Spoofing report

Supported editions for this feature: Enterprise Plus; Education Standard and Education Plus; Enterprise Essentials Plus. Compare your edition

In the security dashboard, you can use the spoofing report to display the number of messages that show evidence of potential spoofing.

View the spoofing report

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Securityand thenSecurity centerand thenDashboard.
  3. In the bottom-right corner of the Spoofing panel, click View Report.

Spoofing graph

This graph shows messages broken down by Similar domain, Display name, and Domain name:

  • Similar domain—Number of incoming messages from domains that look visually similar to trusted domains
  • Display name—Number of messages where the message sender's name is a name in your Google Workspace directory, but the mail is not from your company's domains or domain aliases  
  • Domain name—Number of unauthenticated messages (SPF or DKIM) pretending to be from your domain 

Note: You can hide lines in the graph by clicking on the legend. For example, click Display name to hide data related to display-name spoofing. This is especially useful if one line overlaps another.

Using the drop-down menus above the graph, you also customize the graph to provide details only about certain types of messages:

Filter Description

Classification: All, Clean, Spam, Phishing, Malware, Suspicious

All—Include all messages.
Clean—Include only messages marked as clean by the Google spam filter.
Spam—Include only messages marked as spam by the Google spam filter.
Malware--Include only messages marked as malware.
Phishing—Include only messages marked as phishing.
Suspicious—Include only messages marked as suspicious.

Note: The entire message is scanned for malware—not just attachments. For example, a message without attachments that includes a link to a website that might contain malware (even if the link is in text format) might be classified as malware.

Domain Choose the domain for your report.
Date range

Customize the report to view data from Today, Yesterday, This week, Last week, This month, Last month, or Days ago (up to 180 days); or enter a Start date and End date. Click Apply after you set the date range.

Note: For this report, data is displayed only for the last 31 days. For example, if you set the parameters for up to 60 days, the data in the report is cut off at 31 days.

To generate a spreadsheet with the graph’s data, click Export Sheet. A spreadsheet corresponding to the data in the graph will be generated and saved to your My Drive folder.

Compare current and historical data

To compare the current data to historical data, in the top right, from the Statistical analysis menu, select Percentile (not available for all Security dashboard charts). You’ll see an overlay on the chart to show the 10th, 50th, and 90th percentile of historical data (180 days for most data and 30 days for Gmail data). Then, to change the analysis, at the top right of the chart, use the menu to change the overlay line.

Spoofing table

To view more details about spoofing on specific dates, click any data point in the graph. For example, you can view data for this report by Subject, Recipient, Sender, IP address, and more.

Was this helpful?

How can we improve it?
Clear search
Close search
Google apps
Main menu