gateway — Spam Bypass                               | Gmail → Advanced settings → Spam | ✅ Required (all) | Accept mxHERO-processed messages without re-scanning as spam
mxHERO Inbound Mail Host (smtp-in.mxhero.com)               | Gmail → Hosts                    | ⚠ Loopback only   | Route target for the Content Compliance rule
Content Compliance Rule (inbound routing + loop prevention) | Gmail → Compliance               | ⚠ Loopback only   | Route inbound mail to mxHERO; skip re-routing on X-mxHero-Server header
mxHERO Dashboard → Server field (smtp.google.com)           | mxHERO Dashboard                 | ✅ Required (all) | mxHERO re-delivers processed messages to Gmail

6. Outbound Configuration

These steps configure Google Workspace to route outbound mail through mxHERO for processing before delivery to external recipients.

6.1 Define mxHERO Outbound Mail Host

Define a second mail host for outbound traffic. This host is used by the Outbound Gateway setting or the Routing rule in section 6.2.

📍 admin.google.com → Apps → Google Workspace → Gmail → Hosts → Add Route

Name:                     mxHERO Outbound
Specify email server:     Single host
Hostname:                 smtp-relay.mxhero.com
Port:                     25

Options:
  [ ] Perform MX lookup on host
  [x] Require TLS delivery
      [x] Require CA signed certificate
  • Click SAVE

6.2 Route Outbound Mail via mxHERO

Choose one of the two options below. Option B (Content Compliance Rule) is recommended in all deployments because it supports header stamping, loop prevention, and selective routing. Option A (Outbound Gateway) is simpler but provides none of those capabilities.

Option A — Outbound Gateway (full organization, no loop prevention)

Routes all outbound mail from the entire organization through mxHERO. Use only when mxHERO processes 100% of outbound messages and loopback architecture is not in use, as this option cannot add headers or prevent re-routing loops.

📍 admin.google.com → Apps → Google Workspace → Gmail → Setup → Outbound gateway

Outbound gateway:  smtp-relay.mxhero.com
The Outbound Gateway setting routes all outbound mail with no conditions, no header modifications, and no loop prevention. Do not use this option if you are deploying outbound loopback architecture — use Option B instead.

Option B — Content Compliance Rule (recommended: header stamp + loop prevention)

Configuring outbound routing as a Content Compliance rule — the same mechanism used for inbound in section 5.3 — allows the rule to check for the X-mxHero-Server header before routing. This provides the same loop prevention as the inbound rule: if mxHERO has already processed the message and stamped its X-mxHero-Server header, the expression does not match and the rule does not fire, preventing re-routing loops. This is essential in outbound loopback architecture and is good practice in all cases.

📍 admin.google.com → Apps → Google Workspace → Gmail → Compliance → Content compliance → Configure

Full organization — route all outbound mail

Name:                       mxHero outbound routing

1. Email messages to affect:
   [ ] Inbound
   [x] Outbound
   [x] Internal - sending
   [ ] Internal - receiving

2. Add expressions — If ANY of the following match the message:
   Location:    Full headers
   Match type:  Not contains text
   Content:     X-mxHero-Server: <your-domain-hash>

3. If the above expressions match, do the following:
   Action:  Modify message
   Headers:
     [x] Add custom headers
         X-mxHero-Transport-Agent: <your-domain-hash>
   Route:
     [x] Change route → mxHERO Outbound
The expression checks for the ABSENCE of the X-mxHero-Server header (Match type: Not contains). When mxHERO processes a message it stamps X-mxHero-Server on the return — the rule then does not match and the message is delivered normally, breaking the loop. The domain hash value is the same for both the expression check and the X-mxHero-Transport-Agent header: retrieve it from mxHERO Dashboard → Settings → Gateway.

Selective routing — route only specific senders

To process only a specific group of senders, expand “Show options” and add an envelope filter. All other settings remain the same as the full organization variant:

Show options → C. Envelope filter:
   [x] Only affect specific envelope senders
       Group membership (only sent mail)
       Group: mxHero users (<mxhero@your-domain>)
   [ ] Only affect specific envelope recipients
  • Click SAVE
  • Click SAVE at the bottom of the Advanced Settings page
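The decision logic of the rules configured in sections 5.1, 5.3 and 6.2 can be replayed offline. The following is an added example, not code from mxHERO or Google: it evaluates the “Not contains text” expression over the full header block, applies the rule’s header and route actions, stands in for mxHERO by stamping X-mxHero-Server and altering the body, and extracts the spam score with the Inbound Gateway regexp. The sample message is constructed, the tenant hash is the page’s example value, and Gmail’s exact matcher semantics (case folding, header unfolding) are assumed rather than reproduced.

```python
import re
from email import message_from_string

# The page's example tenant hash (section 5.3); substitute your own from
# mxHERO Dashboard -> Settings -> Gateway.
DOMAIN_HASH = "585439da368cbc9d4fe026ab3795e8c7"
LOOP_MARKER = "X-mxHero-Server"            # stamped by mxHERO on every returned message
TENANT_TAG = "X-mxHero-Transport-Agent"    # stamped by the Content Compliance rule
# Inbound gateway "Message tagging" regexp from section 5.1; MULTILINE gives ^/$ per header line.
SPAM_SCORE_RE = re.compile(r"^X-Gm-Spam: (0|1)$", re.MULTILINE)

# Constructed sample message, not a real capture.
SAMPLE = (
    "From: partner@example.org\n"
    "To: bob@example.com\n"
    "Subject: Q3 figures\n"
    "\n"
    "Numbers attached.\n"
)


def header_block(raw: str) -> str:
    """'Location: Full headers' = everything before the first blank line."""
    return raw.split("\n\n", 1)[0]


def rule_matches(raw: str, rule_hash: str) -> bool:
    """Expression: Full headers / Not contains text / 'X-mxHero-Server: <hash>'.
    True means the message has not been through mxHERO yet and must be routed."""
    return f"{LOOP_MARKER}: {rule_hash}" not in header_block(raw)


def apply_compliance_rule(raw, rule_hash, route, gmail_spam_verdict=None):
    """Action block of the rule: add the custom tenant header (plus X-Gm-Spam/X-Gm-Phishy
    for the inbound rule, carrying Gmail's hop-1 verdict) and change route.
    Returns (route_taken, message)."""
    if not rule_matches(raw, rule_hash):
        return "normal delivery", raw
    msg = message_from_string(raw)
    if gmail_spam_verdict is not None:
        msg["X-Gm-Spam"] = "1" if gmail_spam_verdict else "0"
        msg["X-Gm-Phishy"] = "0"
    msg[TENANT_TAG] = rule_hash
    return route, msg.as_string()


def mxhero_process(raw, tenant_hash):
    """Stand-in for mxHERO: stamp the loop marker and alter the body. The body change is
    what invalidates the original DKIM signature; ARC sealing is not modelled here."""
    msg = message_from_string(raw)
    msg[LOOP_MARKER] = tenant_hash
    msg.set_payload(msg.get_payload() + "[processed by mxHERO]\n")
    return msg.as_string()


def gateway_spam_score(raw):
    """Inbound gateway: 'Regexp extracts a numeric score'. None when the header is absent
    (the border-system case, where Gmail never saw the message at hop 1)."""
    m = SPAM_SCORE_RE.search(header_block(raw))
    return int(m.group(1)) if m else None


def gateway_is_spam(raw, threshold=1):
    """'Message is considered spam if extracted numeric score is greater than or equal to 1'."""
    score = gateway_spam_score(raw)
    return score is not None and score >= threshold


def simulate_loopback(raw, rule_hash, tenant_hash, route, gmail_spam_verdict=None, max_hops=5):
    """Replay Gmail -> mxHERO -> Gmail until the rule stops firing. A hash mismatch between
    the rule and the Dashboard reproduces the 'too many hops' bounce from section 8."""
    trace = []
    for _ in range(max_hops):
        decision, raw = apply_compliance_rule(raw, rule_hash, route, gmail_spam_verdict)
        trace.append(decision)
        if decision == "normal delivery":
            return trace, raw
        raw = mxhero_process(raw, tenant_hash)
    raise RuntimeError(f"too many hops: {LOOP_MARKER} never matched the rule's hash")


if __name__ == "__main__":
    hops, final = simulate_loopback(SAMPLE, DOMAIN_HASH, DOMAIN_HASH, "mxHERO Inbound", False)
    print(hops, "spam score at hop 3:", gateway_spam_score(final))
```

Running the inbound simulation with the correct hash gives the two-step trace ["mxHERO Inbound", "normal delivery"] and a hop-3 spam score of 0; running it with a hash that differs from the one mxHERO stamps never reaches "normal delivery" and raises, which is the loop the troubleshooting section describes. A message that already carries X-mxHero-Server with the right hash is never routed, which is why the hash should stay private.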

6.3 mxHERO Dashboard — Relay Server Configuration (Loopback / Border Relay)

Configure the Relay Server field in the mxHERO Dashboard when mxHERO should not deliver processed outbound messages directly to the recipient’s MX, but instead hand them off to an intermediate hop first. This applies in two scenarios:

  • Outbound loopback: mxHERO returns the processed message to Gmail’s SMTP relay service, which then delivers externally. Google re-signs with DKIM on final delivery.
  • Outbound via border relay: mxHERO routes the processed message through your on-premises or cloud border MTA (Barracuda, Proofpoint, etc.) before external delivery. Use this when outbound mail must pass through a security gateway after mxHERO processing.

📍 mxHERO Dashboard → Settings → Organization and domains → Domains → Edit

Outbound loopback:
  Relay Server:  smtp-relay.gmail.com
                 (Google Workspace SMTP relay service — Google re-signs DKIM on delivery)

Outbound via border relay:
  Relay Server:  <your-border-mta-hostname>
                 (your border gateway SMTP hostname, e.g. relay.yourcompany.com)
For outbound loopback, Gmail accepts the return trip via the SMTP Relay Service rule configured in section 6.4. Because Gmail applies your domain’s DKIM signature on the final hop, after mxHERO’s content changes, the signature external recipients verify covers the delivered content and aligns with the From: domain. This requires that DKIM authentication is set up for the domain in the Admin console (Gmail → Authenticate email) and that the From: address belongs to your Workspace domain.
The Relay Server field is not required for standard outbound (Option A or B without loopback or border relay). Leave it empty if mxHERO should deliver processed messages directly to the recipient MX.

6.4 Google SMTP Relay Service (Loopback only)

In outbound loopback, mxHERO re-submits processed messages to Gmail’s SMTP relay service. Configure the relay service to accept connections from mxHERO’s IP addresses.

📍 admin.google.com → Apps → Google Workspace → Gmail → Routing → SMTP relay service → Add another rule

Allowed senders:  Only registered Apps users in my domains
Authentication:   Only accept mail from these IP addresses:
                  <mxHERO IPs — see section 2.2>
Encryption:       Require TLS encryption

Keep “Allowed senders” on “Only registered Apps users in my domains”. The rule authenticates by source IP alone, so widening it to “Any addresses” would let anything relayed through mxHERO’s addresses send with any envelope sender.

Do NOT enable “Perform MX lookup on host” on any mxHERO host definition. The host is an SMTP endpoint, not a mail domain, so delivery must go to the specific hostname (smtp-in.mxhero.com for inbound, smtp-relay.mxhero.com for outbound, and smtp-relay.gmail.com in the Dashboard Relay Server field for the loopback return). In particular, never point a host at your own domain with MX lookup enabled: the MX resolves back to Gmail and the message loops immediately.

6.5 SPF Record

Required for all deployments regardless of architecture. Include mxHERO’s sending infrastructure in your domain’s SPF record so that messages sent from mxHERO IPs pass SPF checks at external recipients.

v=spf1 include:_spf.google.com include:_spf.mxhero.com ~all
The include:_spf.mxhero.com entry covers all mxHERO sending IPs. Note the leading underscore: a common mistake is include:mxhero.com without _spf, which points at a different or missing record and yields a permerror at receivers rather than a pass. Merge the include into your existing SPF TXT record rather than publishing a second one; a domain with two SPF records also evaluates to permerror. Watch the lookup budget as well: SPF allows at most 10 DNS-lookup terms (include, a, mx, ptr, exists, redirect) per evaluation, and include:_spf.google.com alone consumes four of them because it chains to three _netblocks records, so count the includes already in your record before adding mxHERO’s.
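A record can be checked for the mistakes above before it is published. The following is an added example, not mxHERO’s tooling: it parses an SPF record, verifies the required mxHERO include (flagging the missing-underscore variant), checks the all mechanism, and counts DNS-lookup terms recursively against the limit of 10. DNS is replaced by a constructed table so it runs offline; the chain shape of _spf.google.com is real, but the IP ranges are documentation addresses and the contents of _spf.mxhero.com are assumed from section 2.2.

```python
import re
from typing import Dict, List, Optional, Tuple

MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4: more than ten lookup-causing terms is a permerror
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed stand-in for DNS (name -> SPF TXT, None = no SPF record). Replace with real
# TXT lookups in production; the values here are assumed, not authoritative.
FAKE_DNS: Dict[str, Optional[str]] = {
    "_spf.google.com": ("v=spf1 include:_netblocks.google.com include:_netblocks2.google.com "
                        "include:_netblocks3.google.com ~all"),
    "_netblocks.google.com": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_netblocks2.google.com": "v=spf1 ip6:2001:db8::/32 ~all",
    "_netblocks3.google.com": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_spf.mxhero.com": "v=spf1 ip4:54.208.111.28 ip4:54.236.184.32 ip4:54.165.252.128 -all",
    "mxhero.com": None,  # the common mistake: the apex publishes no SPF record
}

TERM_RE = re.compile(r"^([+\-~?]?)([a-z][a-z0-9]*)(?:[:=](.+))?$", re.I)


def parse_terms(record: str) -> List[Tuple[str, str, Optional[str]]]:
    """Split a record into (qualifier, name, value) terms; 'v=spf1' parses as ('+', 'v', 'spf1')."""
    terms = []
    for token in record.split():
        m = TERM_RE.match(token)
        if not m:
            raise ValueError(f"unparseable SPF term: {token!r}")
        qualifier, name, value = m.groups()
        terms.append((qualifier or "+", name.lower(), value))
    return terms


def count_lookups(record: str, dns: Dict[str, Optional[str]], issues: List[str], depth: int = 0) -> int:
    """Count lookup-causing terms, recursing through include: and redirect= targets."""
    if depth > MAX_DNS_LOOKUPS:
        raise ValueError("include/redirect chain too deep")
    total = 0
    for _, name, value in parse_terms(record):
        if name not in LOOKUP_TERMS:
            continue
        total += 1
        if name in ("include", "redirect"):
            target = dns.get(value)
            if target is None:
                issues.append(f"{name} target {value} has no SPF record (permerror at receivers)")
            else:
                total += count_lookups(target, dns, issues, depth + 1)
    return total


def lint_spf(record: str, dns=FAKE_DNS, required_includes=("_spf.mxhero.com",)) -> Tuple[int, List[str]]:
    """Return (dns_lookups, issues) for a candidate SPF record; an empty issue list is a pass."""
    issues: List[str] = []
    terms = parse_terms(record)
    if not terms or terms[0][1:] != ("v", "spf1"):
        return 0, ["record must start with v=spf1"]
    includes = [v for _, n, v in terms if n == "include"]
    for req in required_includes:
        if req in includes:
            continue
        apex = req.split(".", 1)[1] if req.startswith("_spf.") else req
        hint = f" (found include:{apex}; the _spf label is missing)" if apex in includes else ""
        issues.append(f"missing include:{req}{hint}")
    all_terms = [(q, i) for i, (q, n, _) in enumerate(terms) if n == "all"]
    if not all_terms:
        issues.append("no 'all' mechanism; unlisted senders get a neutral result")
    else:
        qualifier, index = all_terms[-1]
        if qualifier == "+":
            issues.append("'+all' authorizes every host on the internet")
        if index != len(terms) - 1:
            issues.append("terms after 'all' are never evaluated")
    lookups = count_lookups(record, dns, issues)
    if lookups > MAX_DNS_LOOKUPS:
        issues.append(f"{lookups} DNS lookups exceeds the limit of {MAX_DNS_LOOKUPS} (permerror)")
    return lookups, issues


if __name__ == "__main__":
    for candidate in ("v=spf1 include:_spf.google.com include:_spf.mxhero.com ~all",
                      "v=spf1 include:_spf.google.com include:mxhero.com ~all"):
        print(candidate, "->", lint_spf(candidate))
```

The record from this section lints clean at five lookups (four from Google’s chain, one for mxHERO); the underscore-less variant is reported twice, once as the missing required include and once because its target has no SPF record.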

6.6 Summary — Outbound

Configuration                                         | Location                        | Status                      | Purpose
mxHERO Outbound Mail Host (smtp-relay.mxhero.com)     | Gmail → Hosts                   | ✅ Required                 | Route target for outbound mail to mxHERO
Outbound Gateway or Content Compliance rule           | Gmail → Setup or Compliance     | ✅ Required                 | Routes outbound mail through mxHERO for processing
X-mxHero-Transport-Agent header stamp                 | Content Compliance rule (Opt B) | ✅ Recommended              | Tenant identification; use the Content Compliance rule, not the Gateway setting
SPF: include:_spf.mxhero.com                          | Customer DNS                    | ✅ All architectures        | mxHERO sending IPs authorized; safety net for all scenarios
Google SMTP Relay Service (mxHERO IPs)                | Gmail → Routing                 | ⚠ Loopback only             | Accept return trip from mxHERO for external delivery
mxHERO Dashboard → Relay Server                       | mxHERO Dashboard                | ⚠ Loopback / border relay   | Hand off processed outbound to Gmail SMTP relay or border MTA before external delivery

7. Architecture Quick Reference

Step                                                   | Inbound Border System | Inbound Loopback | Outbound Standard | Outbound Loopback
Inbound Gateway — Spam Bypass (section 5.1)            | ✅                    | ✅               | ––                | ––
mxHERO Inbound Mail Host (section 5.2)                 | ––                    | ✅               | ––                | ––
Content Compliance Rule (section 5.3)                  | ––                    | ✅               | ––                | ––
mxHERO Dashboard → Server field (section 5.4)          | ✅                    | ✅               | ✅                | ✅
SPF: include:_spf.mxhero.com (section 6.5)             | ✅                    | ✅               | ✅                | ✅
mxHERO Outbound Mail Host (section 6.1)                | ––                    | ––               | ✅                | ✅
Outbound Gateway or Compliance Rule (section 6.2)      | ––                    | ––               | ✅                | ✅
X-mxHero-Transport-Agent header (section 6.2 Opt B)    | ––                    | ––               | ✅                | ✅
Google SMTP Relay Service (section 6.4)                | ––                    | ––               | ––                | ✅
mxHERO Dashboard → Relay Server (section 6.3)          | ––                    | ––               | ⚠ Border relay    | ✅
Google Groups — selective routing (section 4)          | Optional              | Optional         | Optional          | Optional

✅ = configure, –– = not applicable, ⚠ = only in the named variant.

Note: In inbound border system architecture, the border gateway routes mail to mxHERO. Gmail does not need a routing rule or Content Compliance rule for inbound — it only needs the Inbound Gateway spam bypass so that mxHERO-processed messages are accepted cleanly on the return trip.

8. Troubleshooting

Messages landing in spam despite Inbound Gateway configuration

  • Verify the IPs in the Inbound Gateway match the current mxHERO IP list in section 2.2
  • Check whether any of mxHERO’s IPs appear on external blocklists
  • Confirm TLS is required on the mxHERO Inbound host definition (section 5.2)
  • Ensure “Disable Gmail spam evaluation on mail from this gateway” is checked in the Inbound Gateway message tagging settings

Mail loops (“too many hops” bounce)

  • Verify the Content Compliance rule (section 5.3) is active and enabled
  • Confirm the X-mxHero-Server value in the expression exactly matches the hash in mxHERO Dashboard → Settings → Gateway
  • Confirm the rule’s Match type is “Not contains text” (not “Contains”) — the rule should fire when the header is absent
  • Confirm the Content Compliance rule is routing to “mxHERO Inbound” and not back to another mxHERO route
  • Verify mxHERO host definitions use smtp-in.mxhero.com (inbound) and smtp-relay.mxhero.com (outbound) with “Perform MX lookup on host” unchecked

DKIM or authentication failures at external recipients

mxHERO modifies message content, which breaks the DKIM signature Gmail applied when the message left your domain. This is expected. In outbound standard architecture the recipient receives the message from mxHERO, and the ARC seal mxHERO adds records that the message passed DKIM and DMARC when it arrived at mxHERO; a recipient that evaluates ARC and trusts mxHERO as a sealer can use that record in its DMARC decision, but many recipients do not. For those recipients, confirm with your mxHERO account team that outbound DKIM re-signing is enabled for your domain. In outbound loopback architecture the problem does not arise, because Gmail signs the message on the final hop (section 6.3).

SPF failure at external recipients (outbound standard)

Verify your domain’s SPF record includes include:_spf.mxhero.com (note the leading underscore). A common mistake is using include:mxhero.com without the _spf prefix, which resolves to a different or missing DNS record.

Selective inbound: a recipient is not being processed by mxHERO

Verify the recipient’s account is a member of the group referenced in the Content Compliance rule envelope filter. In Google Admin → Directory → Groups, open the group and check membership. Group membership changes may take a few minutes to propagate.

Selective outbound: a sender’s mail is not being processed by mxHERO

Verify the sender’s account is a member of the group referenced in the outbound Content Compliance rule envelope filter. Also confirm the Content Compliance rule (Option B) is in use and not the Outbound Gateway; the Gateway setting does not support group-based filtering.

X-mxHero-Transport-Agent header not present on messages reaching mxHERO

If mxHERO is not identifying your tenant on outbound messages, confirm you are using Option B (Content Compliance rule) in section 6.2 with “Add custom headers” checked. The Outbound Gateway setting (Option A) does not stamp custom headers. Verify the custom header name is exactly X-mxHero-Transport-Agent and the value matches your domain hash from mxHERO Dashboard → Settings → Gateway.
