Message Injection allows you to bypass regular email delivery and put emails directly into your users' mailboxes, increasing the delivery success rate and removing the requirement for allow-listing.
Here's how to configure Message Injection in Google Workspace.
Setting up a Service Account
You'll first need to ensure that you have a service account, which the Google Message Injection integration requires for authentication. If you have already set up a service account you wish to use, you can skip to Configuring the Service Account.
Creating a Google Cloud Project
You will need a Google Cloud project to create a service account. You can skip this part if you already have a project you can use.
Open the Manage Resources page in the Google Cloud Console
Click Create Project
Enter a Project name and then click Create
The project will take a few moments to provision, and the console will notify you once it's ready. It should appear under Manage Resources if you refresh the page. Failing that, clicking Google Cloud at the top of page will take you to your welcome page. A dropdown should appear where you can select your new project.
You will need to enable the Gmail API on this project to use it with the sync.
Go to APIs and Services > Enable APIs and Services and then click Enable APIs and Services at the top of the page.
Enter "Gmail API" into the search field and select Gmail API from the results.
Click Enable to enable this API on the project.
Creating a Service Account
Next, you will need to create a service account if you do not have one already.
Go to IAM and Admin > Service Accounts
Click Create Service Account at the top
Enter a Service Account Name and then click Create and Continue
Click Done to complete the process
Make a note of the service account's Unique ID, you'll need it later on.
A key is required to set up the sync's service account authentication. You can create one by:
Select the service account you wish to use
Click on the Keys tab
Click Add Key and select Create new key
Select JSON and click Create
This will save a JSON to your computer containing your service account. You will need this later on.
Setting Up Domain-wide Delegation
The service account will need domain-wide delegation of authority for the scopes covered by the sync, so it can use the service account to access the Google Directory API.
Open the Google Admin Console
Go to Security > Access and Data Control > API Controls
Scroll to the Domain-wide delegation section and click Manage Domain-wide delegation
Click Add new next to API Clients
Enter the Client ID for your service account - This is the service account's Unique ID, you will need to get it from the Google Cloud Console
Add the scopes listed below under OAuth Scopes and click Authorise
oAuth Scopes Required
https://www.googleapis.com/auth/gmail.insert
Configuring the Service Account
Completing this process will grant the platform permission to insert emails into the mailbox of any user on the Google Workspace associated with your chosen service account.
Note: We only use this permission to deliver simulated phishing emails, no other communications will be sent via this integration.
Go to Settings > uPhish > Message Injection and scroll down to Google Workspace. Click Configure Service Account
Upload the JSON key for the service account you wish to use with the Message Injection integration and click Continue.
Message Injection via Google Workspace is now available on your account. You should use the test message injection feature to confirm that it works as expected.
Advanced Options
You can re-authorise the Message Injection using the Configure Service Account button on the Message Injection settings page. Here you can replace the service account key credentials. This is useful if message injection emails are failing due to authentication issues or you wish to change the service account used for authentication.
You can use the Revoke Authentication option if you wish to disable Message Injection. This deletes the Google Cloud service account credentials we hold.