>
    Strata Copilot
    Set Up the Email DLP Host
    Focus
    Download PDF
    Focus
    1. Home
    2. Enterprise DLP
    3. Administration
    4. Configure Enterprise DLP
    5. Email DLP
    6. Onboard Gmail
    7. Set Up the Email DLP Host
    Download PDF
    Enterprise DLP

    Set Up the Email DLP Host

    Table of Contents

    Set Up the Email DLP Host

    Create a route from Gmail to the Enterprise Data Loss Prevention (E-DLP) Email DLP host.
    On May 7, 2025, Palo Alto Networks is introducing new Evidence Storage and Syslog Forwarding service IP addresses to improve performance and expand availability for these services globally.
    You must allow these new service IP addresses on your network to avoid disruptions for these services. Review the Enterprise DLP Release Notes for more information.
    Where Can I Use This?What Do I Need?
    • Data Security
    • One of the following licenses that include the Enterprise DLP license
      Review the Supported Platforms for details on the required license for each enforcement point.
      • Prisma Access CASB license
      • Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
      • Data Security license
    • Email DLP license
    Enterprise Data Loss Prevention (E-DLP) requires you set up routing from Gmail to the Enterprise DLP Email DLP Host to allow Gmail to forward emails to Enterprise DLP for inspection and verdict rendering to prevent exfiltration of sensitive data.
    1. Log in to the Google Admin portal.
    2. In the Dashboard, select AppsGoogle WorkspaceGmailHosts and Add Route.
    3. Configure the Email DLP host.
      1. Enter a descriptive Name.
      2. In Specify email server, select Single host if not already selected.
      3. Enter the host name and port.
        Enterprise DLP requires adding the Email DLP host name for positive identification of the Enterprise DLP cloud service. The CA issuer FQDN you add must match the email routing FQDN you added in the previous step.
        • APAC
          mail.asia-southeast1.email.dlp.paloaltonetworks.com
        • Australia
          mail.australia-southeast1.email.dlp.paloaltonetworks.com
        • Europe
          mail.europe-west3.email.dlp.paloaltonetworks.com
        • India
          mail.asia-south1.email.dlp.paloaltonetworks.com
        • Japan
          mail.asia-northeast1.email.dlp.paloaltonetworks.com
        • United Kingdom
          mail.europe-west2.email.dlp.paloaltonetworks.com
        • United States
          mail.us-west1.email.dlp.paloaltonetworks.com
      4. For the Options, enable the following settings if not already enabled.
        • Require mail to be transmitted via a secure (TLS) connection
        • Require CA signed certificate
        • Validate certificate hostname
      5. Test TLS connection to verify Gmail can successfully connect to Enterprise DLP.
      6. Save.
    4. Back in the Hosts page, verify that you successfully created the Email DLP host.
    5. Set Up a Proofpoint Server for Email Encryption.
      Enterprise DLP requires this setting to encrypt inspected emails inspected that match your encryption Email DLP policy rule.
      Skip this step if you already configured routing to your Proofpoint server.
    6. Create Gmail Transport Rules.
      After you successfully set up the Email DLP host on Gmail, you must create the Gmail transports rule to instruct Gmail to forward emails to Enterprise DLP and establish the actions Gmail takes based on verdicts rendered by Enterprise DLP.
      Email DLP does not require a transport rule for emails that match your Email DLP policy when you configure the action to Monitor. In this case, Enterprise DLP adds x-panw-action - monitor to the email header, creates a DLP incident, and sends the email continues to the intended recipient.

    © 2026 Palo Alto Networks, Inc. All rights reserved.