How to set up Message Injection in Google Workspace

Deliver simulation emails seamlessly to mailboxes in Google Workspace.


Message Injection allows you to bypass regular email delivery and put emails directly into your users' mailboxes, increasing the delivery success rate and removing the requirement for allow-listing.


Here's how to configure Message Injection in Google Workspace.


Setting up a Service Account

You'll first need to ensure that you have a service account, which the Google Message Injection integration requires for authentication. If you have already set up a service account you wish to use, you can skip to Configuring the Service Account.


Creating a Google Cloud Project

You will need a Google Cloud project to create a service account. You can skip this part if you already have a project you can use.

  1. Open the Manage Resources page in the Google Cloud Console
  2. Click Create Project
  3. Enter a Project name and then click Create

The project will take a few moments to provision, and the console will notify you once it's ready. It should appear under Manage Resources if you refresh the page.


Failing that, clicking Google Cloud at the top of the page will take you to your welcome page. A dropdown should appear where you can select your new project.


You will need to enable the Gmail API on this project to use it with the sync.

  1. Go to APIs and Services > Enable APIs and Services and then click Enable APIs and Services at the top of the page.
  2. Enter "Gmail API" into the search field and select Gmail API from the results.
  3. Click Enable to enable this API on the project.

Creating a Service Account

Next, you will need to create a service account if you do not have one already.

  1. Go to IAM and Admin > Service Accounts
  2. Click Create Service Account at the top
  3. Enter a Service Account Name and then click Create and Continue
  4. Click Done to complete the process

Make a note of the service account's Unique ID; you'll need it later on.

A key is required to set up the sync's service account authentication. To create one:

  1. Select the service account you wish to use
  2. Click on the Keys tab
  3. Click Add Key and select Create new key
  4. Select JSON and click Create
  5. This will save a JSON file containing your service account key to your computer. You will need this later on.

Please ensure you have sufficient access rights when creating the service account and the service account key.

If you cannot create the service account or the service account key, you might need to check the Organization Policies. Please ensure the Disable service account creation and/or Disable service account key creation policies are not enforced for this Project.


Setting Up Domain-wide Delegation

The service account will need domain-wide delegation of authority for the scopes covered by the sync, so it can use the service account to access the Google Directory API.

  1. Open the Google Admin Console
  2. Go to Security > Access and Data Control > API Controls
  3. Scroll to the Domain-wide delegation section and click Manage Domain-wide delegation
  4. Click Add new next to API Clients
  5. Enter the Client ID for your service account. This is the service account's Unique ID, which you will need to get from the Google Cloud Console.
  6. Add the scopes listed below under OAuth Scopes and click Authorize

OAuth Scopes Required

https://www.googleapis.com/auth/gmail.insert
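
The following is an added example, not part of the original article or the vendor's tooling: a pre-upload check that confirms the downloaded file is a service account key, pulls out the client_id (the Unique ID entered as Client ID above), and compares the comma-separated scope list entered for domain-wide delegation against the single scope this page requires. The function names and all sample values are assumptions made for illustration.

```python
import json

# Scope listed under "OAuth Scopes Required" on this page.
REQUIRED_SCOPE = "https://www.googleapis.com/auth/gmail.insert"
KEY_FIELDS = ("type", "project_id", "private_key_id", "private_key",
              "client_email", "client_id", "token_uri")


def check_key(raw):
    """Validate a service account JSON key; return the values needed for setup."""
    key = json.loads(raw)
    missing = [f for f in KEY_FIELDS if not key.get(f)]
    if missing:
        raise ValueError("key file is missing fields: " + ", ".join(missing))
    if key["type"] != "service_account":
        raise ValueError("not a service account key: type=%r" % key["type"])
    if not str(key["client_id"]).isdigit():
        raise ValueError("client_id should be the numeric Unique ID")
    # Never return or print private_key; only non-secret identifiers leave here.
    return {"client_id": str(key["client_id"]),
            "client_email": key["client_email"],
            "private_key_id": key["private_key_id"]}


def audit_scopes(delegated):
    """Compare the scopes entered for the client with the one this page requires."""
    scopes = {s.strip() for s in delegated.split(",") if s.strip()}
    return {"missing": sorted({REQUIRED_SCOPE} - scopes),
            "excess": sorted(scopes - {REQUIRED_SCOPE})}


# Constructed sample key: every value is a placeholder, not a real credential.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0000placeholder0000",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "injection@example-project.iam.gserviceaccount.com",
    "client_id": "100000000000000000001",
    "token_uri": "https://oauth2.googleapis.com/token",
})

if __name__ == "__main__":
    print(check_key(SAMPLE_KEY))
    print(audit_scopes(REQUIRED_SCOPE + ", https://mail.google.com/"))
```

Any entry under "excess" means the delegation grants more than mailbox insertion and should be trimmed before the key is uploaded.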

Configuring the Service Account

Completing this process will grant the platform permission to insert emails into the mailbox of any user on the Google Workspace associated with your chosen service account.


Note: We only use this permission to deliver simulated phishing emails; no other communications will be sent via this integration.


Go to Settings > SMPhish > Message Injection and scroll down to Google Workspace. Click Configure Service Account.

Upload the JSON key for the service account you wish to use with the Message Injection integration and click Continue.


Message Injection via Google Workspace is now available on your account. You should use the test message injection feature to confirm that it works as expected.


Advanced Options

You can re-authorize the Message Injection using the Configure Service Account button on the Message Injection settings page.

Here you can replace the service account key credentials. This is useful if message injection emails are failing due to authentication issues or you wish to change the service account used for authentication.


You can use the Revoke Authentication option if you wish to disable Message Injection. This deletes the Google Cloud service account credentials we hold.
