Configuring an outbound gateway for email scanning

This article describes how to configure Coro's Outbound Gateway for your email service. As part of Coro's User Data Governance module, an outbound gateway enables Coro to scan outgoing emails from your organization for exposure and sharing of monitored sensitive data in line with your configured data loss prevention policies.

note

For information on Coro's Inbound Gateway, see Introducing the Inbound Gateway.

Setting up an outbound gateway requires changes to an organization's own DNS and email infrastructure, as well as enabling the gateway inside your Coro workspace.

To learn more about Coro's User Data Governance module, see Introducing User Data Governance. To learn more about configuring the detection mode and sensitive data types, see Configuring data governance settings.

Summary of steps required

To set up the Coro Outbound Gateway to scan your outgoing emails, you must perform some configuration steps in your email and DNS services before you can configure your Coro workspace. You need to:

note

Given the potential for service disruption during this process, Coro recommends scheduling these changes at a time of least impact.

Prerequisites

Before you begin, make sure you have the following information:

  • Coro’s Outbound Gateway host details. Contact Coro Support for details.
  • Coro’s Outbound Gateway SPF domain for your workspace region:
    • US: _spf-us.coroep.com
    • EU: _spf-eu.coroep.com
    • CA: _spf-ca.coroep.com
  • The identity of your email service provider.
  • Your email domain.

Configuring DKIM

Coro uses DomainKeys Identified Mail (DKIM) to add digital signatures to email messages to confirm the sender's identity and message validity to recipient mail servers.

DKIM requires sender organizations to configure their DNS records with a public key, enabling recipient mail servers to establish the validity of the message. This section describes how to configure DKIM email authentication in Gmail and Microsoft 365.

Configuring DKIM for Gmail

To configure DKIM for Gmail:

  1. Sign in to Google Workspace Admin with your administrator credentials.
  2. From the Admin console menu, select Apps > Google Workspace > Settings for Gmail > Authenticate email:

    Set up email authentication in Gmail with DKIM

  3. In Authenticate email, select your domain. Then select GENERATE NEW RECORD:

    Selecting the GENERATE NEW RECORD button

    Google displays the Generate new record dialog:

    Generate a new DKIM auth record

  4. Enter the following values:
    • DKIM key bit length: Coro recommends 2048 or higher.
    • Prefix selector: (optional) Enter a prefix for the TXT record name, if required, or use the default value provided.
  5. Select GENERATE.

    Google returns to the Authenticate email screen, displaying the generated DKIM record details:

    DKIM record details

  6. Make a note of the values shown for DNS Host name and TXT record value.
  7. In a new browser window, sign in to your DNS provider's admin console.
  8. Add a new TXT record to your DNS records containing the generated DKIM record:
    • Host name: <DNS host name>
    • Type: TXT
    • TTL: Automatic, or use the default value
    • Data: <Generated TXT record value>

    For example:

    New TXT record

  9. Return to the Google Workspace admin console, and go to Apps > Google Workspace > Gmail > Authenticate email.
  10. Select START AUTHENTICATION.

note

DNS record propagation can take up to an hour. After the DNS updates become visible, Google verifies the new record and enables DKIM for your domain.
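
To confirm that the TXT value you published carries a key of the length chosen in step 4, the following added example (not part of Coro's or Google's documentation) reassembles a DKIM TXT record from its DNS character-strings and reports the RSA modulus size. The function names are hypothetical, and the sample key is constructed and non-functional.

```python
import base64


def _tlv(buf, pos=0):
    """Read one DER element: (tag, content, offset of the next element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _der(tag, content):
    """Encode one DER element; used only to build the constructed sample."""
    size = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    head = bytes([len(content)]) if len(content) < 0x80 else bytes([0x80 | len(size)]) + size
    return bytes([tag]) + head + content


def sample_record(bits):
    """Constructed, non-functional key: modulus 2**(bits-1) + 1, exponent 65537."""
    modulus = ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    rsa = _der(0x30, _der(0x02, b"\x00" + modulus) + _der(0x02, b"\x01\x00\x01"))
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + _der(0x05, b""))
    spki = _der(0x30, alg + _der(0x03, b"\x00" + rsa))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()


def split_txt(value, size=255):
    """Split a value into DNS character-strings of at most 255 bytes."""
    return [value[i:i + size] for i in range(0, len(value), size)]


def dkim_key_bits(txt_strings):
    """Join the character-strings, parse the tags, return the RSA modulus size."""
    record = "".join(txt_strings)
    tags = dict(p.strip().split("=", 1) for p in record.split(";") if "=" in p)
    if tags.get("v") != "DKIM1" or tags.get("k", "rsa") != "rsa" or not tags.get("p"):
        raise ValueError("not a usable RSA DKIM key record")
    _, body, _ = _tlv(base64.b64decode(tags["p"]))
    tag, first, nxt = _tlv(body)
    if tag == 0x30:  # SubjectPublicKeyInfo wrapper around the RSA key
        _, bitstr, _ = _tlv(body, nxt)
        _, body, _ = _tlv(bitstr[1:])  # skip the unused-bits octet
        _, first, _ = _tlv(body)
    return int.from_bytes(first, "big").bit_length()
```

A 2048-bit record is longer than 255 characters, so DNS returns it as two character-strings; pass them in the order received.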

Configuring DKIM for Microsoft 365

To configure DKIM for Microsoft 365 (M365):

  1. Sign in to Microsoft Defender with your administrator credentials.
  2. Go to Email & collaboration > Policies & rules.

    Defender displays the Policies & rules page:

    Microsoft Defender - Policies and rules

  3. Select Threat policies.

    Defender displays the Threat policies page:

    Microsoft Defender - Threat policies

  4. Select Email authentication settings, then select DKIM:

    Defender displays the DomainKeys Identified Mail (DKIM) page:

    Microsoft Defender - DKIM settings

  5. Select your domain and then, in the settings dialog, select Create DKIM keys:

    Microsoft Defender - create DKIM keys

    Defender displays a Publish CNAMEs dialog containing the generated DKIM keys:

    Microsoft Defender - generated DKIM keys

  6. Select Copy to copy the DKIM keys to your clipboard. Or, make a note of the host names and corresponding key values.
  7. In a new browser window, sign in to your DNS provider's admin console.
  8. Add new CNAME records to your DNS records containing the generated DKIM keys:
    • Host name: <host name>
    • Type: CNAME record
    • TTL: Automatic, or use the default value
    • Data: <DKIM key value>

    For example:

    New CNAME record

    note

    DNS record propagation can take up to 48 hours. Confirm that your changes have taken effect before proceeding.

  9. Return to the Microsoft Defender admin console, and go to Email & collaboration > Policies & rules > Threat policies > Email authentication settings > DKIM.
  10. Select your domain and then, in the settings dialog, enable Sign messages for this domain with DKIM signatures:

    Microsoft Defender - enable DKIM signing

    Defender displays a security notice concerning a short time delay for change synchronization.

  11. Select OK to acknowledge and dismiss the notice.

Configuring your email domain DNS settings

To ensure your email service does not treat messages received from Coro's Outbound Gateway as spam, add the gateway domain to the SPF record in the DNS configuration for your email domain.

This section provides a general example of the configuration you need to add in your domain provider's management console, as well as a specific guide for Google Domains Service.

General example

Add Coro's Outbound Gateway SPF domain, together with your mail provider's SMTP server and the original IP address (if one was originally included), as a TXT record in your DNS configuration, using the format:

v=spf1 include:_spf-us.coroep.com ip4:52.14.71.218 include:emailsvr.com ~all

In this example, 52.14.71.218 and emailsvr.com are the original IP address and SMTP server for your email service. Substitute _spf-us.coroep.com with the SPF domain for your workspace region, as applicable (see Prerequisites).

To configure your DNS, add or update the relevant record with this content. For example:

Outbound Gateway DNS SPF record example

Google Domains Service

To configure SPF records in Google Domains Service (for organizations that registered their domains using Google DNS):

  1. Sign in to Google Domains Service (https://domains.google.com/) with your administrator credentials.
  2. Select your domain, then select Manage:

    Configuring Google DNS

  3. Select DNS.
  4. (Recommended) Back up the current DNS settings as a precaution by selecting Export DNS records.
  5. Select Manage Custom Records > Create new Record, or change an existing record if one was already added.
  6. Configure the following settings:
    • Type: Select TXT.
    • TTL: Enter 3600.
    • Data: Add Coro's Outbound Gateway SPF domain together with Google's SPF domain, using the format:
      v=spf1 include:_spf-us.coroep.com include:_spf.google.com ~all

      Substitute _spf-us.coroep.com with the SPF domain for your workspace region, as applicable (see Prerequisites).

    Outbound Gateway DNS SPF record example

  7. Select Save.
  8. (Optional) If Google requests confirmation of overwriting an existing configuration, select Yes.
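
The merge described in the General example and Google Domains Service sections can be worked out before you touch DNS. This added example (not Coro's code) builds the single SPF record to publish from a domain's existing TXT values; the function names are hypothetical, any sample TXT values you pass are your own, and the lookup count covers only the top-level record against the RFC 7208 limit of 10 DNS-querying terms.

```python
# Added example: merge the gateway include into a domain's SPF record.
COROEP_SPF = {  # values from the Prerequisites section
    "US": "_spf-us.coroep.com",
    "EU": "_spf-eu.coroep.com",
    "CA": "_spf-ca.coroep.com",
}
# Terms that cost a DNS query; RFC 7208 allows at most 10 per evaluation.
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def spf_records(txt_values):
    """Return only the TXT values that are SPF records."""
    return [t.strip() for t in txt_values
            if t.strip().lower().split(" ")[0] == "v=spf1"]


def top_level_lookups(record):
    """Count lookup-costing terms in this record only (nested includes not followed)."""
    count = 0
    for term in record.split()[1:]:
        name = term.lstrip("+-~?").lower()
        for sep in (":", "=", "/"):
            name = name.split(sep)[0]
        if name in LOOKUP_TERMS:
            count += 1
    return count


def add_gateway_include(txt_values, region):
    """Build the single SPF record to publish for the domain."""
    include = "include:" + COROEP_SPF[region]
    found = spf_records(txt_values)
    if len(found) > 1:  # two SPF records make receivers return a permanent error
        raise ValueError("multiple v=spf1 records: merge them into one first")
    if not found:
        return f"v=spf1 {include} ~all"
    terms = found[0].split()
    if include not in (t.lower() for t in terms):
        terms.insert(1, include)  # directly after v=spf1, as in the page's format
    merged = " ".join(terms)
    if top_level_lookups(merged) > 10:
        raise ValueError("more than 10 DNS-lookup terms")
    return merged
```

Running it on a record that already contains the include returns the record unchanged, so it is safe to re-run when checking an existing configuration.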

Configuring your original mail provider

Coro's Outbound Gateway operates with the following email providers:

Gmail

To configure Gmail to work with Coro's Outbound Gateway, perform the following two-part procedure:

Part 1: Add an Outbound Gateway route

  1. Sign in to Google Workspace Admin with your administrator credentials.
  2. From the Admin console menu, select Apps > Google Workspace > Gmail > Hosts.
  3. Select Add Route:

    Add route in Gmail Hosts

    Gmail displays the Add mail route dialog.

  4. Enter the following details:
    • Name: Enter a route name for the Outbound Gateway.
    • Specify email server: If Coro Support supplies one hostname or IP address for the Outbound Gateway in your circumstances, select Single host. If you receive multiple hostnames or IP addresses, select Multiple hosts.
    • Enter host name or IP: Enter the specified Outbound Gateway hostname or IP address. Specify port 25 for all entries (unless instructed otherwise by Coro Support).
    • Options: Disable all checkboxes.

    Add mail route dialog

  5. Select SAVE.

Part 2: Set up the Outbound Gateway route in Gmail

  1. From the Admin console menu, select Apps > Google Workspace > Gmail > Routing.
  2. In the left pane, select your top-level organization.
  3. Locate Routing and select CONFIGURE (or ADD ANOTHER ROUTE if you have existing routing in place):

    Configure routing in Gmail

    Gmail displays the Add setting dialog.

  4. Enter the following details:
    • Routing: Enter a name or description for the routing setting.
    • Email messages to affect: Select Outbound and Internal - Sending.
    • For the above types of messages, do the following: Select Modify message.
    • Route: Select Change route.
    • Normal Routing: Select the Outbound Gateway route you created in Part 1.

    Configure routing in Gmail

  5. Select SAVE.

Microsoft 365

To configure Microsoft 365 (M365) to work with Coro's Outbound Gateway, perform the following two-part procedure:

Part 1: Create an email flow connector

Create an email flow connector for Coro in Microsoft Exchange admin center:

  1. Sign in to Microsoft Exchange admin center with your administrator credentials.
  2. Go to Mail flow > Connectors.
  3. In the Connectors page, select + Add a connector:

    Adding a new mail flow connector

    Exchange admin center displays the Add a connector dialog, starting at the New connector step.

  4. Select the following options:
    • Connection from: Select Office 365.
    • Connection to: Select Partner organization.

    Select Next to continue.

  5. In the Name step: Add a name (and optional description) describing the outbound mail connection.

    Select Next to continue.

  6. In the Use of connector step, select Only when I have a transport rule set up that redirects messages to this connector.

    Select Next to continue.

  7. In the Routing step, select Route email through these smart hosts, then enter the hostnames or IP addresses of the Outbound Gateway provided to you by Coro Support.

    Select Next to continue.

  8. In the Security restrictions step, make sure Always use Transport Layer Security (TLS) to secure the connection is enabled, then select Any digital certificate, including self-signed certificates.

    Select Next to continue.

  9. In the Validation email step, enter a valid email address in your domain to test the connector. Then, select Validate.

    Exchange admin center tests the connector, showing a Validation failed warning for the email send test:

    Validation step failure warning

    Important

    This is an expected failure since Coro is not yet fully configured. It is safe to ignore.

    Select Next. Then, when Exchange prompts you to confirm that you want to proceed despite the validation failure, select Yes, proceed:

    Validation step failure confirmation

  10. Use the Review connector step to confirm your connector settings:

    Reviewing the new mail flow connector settings

  11. Select Create connector.

M365 creates your new connector based on the settings you provided.

Important

Make sure the new connector has a Status of On before proceeding to part 2.

Part 2: Add rules

Add rules for the new mail flow connector in Microsoft Exchange admin center:

  1. Sign in to Microsoft Exchange admin center with your administrator credentials.
  2. Go to Mail flow > Rules.
  3. Select Add a rule:

    Adding a new transport rule in Exchange admin center

  4. From the dropdown, select Create a new rule.
  5. In the Set rule conditions step, enter the following details:
    • Name: Add a descriptive name for your rule.
    • Apply this rule if: Select The sender and is external/internal.
      • In the select sender location dialog, select Inside the organization. Select Save to continue.
    • Do the following: Select Redirect the message to and the following connector.
      • In the select connector dialog, select the connector you created in Part 1. Select Save to continue.
    • Except if: Select The message headers... and matches these text patterns.
      • Select Enter text then, in the specify header name dialog, enter X-Coro-Relay-Domain. Select Save to continue.
      • Select Enter words then, in the specify words or phrases dialog, enter your email domain. Select Save to continue.

    setting rule conditions

    Select Next to continue.

  6. In the Set rule settings step, enter the following settings:
    • Rule mode: Select Enforce.
    • Severity: Select Not specified.
    • Leave all checkboxes disabled.
    • Match sender address in message: Select Header.
    • Comments: (Optional) Add any further information you need.

    Adding rule settings

    Select Next to continue.

  7. In the Review and finish step, review your settings.
  8. Select Finish.

    Exchange creates your new rule based on the settings you provided.

  9. Locate your new rule and select it.

    Exchange shows a dialog of your rule configuration.

  10. Enable the rule:

    Enabling the rule

    After a short wait, Exchange shows a banner with the updated rule state.

  11. Close the rule configuration dialog.
  12. Refresh the browser page to reload the rule list. Make sure the new rule has a Status of Enabled.

Other third party Mail Transport Agents (MTAs)

Request technical support from the service provider to add Coro's Outbound Gateway as an outbound gateway proxy.

Configuring your Coro workspace

After you have configured your DNS and email service, enable the Outbound Gateway in your Coro workspace. This process takes place inside the Coro console.

Before you begin this procedure, make sure you have the following:

  • Your email domain name
  • A configured default email app on your local device capable of sending external emails

To enable the Outbound Gateway:

  1. Sign in to the Coro console.
  2. From the sidebar, select Control Panel to access the Control Panel.
  3. Select Gateway Settings:

    Gateways

  4. Select Outbound Gateway:

    Outbound gateway tab

  5. Select + ADD DOMAIN:

    Add a domain

    Coro displays the Add Outbound Gateway dialog:

    Add a domain for the Outbound Gateway

  6. Enter your email domain, then select ADD.

    Before you can use the gateway, Coro displays a dialog requesting you test the connection by sending a verification email:

    Send a verification email through the Outbound Gateway

  7. Select Click here to send a verification email.

    Coro opens your device's default email app and prepopulates a new email with the required details. For example:

    Default email app

    Important

    Do not change the To address. Coro uses this address to observe receipt of the email, confirming that the test was successful.

  8. Send the email, then return to the Coro console. Select CONFIRM to acknowledge:

    Confirm you sent the test email

    Coro displays a dialog confirming that the test is now running:

    Confirm you sent the test email

  9. Select DONE to close the dialog.

Coro checks for receipt of the test email at five-minute intervals. During this time, Coro shows your new domain in the Outbound Gateway tab with a Test status of Pending:

Domain added with test status of pending

After Coro confirms receipt of the test email, this status changes to Passed:

Domain added with test status of pending

This completes configuration of the Outbound Gateway. Coro is now monitoring and protecting your outbound email.

Coro displays the current status of the Outbound Gateway in a banner at the top of the User Data Governance > Monitoring tab:

User Data Governance - Monitoring tab

Rerunning the connection test or changing your settings

Coro provides the following options for an added domain through the corresponding three-dot menu:

Domain menu

  • Edit: Change the domain and retest the connection.
  • Test: Repeat the connection test.
  • Remove: Delete the domain and remove the connection to the Outbound Gateway.