Gmail settings

This feature is only available with G Suite Enterprise and G Suite Enterprise for Education.

From the security health page, you can monitor the configuration of the following advanced Gmail settings:

Automatic email forwarding

Automatic email forwarding allows users to automatically forward incoming mail to another address.

For more details, see the table below.

Setting: Automatic email forwarding
Status: Specifies the number of organizational units where this setting is turned on.
Recommendation: Disable the automatic email forwarding option to prevent users from setting up automatic forwarding. This reduces your risk of data exfiltration through email forwarding, which is a common technique employed by attackers.
How to disable this setting: In the Google Admin console, go to Apps > G Suite > Gmail > Advanced settings, and uncheck Allow users to automatically forward incoming email to another address. For more details and instructions, see Disable automatic forwarding.
Effect on your users: Users won’t see the forwarding option in their Gmail settings, and any existing user-created forwarding rules or filters will no longer result in forwarded messages. Admin-created forwarding rules still apply to those users.

Comprehensive mail storage

Turning on the Comprehensive mail storage setting ensures that a copy of all sent or received messages in your domain—including messages sent or received by non-Gmail mailboxes and in-product notifications (for example, Calendar invites and Drive file sharing invites)—is stored in the associated users' Gmail mailboxes.

For more details, see the table below.

Setting: Comprehensive mail storage
Status: Specifies the number of organizational units where this setting is disabled.
Recommendation: Turn this setting on if you have a non-Gmail system that uses the SMTP relay service to route messages on behalf of your users (for example, ticket tracking systems, bug databases, or automated notification systems) and you want those messages to appear in your users’ Gmail mailboxes.

This reduces your risk of data deletion by ensuring that a copy of all sent or received messages in your domain, including messages sent or received by non-Gmail mailboxes, is stored in the associated users' Gmail mailboxes.

This is also critical for retaining messages in Google Vault for all users who enable SMTP relay. Enabling this setting also ensures that your users see product-generated notifications (for example, calendar meeting invites or file share invites).

How to enable this setting: In the Google Admin console, go to Apps > G Suite > Gmail > Advanced settings, and check Ensure that a copy of all sent and received mail is stored in associated users' mailboxes. For more details and instructions, see Set up comprehensive mail storage.
Effect on your users: Your users will be able to see all email that is sent via non-Gmail SMTP relay services, and designated administrators will be able to access these emails via Vault. Users will also see product-generated notifications in their inboxes.

Bypassing spam filters for internal senders

You can configure your advanced Gmail settings to bypass, or not bypass, spam filters for messages received from internal senders.

For more details, see the table below.

Setting: Bypassing spam filters for internal senders
Status: Specifies the number of organizational units where bypassing spam filters for internal senders is turned on.
Recommendation: Turn off Bypass spam filters for messages received from internal senders for all organizational units. By turning this setting off, you make sure that all of your users’ email is filtered for spam, including mail from internal senders. This reduces the risk of spoofing and phishing/whaling.

How to turn off Bypass spam filters for messages received from internal senders:

To turn off the bypassing of spam filters for internal senders, configure a new Spam setting or edit an existing Spam setting.

To configure a new Spam setting:

  1. In the Google Admin console, go to Apps > G Suite > Gmail > Advanced settings.
  2. In the Spam section, hover over Spam, and click Configure on the right side of the page (the Add setting dialog box is displayed).
  3. Uncheck Bypass spam filters for messages received from internal senders.
  4. Add a short description for your new setting at the top of the dialog box (for example, Bypass spam filters for internal senders).
  5. Click ADD SETTING.
  6. Click SAVE.

To edit an existing Spam setting:

  1. In the Google Admin console, go to Apps > G Suite > Gmail > Advanced settings.
  2. In the Spam section, hover over the Spam setting, and click EDIT (the Edit setting dialog box is displayed).
  3. Uncheck Bypass spam filters for messages received from internal senders.
  4. Click SAVE (and click SAVE again at the bottom of the page).

For more details and instructions, see Customize spam filter settings.

Effect on your users: Your users are better protected because their email is filtered for spam, which minimizes the chances of spoofing and phishing/whaling attacks.

POP and IMAP access for users

If your G Suite users want to use desktop clients such as Thunderbird or Outlook Express to access their G Suite mail, you might decide to enable IMAP and POP access in your Google Admin console. Or, for security reasons, you might decide to disable access. You can enable or disable access for everyone in your account or only for users in specific organizational units.

For more details, see the table below.

Setting: POP and IMAP access for users
Status: Specifies the number of organizational units where POP and IMAP access is turned on.
Recommendation: Turn off POP and IMAP access for all organizational units. This reduces data leak, data deletion, and data exfiltration risks.

How to turn off POP and IMAP access: In the Google Admin console, go to Apps > G Suite > Gmail > Advanced settings, and check the Disable POP and IMAP access for all users box.

For more details and instructions, see Turn IMAP and POP on and off for users.

Effect on your users: Disabling POP and IMAP access prevents your users from using IMAP/POP email clients.

DKIM

You can help prevent spoofing by adding a digital signature to outgoing message headers using the DomainKeys Identified Mail (DKIM) standard. This involves using a private domain key to encrypt your domain's outgoing mail headers, and adding a public version of the key to the domain's DNS records. Recipient servers can then retrieve the public key to decrypt incoming headers and verify that the message really comes from your domain and hasn't been changed along the way.

Important: Updates to DNS records on a customer's domain host are not immediately reflected in the security health page; there is a propagation delay while DNS servers clear and update their caches. For example, GoDaddy only guarantees consistency after 48 hours.

For more details, see the table below.

Setting: DKIM
Status: Specifies whether DKIM is configured for your domain(s), or whether it's missing or misconfigured.

Note: The security health tool performs lookups based specifically on the google DKIM selector.

Recommendation: Configure DKIM for your domain(s) by adding a digital signature to outgoing message headers using the DomainKeys Identified Mail (DKIM) standard. This reduces spoofing and phishing/whaling risks. Mail servers receiving emails from your domain can authenticate that your domain is the sender of these emails.
How to configure DKIM: For details and instructions, see Authenticate email with DKIM.
Effect on your users: If DKIM is enforced, your users are less likely to be spoofed, since emails sent from your domain are signed cryptographically using DKIM.

SPF record

A Sender Policy Framework (SPF) record is a type of Domain Name System (DNS) record that identifies which mail servers are permitted to send email on behalf of your domain.

The purpose of an SPF record is to prevent spammers from sending messages with forged From addresses at your domain. Recipients can refer to the SPF record to determine whether a message purporting to be from your domain comes from an authorized mail server.

Important: Updates to DNS records on a customer's domain host are not immediately reflected in the security health page; there is a propagation delay while DNS servers clear and update their caches. For example, GoDaddy only guarantees consistency after 48 hours.

For more details, see the table below.

Setting: SPF record
Status: Specifies whether an SPF record is configured for your domain(s), or whether it's missing or misconfigured.
Recommendation: Configure SPF records for your domain(s) to authorize the mail servers that send email on behalf of your domain(s). This reduces the risk of spoofing and phishing/whaling.

For better protection, use a combination of SPF and DKIM to help validate the domain that’s sending the email.

How to configure SPF: For details and instructions, see Help prevent email spoofing with SPF records.
Effect on your users: With SPF enforced, your users are less likely to be spoofed, since only designated mail servers are authorized to send email on behalf of your users.

DMARC

DMARC is an email-validation system designed to detect and prevent email spoofing. It is intended to combat certain techniques often used in phishing and email spam, such as emails with forged sender addresses that appear to originate from legitimate organizations. DMARC is built on top of SPF and DKIM. It allows the administrative owner of a domain to publish a policy that determines which mechanism (DKIM, SPF or both) is employed when sending email from that domain and how the receiver should deal with failures.

Important: Updates to DNS records on a customer's domain host are not immediately reflected in the security health page; there is a propagation delay while DNS servers clear and update their caches. For example, GoDaddy only guarantees consistency after 48 hours.

For more details, see the table below.

Setting: DMARC
Status: Specifies whether a DMARC record is configured for your domain(s), or whether it's missing or misconfigured.
Recommendation: Once you’ve configured SPF and DKIM, configure a DMARC record for your domain(s). This reduces the risk of spoofing and phishing/whaling.
How to configure DMARC: For details and instructions, see Add a DMARC record.
Effect on your users: With DMARC enforced, your users are less likely to be spoofed. In some cases, your users may experience problems with mailing lists that are not properly configured to operate with DMARC. Current versions of LISTSERV or Mailman can interoperate with DMARC senders. For more information, see these DMARC FAQs.
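As an added illustration (not part of this Help Center page), the following Python evaluates the three DNS checks above (the SPF record, DKIM at the google selector, and DMARC) against constructed TXT answers and reports configured, missing or misconfigured for each, the way the security health page does; the TXT data and the include:_spf.google.com value are assumptions for the example, and a real tool would replace the dictionary with live DNS lookups.

```python
import re

# Constructed DNS TXT answers standing in for live lookups (no network needed).
# Keys are owner names; values are the TXT strings published at that name.
CONSTRUCTED_TXT = {
    "example.com": [
        "v=spf1 include:_spf.google.com ~all",
        "google-site-verification=PLACEHOLDER",   # unrelated TXT record, must be ignored
    ],
    "google._domainkey.example.com": ["v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_PUBLIC_KEY"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"],
    # A deliberately broken domain: two SPF records, no google selector, DMARC without p=
    "broken.example": ["v=spf1 include:_spf.google.com ~all", "v=spf1 -all"],
    "_dmarc.broken.example": ["v=DMARC1; rua=mailto:reports@broken.example"],
}

def txt(name):
    return CONSTRUCTED_TXT.get(name.lower(), [])

def parse_tags(record):
    """Split a 'tag=value; tag=value' list (the syntax DKIM and DMARC records share)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def spf_status(domain):
    """Exactly one v=spf1 record, and it must end the evaluation with an 'all'
    mechanism or a redirect= modifier; anything else is a permanent error for receivers."""
    records = [r for r in txt(domain) if r.lower().startswith("v=spf1")]
    if not records:
        return "missing"
    if len(records) > 1:
        return "misconfigured"
    terms = [t.lower() for t in records[0].split()[1:]]
    has_all = any(re.fullmatch(r"[-~+?]?all", t) for t in terms)
    has_redirect = any(t.startswith("redirect=") for t in terms)
    return "configured" if has_all or has_redirect else "misconfigured"

def dkim_status(domain, selector="google"):
    """The health page queries the 'google' selector: <selector>._domainkey.<domain>."""
    records = [r for r in txt(f"{selector}._domainkey.{domain}") if "p=" in r]
    if not records:
        return "missing"
    tags = parse_tags(records[0])
    # v= is optional in DKIM but must be DKIM1 if present; an empty p= means a revoked key.
    if tags.get("v", "DKIM1") != "DKIM1" or not tags.get("p"):
        return "misconfigured"
    return "configured"

def dmarc_status(domain):
    """A single v=DMARC1 record at _dmarc.<domain> with a valid p= policy."""
    records = [r for r in txt(f"_dmarc.{domain}") if r.lower().startswith("v=dmarc1")]
    if not records:
        return "missing"
    if len(records) > 1:
        return "misconfigured"
    policy = parse_tags(records[0]).get("p", "").lower()
    return "configured" if policy in ("none", "quarantine", "reject") else "misconfigured"

def health_report(domain):
    """One status per check, mirroring the three rows of the security health page."""
    return {"spf": spf_status(domain), "dkim": dkim_status(domain), "dmarc": dmarc_status(domain)}

if __name__ == "__main__":
    for d in ("example.com", "broken.example"):
        print(d, health_report(d))
```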

Approved senders without authentication

When customizing the Spam setting for your domain in the Google Admin console, you have the option to not require sender authentication. You can use the security health page to observe how many of your domains have this option enabled (we recommend that you not use this option, and instead require sender authentication for all approved senders).

For more details, see the table below.

Setting: Approved senders without authentication
Status: Specifies whether or not you have enabled the Do not require sender authentication option for your domain(s).
Recommendation: Require sender authentication for all approved senders (check the Require sender authentication box). This reduces the risk of spoofing and phishing/whaling. If you have a business reason not to require authentication, do so with caution: this option bypasses the spam folder for approved senders that have no sender authentication (SPF or DKIM) configured. Learn more about sender authentication.

How to require sender authentication for all approved senders: In the Google Admin console, go to Apps > G Suite > Gmail > Advanced settings, and open the Spam setting.

If you configured approved senders, and if you checked the Bypass spam filters for messages received from addresses or domains within these approved senders lists box, be sure to uncheck the Do not require sender authentication box.

For more details and instructions, see Customize spam filter settings.

Effect on your users: Email received from unauthenticated whitelisted domains will not be filtered for spam. This can result in spoofing and phishing/whaling attacks that lead to hijacking of your users' accounts.

Approved domain senders

When customizing the Spam setting in the Google Admin console, you have the option to include domains in your approved sender list. This is not recommended, as mail sent from these domain addresses will not be filtered for spam, and it increases the risk of spoofing.

For more details, see the table below.

Setting: Approved domain senders
Status: Specifies whether or not your domain(s) are included on your approved sender list.
Recommendation: Do not include domains on your approved sender list. This reduces the risk of spoofing and phishing/whaling.

How to remove domains from your approved senders list: In the Google Admin console, go to Apps > G Suite > Gmail > Advanced settings, and open the Spam setting.

If you configured approved senders, and if you checked the Bypass spam filters for messages received from addresses or domains within these approved senders lists box, remove any domains from your approved sender list.

For more details and instructions, see Customize spam filter settings.

Effect on your users: By not including domains in your approved sender list, your users are at less risk of spoofing and phishing/whaling.

Email whitelist IPs

An email whitelist is a list of IP addresses from which your users expect to receive legitimate mail. When you add an IP address to your email whitelist, mail sent from this IP address will generally not be marked as spam.

For more details, see the table below.

Setting: Email whitelist IPs
Status: Specifies the number of organizational units where you have configured email whitelist IPs.
Recommendation: To reduce the risk of spoofing and phishing/whaling, do not configure email whitelist IPs.

Note: To take full advantage of the Gmail spam filtering service and get the best spam classification results, add the IP addresses of your mail servers that forward email to Gmail to the Inbound mail gateway setting rather than to an IP whitelist.

How to remove email whitelist IPs: In the Google Admin console, go to Apps > G Suite > Gmail > Advanced settings. Go to the Email whitelist IPs setting, and remove any IPs that are listed.

For more details and instructions, see Email whitelist IPs.

Effect on your users: By removing IPs from an email whitelist, your users are better protected from the risk of spoofing and phishing/whaling.

Add spam headers setting to all default routing rules

Adding the spam headers setting to all default routing rules helps maximize the filtering capacity of email servers downstream to reduce the risks of spoofing and phishing/whaling. While Gmail messages are automatically filtered for spam and phishing, checking the Add X-Gm-Spam and X-Gm-Phishy headers box adds these headers to indicate the spam and phishing status of the message. For example, an administrator at a downstream server can use this information to set up rules that handle spam and phishing differently from clean mail.

For more details, see the table below.

Setting: Add spam headers setting to all default routing rules
Status: Specifies whether or not the spam header is enabled in your domain(s) for the default routing rules.
Recommendation: Include the spam header in all default routing rules that you have defined (if any). This reduces the risk of spoofing and phishing/whaling.

How to include the spam header in all default routing rules: In the Google Admin console, go to Apps > G Suite > Gmail > Advanced settings, and click Default routing. When adding or editing a setting, check the Add X-Gm-Spam and X-Gm-Phishy headers box.

  • X-Gm-Spam: 0 indicates the message isn't spam.
  • X-Gm-Spam: 1 indicates the message is spam.
  • X-Gm-Phishy: 0 indicates the message is not phishing.
  • X-Gm-Phishy: 1 indicates the message is phishing.

Any message marked phishy is automatically marked spam as well.

For more details and instructions, see Default routing setting.

Effect on your users: Checking the Add X-Gm-Spam and X-Gm-Phishy headers box reduces the risk of spoofing and phishing/whaling.

Tip: We recommend that you test new rules to make sure they work correctly for your organization. For more information, see Best practices for faster rules testing.
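As an added example (not from this page), here is how a downstream server could act on the two headers described above: it reads X-Gm-Spam and X-Gm-Phishy from constructed messages, applies the rule that a phishy message is also spam, and ignores the headers on mail that did not arrive through your Gmail routing, where they carry no meaning; the actions table and the from_trusted_upstream flag are assumptions of the example.

```python
from email import message_from_string
from email.message import Message

# Constructed messages as a downstream server might receive them after a Gmail
# default routing rule with "Add X-Gm-Spam and X-Gm-Phishy headers" checked.
def build(spam=None, phishy=None):
    headers = ["From: alice@example.com", "To: bob@example.com", "Subject: constructed test"]
    if spam is not None:
        headers.append(f"X-Gm-Spam: {spam}")
    if phishy is not None:
        headers.append(f"X-Gm-Phishy: {phishy}")
    return "\r\n".join(headers) + "\r\n\r\nbody\r\n"

CONSTRUCTED = {
    "clean": build(0, 0),
    "spam": build(1, 0),
    "phishing": build(1, 1),
    "no-headers": build(),          # rule without the checkbox, or mail that bypassed Gmail
    "inconsistent": build(0, 1),    # contradicts "phishy implies spam"; treat as phishing
}

def gm_flag(msg: Message, header: str):
    """Return True/False for an X-Gm-* header, or None if absent or not exactly 0/1."""
    value = msg.get(header)
    if value is None:
        return None
    value = value.strip()
    return value == "1" if value in ("0", "1") else None

def classify(raw: str, from_trusted_upstream: bool = True) -> str:
    """Map the two headers to one verdict. from_trusted_upstream (an assumption of this
    example) means the connection came from your Gmail routing, so the headers were set
    by Gmail; on any other path the headers are ignored rather than trusted."""
    msg = message_from_string(raw)
    if not from_trusted_upstream:
        return "unlabelled"
    spam, phishy = gm_flag(msg, "X-Gm-Spam"), gm_flag(msg, "X-Gm-Phishy")
    if spam is None and phishy is None:
        return "unlabelled"
    if phishy:
        return "phishing"    # every phishy message is also spam, per the setting's description
    if spam:
        return "spam"
    return "clean"

# Downstream actions are an assumption of this example, not a Gmail setting.
ACTIONS = {"clean": "deliver", "spam": "junk-folder", "phishing": "quarantine",
           "unlabelled": "deliver-and-rescan"}

def route(raw: str, from_trusted_upstream: bool = True) -> str:
    return ACTIONS[classify(raw, from_trusted_upstream)]

if __name__ == "__main__":
    for name, raw in CONSTRUCTED.items():
        print(f"{name:12} -> {route(raw)}")
```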

MX record configuration

Make sure your MX records are pointed to Google’s mail servers as the highest priority record. This helps ensure that Google is filtering your email for spam and malware, and reduces the risk of lost emails.

Important: Updates to DNS records on a customer's domain host are not immediately reflected in the security health page; there is a propagation delay while DNS servers clear and update their caches. For example, GoDaddy only guarantees consistency after 48 hours.

For more details, see the table below.

Setting: MX record configuration
Status: Specifies whether or not you have configured the MX records for your domain(s) to point to Google’s mail servers as the highest priority record.
Recommendation: Configure the MX records to point to Google’s mail servers as the highest priority record to ensure correct mail flow to your G Suite domain users. This reduces the risk of data deletion (through lost email) and malware threats.
How to set up MX records: For details and instructions, see Set up MX records for G Suite and Gmail and G Suite MX record values.
Effect on your users: With properly configured MX records, your users will benefit from Google’s malware and spam protection, and their risk of lost email is reduced.

Attachment safety

You can reduce the risk of malware infection by protecting against encrypted attachments and scripts from untrusted senders and choosing what action to take based on the type of threat.

Note: Google scans all messages to protect against malware, even if the additional malicious attachment protection settings are not enabled. Enabling these settings lets you catch additional emails that would otherwise not be identified as malicious.

For more details, see the table below.

Setting: Attachment safety includes these sub-settings:
  • Protect against encrypted attachments from untrusted senders. Attackers can use encrypted attachments that can't be scanned for malware. Enable this setting to protect against senders with no prior Gmail history or those with a low sender reputation.
  • Protect against attachments with scripts from untrusted senders. Certain documents contain malicious scripts that can harm your devices. Enable this setting to protect against senders with no prior Gmail history or those with a low sender reputation.
Status: Specifies whether or not all the Attachment safety sub-settings are enabled in your domain or domains.
Recommendation: Enable the additional Gmail attachment safety settings. This reduces your risk of malware infection.

How to turn on Gmail attachment safety settings: For details and instructions, see Turn on attachment protection in Advanced phishing and malware protection.

Effect on your users: For each attachment safety setting, you can select the actions you want to apply to incoming emails:
  • Keep email in inbox and show warning (default)
  • Move email to spam

Links and external images safety

You can reduce the risk of email phishing by letting Gmail identify links behind shortened URLs and scan linked images. You can also decide to show a warning prompt to users that click on links to untrusted domains.

Note: Google scans all messages to protect against phishing, even if these additional links and external images safety settings are not enabled. These settings let Gmail catch additional emails that would otherwise not be identified as phishing.

For more details, see the table below.

Setting: Links and external images safety includes these sub-settings:
  • Identify links behind shortened URLs. Gmail can detect malicious links hidden behind shortened URLs.
  • Scan linked images. Gmail can scan images referenced by links to find hidden malicious content.
  • Show warning prompt for any click on links to untrusted domains. When you enable this setting, Gmail clients display a warning when users click on any link to untrusted domains in emails. This option does not function on IMAP/POP email clients. If it is disabled, warnings only appear for clicks to untrusted domains from suspicious emails.
Status: Specifies whether or not all the Links and external images safety sub-settings are enabled in your domain or domains.
Recommendation: Enable the additional Gmail safety settings to reduce your risk of email phishing due to links and external images.

How to turn on links and external images protection settings: For details and instructions, see Turn on links and external images protection in Advanced phishing and malware protection.

Effect on your users: If you enable the settings Identify links behind shortened URLs and Scan linked images, you improve the quality of phishing detection. As a result, more potentially malicious emails will carry warnings or be moved to spam folders.
If you enable the setting Show warning for any click on links to untrusted domains, Gmail clients display a warning when users click on any link in emails to untrusted domains. The user can then choose to continue opening the link or cancel.

Spoofing and authentication safety

You can enable additional protection against spoofing attacks based on similar domain names or employee names and choose what action to take based on the type of threat.

Note: Google scans all messages to protect against spoofing, even if these additional spoofing protection settings are not enabled.

For more details, see the table below.

Setting: Spoofing and authentication safety includes these sub-settings:
  • Protect against domain spoofing based on similar domain names. Protect against incoming messages from domains that appear visually similar to your company's domains or domain aliases.
  • Protect against spoofing of employee names. Protect against messages where the sender's name is a name in your G Suite directory, but the email is not from your company’s domains or domain aliases.
  • Protect against inbound emails spoofing your domain. Protect against potential Business Email Compromise (BEC) messages not authenticated using SPF or DKIM pretending to be from your domain.
  • Protect against any unauthenticated emails. Protect against any message not authenticated using SPF or DKIM by any domain. This setting is not required to get the green mark status for the Spoofing and authentication safety setting.
Status: Specifies whether or not the following sub-settings are enabled in your domain or domains:
  • Protect against domain spoofing based on similar domain names.
  • Protect against spoofing of employee names.
  • Protect against inbound emails spoofing your domain.
  • Protect against any unauthenticated emails.
Recommendation: Enable the additional Gmail spoofing safety settings to reduce your risk of spoofing based on similar domain names or employee names.

How to turn on spoofing and authentication safety settings: For details and instructions, see Turn on spoofing and authentication protection in Advanced phishing and malware protection.

Effect on your users: For each Spoofing and authentication safety setting, you can select which actions to apply to incoming emails:
  • Keep email in inbox and show warning
  • Move email to spam
  • No action

MTA-STS configuration

Turning on MTA Strict Transport Security (MTA-STS) for your domain improves Gmail security by requiring authentication checks and encryption for email sent to your domain. Use Transport Layer Security (TLS) reporting to get information about external server connections to your domain.

For more details, see the table below.

Setting: MTA-STS and TLS reporting
Status: Specifies whether or not a domain has missing or misconfigured records for MTA-STS.
Recommendation: Configure your domain(s) to support the MTA-STS protocol as an extra layer of security for your outbound communications by enforcing mail encryption.

How to configure your domain(s) to support the SMTP MTA-STS protocol: For details and instructions, see About MTA-STS and TLS Reporting.

Effect on your users: By configuring MTA-STS policies, you reduce the risk of someone intercepting your users' email communications.
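The MX record check described earlier and the MTA-STS check above depend on the same MX data, so one added Python example (not from this page) covers both: it verifies that the highest-priority MX hosts are Google's, and that a policy of the kind served at https://mta-sts.<domain>/.well-known/mta-sts.txt (RFC 8461) is well formed and lists every MX host, since a mismatch under mode: enforce makes senders refuse delivery; the MX answers, the policy bodies and the GOOGLE_MX_HOSTS set are assumptions, the last to be confirmed against the G Suite MX record values page.

```python
# Google's MX hosts as published for G Suite/Gmail (assumed here; confirm them against
# the "G Suite MX record values" page referenced above).
GOOGLE_MX_HOSTS = {
    "aspmx.l.google.com", "alt1.aspmx.l.google.com", "alt2.aspmx.l.google.com",
    "alt3.aspmx.l.google.com", "alt4.aspmx.l.google.com",
}

# Constructed MX answers as (preference, exchange); lower preference = higher priority.
CONSTRUCTED_MX = {
    "example.com": [(10, "ALT1.ASPMX.L.GOOGLE.COM."), (1, "aspmx.l.google.com."),
                    (10, "alt2.aspmx.l.google.com.")],
    "pilot.example": [(5, "aspmx.l.google.com.")],
    "legacy.example": [(10, "mail.legacy.example."), (20, "aspmx.l.google.com.")],
}

# Constructed policy bodies as served at https://mta-sts.<domain>/.well-known/mta-sts.txt
CONSTRUCTED_POLICY = {
    "example.com": "version: STSv1\nmode: enforce\nmx: aspmx.l.google.com\n"
                   "mx: *.aspmx.l.google.com\nmax_age: 604800\n",
    "pilot.example": "version: STSv1\nmode: testing\nmx: aspmx.l.google.com\nmax_age: 86400\n",
    "legacy.example": "version: STSv1\nmode: enforce\nmx: aspmx.l.google.com\nmax_age: 604800\n",
}

def normalize(host):
    return host.rstrip(".").lower()

def mx_status(domain):
    """Google's servers must hold the highest priority (lowest preference value); if
    several records share that value, all of them must be Google's."""
    records = CONSTRUCTED_MX.get(domain, [])
    if not records:
        return "missing"
    best = min(pref for pref, _ in records)
    top = {normalize(host) for pref, host in records if pref == best}
    return "configured" if top <= GOOGLE_MX_HOSTS else "misconfigured"

def parse_mta_sts(body):
    """RFC 8461 policy file: 'key: value' lines, where mx may repeat."""
    policy = {"mx": []}
    for line in body.splitlines():
        if ":" not in line:
            continue
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    return policy

def mx_matches(host, patterns):
    """A '*.' pattern matches exactly one leftmost label; everything else is an exact match."""
    for pat in patterns:
        if pat.startswith("*."):
            if "." in host and host.split(".", 1)[1] == pat[2:]:
                return True
        elif host == pat:
            return True
    return False

def mta_sts_status(domain):
    body = CONSTRUCTED_POLICY.get(domain)
    if body is None:
        return "missing"
    policy = parse_mta_sts(body)
    if policy.get("version") != "STSv1" or policy.get("mode") not in ("enforce", "testing", "none"):
        return "misconfigured"
    if not policy.get("max_age", "").isdigit():
        return "misconfigured"
    # Every MX host must match an mx pattern, or enforce-mode senders will refuse to deliver.
    hosts = [normalize(h) for _, h in CONSTRUCTED_MX.get(domain, [])]
    if not hosts or not all(mx_matches(h, policy["mx"]) for h in hosts):
        return "misconfigured"
    return "configured" if policy["mode"] == "enforce" else policy["mode"]
```

A policy in testing mode is reported as "testing" rather than "configured" so that an administrator can see it has not yet been moved to enforce.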