Monitor the health of your Gmail settings

Setting Automatic email forwarding—Allows users to automatically forward incoming messages to another address.

Status Specifies the number of organizational units where this setting is turned on.

Recommendation

Turn off the automatic email forwarding option to reduce your risk of data exfiltration through email forwarding, which is a common technique employed by attackers. For details, go to Disable automatic forwarding.

Effect on your users

If you turn off this setting, users won’t see the forwarding option in their Gmail settings. Any existing forwarding rules or filters they created will no longer work. However, any forwarding rules created by you or other admins will still apply.

Setting Add spam headers setting to all default routing rules—Adds header to messages to indicate spam and phishing status of message.

Status Specifies whether or not the spam header is included for default routing rules.

Recommendation

Include the spam header in all default routing rules that you have defined (if any). This action reduces the risk of spoofing and phishing or whaling. Other servers that get messages from your organization can use this information to determine how to treat those messages: Reject, admin quarantine, send to spam, and so on.

For more details and instructions, see Set up Default routing for your organization.

Tip: If you're adding or updating routing settings for a large organization, we recommend you try out the new rules with a small set of users. For more information, go to Best practices for faster rules testing.

Effect on your users When you check the Add X-Gm-Spam and X-Gm-Phishy headers box, it reduces the risk of spoofing and phishing or whaling.

Setting

Comprehensive mail storage—Ensures that a copy of all sent or received messages in your domain is stored in the associated users' Gmail mailboxes. This setting reduces your risk of data deletion.

Status Specifies the number of organizational units where this setting is turned off.

Recommendation

Turn this setting on:

• If you have a non-Gmail system that uses the SMTP relay service to route messages on behalf of your users and you want to display the messages in your users’ Gmail mailboxes.
  Examples: Ticket-tracking systems, bug databases, or automated notification systems
• If you store messages in Google Vault for users who turn on SMTP relay.
• If you send email with Google Workspace services other than Gmail.

For details, go to Set up comprehensive mail storage.

Effect on your users If you turn on this setting, your users can see all email that is sent by non-Gmail systems through Google SMTP relay services. Designated administrators can also access these emails in Vault. The setting also allows users to see product-generated notifications in their inboxes.

Setting MTA-STS configuration—Requires authentication checks and encryption for email sent to your domain and provides information about external server connections to your domain.

Status Specifies whether or not a domain has missing or misconfigured records for

Mail Transfer Agent-Strict Transport Security (MTA-STS).

Recommendation Configure your domain to support MTA-STS as an extra layer of security for your outbound communications by enforcing mail encryption. For details and instructions, go to About MTA-STS and TLS reporting.

Effect on your users By configuring MTA-STS policies, you reduce the risk of someone intercepting your users' email.

Setting DKIM—Adds a digital signature to outgoing message headers.

Status Specifies whether DomainKeys Identified Mail (DKIM) is configured for your domain or if it's missing or misconfigured.

Note: The security health tool performs lookups based only on the default Google DKIM selector (google._domainkey).

Recommendation

Configure DKIM for your domain by adding a digital signature to outgoing message headers using the DKIM standard. This action reduces spoofing and phishing or whaling risks. Mail servers receiving email from your domain can authenticate that your domain sent this email.

For details and instructions, go to Set up DKIM.

Effect on your users Configuring DKIM means your users are less likely to be spoofed because email sent from your domain is signed cryptographically using DKIM.

Setting SPF record—Identifies which mail servers are permitted to send email on behalf of your domain.

Status

Specifies whether a Sender Policy Framework (SPF) record is configured for your domain or if it's missing or misconfigured.

Recommendation

Configure an SPF record for your domain to help authorize email sent through your domain. This action reduces the risk of spoofing and phishing or whaling.

For better protection, use SPF and DKIM to help validate the domain that’s sending the email.

For details and instructions, go to Set up SPF.

Effect on your users If you configure the SPF record setting, your users are less likely to be spoofed because only designated mail servers are authorized to send email on their behalf.

Setting DMARC—Used with SPF and DKIM to detect and prevent email spoofing.

Status

Specifies whether a Domain-based Message Authentication, Reporting, and Conformance (DMARC) record is configured for your domain or if it's missing or misconfigured.

Recommendation

After you configure SPF and DKIM, configure a DMARC record for your domain. This action reduces the risk of spoofing and phishing or whaling.

For details and instructions, go to Set up DMARC.

Effect on your users

If you add a DMARC record, your users are less likely to be spoofed. In some cases, your users may experience challenges with mailing lists if they are not properly configured to operate with DMARC. Current versions of LISTSERV or MailMan can interoperate with DMARC senders. For more information, go to Set up DMARC.

Setting

Bypass spam filters for messages received from internal senders

Status Specifies the number of organizational units where bypassing spam filters for internal senders is turned on.

Recommendation Turn off Bypass spam filters for messages received from internal senders for all organizational units. Turning this setting off makes sure all of your users’ email is filtered for spam, including mail from internal senders. This action reduces the risk of spoofing and phishing or whaling.

How to turn off this setting

Configure a new Spam setting or edit an existing Spam setting.

For details and instructions, see Add a custom spam filter in Add custom spam filters to Gmail.

Effect on your users Your users are better protected if you filter their email for spam. It minimizes the chance for spoofing and phishing or whaling attacks.

Setting Attachment safety—Additional settings that reduce the risk of malware infection from encrypted attachments and attachments with scripts from untrusted senders, and unusual file types in emails.

Status Specifies whether or not all the attachment safety sub-settings are enabled in your domain.

Recommendation

Enable additional Gmail attachment safety settings to reduce your risk of malware infection. For details and instructions, go to Turn on attachment protection.

Important: Google scans all messages to protect against malware, even if the additional malicious attachment protection settings are not enabled. Using these settings helps you catch additional email previously unidentified as malicious.

Effect on your users For each attachment security setting, you can select the actions you want to apply to incoming email:

• Keep email in inbox and show warning (default)
• Move email to spam

Setting Links and external images safety—Additional settings that detect links to hidden malicious content and external images and warn users about untrusted domains.

Status Specifies whether or not all the Links and external images safety sub-settings are enabled in your domain or domains.

Recommendation

Enable additional Gmail Safety settings to reduce your risk of email phishing due to links and external images. For details and instructions, go to Turn on external images and links protection.

Important: Google scans all messages to protect against phishing, even if these additional links and external images safety settings are not enabled. These settings help Gmail to catch additional email previously unidentified as phishing.

Effect on your users

• If you enable the settings Identify links behind shortened URLs and Scan linked images, you can improve the quality of phishing detection. In turn, potentially more malicious emails will have warnings or will be moved to spam folders.
• If you enable the Show warning for any click on links to untrusted domains setting, when your users click a link in Gmail messages to untrusted domains, they get a warning. They can then choose to continue opening the link or cancel.

Setting Spoofing and authentication safety—Additional settings for spoofing and authentication, including protection against similar domain and employee names and messages not authenticated with SPF or DKIM.

Status Specifies whether or not additional settings are turned on for your domain.

Recommendation

Turn on additional safety settings to reduce your risk of spoofing. For details and instructions, go to Turn on spoofing and authentication protection.

Important: Google scans all messages to protect against spoofing even if these additional spoofing protection settings are not enabled.

Effect on your users For each additional safety setting, you can select an option for users’ incoming emails:

• Keep email in inbox and show warning (default)
• Move email to spam
• Quarantine

Setting Approved senders without authentication—You can customize the spam filter setting with an option that lets you accept unauthenticated messages from senders that you specify (trusted senders).

Status Specifies whether or not you have turned on the setting for your domain.

Recommendation

Require sender authentication for all approved senders to reduce the risk of spoofing and phishing or whaling. We don’t recommend using this option because it bypasses the spam folder for approved senders that don't have authentication, such as SPF or DKIM, configured.

For details, go to Add custom spam filters to Gmail.

Effect on your users Email from unauthenticated senders isn't filtered for spam. In turn, your users might be subject to spoofing and phishing or whaling attacks and compromised accounts.

Setting Email allowlist IPs—A list of IP addresses from which your users expect to receive legitimate mail. Mail sent from these IP addresses generally isn’t marked as spam.

Status Specifies the number of organizational units where you have configured email allowlist IPs.

Recommendation

To reduce the risk of spoofing and phishing or whaling, do not configure email allowlist IPs.

If you have mail servers that are forwarding email to Gmail: To take full advantage of the Gmail spam filtering service and for best spam classification results, set their IP addresses as Inbound mail gateways and do not add them to an IP allowlist. For details, go to Set up an inbound mail gateway.

How to remove email allowlist IPs

1. Sign in with an administrator account to the Google Admin console.

   If you aren’t using an administrator account, you can’t access the Admin console.

2. Go to Menu and then Apps > Google Workspace > Gmail > Spam, Phishing and Malware.

   Requires having the Gmail Settings administrator privilege.

3. Point to Email allowlist and click Edit.
4. Remove any IP addresses and click Save.

For more details and instructions, go to Add IP addresses to allowlists in Gmail.

Effect on your users If you remove IPs from an email allowlist, your users are better protected from the risk of spoofing and phishing or whaling.

Setting MX record configuration—Helps Google filter your email for spam and malware and reduces the risk of lost email.

Status Specifies whether or not you have configured the MX records for your domain to point to Google’s mail servers as the highest priority record

Recommendation

Configure the MX records to point to Google’s mail servers as the highest priority record to ensure correct mail flow to your Google Workspace domain users. This action reduces the risk of data deletion (through lost email) and malware threats.

For details and instructions, go to Activate Gmail for Google Workspace and ​Google Workspace​ MX record values.

Effect on your users Properly configured MX records protect your users from malware and spam and the risk of lost email.

Setting POP and IMAP access—Lets users access their email using third-party clients, such as Mozilla Thunderbird or Microsoft Outlook.

Status Specifies the number of organizational units where POP and IMAP access is turned on.

Recommendation Turn off POP and IMAP access for all organizational units. This action reduces data leak, data deletion, and data exfiltration risks. For details, go to Turn POP & IMAP on or off for users.

Effect on your users Turning off POP and IMAP prevents your users from using third-party email clients that can create risks to your organization’s data.