Google Workspace / Gmail Retraction Integration Guide

Email Logic Flow

In this article, you will learn how to set up Email retraction for Google Workspace / Gmail. For SorbSecurity Cloud Email Security(SCES) to be able to retract emails from Gmail mailboxes, you need to create a service account in the Google Cloud Platform(GCP) under project,

Configure project and service account in Google Cloud Platform

  • Fill out the Project Name “Sorb-SCES-Protection”, choose the Organization and Location, then click CREATE button to start the new project.
  • Once the new project has been created, the GCP console will automatically redirect you to the Project dashboard. If not, you can use the Project List at the top of the page to change to SCES project you just created.
  • In the Getting Started portion, select Explore and enable APIs to access the APIs and services configuration console.
  • Select ENABLE APIS AND SERVICES to open the API Library.
  • You will need to enable the Gmail API. On the API Library, locate the Google Workspace section. Then, select the Gmail API.
  • Select ENABLE to activate the Gmail API
  • You now have to create a service account to use the API. From the Gmail API console, select Credentials on the left menu, then click CREATE CREDENTIALS, choose Service Account.
  • In Service account details, provide the following information:
    • Service account name: SorbSecurity SCES Email Retraction Service Account
    • Service account ID: sorb-sces-service-account #This value can be automatically generated
    • Service account description: For example, SorbSecurity SCES Email Retraction
  • In Grant this service account access to project, select the Select a role drop-down menu. Then, select Project on the left column by scrolling the list down, and Owner on the right column. Then, click CONTINUE.
  • Once the role is assigned, select DONE to complete the setup.
  • Once the role assignment has been saved, you will return to the API credential configuration console. In Service Accounts, click the newly-created service account to configure the domain-wide delegation.
  • In Details, take note of the Unique ID. Then, select SHOW ADVANCED SETTINGS, then click VIEW GOOGLE WORKSPACE ADMIN CONSOLE button.
  • It will open a new page for you, then go to Security > Access and data control > API controls. Find the Domain wide delegation section, and select MANAGE DOMAIN WIDE DELEGATION.
  • Select Add new to add a new client ID
  • In Add a new client ID, enter the following information, then select AUTHORIZE when you are finished.
    • Client ID: Enter your client ID. This is the Unique ID value you saved earlier
    • OAuth scopes: Enter the following information (the input field accepts comma separated values):,,,, 
  • Verify if the result looks like the screenshot below,
  • Return to the Google Cloud Platform (GCP) console, and select Service Accounts to return to the service account screen. You need to create an API key in the Service account configuration panel. Select the three dots button under Actions to open the menu. Then, select Manage keys.
  • In the Keys configuration panel, select ADD KEY > Create new key.
  • In Key type select JSON as the format to create the private key. Then, select CREATE. Your browser will download a private key in JSON format to your local computer.

Now, keep the JSON secured and configure it on Sorb SCES Admin Portal.

1. Login to SCES Admin Portal and go to Administration -> Threat Remediation.

2. Page the content of JSON to the form and click update icon.

You are done configuration. Now, you are able to do the additional action on the delivered emails at Message Trace -> Mail Query page.

Note: Retract is a paid feature. Please reach out to