Sophos Email customers using IP-based mailflow rule connectors must migrate to certificate-based configuration by March 31st. To see if you're affected Click Here.

Sophos Email: Google Selective Mail Flow Routing

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.


This Recommend Read shows you how to create routing that only applies to a group of users using Google Workspace and have the email destined for that group of users routed to/from Sophos Central Email processing.



DNS Configuration

Set your MX record to point to Google


1 hour


Create Host Entry for Sophos Central

In google go to Apps > Google Workspace > Setting for Gmail > Hosts

Note: Set to proper region from Sophos Email

Create a Group of Users in Google Admin



Create a group for the users you wish to have email redirected for.
Ensure that you have configured Google Directory sync for this group of users in Sophos Central or all messages will be rejected.

Default Routing

Apps > Google Workspace > Settings for Gmail > Default Routing

Create a route that works for the Group membership.
Select Add custom headers, create a custom header like X-GroupName value 1 ( value can be anything, we are not using the value just the header name later)

Compliance header check

Create the rule based on  the header created earlier X-GROUPNAME : Location Full headers and contains text: X-GROUPNAME then select Change route to Normal Routing (this prevents a loop)


  • For split delivery outbound
  • There should be no Outbound Gateway in Routing
  • Just like for Inbound this focuses on Groups
  • Only messages sent from the Group created for Inbound will be send via Central
         This allows for filtering for Malware
         Data Control Policies
         Secure Message Policies
         Removal of smart banners

Create Hosts in Google Admin

In Sophos Central go to My Products > Email Protection > Settings > Domain Settings/ Status > Configure External Dependencies > Outbound Settings  and make a note of the Outbound Relay Host

In Google go to Apps > Google Workspace > Settings for Gmail > Hosts

Setup Routing

In google go to > Apps > Google Workspace > Settings for Gmail > Routing

Create route to the host created (Sophos Central), select Outbound, add custom header, select Change route, select the host created, bypass spam filter, Show Options, pick Users and C. Envelope Filter > Only affect specific senders > Group based on earlier created group used for Inbound.

Note: Allow 15-20 minutes for changes to take affect when creating groups and up to 3-5 minutes when creating the various policies.

Note: Google states Groups could take 24 hrs. 

Added TAGs
[edited by: Raphael Alganes at 9:30 AM (GMT -7) on 17 Apr 2024]