Google Suite: Use GAM to get a list of all users' forwarding addresses

A few days ago I wrote a blog post on what domain names to use in Google, to forward email to Office 365. In that article I explained the differences between the user-level forwarding, set by the Google administrator, and the forwarding set at the account settings level, by each user or by you with an automation tool (such as GAM or the BitTitan Management Console).

If you read the article and agree with me that setting the forwarding address at the account settings level through automation is the best option, then read on, because I am about to explain how you, as a Google administrator, can extract a report that gives you visibility, across the entire Google tenant, of all the forwarding addresses that are set per user.

Step 1: If not already, download, install and configure the GAM tool

The GAM tool is a command line tool that allows you, the Google Suite administrator, to manage your tenant.

On the GAM tool main page you will find instructions on how to download, install and configure it with all the appropriate permissions in your Google tenant.

Step 2: Export the forwarding addresses

Once you have the GAM tool installed you can use it to print the forwarding addresses.

With the command prompt open (and the GAM tool installed and configured of course), do the following.

You can print one user by running:

gam user <Username> print forwardingaddresses


Or you can print for all users by running:

gam all users print forwardingaddresses


As you can see, it’s a simple process. It will export the user, the forwarding email and the verification status of that forwarding.

To get the results exported you have two options.

Export directly to CSV from the command prompt:

gam all users print forwardingaddresses > C:\GAM\MyUsers.csv


Export the result to Google Drive from where you can download as an Excel file:

gam all users print forwardingaddresses todrive


Note: Follow the link to the Google Drive, provided on the command line. Once you have the document open, go to File > Download > Excel (xlsx)

Step 3: Export the forward configurations

Once you have all of the addresses, you should also think about exporting the forward configurations, which are the options you select when you set the forward and that determine what happens to the message on Google (keep|archive|delete|markread).

I won’t go over the export options again, as they are the same as in step 2 of this post. The commands to export for one or all of the users are below.

You can print one user by running:

gam user <Username> print forward


Or you can print for all users by running:

gam all users print forward


Note: The option names in the output don’t match (i.e. keep=leaveInInbox and trash=delete), but they are self-explanatory.

And that’s it, you now know exactly which per user setting, in terms of forwarding, each one of your users has configured.
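One way to turn the two exports from steps 2 and 3 into an audit of mail leaving the tenant, as an added example (not part of the original post or of GAM itself): it flags forwarding addresses outside the domains you own and marks which of them are actively forwarding. The CSV column names, the sample rows and the function names are assumptions; check them against the header row of your own export.

```python
import csv
import io

# Constructed sample exports; the column names are assumed, not taken from the post.
ADDRESSES_CSV = """User,forwardingEmail,verificationStatus
user10@myexchlab.com,user10@o365.myexchlab.com,accepted
user11@myexchlab.com,user11@example.net,accepted
user12@myexchlab.com,user12@example.org,pending
"""
FORWARD_CSV = """User,forwardEnabled,forwardTo,disposition
user10@myexchlab.com,True,user10@o365.myexchlab.com,trash
user11@myexchlab.com,True,user11@example.net,leaveInInbox
user12@myexchlab.com,False,,
"""

def is_owned(address, owned_domains):
    """True when the address is in an owned domain or one of its sub-domains."""
    domain = address.rsplit("@", 1)[-1].lower().rstrip(".")
    # Match on a label boundary so "notmyexchlab.com" is not treated as owned.
    return any(domain == d or domain.endswith("." + d) for d in owned_domains)

def audit(addresses_csv, forward_csv, owned_domains):
    """Return external forwarding addresses, active forwards first."""
    owned = [d.lower() for d in owned_domains]
    active = {}  # user -> (forwardTo, disposition) for enabled forwards only
    for row in csv.DictReader(io.StringIO(forward_csv)):
        if row["forwardEnabled"].strip().lower() == "true":
            active[row["User"].lower()] = (row["forwardTo"].lower(), row["disposition"])
    findings = []
    for row in csv.DictReader(io.StringIO(addresses_csv)):
        user, target = row["User"].lower(), row["forwardingEmail"].lower()
        if is_owned(target, owned):
            continue
        fwd_to, disposition = active.get(user, ("", ""))
        in_use = fwd_to == target
        findings.append({"user": user, "target": target,
                         "status": row["verificationStatus"],
                         "active": in_use,
                         "disposition": disposition if in_use else ""})
    # Active forwards sort first: that mail is leaving the tenant right now.
    return sorted(findings, key=lambda f: (not f["active"], f["user"]))

if __name__ == "__main__":
    for finding in audit(ADDRESSES_CSV, FORWARD_CSV, ["myexchlab.com"]):
        print(finding)
```

To run it on real data, pass the contents of the two CSV files written in steps 2 and 3 in place of the sample strings, along with the list of domains your tenant owns.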

Thank you for visiting my blog!

Google Suite to Office 365: Forwarding email address options

When migrating your email from Google Suite to Office 365, or simply having mail flow coexistence between the two systems, I am usually asked the same question: Which email domains can I use as forwarding addresses in Google, to forward email to Office 365?

The answer is not very straightforward, and first and foremost it’s important to understand that in Google, per user email forwarding can be done in two ways:

For more information you can check the Google Suite Forwarding options article.

Now let’s cover both options and what domains can be used.

Forwarding domain options: User Level Routing

Basically, with this option, the administrator can select whatever domain they want for the forwarding address. A very common scenario is to choose the onmicrosoft.com address, as in the example below.


Above you can see the forwarding in the Google Admin portal, to the address user10@myexchlab22.onmicrosoft.com. The SMTP envelope will remain intact and no copy will be saved in the Google mailbox.


And the user primary SMTP address on Google.


The list of SMTP addresses in Office 365, for User10.


And the email sent to User10@myexchlab.com, that was forwarded to Office 365.


Finally a quick look at the email headers. Some considerations on that:

  • You can see that the email is initially received by Google, coming from Office 365 (the sender is from a completely independent 365 tenant).
  • You can then see that the email is forwarded to User10 in my Office 365 test tenant. You will see it’s received in 365, coming from Google.
  • Finally, a quick note on the SPF failure. It’s a soft fail and one that you can’t control. What it basically says is that Google is not a permitted sender for the sender’s domain.

Summary:

The summary of this method is that it has no limitations. The catch is that stamping forwarding addresses in the Google admin console is not something you can automate to make it scale, i.e. there’s no good method (to the best of my knowledge) to stamp addresses on 1000+ users, which makes it a huge manual task.

Forwarding domain options: Forward email to another account via mailbox settings

The second option can be done by the end user, but can also be automated. With this option you’re a bit more limited in terms of what domain names you can use for forwarding. Why? Let me show you.


Above you can see a forwarding set, in the tab “Forwarding and POP/IMAP” of the mailbox settings. To set the forwarding all I needed to do was add a forwarding address and select the “Forward a copy…” option. But my forwarding above is done to the O365.myexchlab.com domain, which is a sub-domain of a domain that my Google tenant owns. What does that mean exactly? That Google knows for a fact that if I own the domain myexchlab.com I also own the forwarding domain O365.myexchlab.com, and therefore does not ask me for any validation.

Makes sense? Now let’s see what happens when I try to forward to a domain that is not on Google, nor a sub-domain of one that is.


As you can see Google is going to send a confirmation code to the destination address, in order for you to prove ownership.


And the address won’t be available until you confirm it.

Now what’s the biggest problem with this? It doesn’t scale, which means that with this method you will need to use the sub-domain method. Automation tools that add those addresses, like the GAM tool or the BitTitan SDK, won’t work in such a scenario with those forwarding email domains.

Summary:

This is by far my preferred method. The only drawback with this, in my opinion, is that administrators have no visibility into the forwarding configurations via the UI. But they can export them via the GAM tool.

Bottom line

If you are planning to configure mail flow coexistence between Google and Office 365, I’d recommend that you create a sub-domain in Office 365 (i.e O365.mydomain.com – mydomain.com must be valid in Google), don’t forget to add all DNS records such as MX and SPF, and use that sub-domain in your forwarding addresses.

If you want to automate the configuration (and you should), you can either use the GAM tool or, even better, use the BitTitan Management Console, part of the BitTitan SDK, which comes with an option to manage forwarding addresses on Google. That way you won’t have to bother learning how to use the GAM tool, which, believe me, is not easy.

I will soon be writing a blog post on how to use the GAM tool to get a list of forwarding addresses from Google.

As always if you have questions let me know.