When attempting to configure Gmail with Cloud Service for Email in reflect mode, email messages are rejected by the CDS with a "554 5.4.4 Tenant Not Assigned" message and the email is not delivered to the recipient(s).

DLP Cloud Service for Email using Gmail in reflect mode

In this particular case, the issue was being caused by an incorrect configuration in the Google Workspace Admin center. Specifically the following chain of events was occurring:

1. Email sent from Gmail to Cloud Service for Email with the correct "X-DetectorId" header.

2. Cloud service for email would correctly perform detection, generate an incident, remove the "X-DetectorId" header and add the "X-DetectorID-Processed" header.

3. Cloud service for email would reflect the email back to Gmail.

4. Gmail would incorrectly send the email back to Cloud Service for Email, this time without the "X-DetectorId" because it was correctly removed by Cloud Service for email when it passed through the first time.

5. Cloud Service for Email would then reject the email message with the following error, "554 5.4.4 Tenant Not Assigned".

6. The email would fail and not be sent to the recipient(s).

Follow the steps exactly as outlined in the following TechDoc page to configure Cloud Service for Email with Gmail in reflect mode:

Set up Google Workspace Gmail for Email Deliver(Reflect Mode)