The Google Apps antispam system uses a unique means of allowlisting. Customers on shared IPs should allowlist Marketo's entire sending ranges, because we sometimes need to move customers between IPs for technical reasons. The way to allowlist a range in Google Apps is to configure a manual IP block with a pass through.


G Suite enables you to specify an IP address or range of addresses within a domain, and allow messages from those addresses only. This feature is sometimes referred to as IP lock. In G Suite, you set up this feature in the Content compliance setting.

IP lock is a method that readily enables an administrator to simultaneously whitelist all incoming traffic from a particular domain while equally preventing spoofing by manually defining the allowed IP ranges. The following instructions are particularly useful with domains that do not have an SPF record and/or use third party applications to legitimately spoof their address.

Setting up IP lock with the Content compliance setting includes three separate procedures: Adding the domain, defining the allowed IP range, and setting the correct disposition and NDR.


See this page of Google documentation for more information:

Enforce 'IP lock' in G Suite - G Suite Administrator Help

Instead of using a CIDR range, this interface asks for the first and last IPs in the given range. Here are ours: - - - - - - - - - - - -


Is this article helpful ?


Labels (1)