Google Workspace Email Security: Gmail Security Best Practices
Harden Gmail for your organization with Google Workspace security settings: Advanced Protection, OAuth app control, phishing settings, audit logs, and DLP.
Google Workspace includes a robust set of email security controls that go well beyond what personal Gmail offers. Many organizations set up Workspace, add their domain, and leave most security settings at their defaults — which are designed for convenience, not security hardening. This guide walks through every meaningful security control in the Gmail and Workspace Admin Console, from email authentication to data loss prevention, organized by priority.
Email Authentication: SPF, DKIM, DMARC
These DNS records are the foundation of email security. Without them, your domain can be spoofed trivially.
SPF for Google Workspace
Publish a TXT record at your domain root including Google's mail servers:
yourcompany.com TXT "v=spf1 include:_spf.google.com -all"
If you send from other services, add their include directives before -all. Run dig TXT _spf.google.com to see what IP ranges this covers.
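As an added illustration (not code from the original guide), the following Python parses an SPF TXT record such as the one above and reports the two things that most often go wrong once several third-party includes are added: a weak or missing `all` qualifier, and more than the ten DNS-lookup terms RFC 7208 allows before receivers return a permerror. The second record is constructed; `_spf.crm.example` is a placeholder, not a real sender.

```python
from __future__ import annotations
import re

# Terms that each cost one DNS lookup under RFC 7208 section 4.6.4 (limit: 10 per evaluation).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record: str) -> dict:
    """Split an SPF TXT record into (qualifier, name, argument) terms.

    Counts only the lookup terms visible in this record: includes expand
    recursively on a live resolver, so the real total can only be higher.
    """
    tokens = record.strip().split()
    if not tokens or tokens[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    terms, lookups, all_qualifier = [], 0, None
    for tok in tokens[1:]:
        qualifier = "+"                      # the implicit qualifier is pass
        if tok[0] in "+-~?":
            qualifier, tok = tok[0], tok[1:]
        m = re.match(r"^([a-z0-9]+)(.*)$", tok, re.I)
        if not m:
            raise ValueError(f"malformed term: {tok}")
        # mechanisms use ':' (include:domain), modifiers use '=' (redirect=domain)
        name, arg = m.group(1).lower(), m.group(2).lstrip(":=")
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "all":
            all_qualifier = qualifier
        terms.append((qualifier, name, arg))
    return {"terms": terms, "lookups": lookups, "all": all_qualifier}


def assess_spf(record: str) -> list[str]:
    """Return findings a defender would act on; an empty list means nothing was flagged."""
    info = parse_spf(record)
    findings = []
    if info["all"] is None:
        findings.append("no 'all' mechanism: hosts not listed are treated as neutral")
    elif info["all"] in ("+", "?"):
        findings.append(f"'{info['all']}all' lets unlisted hosts pass or stay neutral; use -all")
    elif info["all"] == "~":
        findings.append("'~all' is softfail; move to -all once every legitimate sender is listed")
    if info["lookups"] > 10:
        findings.append(f"{info['lookups']} DNS-lookup terms exceed the limit of 10 (permerror)")
    if any(name == "ptr" for _, name, _ in info["terms"]):
        findings.append("'ptr' is discouraged by RFC 7208 and expensive to evaluate")
    return findings


if __name__ == "__main__":
    # The record from this guide, then a constructed one with extra includes and softfail.
    for rec in ("v=spf1 include:_spf.google.com -all",
                "v=spf1 include:_spf.google.com include:_spf.crm.example a mx ptr ~all"):
        print(rec, "->", assess_spf(rec) or ["ok"])
```

Because the count covers only the record you pass in, treat it as a lower bound: each `include:` pulls in the lookups of the included record as well, which is why a handful of SaaS senders can silently push a domain past the limit.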
DKIM for Google Workspace
- In the Admin Console: Apps > Google Workspace > Gmail > Authenticate email
- Select your domain and click "Generate new record"
- Choose a prefix (default is google, but use something like mail2026 for clarity)
- Copy the DNS TXT record Google provides and publish it at your DNS provider
- After DNS propagation (up to 48 hours), click "Start authentication"
Google generates 2048-bit RSA keys. The DKIM selector will be {prefix}._domainkey.yourdomain.com.
DMARC deployment
Start with monitoring mode to capture 2–4 weeks of reports before enforcing:
_dmarc.yourcompany.com TXT "v=DMARC1; p=none; rua=mailto:dmarc@yourcompany.com; pct=100"
Review reports, fix alignment issues for all legitimate senders, then move to p=quarantine and finally p=reject.
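The review step above is where most DMARC rollouts stall, so here is an added Python example (not from the original guide) that parses a DMARC record, reads an aggregate (`rua`) report in the RFC 7489 Appendix C XML schema, lists the sending sources that fail alignment, and only suggests moving to the next `p=` value once the observed pass rate clears a threshold. The report embedded below is constructed: the IPs are documentation addresses and `bounce.crm-vendor.example` is a placeholder for a third-party sender that was never set up to sign as your domain.

```python
from __future__ import annotations
import xml.etree.ElementTree as ET

# Constructed aggregate report in the RFC 7489 Appendix C schema; not a real report.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>reporter.example</org_name>
    <report_id>constructed-0001</report_id>
  </report_metadata>
  <policy_published>
    <domain>yourcompany.com</domain>
    <adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>203.0.113.5</source_ip>
      <count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourcompany.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>yourcompany.com</domain><selector>mail2026</selector><result>pass</result></dkim>
      <spf><domain>yourcompany.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip>
      <count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourcompany.com</header_from></identifiers>
    <auth_results>
      <spf><domain>bounce.crm-vendor.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record's tag=value pairs; fills in the RFC defaults for pct/adkim/aspf."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("pct", "100")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def _text(elem, path, default=""):
    node = elem.find(path)
    return node.text.strip() if node is not None and node.text else default


def analyze_report(xml_text: str) -> list[dict]:
    """One row per <record>. policy_evaluated carries the reporter's *aligned* SPF/DKIM
    verdicts, so a record passes DMARC when either of those is 'pass'; the raw
    auth_results domains are kept so you can see which sender is misaligned."""
    rows = []
    for rec in ET.fromstring(xml_text).findall("record"):
        dkim_aligned = _text(rec, "row/policy_evaluated/dkim") == "pass"
        spf_aligned = _text(rec, "row/policy_evaluated/spf") == "pass"
        rows.append({
            "source_ip": _text(rec, "row/source_ip"),
            "count": int(_text(rec, "row/count", "0")),
            "header_from": _text(rec, "identifiers/header_from"),
            "spf_domain": _text(rec, "auth_results/spf/domain"),
            "dkim_domain": _text(rec, "auth_results/dkim/domain"),
            "dmarc_pass": dkim_aligned or spf_aligned,
        })
    return rows


def failing_sources(xml_text: str) -> list[dict]:
    """Sources to chase down (or confirm as spoofing) before tightening the policy."""
    return [r for r in analyze_report(xml_text) if not r["dmarc_pass"]]


def pass_rate(xml_text: str) -> float:
    rows = analyze_report(xml_text)
    total = sum(r["count"] for r in rows)
    return sum(r["count"] for r in rows if r["dmarc_pass"]) / total if total else 0.0


def next_policy(record: str, rate: float, threshold: float = 0.98) -> str:
    """Staged rollout: none -> quarantine -> reject, advancing only when the pass rate is high enough."""
    current = parse_dmarc(record).get("p", "none")
    ladder = ["none", "quarantine", "reject"]
    if rate < threshold or current == "reject":
        return current
    return ladder[ladder.index(current) + 1]


if __name__ == "__main__":
    record = "v=DMARC1; p=none; rua=mailto:dmarc@yourcompany.com; pct=100"
    for r in failing_sources(SAMPLE_REPORT):
        print(f"{r['source_ip']}: {r['count']} msgs, SPF domain {r['spf_domain'] or '-'}, DKIM domain {r['dkim_domain'] or '-'}")
    print(f"pass rate {pass_rate(SAMPLE_REPORT):.0%}; next policy: {next_policy(record, pass_rate(SAMPLE_REPORT))}")
```

In the constructed report the failing source passes SPF for the vendor's own bounce domain but never for `yourcompany.com`, which is the classic relaxed-alignment failure: the fix is to have that vendor DKIM-sign with a selector under your domain (or send from a subdomain you publish SPF for), not to loosen the policy. Real reports arrive gzipped or zipped as attachments to the `rua` mailbox; this example takes the already-extracted XML.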
Gmail Security Settings in the Admin Console
Navigate to Apps > Google Workspace > Gmail > Safety in the Admin Console. These settings apply to all users in your organization.
Spoofing and authentication
Under the "Spoofing and authentication" section:
- Protect against domain spoofing based on similar domain names — Enable. This adds warnings for messages where the sender domain closely resembles your domain (e.g., yourcompany vs yourcornpany)
- Protect against spoofing of employee names — Enable. Warns users when a message display name matches an employee in your directory but the sending address is external
- Protect against inbound emails spoofing your domain — Enable. Warns when a message fails your SPF/DKIM/DMARC checks
- Protect against any unauthenticated email — Enable. Warns on any message that fails authentication, regardless of domain
For each protection, set the action to "Move to spam" or "Quarantine" rather than just showing a warning banner once you have calibrated false positive rates.
Attachments and links
- Scan linked images — Enable. Images embedded via URL can beacon to attacker infrastructure; scanning limits this
- Show warning prompts for any click on links to untrusted domains — Enable. Prompts users before navigating to domains not on Google's trusted list
- Apply future recommended settings automatically — Enable. Google adds protections over time; this ensures new controls are applied without manual review
Malware scanning
Google scans all attachments for malware using multiple detection engines. The key additional control here:
- Enhance pre-delivery message scanning — Enable this in the Spam section. This adds a slight delay for deep scanning of messages Google is uncertain about.
Advanced Protection Program for High-Risk Users
The Advanced Protection Program is Google's highest security tier for individual accounts. For organizations, it is most appropriate for executives, IT administrators, finance staff, and anyone with privileged access.
What Advanced Protection adds
- Requires hardware security keys (FIDO2/WebAuthn) as the only second factor — no SMS or authenticator app fallback
- Blocks all third-party app access to Gmail and Drive unless the app is explicitly allowlisted by your admin
- Adds extra scrutiny to downloads flagged as potentially dangerous
- Triggers enhanced account recovery processes that prevent social engineering attacks against account recovery
Enrolling users in Advanced Protection
Users enroll themselves at g.co/advancedprotection using a hardware security key (YubiKey or Google Titan Key). Admins can require Advanced Protection enrollment for specific organizational units in the Admin Console under Security > Advanced Protection program.
OAuth App Control and Third-Party Access
Uncontrolled OAuth app permissions are one of the most common ways attackers gain persistent access to Workspace environments. An employee grants a malicious or misconfigured app access to their Gmail, and the app can read, send, and delete email indefinitely.
Audit current OAuth grants
In the Admin Console: Security > API controls > App access control. Review the list of apps with access to your users' data. For each app, check what scopes it has been granted.
Run a report of all OAuth grants:
Admin Console > Reports > Apps > OAuth Token Activity
Look for apps with https://mail.google.com/ scope (full Gmail access) that you did not explicitly approve.
Restrict third-party app access
- Admin Console > Security > API controls > App access control
- Click "Manage Google services" and review Google service access per app
- Set "Trust internal, domain-owned apps" under default settings
- For unconfigured third-party apps: select "Don't allow users to access any third-party apps" or require admin approval
Requiring admin approval for new OAuth app grants is the highest-security option. Users who need a specific integration submit a request, and IT reviews the scopes before approving.
Data Loss Prevention for Gmail
Google Workspace Business Plus and Enterprise tiers include DLP rules for Gmail. DLP scans outbound messages for sensitive data patterns and can block, quarantine, or warn.
Creating a DLP rule for credit card numbers
- Admin Console > Apps > Google Workspace > Gmail > Compliance
- Click "Configure" under Content compliance
- Add a condition: body contains a credit card number pattern (Google provides predefined detectors)
- Set the action to quarantine outbound messages to external recipients that match
Common detectors to enable:
- Credit card numbers
- US Social Security Numbers
- Passport numbers
- Custom regex for your internal identifier formats (customer IDs, case numbers)
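To show what a content-compliance detector does under the hood, here is an added Python example (not the original guide's code and not Google's detector implementation) that combines a card-number regex with a Luhn checksum, so that order numbers and other digit runs do not trip the rule, plus a hypothetical `CUST-` followed by six digits pattern standing in for the custom identifier regex mentioned above. The outbound decision mirrors the rule described in the steps: quarantine only when a detector fires and the recipient is outside `yourcompany.com`. The message body and card numbers are constructed test values.

```python
from __future__ import annotations
import re

INTERNAL_DOMAIN = "yourcompany.com"

# 13 to 19 digits, optionally separated by single spaces or dashes, not part of a longer digit run.
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Hypothetical internal identifier format (CUST- plus six digits); replace with your own formats.
CUSTOMER_ID = re.compile(r"\bCUST-\d{6}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most digit strings that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return separator-free card numbers that pass Luhn, in order of appearance."""
    hits = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def classify_outbound(recipient: str, body: str) -> dict:
    """Quarantine when any detector fires on mail leaving the domain; deliver otherwise."""
    external = recipient.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN
    hits = {"credit_card": find_card_numbers(body),
            "customer_id": CUSTOMER_ID.findall(body)}
    matched = any(hits.values())
    return {"external": external, "hits": hits,
            "action": "quarantine" if external and matched else "deliver"}


if __name__ == "__main__":
    # Constructed message: 4111... is a well-known test card number; the order number fails Luhn.
    body = ("Please bill 4111 1111 1111 1111 for order 1234 5678 9012 3456. "
            "Account reference CUST-004512.")
    print(classify_outbound("billing@vendor.example", body))
    print(classify_outbound("colleague@yourcompany.com", body))
```

The Luhn check is what keeps a detector like this usable: without it, every sixteen-digit tracking or order number in outbound mail becomes a quarantine event, and the rule gets switched off within a week.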
Audit Logs and Security Monitoring
Email log search
Admin Console > Reporting > Email log search lets you trace the delivery path of any message. Use it to investigate phishing reports, delivery failures, and suspicious forwarding.
Key fields to query:
- Sender address to find all mail from a specific domain
- Recipient to trace what a user received
- "Has attachment" combined with specific file types for malware investigation
Alert center
Admin Console > Security > Alert center surfaces security events including:
- Government-backed attack warnings
- Suspicious login activity
- User suspended for spam
- Phishing message reported by users
- Data export alerts
Configure alert notifications to your security team's email or ticketing system.
Gmail forwarding audit
Attackers who compromise a Workspace account often set up forwarding rules to exfiltrate email silently. Audit forwarding settings for all users:
Admin Console > Reports > User reports > Account activity, then look for the "Forwarding" column.
Alternatively, use the Admin SDK via Google Apps Script or the Reports API to export all forwarding configurations for review.
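As an added example of what that exported review can look like (not code from the original guide, and not a Google library), the Python below audits per-user forwarding data in the shape of two Gmail API responses: `users.settings.getAutoForwarding` (fields `enabled`, `emailAddress`, `disposition`) and `users.settings.filters.list` (filters whose `action` carries a `forward` target, plus `addLabelIds`/`removeLabelIds`). The field names follow the public API reference; the users, addresses and filters are constructed. Two signals are rated high: a target outside the organization's domain, and any setting that hides the forwarded copy from the mailbox owner (auto-forward disposition `trash`/`archive`, or a filter that removes `INBOX`), since that is the pattern the paragraph above warns about.

```python
from __future__ import annotations

INTERNAL_DOMAIN = "yourcompany.com"

# Constructed per-user records; the shapes mirror users.settings.getAutoForwarding
# and users.settings.filters.list from the Gmail API reference, values are made up.
SAMPLE_USERS = [
    {"user": "alice@yourcompany.com",
     "autoForwarding": {"enabled": False},
     "filters": []},
    {"user": "bob@yourcompany.com",
     "autoForwarding": {"enabled": True,
                        "emailAddress": "bob.backup@webmail.example",
                        "disposition": "trash"},
     "filters": []},
    {"user": "carol@yourcompany.com",
     "autoForwarding": {"enabled": True,
                        "emailAddress": "carol-assistant@yourcompany.com",
                        "disposition": "leaveInInbox"},
     "filters": [
         {"id": "filter-1",
          "criteria": {"query": "invoice OR wire"},
          "action": {"forward": "dropbox@external.example",
                     "removeLabelIds": ["INBOX"]}},
     ]},
]


def is_external(address: str) -> bool:
    """True when the address is outside the organization's own domain."""
    return address.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN


def audit_user(record: dict) -> list[dict]:
    """Findings for one user: every forwarding path, rated high when external or hidden."""
    user = record["user"]
    findings = []
    af = record.get("autoForwarding", {})
    if af.get("enabled"):
        target = af.get("emailAddress", "")
        hidden = af.get("disposition") in ("trash", "archive")
        findings.append({
            "user": user, "kind": "auto_forward", "target": target,
            "severity": "high" if is_external(target) or hidden else "low",
            "hidden_from_owner": hidden,
        })
    for f in record.get("filters", []):
        action = f.get("action", {})
        target = action.get("forward")
        if not target:
            continue
        hidden = ("INBOX" in action.get("removeLabelIds", [])
                  or "TRASH" in action.get("addLabelIds", []))
        findings.append({
            "user": user, "kind": "filter_forward", "target": target,
            "filter_id": f.get("id"),
            "query": f.get("criteria", {}).get("query", ""),
            "severity": "high" if is_external(target) or hidden else "low",
            "hidden_from_owner": hidden,
        })
    return findings


def audit_all(records: list[dict]) -> list[dict]:
    """Flatten findings across users, high severity first (stable order otherwise)."""
    found = [f for r in records for f in audit_user(r)]
    return sorted(found, key=lambda f: f["severity"] != "high")


if __name__ == "__main__":
    for f in audit_all(SAMPLE_USERS):
        print(f["severity"].upper(), f["user"], f["kind"], "->", f["target"],
              "(hidden)" if f["hidden_from_owner"] else "")
```

Filter-based forwarding deserves the same attention as the account-level setting: it does not show up in a plain "is auto-forwarding enabled" check, and a filter scoped to a query like `invoice OR wire` that also removes `INBOX` is exactly the shape a business-email-compromise follow-on takes. Pairing this audit with the Alert center's suspicious-login events gives you the timeline.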
Confidential Mode and Message Expiry
Gmail's Confidential Mode prevents recipients from forwarding, copying, printing, or downloading messages. It also supports message expiry dates and SMS passcode requirements for access.
Confidential Mode is enforced by Google's servers — recipients using non-Google mail clients receive a link to view the message in a Google-hosted interface rather than receiving the raw MIME message. This is not end-to-end encryption, but it does prevent casual forwarding and provides an audit trail of access.
Enable Confidential Mode organization-wide as the default for external email:
Admin Console > Apps > Google Workspace > Gmail > User settings > Confidential mode
This is especially useful for HR, legal, and finance communications where preventing downstream forwarding is important.