Skip to main content
McAfee Enterprise MVISION Cloud

Set up Inline Gmail DLP

IMPORTANT: Before setting up Gmail Inline DLP, you must open a support ticket and request assistance in pre-configuring your tenant.

Step 1: Create a Gmail Instance in MVISION Cloud 

  1. Log in to MVISION Cloud.
  2. Go to Settings > Service Management.
    service management.png
  3. Click Add Service Instance.
  4. Select Gmail, enter a name for this new instance, and click Done.
  5. To configure new instance, click Configure.
  6. Activate the Data Loss Prevention (DLP) to ensure compliance checkbox, and under Email DLP Mode, select Inline Only.
    inline Only.png
  7. Review the prerequisites and activate I have reviewed all prerequisites checkbox.
  8. Make sure the following are complete:
    • Domains. Populate with all public domains configured with the Google Suite tenant.
    • Take a note of the MVISION Cloud Email Service Domain. You will need this later.
    • Select the checkbox confirming you've configured Gmail, as you need this in the next step. 
  9. Review the settings and click Done.

Step 2: Configure Gmail to Route Email to MVISION Cloud 

  1. Log in to Google Suite admin ( and go to Apps.
    google admin.png
  2. Select G Suite.
    G Suite.png
  3. Select Gmail
    gs gmail.png
  4. Scroll down and select Advanced settings.
    advanced settings.png
  5. Select the Hosts tab. Then select ADD ROUTE.
  6. Enter the following details for the new mail route:
    • Enter a name 
    • Enter the single host as captured earlier (MVISION Cloud Email Service Domain).
    • Enter port 25.
    • Disable MX lookup and Require secure transport TLS .

NOTE: Do NOT enable Require secure transport (TLS) because it requires communication between the email servers initiated with TLS. MVISION Cloud uses START-TLS instead, which initiates communication with standard SMTP. Then upgrade to TLS after the connection is set up.


Host Actions.png

  1. Select the General Settings tab. Under Compliance section, find the Content compliance and click CONFIGURE. (Use  the mouse to hover over Content compliance, the CONFIGURE button will then appear.)
    gen settings compliance.png
    content compliance.png
  2. Configure the rule as follows:
    • Enter a name for the rule (for example, MVISION Cloud DLP).
    • Select Outbound.
    • Select Internal - sending to enable scanning for internal emails, sent from GMail to the MVISION Cloud PoP.
    • Advanced content match. Full headers, Not contains text, "X-SHN-DLP-SCAN: success".
    • Change Route and select the host created earlier.
    • More options:
      • Select Users and Groups as the account type to affect.
      • IMPORTANT: If this is a production environment, apply this rule to a test user/group so all mailboxes are not impacted.
        mod message.png
        hide options.png

IMPORTANT: DO NOT save the configuration yet.

  1. Scroll down to the Routing section and find the SMTP relay service and click CONFIGURE.
  2. Configure the SMTP relay service rule as follows:
    • Enter a name for the rule (for example,  MVISION Cloud DLP).
    • Allowed Senders. Set to Only addresses in my domains.
    • Authentication. Select Only accept mail from the specified IP addresses and enter the following based on the environment. 

MVISION Cloud source IP addresses (you need to add each IP address to the list in the GMail rule):

  • PROD:,,,
  • EUPROD:, 
  • GovCloud:,
  1. Encryption: Set Require TLS encryption
    TLS encryption_b.png
  2. Select SAVE to apply both the compliance and SMTP relay configurations.
    relay config.png

Step 3: Configure a DLP Rule 

  1. In MVISION Cloud, go to Policy> DLP Policies, and add a new rule applied to Gmail. An example is shown below.
    • Type: API
    • Active: ON
    • Services: Gmail instance you created earlier
    • Action: Block email
      policy data.png

​​​​​NOTE: The only actions supported are Generate Incident or Block Email.

Step 4: Test the Configuration

  1. Log in to Gmail using a user account, and send an email with content that will trigger the configured DLP rule.
  2. Confirm that the email is NOT received by the recipient.
  3. Confirm that a policy incident is created and the action blocked the email.
  • Was this article helpful?