Serving Vancouver, Washington and remote U.S. businesses

Google Workspace Security

Google Workspace Gmail Security for Small Businesses

A practical implementation guide for protecting Google Workspace Gmail from phishing, spoofing, malicious attachments, harmful links, unauthorized forwarding, and compromised accounts.

Google Workspace Gmail security should combine Google Admin settings, domain authentication, routing review, user reporting, monitoring, and a documented response process.

Email Remains a Primary Attack Path

Attackers use phishing, fake sign-in pages, invoice fraud, executive impersonation, vendor impersonation, malicious attachments, and account takeover to target small businesses.

Gmail includes strong built-in filtering, but the organization still needs correct domain authentication, administrator configuration, employee reporting, monitoring, and incident response.

Inventory Every Authorized Sender

List Google Workspace, websites, contact forms, marketing platforms, customer relationship management systems, ticketing systems, payroll services, scanners, applications, and vendors that send email using the company's domains.

Record the owner, sending address, domain, provider, authentication method, expected volume, and business purpose. This inventory is necessary before applying strict SPF, DKIM, DMARC, routing, or spoofing controls.

Know every system that sends as your domain

An unknown website form or former marketing vendor can create delivery failures and make spoofed mail harder to identify.

Configure SPF

Sender Policy Framework identifies the servers authorized to send email for a domain. Publish one valid SPF record for each sending domain and include only approved services.

Review duplicate records, retired vendors, nested include statements, and the DNS lookup limit. An overly broad record can authorize senders the business no longer uses.

Enable DKIM

DomainKeys Identified Mail adds a cryptographic signature to outgoing mail. Receiving systems can verify that an authorized service signed the message and that protected content was not altered.

Generate the DKIM record in the Google Admin console for each custom sending domain, publish the DNS record, start authentication, and verify message headers after activation.

Deploy DMARC Gradually

Domain-based Message Authentication, Reporting, and Conformance uses SPF or DKIM alignment and tells receiving systems how to handle messages that fail authentication.

Begin with monitoring, review aggregate reports, correct legitimate senders, then increase the policy gradually. Do not publish a strict reject policy before every approved sender is authenticated and aligned.

DMARC can block legitimate business mail when sender inventory is incomplete

Marketing platforms, websites, payroll systems, and vendors must be included in the authentication plan before enforcement increases.

Review Gmail Safety Settings

Google Workspace provides Gmail safety settings for attachments, links and external images, spoofing and authentication, and other threats. Review the settings available in the current Admin console and the organization's edition.

Apply the settings through documented organizational units or groups and verify policy inheritance.

Protect Against Spoofing

Review protections for messages that appear to come from the organization's domain, similar domain names, employee names, and unauthenticated senders.

Test legitimate vendors and assistants who send on behalf of employees. Correct authentication and routing rather than creating a broad bypass.

Review Attachment Protection

Configure protections for encrypted attachments from untrusted senders, scripts, unusual file types, and messages with potentially malicious attachments according to current Google settings.

Create an approved secure file-transfer process for business files that should not travel through ordinary email.

Review Link and External Image Protection

Malicious links can direct users to fake Google sign-in pages or malware. Review Gmail protections for suspicious links and external images.

Train employees to inspect unexpected sign-in pages and report suspicious messages rather than entering credentials.

Use External Sender Indicators

External sender warnings can help employees recognize that a message originated outside the organization. Configure indicators in a way that supports awareness without teaching employees to ignore constant warnings.

Explain that an external label does not mean a message is malicious and the absence of a label does not prove safety.

Review Spam and Compliance Settings

Review spam handling, blocked senders, approved senders, content compliance, attachment compliance, and other Gmail settings. Document why each exception exists.

A broad approved-sender list can weaken filtering. Use the narrowest correction and verify the sender's authentication.

Review Routing and Default Routing

Gmail routing can redirect, split, reject, archive, or modify mail flow. Document every routing rule, default route, recipient map, gateway, and compliance rule.

Remove obsolete vendor routes, old migration settings, and rules without an active business owner.

Review Inbound Gateways

An inbound gateway tells Google to trust mail arriving through selected systems. Incorrect settings can weaken spoofing and spam evaluation.

Confirm internet addresses, authentication, header behavior, vendor ownership, and the ongoing need for every gateway.

Control Automatic Forwarding

Automatic forwarding can expose data and allow an attacker to receive messages without maintaining an active sign-in. Restrict forwarding unless the business has an approved requirement.

Review user forwarding, filters, routing rules, delegated access, and third-party applications that read or send Gmail.

Review Delegated Gmail Access

Delegation can allow one user to read and send another user's mail. Record the owner, delegate, business reason, approval, and expiration.

Review delegation during role changes, executive-assistant changes, leave, and offboarding.

Configure Quarantine Procedures

Google Workspace supports administrative quarantine for selected Gmail rules and compliance actions. Define who reviews quarantined messages and which events require escalation.

Review sender authentication, message headers, links, attachments, routing, and business context before release.

Enable User Reporting

Train employees to use Gmail's phishing and spam reporting features and to contact support for suspected fraud, credential theft, or unusual payment requests.

Assign someone to review reported messages, search for additional recipients, and communicate the result.

Protect High-Risk Users

Executives, finance, payroll, human resources, administrators, purchasing, and public-facing employees are common targets for impersonation and business email compromise.

Apply stronger 2-Step Verification, security keys or passkeys where appropriate, stricter email review, and clear payment-verification procedures.

Monitor Email Log Search

Email Log Search can help administrators trace message delivery, routing, rejection, and status according to edition and retention. Use it to investigate missing messages, suspicious sending, and routing problems.

Correlate mail activity with login events, OAuth applications, forwarding changes, and administrator actions.

Respond to a Compromised Account

  1. Suspend or contain the account.
  2. Reset credentials and revoke active sessions.
  3. Review 2-Step Verification methods and backup codes.
  4. Review forwarding, filters, delegates, and routing.
  5. Review OAuth applications and tokens.
  6. Search for malicious messages sent or received.
  7. Notify affected employees, customers, or vendors.
  8. Preserve evidence and document corrective actions.

Test the Complete System

Review SPF, DKIM, DMARC, safety settings, routing, gateways, forwarding, delegation, quarantine, user reporting, Email Log Search, and incident response.

Use controlled simulations and approved test messages. Do not send actual malicious files or links to employees.

Gmail Security Checklist

  • Inventory every authorized sender.
  • Configure and verify SPF.
  • Enable DKIM for every sending domain.
  • Deploy DMARC in stages.
  • Review attachment, link, image, and spoofing protections.
  • Use external sender indicators.
  • Review spam, compliance, and approved-sender settings.
  • Document routing, gateways, and recipient maps.
  • Control forwarding and delegated access.
  • Define quarantine and user-reporting procedures.
  • Protect high-risk users.
  • Test compromised-account response.

Frequently Asked Questions

Does Gmail automatically block every phishing message?

No. Built-in protections reduce risk, but administrators must configure the domain, review settings, monitor activity, and respond to reports.

Should DMARC begin with reject?

No. Begin with monitoring, identify legitimate senders, correct authentication, and increase enforcement gradually.

Is SPF alone enough?

No. Use SPF, DKIM, and DMARC together with Gmail security settings and monitoring.

When Professional Support Helps

Professional support can inventory senders, configure SPF, DKIM, and DMARC, review Gmail safety and routing settings, control forwarding, and document incident response.

Need help applying this?

Implement Google Workspace security with confidence.

J3 Systems Group LLC can implement 2-Step Verification, Context-Aware Access, Gmail protection, super admin recovery, audit monitoring, OAuth controls, and supporting security procedures.

Book a Free Consultation