Use settings to improve security

This article describes settings in your Google Admin console you can use to improve the security and privacy of your information. Each item briefly explains a setting and recommends a best practice for how to use that setting. For each item, there’s also a link to more information and detailed instructions for the setting. Note that not all settings and features are available in all G Suite editions or Cloud Identity editions.

Best practices Instructions and more information

Require 2-Step Verification (2SV) for users

2-Step Verification helps protect a user's account from unauthorized access should someone manage to obtain their password.

Add 2-Step Verification

2-Step Enforcement

Use security keys, at least for administrators and other high-value accounts.

Security keys are small hardware devices used when signing in that provide second factor authentication that resists phishing.

Security keys

Help prevent phishing attacks with Password Alert

Implement the Password Alert Chrome extension to help your users avoid phishing attacks.

Prevent phishing attacks on your users

Add user login challenges

You can set up login challenges for suspicious login attempts. Users must enter a verification code that Google sends to their recovery phone number or recovery email address (an email address outside of your organization). Or, they must answer a challenge that only the account owner can solve.

Verify a user’s identity with a login challenge

Add employee ID as a login challenge

Review activity reports and alerts

See activity reports for account status, admin status, and 2-Step Verification enrollment details.

Account activity reports

Set up administrator email alerts

You can set up email alerts for certain events, such as suspicious sign-in attempts, compromised mobile devices, or setting changes by another admin.

Administrator email alerts

Secure compromised accounts

If you suspect an account may be compromised, examine the account and take action if necessary.

Identify and secure compromised accounts

Assign appropriate administrator roles

Use the model of least privilege, in which each user has access to only the resources and tools needed for their typical tasks.

Administrator roles

Add account recovery options to your administrator account

If you were granted administrator privileges to your account by another administrator, be sure to add a recovery phone number and email address to your account. 

Add recovery options to your administrator account 

Gmail (G Suite only)
Best practices Instructions and more information

Disable IMAP/POP access

Disable POP and IMAP access for any users who don't explicitly need this access.

Turn IMAP and POP on and off for users

Take care when overriding spam filters

Advanced Gmail settings provide detailed control of message delivery and filtering. To avoid an increase in spam, exercise thought and care if you use these settings to override Gmail’s default spam filters. 

  • If you add a domain or an email address to the approved senders list, use caution with the “Do not require sender authentication” option, as this may result in bypassing Gmail’s spam filters for senders with no authentication.
  • You can bypass the spam filters for messages sent from specific IP addresses by adding these IP addresses to the email whitelist. Be cautious while whitelisting IP addresses, particularly if you whitelist large ranges of IP addresses via a CIDR notation.
  • If you are forwarding messages to your G Suite domain via an inbound gateway, add the IP addresses of your inbound gateway to the inbound gateway settings and not the email whitelist.
  • Monitor and tune compliance rules to help prevent spam and phishing.

Advanced Gmail settings for an organization

List your inbound email gateways

If you use an email gateway to route incoming email, make sure it’s configured properly for Sender Policy Framework (SPF),  to improve spam handling.

Set up an inbound mail gateway

Set up SPF, DKIM, and DMARC

SPF, DKIM, and DMARC establish an email validation system that uses DNS settings to authenticate, digitally sign, and help prevent spoofing of your domain.

Spammers sometimes forge the "From" address on email messages so they appear to come from a user in your domain. To prevent this, you can configure SPF and DKIM on all outbound email streams. 
Once SPF and DKIM are in place, you can configure a DMARC record to define how Google and other receivers should treat unauthenticated emails purporting to come from your domain.

Help prevent spoofing with SPF, DKIM, and DMARC

Enforce TLS with your partner domains

You can require mail to be transmitted using TLS to ensure a secure connection.

Require a secure (TLS) connection

Disable automatic forwarding

Mail forwarding can be enabled at the domain or organizational unit (OU) level to allow users to forward email externally to other email accounts. You can use this setting to prevent users from forwarding emails to other accounts.

Disable automatic forwarding

Enable comprehensive mail storage

The comprehensive mail storage setting ensures that a copy of all sent and received mail in your domain—including mail sent or received by non-Gmail mailboxes—is stored in the associated users' Gmail mailboxes. Enable this setting to ensure mail is stored in Google Vault for all users who enable SMTP relay. Note: Google Vault is available in certain G Suite editions.

Set up comprehensive mail storage

Disable Bypass spam filters for internal senders

Disable this setting, as any external addresses added to groups will be treated as internal. Enabling this setting bypasses spam filters for messages received from internal senders (users in the same organization). 

Customize spam filter settings

Use Default routing and Add X-Gm-Spam and X-Gm-Phishy headers for routing rules

If you're using Default routing or Receiving routing rules, you should apply Add X-Gm-Spam and X-Gm-Phishy headers. This allows downstream on-prem servers (which can receive relayed mail via Default routing / Receiving routing rules) to act on Google spam and phishing markings.

Configure default routing

Enable Do not deliver spam to this recipient for routing rules

This setting filters spam before routing emails to recipients. This prevents relaying email marked by Google as likely spam or phishing.


Disable the Do not require sender authentication setting for spam policies

Disable this setting to always require authentication for approved senders. 

Customize spam filter settings

Enable Enhanced pre-delivery message scanning 

When Gmail identifies that an email message may be phishing, this setting enables Gmail to perform additional checks on the message.

Use enhanced pre-delivery message scanning

Enable external recipient warnings

Gmail detects if an external recipient in an email response is not someone a user interacts with regularly, or is not present in a user’s Contacts. When you configure this setting, your users receive a warning and an option to dismiss.

Configure an external recipient warning

Calendar (G Suite only)
Best practices Instructions and more information

Limit external calendar sharing

Use this setting to restrict external calendar sharing to free/busy information only.

Set calendar sharing options

Chrome OS
Best practices Instructions and more information

Set up and manage Chrome OS and Chrome Browser policies

Set up Chrome OS and Chrome Browser policies according to your organization’s policies. Recommended policies include Allow auto update settings, Allow password manager policy, Enable safe browsing, Prevent users from proceeding to malicious sites, and Allow users to show passwords in password manager.

Set Chrome policies for users

Chrome Browser
Best practices Instructions and more information

Set a desktop browser policy

Set Chrome Browser as the default browser, and use Legacy Browser Support to support applications that require a legacy browser.

Chrome legacy browser support

Set up and manage Chrome OS and Chrome Browser policies

Set up Chrome OS and Chrome Browser policies according to your organization’s policies. Recommended policies include Allow auto update settings, Allow password manager policy, Enable safe browsing, Prevent users from proceeding to malicious sites, and Allow users to show passwords in password manager.

Set Chrome policies for users

Control Chrome extensions via policy

Use this setting to have Chrome extensions installed via browser policy.

Install Chrome extensions via group policy

Enable auto-update for Chrome

Ensure that Chrome receives the latest security updates by enabling auto-update.

Manage Chrome browser auto-updates

Classic Hangouts (G Suite only)
Best practices Instructions and more information

Warn users when chatting outside their domain

Use this setting to show users a warning when chatting outside their domain. When this setting is enabled, group chat conversations will be split when the first person from outside the domain is added to the discussion. This will prevent external users from seeing previous internal discussions.

Classic Hangouts Chat settings

Set a chat invitation policy

Use this setting to set a chat invitation policy based on your organization’s policy on collaboration.

Classic Hangouts Chat settings

Contacts (G Suite only)
Best practices Instructions and more information

Don’t automatically share contact information

Disable the option to automatically share contact information.


Drive (G Suite only)
Best practices Instructions and more information

Set sharing options for your domain

Users can share and collaborate on documents internally and externally. Use the settings to set the default visibility to Private and allow users to share outside your organization, but warn users when they do so.

Set file sharing permissions

Set default link sharing options

You can set the default link sharing settings for a newly created file. Set the default to Off to give only the owner access until the file is shared.

Set file sharing permissions

Default settings for G Suite Business

This setting allows for unlimited storage and Vault for all users. For best results, separate users and apply a least-privileges sharing model. Configure domain whitelists and only allow your users to share with approved external domains.

G Suite Business

Google+ (G Suite only)
Best practices Instructions and more information

Restrict new posts by default

Use this setting to make new posts restricted to your domain by default. Note that users can change a post to restricted or unrestricted before sharing.

Set a default sharing restriction for Google+ content

Disable profile visibility

Use this setting to disable the ability to find user profiles from public searches.

Set the default for profile discoverability

Consider disabling Hangouts On Air

Use this setting to limit the ability to broadcast Hangouts on Air to appropriate users only.

Enable or disable Hangouts On Air

Automatically create Google+ profiles

Use this setting to disable automatic creation of public Google+ profiles for users in your organization.

Manage Google+ profiles

(See Create Google+ profiles for all users in an organizational unit.)

Allow apps to access Google+ APIs

Third-party apps can use Google+ APIs to act on behalf of users, performing actions such as reading posts, writing restricted posts, or managing circles. Enable this setting if you plan to programmatically access the Google+ APIs; disable it otherwise.

Enable or disable Google+ APIs

Best practices Instructions and more information

Set up private access to your groups 

Select the Private setting to limit access to only members of your domain.

Set sharing options

Limit group creation to admins only

Use this setting to allow only admins to create groups.

Set sharing options

Customize your group access settings

Use these settings to allow or disable  members and messages from outside your domain, set up message moderation, set visibility of groups, and perform other actions, according to your company policies.

Set who can view, post, & moderate

Disable Public access, Also allow anyone on the Internet to post messages, and Also grant this access to anyone on the Internet 

These settings allow anyone on the Internet to join the group, send messages, and view the discussion archives. For best results, disable these settings for all internal Groups.

Assign access levels to a group

Enable spam moderation for your groups

You can have messages sent to the moderation queue with or without notifying moderators, immediately reject spam messages, or allow the messages to be posted without moderation.

Approve or block new posts

Best practices Instructions and more information

Enable mobile device management to help control over your corporate data

Consider how to implement your organization’s mobile device requirements and mobile device management policies. At a minimum, enable Basic Mobile Management to gain visibility and control over corporate data on iOS and Android.

Get started with Google Mobile Management

Enforce the use of Android work profiles

Work profiles allow you to separate your organization's apps from personal apps, keeping personal and corporate data separate. By using integrated device management within G Suite to enforce the use of work profiles, you can whitelist applications that access corporate data and block installation of apps from unknown sources.

Set up Android work profiles

Sites (G Suite only)
Best practices Instructions and more information

Warn when sharing sites outside your domain

Use this setting to display a warning when users share sites outside your domain.

Set sharing options

Vault (Vault only)
Best practices Instructions and more information

Control, audit, and secure Vault accounts

Use these settings to make sure accounts with Vault access are carefully controlled and audited.

Vault administrators

Treat accounts with Vault access as sensitive

Vault accounts should be treated as elevated access accounts, similar to super administrator accounts. Accounts with Vault access should be carefully controlled and audited and should have two-step verification (2SV) enforced.

Vault administrators

Best practices Instructions and more information

Consider disabling the ability to download data

Use this setting to prevent user account data from being downloaded if the account is compromised or the user leaves the company.

Turn Takeout on or off for user

Disable Location History

Disable the Location History service to prevent users’ location history from being saved.

Turn additional Google services on or off

Whitelist connected apps (G Suite only)

Use G Suite settings to create whitelists that define which specific apps can access blocked scopes.

Whitelist connected apps

Was this article helpful?
How can we improve it?