Supported editions for this feature: Enterprise Plus; Education Standard and Education Plus; Enterprise Essentials Plus.
From the security health page, you can monitor the configuration of advanced Gmail settings in your Google Admin console.
Before you begin
For the steps to get to the security health page in the Admin console, go to Get started with the security health page.
Important: Updates to DNS records at your domain host might take up to 48 hours to appear on the security health page, depending on your domain provider.
Email routing
Automatic email forwarding
Setting | Automatic email forwarding—Allows users to automatically forward incoming messages to another address. |
Status | Specifies the number of organizational units where this setting is turned on. |
Recommendation | Turn off the automatic email forwarding option to reduce your risk of data exfiltration through email forwarding, which is a common technique employed by attackers. For details, go to Disable automatic forwarding. |
Effect on your users | If you turn off this setting, users won’t see the forwarding option in their Gmail settings. Any existing forwarding rules or filters they created will no longer work. However, any forwarding rules created by you or other admins will still apply. |
Add spam headers setting to all default routing rules
Setting | Add spam headers setting to all default routing rules—Adds headers to messages that indicate the spam and phishing status of each message. |
Status | Specifies whether or not the spam header is included for default routing rules. |
Recommendation | Include the spam header in all default routing rules that you have defined (if any). This action reduces the risk of spoofing and phishing or whaling. Other servers that get messages from your organization can use this information to determine how to treat those messages: Reject, admin quarantine, send to spam, and so on. For more details and instructions, see Set up Default routing for your organization. Tip: If you're adding or updating routing settings for a large organization, we recommend you try out the new rules with a small set of users. For more information, go to Best practices for faster rules testing. |
Effect on your users | When you check the Add X-Gm-Spam and X-Gm-Phishy headers box, it reduces the risk of spoofing and phishing or whaling. |
Filtering content & protecting data
Comprehensive mail storage
Setting | Comprehensive mail storage—Ensures that a copy of all sent or received messages in your domain is stored in the associated users' Gmail mailboxes. This setting reduces your risk of data deletion. |
Status | Specifies the number of organizational units where this setting is turned off. |
Recommendation | Turn this setting on. For details, go to Set up comprehensive mail storage. |
Effect on your users | If you turn on this setting, your users can see all email that is sent by non-Gmail systems through Google SMTP relay services. Designated administrators can also access these emails in Vault. The setting also allows users to see product-generated notifications in their inboxes. |
MTA-STS configuration
Setting | MTA-STS configuration—Requires authentication checks and encryption for email sent to your domain and provides information about external server connections to your domain. |
Status | Specifies whether or not a domain has missing or misconfigured records for Mail Transfer Agent-Strict Transport Security (MTA-STS). |
Recommendation | Configure your domain to support MTA-STS as an extra layer of security for your outbound communications by enforcing mail encryption. For details and instructions, go to About MTA-STS and TLS reporting. |
Effect on your users | By configuring MTA-STS policies, you reduce the risk of someone intercepting your users' email. |
Preventing spoofing, phishing & spam
DKIM
Setting | DKIM—Adds a digital signature to outgoing message headers. |
Status | Specifies whether DomainKeys Identified Mail (DKIM) is configured for your domain or if it's missing or misconfigured. Note: The security health tool performs lookups based only on the default Google DKIM selector (google._domainkey). |
Recommendation | Configure DKIM for your domain by adding a digital signature to outgoing message headers using the DKIM standard. This action reduces spoofing and phishing or whaling risks. Mail servers receiving email from your domain can authenticate that your domain sent this email. For details and instructions, go to Set up DKIM. |
Effect on your users | Configuring DKIM means your users are less likely to be spoofed because email sent from your domain is signed cryptographically using DKIM. |
SPF record
Setting | SPF record—Identifies which mail servers are permitted to send email on behalf of your domain. |
Status | Specifies whether a Sender Policy Framework (SPF) record is configured for your domain or if it's missing or misconfigured. |
Recommendation | Configure an SPF record for your domain to help authorize email sent through your domain. This action reduces the risk of spoofing and phishing or whaling. For better protection, use SPF and DKIM to help validate the domain that’s sending the email. For details and instructions, go to Set up SPF. |
Effect on your users | If you configure the SPF record setting, your users are less likely to be spoofed because only designated mail servers are authorized to send email on their behalf. |
DMARC
Setting | DMARC—Used with SPF and DKIM to detect and prevent email spoofing. |
Status | Specifies whether a Domain-based Message Authentication, Reporting, and Conformance (DMARC) record is configured for your domain or if it's missing or misconfigured. |
Recommendation | After you configure SPF and DKIM, configure a DMARC record for your domain. This action reduces the risk of spoofing and phishing or whaling. For details and instructions, go to Set up DMARC. |
Effect on your users | If you add a DMARC record, your users are less likely to be spoofed. In some cases, your users may experience challenges with mailing lists if they are not properly configured to operate with DMARC. Current versions of LISTSERV or MailMan can interoperate with DMARC senders. For more information, go to Set up DMARC. |
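The SPF, DKIM and DMARC checks described above, as an added Python example (not the security health page's own logic): it evaluates constructed TXT records offline and reports the same three statuses the page uses, looking for DKIM only at the google._domainkey selector as the page says it does. The record syntax rules come from the SPF, DKIM and DMARC standards; the sample records and the public-key value are constructed placeholders.

```python
import re

# Constructed sample TXT records keyed by DNS name (no live lookups are made);
# the DKIM public key is a placeholder, not a real key.
SAMPLE_DNS = {
    "example.com": ["v=spf1 include:_spf.google.com ~all"],
    "google._domainkey.example.com": ["v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY"],
    "_dmarc.example.com": ["v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"],
}

def _tags(record):
    # Parse the 'tag=value; tag=value' syntax shared by DKIM and DMARC records.
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def check_spf(txt_records):
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return "missing"
    if len(spf) > 1:  # RFC 7208: more than one SPF record is a permanent error
        return "misconfigured"
    body = spf[0].strip().lower()
    # A usable record ends in an "all" mechanism or hands off with redirect=.
    if not re.search(r"\s[-~?+]?all$", body) and "redirect=" not in body:
        return "misconfigured"
    return "configured"

def check_dkim(txt_records):
    keys = [_tags(r) for r in txt_records if "p=" in r]
    if not keys:
        return "missing"
    # An empty p= tag means the key was revoked, so signatures cannot verify.
    return "configured" if keys[0].get("p") else "misconfigured"

def check_dmarc(txt_records):
    recs = [_tags(r) for r in txt_records if r.lower().startswith("v=dmarc1")]
    if not recs:
        return "missing"
    if len(recs) > 1 or recs[0].get("p") not in ("none", "quarantine", "reject"):
        return "misconfigured"
    return "configured"

def evaluate(domain, dns):
    # Per-record status for one domain, in the health page's own three terms.
    return {"spf": check_spf(dns.get(domain, [])),
            "dkim": check_dkim(dns.get(f"google._domainkey.{domain}", [])),
            "dmarc": check_dmarc(dns.get(f"_dmarc.{domain}", []))}
```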
Bypass spam filters for messages received from internal senders
Setting | Bypass spam filters for messages received from internal senders |
Status | Specifies the number of organizational units where bypassing spam filters for internal senders is turned on. |
Recommendation | Turn off Bypass spam filters for messages received from internal senders for all organizational units. Turning this setting off makes sure all of your users’ email is filtered for spam, including mail from internal senders. This action reduces the risk of spoofing and phishing or whaling. |
How to turn off this setting | Configure a new Spam setting or edit an existing Spam setting. For details and instructions, see Add a custom spam filter in Add custom spam filters to Gmail. |
Effect on your users | Your users are better protected if you filter their email for spam. It minimizes the chance for spoofing and phishing or whaling attacks. |
Using advanced phishing & malware protection
Attachment safety
Setting | Attachment safety—Additional settings that reduce the risk of malware infection from encrypted attachments and attachments with scripts from untrusted senders, and unusual file types in emails. |
Status | Specifies whether or not all the attachment safety sub-settings are enabled in your domain. |
Recommendation | Enable additional Gmail attachment safety settings to reduce your risk of malware infection. For details and instructions, go to Turn on attachment protection. Important: Google scans all messages to protect against malware, even if the additional malicious attachment protection settings are not enabled. Using these settings helps you catch additional email previously unidentified as malicious. |
Effect on your users | For each attachment security setting, you can select the actions you want to apply to incoming email: |
Links and external images safety
Setting | Links and external images safety—Additional settings that detect links to hidden malicious content and external images and warn users about untrusted domains. |
Status | Specifies whether or not all the Links and external images safety sub-settings are enabled in your domain or domains. |
Recommendation | Enable additional Gmail Safety settings to reduce your risk of email phishing due to links and external images. For details and instructions, go to Turn on external images and links protection. Important: Google scans all messages to protect against phishing, even if these additional links and external images safety settings are not enabled. These settings help Gmail to catch additional email previously unidentified as phishing. |
Effect on your users | |
Spoofing and authentication safety
Setting | Spoofing and authentication safety—Additional settings for spoofing and authentication, including protection against similar domain and employee names and messages not authenticated with SPF or DKIM. |
Status | Specifies whether or not additional settings are turned on for your domain. |
Recommendation | Turn on additional safety settings to reduce your risk of spoofing. For details and instructions, go to Turn on spoofing and authentication protection. Important: Google scans all messages to protect against spoofing even if these additional spoofing protection settings are not enabled. |
Effect on your users | For each additional safety setting, you can select an option for users’ incoming emails: |
Managing spam & allowlists
Approved senders without authentication
Setting | Approved senders without authentication—You can customize the spam filter setting with an option that lets you accept unauthenticated messages from senders that you specify (trusted senders). |
Status | Specifies whether or not you have turned on the setting for your domain. |
Recommendation | Require sender authentication for all approved senders to reduce the risk of spoofing and phishing or whaling. We don’t recommend using this option because it bypasses the spam folder for approved senders that don't have authentication, such as SPF or DKIM, configured. For details, go to Add custom spam filters to Gmail. |
Effect on your users | Email from unauthenticated senders isn't filtered for spam. In turn, your users might be subject to spoofing and phishing or whaling attacks and compromised accounts. |
Approved domain senders
Setting | Approved domain senders—Lets you include domains in your approved sender list. |
Status | Specifies whether or not any domain is included in the approved sender list. |
Recommendation | Do not include domains in your approved sender list. Mail sent from these domain addresses is not filtered for spam, which increases the risk of spoofing. For details, go to Add custom spam filters to Gmail. |
Effect on your users | By not including domains in your approved sender list, your users are at less risk of spoofing and phishing or whaling. |
Email allowlist IPs
Setting | Email allowlist IPs—A list of IP addresses from which your users expect to receive legitimate mail. Mail sent from these IP addresses generally isn’t marked as spam. |
Status | Specifies the number of organizational units where you have configured email allowlist IPs. |
Recommendation | To reduce the risk of spoofing and phishing or whaling, do not configure email allowlist IPs. If you have mail servers that are forwarding email to Gmail: To take full advantage of the Gmail spam filtering service and for best spam classification results, set their IP addresses as Inbound mail gateways and do not add them to an IP allowlist. For details, go to Set up an inbound mail gateway. |
How to remove email allowlist IPs | For more details and instructions, go to Add IP addresses to allowlists in Gmail. |
Effect on your users | If you remove IPs from an email allowlist, your users are better protected from the risk of spoofing and phishing or whaling. |
Setting up Gmail
MX record configuration
Setting | MX record configuration—Helps Google filter your email for spam and malware and reduces the risk of lost email. |
Status | Specifies whether or not you have configured the MX records for your domain to point to Google’s mail servers as the highest priority record. |
Recommendation | Configure the MX records to point to Google’s mail servers as the highest priority record to ensure correct mail flow to your Google Workspace domain users. This action reduces the risk of data deletion (through lost email) and malware threats. For details and instructions, go to Activate Gmail for Google Workspace and Google Workspace MX record values. |
Effect on your users | Properly configured MX records protect your users from malware and spam and the risk of lost email. |
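The MX priority check above and the MTA-STS record check earlier on this page, as one added Python example that is not the security health page's own logic: it evaluates constructed MX records, a constructed _mta-sts TXT record and a constructed policy file offline, with no DNS or HTTPS fetches. The Google MX host names and the RFC 8461 policy syntax are assumptions not stated on this page.

```python
# Constructed sample data. MX tuples are (preference, host): the lowest preference
# value is the highest-priority record. Google host names are assumed from the
# published Google Workspace MX values, which this page links to but does not list.
SAMPLE_MX = [(1, "aspmx.l.google.com."), (5, "alt1.aspmx.l.google.com."),
             (10, "alt3.aspmx.l.google.com.")]
SAMPLE_STS_TXT = ["v=STSv1; id=20240101000000Z;"]   # TXT record at _mta-sts.<domain>
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: aspmx.l.google.com
mx: *.aspmx.l.google.com
max_age: 604800
"""   # body served at https://mta-sts.<domain>/.well-known/mta-sts.txt
GOOGLE_MX_SUFFIXES = ("aspmx.l.google.com", "smtp.google.com")

def check_mx(mx_records):
    # 'configured' only when the highest-priority MX is a Google mail server.
    if not mx_records:
        return "missing"
    top = min(mx_records, key=lambda rec: rec[0])[1].rstrip(".").lower()
    ok = any(top == s or top.endswith("." + s) for s in GOOGLE_MX_SUFFIXES)
    return "configured" if ok else "misconfigured"

def mx_matches(host, pattern):
    # RFC 8461 matching: '*.example.com' covers exactly one extra left-hand label.
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and "." not in host[:-len(pattern) + 1]
    return host == pattern

def parse_policy(text):
    policy = {"mx": []}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "mx":
            policy["mx"].append(value.strip().lower())
        elif value:
            policy[key.strip()] = value.strip()
    return policy

def check_mta_sts(sts_txt, policy_text, mx_records):
    # Needs one valid STSv1 TXT record, a valid policy, and every MX host covered.
    sts = [r for r in sts_txt if r.lower().startswith("v=stsv1")]
    if not sts or policy_text is None:
        return "missing"
    policy = parse_policy(policy_text)
    if len(sts) != 1 or policy.get("version") != "STSv1" or policy.get("mode") not in ("enforce", "testing", "none"):
        return "misconfigured"
    # An MX host that no mx: line covers is one that compliant senders will refuse to use.
    for _, name in mx_records:
        if policy["mode"] != "none" and not any(mx_matches(name.rstrip(".").lower(), p) for p in policy["mx"]):
            return "misconfigured"
    return "configured"
```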
Using third-party email clients
POP and IMAP access
Setting | POP and IMAP access—Lets users access their email using third-party clients, such as Mozilla Thunderbird or Microsoft Outlook. |
Status | Specifies the number of organizational units where POP and IMAP access is turned on. |
Recommendation | Turn off POP and IMAP access for all organizational units. This action reduces data leak, data deletion, and data exfiltration risks. For details, go to Turn POP & IMAP on or off for users. |
Effect on your users | Turning off POP and IMAP prevents your users from using third-party email clients that can create risks to your organization’s data. |