First of all we need to understand how SSL communications work.
SSL encryption prevents traffic from being intercepted and analyzed. The url is the same for both Workspace clients and gmail.com users (also called consumer), so we cannot block at the DNS level. If we intercep the trafic we also add a small lag and a new sistem to mantenain (We don’t want that when we buy a SaaS solution).
So Google is the only entity capable of blocking access only to certain accounts from one source. That or block all access to private accounts.
Therefore it is defined as the only alternative to send a special code so that Google itself is the one that allows or disallows access.
Adding the following header explicitly defines the domains to which the user can access.
X-GoogApps-Allowed-Domains: safeinbox.esThis header will only allow access to users of our safeinbox.es domain.
https://support.google.com/a/answer/1668854?hl=en: How Google Workspace prevent Gmail.com