Enable Gmail BCC integration
To use Email Security, you will need to have:
- A Cloudflare account ↗
- A Zero Trust organization
- A domain to protect
- Log in to Zero Trust ↗.
- Select Email Security.
- Select Overview. Select one of the following options:
- If you have not purchased Email Security, select Contact sales.
- If you have not associated any integration:
- Select Set up, then choose BCC/Journaling.
- Select Integrate with Google > Authorize.
- Name your integration, then select Next.
- Go to step 1 to continue the process of associating an integration.
 
- If you have associated an integration, but have not connected a domain:
- Select Connect a domain.
- Choose BCC/Journaling > Integrate with Google.
- Refer to Connect your domains to connect your domain(s).
 
- Once you have named your integration, select Next.
- On the Google Cloud Console ↗, go to the sidebar, select APIs & Services, then select Credentials.
- Select CREATE CREDENTIALS > Service account.
- Fill in the details to create a service account:
- Service account name: Enter Cloudflare Google Integration.
- Service account ID: Enter cloudflare-google-integration.
- Service account description: Enter Cloudflare Google Integration.
- Select CREATE AND CONTINUE.
 
- Service account name: Enter 
On the Google Cloud Console ↗:
- On the sidebar, select IAM & Admim > Service Accounts.
- Locate your email, select the three dots, then select Manage keys.
- Select Add key > Create new key.
- Select JSON > Select CREATE. This downloads a .jsonfile which you will use when uploading a JSON key.
On the Zero Trust dashboard ↗, upload the .json file downloaded on step 3.
Enable the following APIs on the Google Cloud Console:
- Google Calendar API ↗
- Google Drive API ↗
- Google Admin SDK API ↗
- Gmail API ↗
- Google Service Usage API ↗
Log in to Google Workspace Admin Console: Enter your password and log in to the Google Workspace Admin Console.
- Copy the Client ID and Scopes displayed on the Zero Trust dashboard.
- On Google Admin, go to Security > Access and data control > API controls.
- Select MANAGE DOMAIN WIDE DELEGATION > Add new.
- Use the Client ID and copy the scopes to create a new API client. Refer to Delegate domain-wide authority to your service account ↗. Then, select Next.
Enter the email associated with the Google Workspace Administrator account. Your email must match the email associated with your Google Workspace account, or else your integration will not work.
- Select Create integration.
- Once you created your integration, you will be redirected to the Review details page, where you will be able to review Integration details.
- Review your details, then select Complete Email Security set up > Continue to Email Security.
To verify that the integration has been successful:
- In Zero Trust ↗, go to Email Security.
- Go to Settings (the gear icon) > SaaS integrations.
- Go to your integration, and ensure that the integration displays CASB+EMAIL under Type.
Now that you have created an integration:
- Connect your domains for Email Security to start scanning your inbox.
- Enable logs to send detection data to an endpoint of your choice.
Was this helpful?
- Resources
- API
- New to Cloudflare?
- Directory
- Sponsorships
- Open Source
- Support
- Help Center
- System Status
- Compliance
- GDPR
- Company
- cloudflare.com
- Our team
- Careers
- © 2025 Cloudflare, Inc.
- Privacy Policy
- Terms of Use
- Report Security Issues
- Trademark