[Email Security] Gmail BCC setup guide (#18153)

* [Email Security] Gmail BCC setup guide

* Fix links and add more info

* Adding H3s

* Adding numbers to H3s

Author: Maddy-Cloudflare

src/assets/images/email-security/deployment/api-setup/gmail-bcc-deployment.png

@@ -0,0 +1,38 @@
+---
+title: Connect your domains
+pcx_content_type: how-to
+sidebar:
+  order: 3
+---
+
+import { GlossaryTooltip } from "~/components"
+
+On the **Set up Email Security** page:
+
+1. **Connect domains**: Select at least one domain. Then, select **Continue**.
+2. (**Optional**) **Add manual domains**: Select **Add domain name** to manually enter additional domains. Then, select **Continue**.
+3. (**Optional**) **Adjust hop count**: Enter the number of <GlossaryTooltip term="Hops">hops</GlossaryTooltip>. Then, select **Continue**.
+4. (**Optional**, select **Skip for now** to skip this step) **Move messages**: Refer to [Auto-moves](/cloudflare-one/email-security/auto-moves/) to configure auto-moves. Then, select **Continue**.
+5. **Configure service address with your third party email provider**: Copy and paste the service address into your third-party email provider to allow BCC/Journaling: `<account tag>@CF-emailsecurity.com`.
+6. **Review details**: Review your connected domains. Then, select **Go to domains.** 
+
+Your domains are now added successfully.
+
+On the **Domains** page, select the three dots > **View integration**. The dashboard will display your [domain information](/cloudflare-one/email-security/reference/domain-information/). 
+
+Under **Source**, the dashboard will display **Google integration**, along with the **Integration name**.
+
+## Add additional domains
+
+To add additional domains:
+
+1. Go to **Settings**.
+2. Select **Connect an integration** > **BCC/Journaling** > **Integrate with Google** > **Authorize**.
+3. **Connect domains**: Select the domains you want to add, then select **Next**.
+4. (Optional) Select **Add manual domains**: Enter additional domains manually, then select **Next**.
+5. (Optional) Select **Adjust hop count**: Enter the number of <GlossaryTooltip term="Hops">hops</GlossaryTooltip>.
+6. **Review details**: Review your selected domains, then use the following email to configure the service address with your third-party email provider:    
+      ```txt
+      <account tag>@CF-emailsecurity.com
+      ```
+7. Select **Save**.

src/content/docs/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/bcc-setup/gmail-bcc-setup/connect-domains.mdx

@@ -0,0 +1,13 @@
+---
+title: Enable auto-moves
+pcx_content_type: how-to
+sidebar:
+  order: 4
+---
+
+If you do not have an integration:
+
+1. Go to **Settings** > **Integrated domains** > Select **View**.
+2. Select the three dots > Select **Associate an integration**.
+3. Select **Connect an integration**. You will then be redirected to a page where you will [enable your Microsoft integration](/cloudflare-one/email-security/setup/post-delivery-deployment/api/office365-api/#enable-microsoft-integration).
+4. Once you have enabled your Microsoft integration, select **Complete Email Security set up**.

src/content/docs/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/bcc-setup/gmail-bcc-setup/enable-auto-moves.mdx

@@ -0,0 +1,87 @@
+---
+title: Enable Gmail BCC integration
+pcx_content_type: how-to
+sidebar:
+  order: 2
+---
+
+To enable Gmail BCC integration:
+
+1. Log in to [Zero Trust](https://one.dash.cloudflare.com/).
+2. Select **Zero Trust** > **Settings**.
+3. Select **SaaS Integrations**.
+4. Select **Add integration** > **Google Workspace**.
+5. Select **Select Integration**.
+
+## Create an integration
+
+Name your integration, then select **Next**.
+
+### 1. Create a Service Account in your GCP Project
+
+1. Once you have named your integration, select **Next**.
+2. On the [Google Cloud Console](https://console.cloud.google.com/welcome/new), go to the sidebar, select **APIs & Services**, then select **Credentials**.
+3. Select **CREATE CREDENTIALS** > **Service account**.
+4. Fill in the details to create a service account:
+    - **Service account name**: Enter `Message Retraction Service Account`.
+    - **Service account ID**: Enter `message-retraction-service-acc`.
+    - **Service account description**: Enter `Email Security Message Retraction`.
+    - Select **CREATE AND CONTINUE**.
+5. In **Grant this service account access to project**, select **Select a role** > Choose **Owner**. Select **CONTINUE**, then select **DONE**.
+6. Go back to **Credentials** on the sidebar, and select your service account under **Service Accounts**. In **Details**, take note of the **Unique ID**.
+7. Select **Advanced settings** > **VIEW GOOGLE WORKSPACE ADMIN CONSOLE**, then enter your password. This will redirect you to the Google admin portal.
+8. On the sidebar, select **Security** > **Access and data control** > **API controls** > Select **MANAGE DOMAIN WIDE DELEGATION**.
+9. Select **Add new** > Add a new client ID:
+    - **Client ID**: Enter the **Unique ID** you took note of in step 5.
+    - **OAuth scopes**: Enter the following URLs:
+    
+        ```txt
+        https://www.googleapis.com/auth/admin.directory.user.readonly, https://www.googleapis.com/auth/admin.directory.group.readonly, https://www.googleapis.com/auth/admin.directory.user.alias.readonly, https://www.googleapis.com/auth/gmail.labels, https://mail.google.com/
+        ```
+    - Select **AUTHORIZE**.
+
+### 2. Create a JSON Key for your Service Account
+
+On the [Google Cloud Console](https://console.cloud.google.com/welcome/new), select **Service Accounts** on the sidebar:
+    - Select the three dots, then:
+        - Select **Manage keys**.
+        - Select **ADD KEY** > **Create new key**.
+        - Select **JSON** > Select **CREATE**. This downloads a `.json` file which you will use at a later stage.
+
+### 3. Upload JSON Key
+
+On the [Zero Trust dashboard](https://one.dash.cloudflare.com/), upload the `.json` file downloaded on step 3.
+
+### 4. Enable Necessary Google Workspace APIs in GCP
+
+Enable the following APIs on the Google Cloud Console:
+    - [Enable Google Calendar API](https://console.cloud.google.com/apis/library/calendar-json.googleapis.com?project=winter-surf-439414-h1)
+    - [Enable Google Drive API](https://console.cloud.google.com/apis/library/drive.googleapis.com?project=winter-surf-439414-h1)
+    - [Enable Google Admin SDK API](https://console.cloud.google.com/apis/library/admin.googleapis.com?project=winter-surf-439414-h1)
+    - [Enable Gmail API](https://console.cloud.google.com/apis/library/gmail.googleapis.com?project=winter-surf-439414-h1)
+    - [Enable Google Service Usage API](https://console.cloud.google.com/apis/library/serviceusage.googleapis.com?project=winter-surf-439414-h1)
+
+### 5. Log in to Google Workspace Admin Console
+
+Log in to Google Workspace Admin Console: Enter your password and log in to the Google Workspace Admin Console.
+
+### 6. Create a Domain-Wide Delegation API Client
+
+1. Copy the **Client ID** and **Scopes** displayed on the Zero Trust dashboard.
+2. On Google Admin, go to **Security** > **Access and data control** > **API controls**.
+3. Select **MANAGE DOMAIN WIDE DELEGATION** > **Add new**.
+4. Use the Client ID and copy the scopes to create a new API client. Refer to [Delegate domain-wide authority to your service account](https://cloud.google.com/chronicle/docs/soar/marketplace-integrations/google-alert-center?_gl=1*skktsb*_ga*MTMxODg5NDExMy4xNzI5NjA1MzYy*_ga_WH2QY8WWF5*MTcyOTc3MDg2Ny40LjEuMTcyOTc3MDg5OC4yOS4wLjA.#delegate_domain-wide_authority_to_your_service_account). Then, select **Next**.
+
+### 7. Confirm Workspace Administrator Email
+
+Enter the email associated with the Google Workspace Administrator account. Your email must match the email associated with your Google Workspace account, or else your integration will not work.
+
+### 8. Create integration
+
+1. Select **Create integration**.
+2. Once you created your integration, you will be redirected to the **Review details** page, where you will be able to review **Integration details**. 
+3. Review your details, then select **Complete Email Security set up** > **Continue to Email Security**.
+
+## Next steps
+
+Now that you have created an integration, you will need to [connect your domains](/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/bcc-setup/gmail-bcc-setup/connect-domains/) for Email Security to start scanning your inbox.

src/content/docs/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/bcc-setup/gmail-bcc-setup/enable-gmail-integration.mdx

@@ -0,0 +1,15 @@
+---
+title: Overview
+pcx_content_type: overview
+sidebar:
+  order: 1
+---
+
+
+For customers using Gmail as their email provider, setting up Email Security is quick and easy. 
+
+You will need to [enable Gmail BCC on the Zero Trust dashboard](/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/bcc-setup/gmail-bcc-setup/enable-gmail-integration/), [create an integration](/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/bcc-setup/gmail-bcc-setup/enable-gmail-integration/), and [connect your domain(s)](/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/bcc-setup/gmail-bcc-setup/connect-domains/). You can choose to [add additional domains](/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/bcc-setup/gmail-bcc-setup/connect-domains/) at a later stage.
+
+Once you set up Gmail BCC integration, Email Security will receive a copy of your email messages. The following email flow shows how this works:
+
+![Gmail BCC deployment flow](~/assets/images/email-security/deployment/api-setup/gmail-bcc-deployment.png)

src/content/docs/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/bcc-setup/gmail-bcc-setup/gmail-bcc-setup.mdx

@@ -0,0 +1,13 @@
+---
+title: Gmail BCC setup
+pcx_content_type: navigation
+sidebar:
+  order: 1
+  group:
+    hideIndex: true
+---
+
+import { DirectoryListing } from "~/components"
+
+
+<DirectoryListing />