FortiGate
kmohan
Staff
Article Id 273376
Description

This article describes how to restrict personal Gmail accounts and allow only Google accounts from specific email domains.

Scope

FortiGate.
Solution

Requirement:

The firewall/policy has to be in Proxy-based inspection mode.

 

How it works:

The firewall will inject the HTTP header X-GoogApps-Allowed-Domains.

It is also possible to inject multiple domains via the X-GoogApps-Allowed-Domains header.

 

Firewall Configuration:

Follow the article below:

Technical Tip: Restrict Google account usage to specific domains

 

Once the specific email domains are configured on the Web Filter, the firewall injects the following configuration, which is visible on the CLI:

 

config web-proxy profile
    edit "Auto-web-proxy-profile_iwd4cg3tf"
        config headers
            edit 1
                set name "X-GoogApps-Allowed-Domains"
                set content "abc.com, xyz.com" <----- The company domain is hosted in Google Mail services.
            next
        end
    next
end


Once the web-proxy profile has been created on the CLI, add it to the firewall policy (ID: XXX):


config firewall policy
    edit xx
        set web-proxy-profile "added name"   <----- Auto-web-proxy-profile_iwd4cg3tf.
    next
end


From the GUI, go to Security Profiles -> SSL/SSH Inspection and open the custom SSL deep inspection profile or custom-deep-inspection.
 

  1. Remove all Google-related entries under Exempt from SSL Inspection.

  2. Once removed, Google traffic is no longer exempt from SSL/SSH inspection in custom-deep-inspection.
    Download the CA certificate and install it on the client PC in the trusted root certificate store.
  3. Now try to access personal Gmail: access is restricted, and only accounts from the specific domains have access.


Note: Restricting access to specific email domains is not supported for Zoho Mail on FortiGate.
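
The following check is an added example, not part of the original article or Fortinet code: it reads a FortiGate configuration backup and reports, per firewall policy, whether the policy is in proxy-based inspection mode and references a web-proxy profile that injects X-GoogApps-Allowed-Domains. It assumes proxy mode appears in the backup as "set inspection-mode proxy" and uses a constructed sample (the profile name and policy IDs are made up); it does not inspect the SSL exemption list.

```python
SAMPLE = '''
config web-proxy profile
    edit "google-restrict"
        config headers
            edit 1
                set name "X-GoogApps-Allowed-Domains"
                set content "abc.com, xyz.com"
            next
        end
    next
end
config firewall policy
    edit 1
        set inspection-mode proxy
        set web-proxy-profile "google-restrict"
    next
    edit 2
        set inspection-mode flow
    next
end
'''  # constructed sample backup; the profile name and policy IDs are made up

def settings(text):
    """Yield (path, key, value) for every 'set' line; path is the config/edit nesting."""
    path = []
    for line in map(str.strip, text.splitlines()):
        word, _, rest = line.partition(" ")
        if word in ("config", "edit"):
            path.append(rest.strip('"'))
        elif word in ("end", "next") and path:
            path.pop()
        elif word == "set" and " " in rest:
            key, val = rest.split(None, 1)
            yield tuple(path), key, val.strip('"')

def audit(text):
    """Return {policy_id: [problems]}. Assumes proxy mode is 'set inspection-mode proxy'."""
    names, domains, policies = {}, {}, {}
    for path, key, val in settings(text):
        if path[:1] == ("firewall policy",) and len(path) == 2:
            policies.setdefault(path[1], {})[key] = val
        elif path[:1] == ("web-proxy profile",) and key == "name":
            names[path] = val.lower()  # HTTP header names are case-insensitive
        elif key == "content" and names.get(path) == "x-googapps-allowed-domains":
            domains[path[1]] = [d.strip() for d in val.split(",")]
    return {pid: [msg for bad, msg in (
                (conf.get("inspection-mode") != "proxy", "not proxy-based inspection"),
                (conf.get("web-proxy-profile") not in domains, "header not injected"))
            if bad] for pid, conf in policies.items()}
```

To audit a real device, pass the text of its configuration backup to audit() instead of SAMPLE; any policy with a non-empty list lets personal Google accounts through.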


Related document

Restricted SaaS access