Skip to main content

Setting up Google Direct Mail Injection (DMI)

Written by Idris Hess

Google Direct Mail Injection (DMI) delivers simulated phishing emails straight into your people's Gmail inboxes using the Gmail API, rather than sending them over SMTP. This means simulations arrive reliably, without being affected by mail gateways or spam filtering.

To make this work, you grant CybSafe's service account permission to insert emails into mailboxes on your domain using Google's Domain-Wide Delegation (DWD).

Setup takes two steps:

  1. Grant domain-wide delegation to CybSafe's service account in your Google Admin console.

  2. Add your DMI integration details in the CybSafe platform.

Before you start

You'll need:

  • Super-admin access to your Google Workspace Admin console.

  • Admin access to your CybSafe platform.

Step 1: Grant domain-wide delegation to CybSafe

A Google Workspace super-admin only needs to do this once.

  1. Go to Google Admin → Security → Access and data control → API controls, or head straight to the domain-wide delegation page.

  2. Click Manage domain-wide delegation.

  3. Click Add new.

  4. Enter CybSafe's service account client ID:

    108868330755207681554
  5. Enter this OAuth scope:

    https://www.googleapis.com/auth/gmail.insert
  6. Click Authorise.

This grants CybSafe's service account permission to insert emails into mailboxes on your domain. The scope is limited to inserting emails – it doesn't allow CybSafe to read, send, or delete anything in your people's mailboxes.

Step 2: Add your integration details in CybSafe

Once delegation is in place, add the integration in the CybSafe platform. Under Integrations > Google DMI > Setup tab, you'll be asked for:

A verification email address (for example, [email protected])

Any valid email address within your Google tenant. We use this to run a health check and confirm we have the correct permissions in your Google Workspace. No email is inserted during health checks.

Your domain(s) (for example, company.com)

The email domain(s) whose people should receive simulated phishing emails via DMI. If you want DMI for multiple domains within your Google Workspace, add one integration per domain.

We use domains for routing. When a simulated phishing email is scheduled for someone, we check whether their email domain has a DMI integration. If it does, the email is delivered via DMI. If it doesn't, it falls back to standard SMTP.

How routing works after setup

Once enabled, simulated phishing emails sent to anyone whose email domain matches a DMI integration automatically go through DMI instead of SMTP. No further changes are needed.

A few things worth knowing:

  • Mixed domains. If you have people on both company.com and company.co.uk, and only company.com has a DMI integration, then company.com receives emails via DMI while company.co.uk continues to use standard SMTP.

  • DMI only applies to simulated phishing emails. Service and training emails from CybSafe are always delivered via SMTP.

Need help?

If the health check fails or you're not sure whether DMI is working, contact CybSafe support and we'll be happy to help.

Did this answer your question?