Configuring an outbound gateway for email scanning

This article describes how to configure Coro's Outbound Gateway for your email service. As part of Coro's User Data Governance module, an outbound gateway enables Coro to scan outgoing emails from your organization for exposure and sharing of monitored sensitive data in line with your configured data loss prevention policies.

Note

For information on Coro's Inbound Gateway, see Introducing the Inbound Gateway.

Setting up an outbound gateway requires changes to an organization's own DNS and email infrastructure, as well as enabling the gateway inside your Coro workspace.

To learn more about Coro's User Data Governance module, see Introducing User Data Governance. To learn more about configuring the detection mode and sensitive data types, see Configuring data governance settings.

Summary of steps required

To set up the Coro Outbound Gateway to scan your outgoing emails, you must perform some configuration steps in your email and DNS services before you can configure your Coro workspace. You need to:

Note

Given the potential for service disruption during this process, Coro recommends scheduling these changes at a time of least impact.

Prerequisites

Before you begin, make sure you have the following information:

  • Coro’s Outbound Gateway host details. Contact Coro Support for details.
  • Coro’s Outbound Gateway SPF domain: _spf.coroep.com
  • The identity of your email service provider.
  • Your email domain.

Configuring your email domain DNS settings

To ensure your email service does not treat messages received from Coro's Outbound Gateway as spam, add the gateway domain to the SPF record in the DNS configuration for your email domain.

This section provides a general example of the configuration you need to add in your domain provider's management console, as well as a specific guide for Google Domains Service.

General example

Add Coro's Outbound Gateway SPF domain to the TXT record in your DNS configuration, alongside your mail provider's original IP address (if the record originally included one) and SMTP server, using the format:

v=spf1 include:_spf.coroep.com ip4:52.14.71.218 include:emailsvr.com ~all

In this example, 52.14.71.218 and emailsvr.com are the original IP address and SMTP server for your email service.

To configure your DNS, add or update the relevant record with this content. For example:

Outbound Gateway DNS SPF record example

Google Domains Service

To configure the SPF TXT record in Google Domains Service (for organizations that registered their domains using Google DNS):

  1. Sign in to Google Domains Service ( https://domains.google.com/ ) with your administrator credentials.
  2. Select your domain, then select Manage :

    Configuring Google DNS

  3. Select DNS .
  4. (Recommended) Back up the current DNS settings as a precaution by selecting Export DNS records .
  5. Select Manage Custom Records > Create new Record , or change an existing record if one was already added.
  6. Configure the following settings:
    • Type : Select TXT .
    • TTL : Enter 3600 .
    • Data : Add Coro's Outbound Gateway SPF domain together with Google's SPF domain, using the format:
      v=spf1 include:_spf.coroep.com include:_spf.google.com ~all

    Outbound Gateway DNS SPF record example

  7. Select Save .
  8. (Optional) If Google requests confirmation of overwriting an existing configuration, select Yes .
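
The following Python check is an added example, not part of Coro's documentation or tooling. It lints a domain's TXT records after the merge described in the General example and Google Domains steps above; the function names and the sample record sets are constructed for illustration, and only the top-level record is inspected.

```python
CORO_SPF = "_spf.coroep.com"  # gateway SPF domain given on this page

def costs_lookup(term):
    """True if the term triggers a DNS query counted toward RFC 7208's limit of 10."""
    t = term.lstrip("+-~?").lower()
    return t in ("a", "mx", "ptr") or t.startswith(
        ("include:", "exists:", "redirect=", "a:", "a/", "mx:", "mx/", "ptr:"))

def check_spf(txt_records):
    """Return a list of problems in a domain's TXT records (empty list means OK)."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no v=spf1 record published"]
    if len(spf) > 1:
        # Adding a second TXT record instead of editing the existing one
        # makes SPF evaluation return permerror (RFC 7208 section 4.5).
        return [f"{len(spf)} v=spf1 records found; merge them into one"]
    terms = spf[0].split()[1:]
    problems = []
    if not any(t.lstrip("+").lower() == f"include:{CORO_SPF}" for t in terms):
        problems.append(f"include:{CORO_SPF} is missing")
    # Top-level count only: lookups inside nested includes also count
    # toward the limit but need live DNS to resolve.
    lookups = sum(costs_lookup(t) for t in terms)
    if lookups > 10:
        problems.append(f"{lookups} DNS-lookup terms; the limit is 10")
    all_at = [i for i, t in enumerate(terms) if t.lstrip("+-~?").lower() == "all"]
    if all_at:
        # Modifiers (name=value) may follow 'all'; mechanisms may not.
        if any("=" not in t for t in terms[all_at[0] + 1:]):
            problems.append("mechanisms after 'all' are never evaluated")
        elif terms[all_at[0]].lower() in ("all", "+all"):
            problems.append("'+all' authorizes every sender")
    elif not any(t.lower().startswith("redirect=") for t in terms):
        problems.append("no 'all' or redirect=: unmatched senders get neutral")
    return problems

# Constructed inputs: the two records shown on this page, a domain where the
# include was never merged, and the duplicate-record mistake.
GENERAL = ["v=spf1 include:_spf.coroep.com ip4:52.14.71.218 include:emailsvr.com ~all"]
GOOGLE = ["site-verification=constructed-value",
          "v=spf1 include:_spf.coroep.com include:_spf.google.com ~all"]
NOT_MERGED = ["v=spf1 include:_spf.google.com ~all"]
DUPLICATE = NOT_MERGED + ["v=spf1 include:_spf.coroep.com ~all"]

if __name__ == "__main__":
    for name in ("GENERAL", "GOOGLE", "NOT_MERGED", "DUPLICATE"):
        print(name, check_spf(globals()[name]) or "OK")
```

To run it against a live domain, pass in the TXT strings returned by your DNS lookup tool of choice instead of the constructed lists.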

Configuring your original mail provider

Coro's Outbound Gateway operates with the following email providers:

Gmail

To configure Gmail to work with Coro's Outbound Gateway, perform the following two-part procedure:

Part 1: Add an Outbound Gateway route

  1. Sign in to Google Workspace Admin with your administrator credentials.
  2. From the Admin console menu, select Apps > Google Workspace > Gmail > Hosts .
  3. Select Add Route :

    Add route in Gmail Hosts

    Gmail displays the Add mail route dialog.

  4. Enter the following details:
    • Name : Enter a route name for the Outbound Gateway.
    • Specify email server : If Coro Support supplies one hostname or IP address for the Outbound Gateway in your circumstances, select Single host. If you receive multiple hostnames or IP addresses, select Multiple hosts.
    • Enter host name or IP : Enter the specified Outbound Gateway hostname or IP address. Specify port 25 for all entries (unless instructed otherwise by Coro Support).
    • Options : Disable all checkboxes.

    Add mail route dialog

  5. Select SAVE .

Part 2: Set up the Outbound Gateway route in Gmail

  1. From the Admin console menu, select Apps > Google Workspace > Gmail > Routing .
  2. In the left pane, select your top-level organization.
  3. Locate Routing and select CONFIGURE (or ADD ANOTHER ROUTE if you have existing routing in place):

    Configure routing in Gmail

    Gmail displays the Add setting dialog.

  4. Enter the following details:
    • Routing : Enter a name or description for the routing setting.
    • Email messages to affect : Select Outbound and Internal - Sending .
    • For the above types of messages, do the following : Select Modify message .
    • Route : Select Change route .
    • Normal Routing : Select the Outbound Gateway route you created in Part 1 .

    Configure routing in Gmail

  5. Select SAVE .

Microsoft 365

To configure Microsoft 365 (M365) to work with Coro's Outbound Gateway, perform the following two-part procedure:

Part 1: Create an email flow connector

Create an email flow connector for Coro in Microsoft Exchange admin center:

  1. Sign in to Microsoft Exchange admin center with your administrator credentials.
  2. Go to Mail flow > Connectors .
  3. In the Connectors page, select + Add a connector :

    Adding a new mail flow connector

    Exchange admin center displays the Add a connector dialog, starting at the New connector step.

  4. Select the following options:
    • Connection from : Select Office 365 .
    • Connection to : Select Partner organization .

    Select Next to continue.

  5. In the Name step: Add a name (and optional description) describing the outbound mail connection.

    Select Next to continue.

  6. In the Use of connector step, select Only when I have a transport rule set up that redirects messages to this connector.

    Select Next to continue.

  7. In the Routing step, select Route email through these smart hosts , then enter the hostnames or IP addresses of the Outbound Gateway provided to you by Coro Support.

    Select Next to continue.

  8. In the Security restrictions step, make sure Always use Transport Layer Security (TLS) to secure the connection is enabled, then select Any digital certificate, including self-signed certificates .

    Select Next to continue.

  9. In the Validation email step, enter a valid email address in your domain at which to receive a validation email to test the connector. Then, select Validate .

    Review your email inbox to confirm and validate the email test.

    Select Next to continue.

  10. Use the Review connector step to confirm your connector settings:

    Reviewing the new mail flow connector settings

  11. Select Create connector .

M365 creates your new connector based on the settings you provided.

Important

Make sure to enable the new connector before proceeding to part 2.

Part 2: Add rules

Add rules for the new mail flow connector in Microsoft Exchange admin center:

  1. Sign in to Microsoft Exchange admin center with your administrator credentials.
  2. Go to Mail flow > Rules .
  3. Select Add a rule :

    Adding a new transport rule in Exchange admin center

  4. From the dropdown, select Create a new rule .
  5. In the Set rule conditions step, enter the following details:
    • Name : Add a descriptive name for your rule.
    • Apply this rule if : Select The sender and is external/internal .
      • In the select sender location dialog, select Inside the organization . Select Save to continue.
    • Do the following : Select Redirect the message to and the following connector .
      • In the select connector dialog, select the connector you created in Part 1 . Select Save to continue.
    • Except if : Select The message headers... and matches these text patterns .
      • Select Enter text then, in the specify header name dialog, enter X-Coro-Relay-Domain . Select Save to continue.
      • Select Enter words then, in the specify words or phrases dialog, enter your email domain. Select Save to continue.

    setting rule conditions

    Select Next to continue.

  6. In the Set rule settings step, enter the following settings:
    • Rule mode : Select Enforce .
    • Severity : Select Not specified .
    • Leave all checkboxes disabled.
    • Match sender address in message : Select Header .
    • Comments : (Optional) Add any further information you need.

    Adding rule settings

    Select Next to continue.

  7. In the Review and finish step, review your settings.
  8. Select Finish .

M365 creates your new rule based on the settings you provided.

Other third-party Mail Transport Agents (MTAs)

Request technical support from the service provider to add Coro's Outbound Gateway as an outbound gateway proxy.

Configuring your Coro workspace

After you have configured your DNS and email service, enable the Outbound Gateway in your Coro workspace. This process takes place inside the Coro console.

Before you begin this procedure, make sure you have the following:

  • Your email domain name
  • A configured default email app on your local device capable of sending external emails

To enable the Outbound Gateway:

  1. Sign in to the Coro console .
  2. From the sidebar, select Control Panel to access the Control Panel .
  3. Select Gateway Settings :

    Gateways

  4. Select Outbound Gateway :

    Outbound gateway tab

  5. Select + ADD DOMAIN :

    Add a domain

    Coro displays the Add Outbound Gateway dialog:

    Add a domain for the Outbound Gateway

  6. Enter your email domain, then select ADD .

    Before you can use the gateway, Coro displays a dialog requesting you test the connection by sending a verification email:

    Send a verification email through the Outbound Gateway

  7. Select Click here to send a verification email .

    Coro opens your device's default email app and prepopulates a new email with the required details. For example:

    Default email app

    Important

    Do not change the To address. Coro uses this address to observe receipt of the email, confirming that the test was successful.

  8. Send the email, then return to the Coro console. Select CONFIRM to acknowledge:

    Confirm you sent the test email

    Coro displays a dialog confirming that the test is now running:

    Confirm you sent the test email

  9. Select DONE to close the dialog.

Coro checks for receipt of the test email at five-minute intervals. During this time, Coro shows your new domain in the Outbound Gateway tab with a Test status of Pending:

Domain added with test status of pending

After Coro confirms receipt of the test email, this status changes to Passed:

Domain added with test status of pending

This completes configuration of the Outbound Gateway. Coro is now monitoring and protecting your outbound email.

Coro displays the current status of the Outbound Gateway in a banner at the top of the User Data Governance > Monitoring tab:

User Data Governance - Monitoring tab

Rerunning the connection test or changing your settings

Coro provides the following options for an added domain through the corresponding three-dot menu:

Domain menu

  • Edit : Change the domain and retest the connection.
  • Test : Repeat the connection test.
  • Remove : Delete the domain and remove the connection to the Outbound Gateway.