Watch the video to understand how this tool works.
Table of Contents
How to keep track of G Suite mail server IP addresses
In this blog post you will learn how to access and track the IP addresses of the G Suite mail servers. You can either do it manually by running DNS lookup commands, or you can use a Google Sheets tool described here.
In 2019, more than 293 billion emails are being sent worldwide every day, and the figure is projected to grow to 347 billion by the end of 2023 (source). Gmail has over 1.5 billion active users worldwide, according to Statista.
So, you can very well understand the quantity of incoming and outgoing emails the Gmail servers, that are basically the backbone of G Suite email servers, must have to handle on a daily basis.
To handle this massive traffic, Google maintains a global infrastructure that scales dynamically as per the demand. These are email servers. Email servers are used to handle incoming and outgoing traffic.
Every email server has a unique IP address. Since these email servers are randomly chosen to handle email traffic, your emails need to interact with multiple IP addresses on different occasions.
The same is the case with G Suite. When using G Suite, you need to set up an email account (or multiple email accounts according to the needs of your organization or business) for your domain.
When you send emails to your customers, clients and business partners, their email clients, they want to make sure that the email is actually coming from you and not from a spammer. You do this by adding an SPF record to your domain
SPF stands for “Sender Policy Framework”, to summarize, this is the way for you to tell your recipient email servers about the email servers you authorize to send emails on your behalf.
This way your recipient email servers can check if the email came from your authorized email server or not.
You can watch my video guide on G Suite SPF record for better understanding.
There is no definitive list of your G Suite mail server IP addresses. As mentioned above, these servers are randomly picked according to the demand.
Hence, even if you have a list of the G Suite mail server IP addresses, sometimes a list may change. It doesn’t happen often but if and when it does, it may stop certain emails from reaching destination in boxes. For such a case scenario, it is advisable that you have a system of tracking your G Suite mail server IP addresses in cases where instead of using SPF, you are relying on the list of G Suite block IP addresses.
Why do you need to track G Suite IP addresses ?
An example of why you would need to access and track a list of G Suite mail server IP addresses
My Use Case -: Email Outbound Gateway
- An example of why you would need to access and track a list of G Suite mail server IP addresses
Suppose you’re using an external email outbound gateway.
You may want to set up an outbound gateway server with your G Suite account to route all outgoing messages from your domain for the purpose of spam filtering or archiving.
An external email outbound gateway gives you more control over what types of messages are allowed to go to your recipients from your domain so that if a spam or a phishing attack is attempted using your domain, it can be stopped before it passes through the external email outbound gateway. Such an attack, if left unchecked, can cause irreparable damage to your business and brand.
You can set up rules in your email outbound gateway service to process email messages before they are delivered so that messages carrying certain attachments and bits of information are not allowed to pass through.
Most of the outbound mail gateway servers need you to supply a list of approved IP addresses through which email messages can be accepted.
These are white-listed server IP addresses.
You have to manually enter all the G Suite mail server IP addresses that should be allowed to relay email messages. This way the spammers won’t be able to use your gateway for open email relay.
If the IP address from where the email is coming does not already exist at the outbound mail gateway server list of approved IP addresses, the email will not be allowed to go further.
The problem is, since the IP addresses under your SPF record may change (because G Suite scales the servers up and down according to the demand at a particular point), in case there are a few IP addresses that haven’t yet been entered in your outbound mail gateway server account, the emails originating from these IP addresses will be stopped, even the legitimate ones.
Hence, you need to keep track of the changes and keep updating the list.
To enter all these G Suite mail server IP addresses so they are white-listed and approved, two things are needed
- The current list of G Suite mail server IP addresses.
- A way of finding out if the list has changed so that it can be updated on your outbound mail gateway server side.
G Suite IP Tracker
In this section, I will talk about how this utility can help you get and track IP ranges behind G Suite.
So What is G Suite IP Tracker?
G Suite IP Tracker is a free utility built with Google Apps Script which helps you easily get list of all G Suite IP addresses, automatically track changes in them, and notify G Suite Administrators in case of any changes found.
Getting G Suite SMTP Server IP addresses manually (painful)
Although you can manually get the G Suite IP addresses that your G Suite account currently uses, accessing this list manually, regularly, might be cumbersome and prone to mistakes.
This manual method is as per Google support documentation page here https://support.google.com/a/answer/60764?hl=en
You can obtain a list of the current G Suite IP addresses by using the DNS lookup command like nslookup, dig, host and retrieve SPF records for your domain. For example, to retrieve the SPF records for the domain _spf.google.com you would use the following command:
nslookup -q=TXT _spf.google.com 184.108.40.206
This gives you a list of all the domains included in Google’s SPF records such as _netblocks.google.com, _netblocks2.google.com, _netblocks3.google.com.
After this, you can, turn by turn, look for the DNS records associated with these domains, one at a time:
nslookup -q=TXT _netblocks.google.com 220.127.116.11
nslookup -q=TXT _netblocks2.google.com 18.104.22.168
nslookup -q=TXT _netblocks3.google.com 22.214.171.124
You can replace “google.com” with your own domain.
As you can see, if done manually, you will need to run these commands every day, or at least, whenever you want to seek out an updated list of your G Suite IP addresses.
To help you refresh your list everyday or to make sure that there are no changes that need to be done in your outbound mail gateway server list of white-listed IP addresses, you can use my G Suite IP tracker script that I have built using App Script.
Once you have installed it in your own G Suite account using Google Sheets, it will automatically run at a set interval to fetch the list of your G Suite mail server IP addresses, compare it with the last updated list, and in case there is a change, notify you by mail in case a change is detected.
How does G Suite IP Tracker work?
- Let’s suppose I want to track the progress of my weight loss effort.
- I take my weight for the first day and note it somewhere.
- Then the next day I again take my weight and compare it with my weight from the previous day.
- For comparison, I need yesterday’s weight and today’s weight.
- We follow the similar logic while tracking the G Suite mail server IP addresses to make sure that we have an updated list.
- Fetch the list of G Suite mail server IP addresses for the first time in one column.
- You copy this list to the adjacent columns so that the next day this column can be compared when the list of G Suite email IP addresses is fetched again or refreshed.
- The second day, the script again extracts the list of G Suite mail server IP addresses and compares it with the list in the adjacent column (mentioned in point 7 above).
- If there is no change, nothing happens.
- If a change is detected, the new IP address is mentioned in a third, dedicated column.
- An email is sent to you (or to a designated group) notifying you of the changes detected.
G Suite IP Tracker - Installation
In this section, I will tell you how to install this utility in your domain, so you can get a list of Google IP addresses, and can also easily track changes in them.
Step 1 -: Login to Google Account
Log into your G Suite (or Gmail) account and go to your Google Sheets section. This is the account you will be using to track your G Suite mail server IP addresses. This is also needed for authentication.
Step 2 -: Go to iptracker.goldyarora.com
The web page will prompt you to copy the IP tracker script onto your own G Suite account.
Step 3 -: Copy Scripts Sheet
Click the “Make a copy” button and it creates a Google Sheets copy under your account.
Don’t worry about a blank worksheet. You will need to execute some menu commands to fetch the G Suite mail server IP addresses.
The new commands must appear under the “Add-ons” menu. It may take a few seconds for the new commands to appear. Once they do, you will have the following addition to the “Add-ons” menu:
Step 4 -: Setup Sheet
Go to the IP Tracke for G Suite from the add-on menu and click on “1. Setup Shets”.
This will make all the necessary connections and also fetch you the needed authorization, along with creating a dedicated worksheet to handle all the information.
Step 5 -: Authorize Script
In the proceeding screen the script asks you to choose the G Suite account that you would like to use with this particular sheet.
Once you have chosen your preferred G Suite account, it will ask for various permissions that you give to the script.
As you can see, the G Suite IP tracker script needs the following permissions from you:
- Edit, create and delete your spreadsheets in Google Drive (for the purpose of altering the sheet you have just created).
- Connect to an external service (in this case, the DNS command to the G Suite servers to get the IP addresses).
- Send email as you (the script should be able to send an email when a change in the list is detected).
Once you have given the authorization, the changes in the spreadsheet are implemented.
As you can see, all the needed columns are created including
- G Suite IPs (the list that is fetched through the DNS command).
- Your Outbound Gateway IPs (the saved list or updated list to which the list in the G Suite IPs will be compared).
- Difference/s Detected (in case new or altered IP addresses are found).
- Group Email Address to Notify.
Step 6 -: FETCH G SUITE IP RANGES
This fills up the leftmost column with all the fetched G Suite IP addresses.
Step 7 -: Copy CIDRs to outbound column
Now copy all the IP ranges from “G Suite IPs” column and paste them in “Your Outbound Gateway Ips ” column, with this, you are assuring yourself that you have added these IP ranges in your outbound gateway.
The first time, and until values in the first column don’t change, these values are going to be the same. The next time “2. Get G Suite IPs” is run, the just-fetched values will be compared with the adjacent column.
Before proceeding, you would also like to add an email ID to the “Group Email Address to Notify” column on the extreme right, so that in case a difference is detected, a notification can be sent to the concerned person or persons.
Step 8 -: Copy CIDRs to outbound column
For the first time, you can run the command manually and detect the differences, if any, between the first two columns. Use the following command path:
Add-ons > IP Tracker for G Suite > 3. Compute Differences
For the first time, since there might not be any differences, nothing will appear.
Step 9 -: Test the script
Test-run the script by inserting a new CIDR manually (e.g ip4:1126.96.36.199/32)
Note, please make sure to put the IP range as per the formatting in column one (e.g do include ip4: before the CIDR) as shown in the screenshot below.
After this, when you run the “3. Compute Differences” command, you will get the following results in the spreadsheet:
Step 10 -: Automate the script
Now you need to run the script automatically.
App Script allows you to executive the commands at a set interval of time so that the updated IP addresses can be fetched from the DNS server and then the new list can be compared with the list previously generated.
For this, you can use the Google apps triggers functionality.
Go to the script editor using the following command path:
Tools > Script editor
This opens a new browser tab and you can access the area where you can edit the code of the scripts or modify their behaviour.
On the left-hand side panel you can see the names of all the scripts that have been installed in your G Suite Google Sheets sheet and on the right-hand side you can see the source editor.
Here is a quick primer on what the individual script does:
- Menu.gs – It is executed for the first time when you setup the sheet. It creates the menu items under the Add-ons menu option.
- Sheets Manager.gs – It inserts the sheet where all the action takes place.
- Get Netblocks.gs – Makes the DNS call to get the netblocks behind _spf.google.com
- Get G Suite IPs.gs – It queries all of the netblocks one by one and get the list of all IP ranges behdind each netblock.
- Compute Differences.gs – Checks if there are differences between the previously saved list of IP addresses and the newly acquired list, and if differences are detected, send an email to the group (or user) email address provided in the sheet.
- Get GCP IPs.gs –Fetches the GCP IP addresses in case in you need it, I haven’t put added it in the menu, but you can run it from the script editor itself.
Now, two scripts can be automatically triggered at set intervals.
Click the clock icon.
In the preceding screen, click the “Add Trigger” button at the bottom right corner.
Triggers are basically events that are initiated automatically when another event takes place. For example, for our current IP tracker script, we want its modules to execute automatically at a particular time of the day.
I have written the modules in App Script because one, it readily interacts with Gmail and G Suite email and two, since it is hosted on the Google Cloud I don’t need to invest in my own Virtual machine to keep the script running so that it performs certain actions at designated times (for this, the script needs to remain in action 24 x 7).
Make the appropriate selections in the proceeding screen. The entire automation process is menu-driven.
To be able to get the G Suite mail server IP addresses every day and then compare them with the existing list, you will need to add 2 triggers.
The first trigger is to automatically kick start the getGSuiteIps script function.
First select the script you want automated, in this case it would be getGSuiteIps.
In the option “Choose which deployment should run” let it be “Head”.
For “Select event source” you can select “Time-driven” because the script should be executed at a particular time of the day.
Let it be “Day timer” for the “Select type of time based trigger” because you want the script to execute once a day.
For the time, you can select “5 AM to 6 AM”.
In the last option, you can instruct the interface to notify you immediately in case there is a problem in the execution of the script.
That’s it. You can click Save and now this script will be executed every morning between 5 AM and 6 AM and the first column of your spreadsheet will be updated with a fresh set of G Suite mail IP addresses.
The second Trigger is for the computeIpDifferences module. Again click the Add Trigger button, and in the preceding screen, make the following choices:
Select the name of the module from the drop-down options computeIpDifferences.
For the “Choose which deployment should run” select “Head”.
For the next drop-down, let the event source be “Time-driven” which means it should be initiated based on the time of the day.
Choose “Day timer” for the “Select type of time-based trigger” because you want the trigger to activate on a daily basis rather than weekly, monthly or yearly basis.
Since the first model you had selected “Select time of the day” as 5 AM to 6 AM, this time, you can select 6 AM to 7 AM.
Select “Notify me immediately” so that in case there is a problem executing the trigger, you are notified.
Click Save to save the second trigger.
Now onwards, every morning, a fresh list of your G Suite email IP addresses will be fetched and then this list will be compared with the list that was generated the previous day and if a difference is detected, you will be immediately notified.
Most frequent questions and answers about G Suite IP Tracker
You do not. All you need is access to Google Sheet, so it can be your personal @gmail account or G Suite account.
This tool can be run with both.
Once you copy the script, all the scripts will be local to you then, and will run in your Google or G Suite environment.
It has no connection anymore to my original script.
Ask it in the comments below, and I would try to answer it (if i can) as soon as I get time.