Skip to main content
Skyhigh Security

Set up Inline DLP for Gmail

IMPORTANT: Before setting up Gmail Inline DLP, you must open a support ticket, and request assistance in pre-configuring your tenant.


Step 1: Create a Gmail Instance in Skyhigh CASB 

  1. Log in to Skyhigh CASB.
  2. Go to Settings > Service Management.
    service management.png
  3. Click Add Service Instance.
  4. Select Gmail, enter a name for this new instance, and click Done.
  5. To configure the instance, click Configure.
  6. Activate the Data Loss Prevention (DLP) to ensure compliance checkbox, and under Email DLP Mode, select Inline Only.
    inline Only.png
  7. Review the prerequisites, and activate I have reviewed all prerequisites checkbox.
  8. Make sure the following are complete:
  • Domains. Populate with all public domains configured with the Google Suite tenant. Make sure that the domains belong to your tenant and are not common public domains.

NOTE: Skyhigh CASB Inline DLP for Gmail supports emails only from your organization's email domains and not from public domains. For example, you must not add or domains.

  • Take a note of the Skyhigh CASB Email Service Domain. You will need this later.
  • Select the checkbox confirming you've configured Gmail, as you need this in the next step. clipboard_e05345a472c017d6dbaf63f1200c48420.png
  1. Review the settings, and click Done.

Step 2: Configure Gmail to Route Email to Skyhigh CASB 

  1. Log in to Google Suite admin (, and go to Apps.
  2. Select Google Workspace.
  3. Select Gmail
  4. Scroll down and select Hosts.
  5. On the Hosts tab, click ADD ROUTE.
  6. Enter the following details for the new mail route:
    • Enter a name
    • Enter the single host as captured earlier (Skyhigh CASB Email Service Domain).
    • Enter port 25.
    • Disable MX lookup and Require secure transport TLS.

NOTE: Do not enable Require secure transport (TLS) because it requires communication between the email servers initiated with TLS. Skyhigh CASB uses START-TLS instead, which initiates communication with standard SMTP. Then upgrade to TLS after the connection is set up.




  1. Select the Settings for Gmail tab, and click Compliance.
    7inline new.png
  2. Under the Content compliance section, click CONFIGURE .

  3. Configure the rule as follows:
    • Enter a name for the rule (for example, Skyhigh CASB DLP).
    • Select Outbound.
    • Select Internal - sending to enable scanning for internal emails, sent from GMail to the Skyhigh CASB PoP. Click ADD.
    • Advanced content match. Full headers, Not contains text, "X-SHN-DLP-SCAN: success".
    • Change Route and select the host created earlier.
    • More options:
      • Select Users and Groups as the account type to affect.
      • IMPORTANT: If this is a production environment, apply this rule to a test user/group so all mailboxes are not impacted.

IMPORTANT: Do not save the configuration yet.


  • To enable DLP for specific users or mail groups, configure the following:
    • Under Envelope filter, select Only affect specific envelope senders.
    • Select Group membership (only sent mail) to enable DLP for mail groups.
    • Click Select groups, and select the required mail groups.
    • Click Save.
  1. Under the Settings for Gmail, select Routing.
    10 inline.png
  2. Find the SMTP relay service and click CONFIGURE.
  3. Configure the SMTP relay service rule as follows:
    • Enter a name for the rule (for example,  Skyhigh CASB DLP).
    • Allowed Senders. Set to Only addresses in my domains.
    • Authentication. Select Only accept mail from the specified IP addresses and enter the following based on the environment. 
    • You must add each IP address to the list as in the following Gmail rule:
Skyhigh CASB Source IP Addresses
United States Canada EU GOV
  1. Encryption: Set Require TLS encryption and click SAVE.
  2. Once saved, you can view the compliance and SMTP relay configurations.
  3. Under the Settings for Gmail tab, select Spam, Phishing and Malware.
  4. Under Email allowlist, click the Edit icon.
    Email allow list.png
  5. Add the IP addresses that were added in the Step 12 based on your environment separated by commas.
  6. Click SAVE.
    IP allowlist.png
  7. Once saved, you can view the following message.

Step 3: Configure a DLP Rule

  1. In Skyhigh CASB, go to Policy> DLP Policies, and add a new rule applied to Gmail. An example is shown below.
    • Type: API
    • Active: ON
    • Services: Gmail instance you created earlier
    • Action: Block email
      policy data.png

​​​​​NOTE: The only actions supported are Generate Incident or Block Email.


Step 4: Test the Configuration

  1. Log in to Gmail using a user account, and send an email with content that will trigger the configured DLP rule.
  2. Confirm that the email is NOT received by the recipient.
  3. Confirm that a policy incident is created and the action blocked the email.
  • Was this article helpful?