Google Workspace Email Security: Setup and Best Practices
Google Workspace email security is strong by default but not complete out of the box. Google’s AI-powered filters block over 99.9% of spam, phishing, and malware across more than 3 billion Gmail accounts in real time. However, DMARC is absent on most new tenants, critical admin settings are disabled at setup, and sophisticated BEC attacks can still bypass even Google’s ML-based detection.
Most organizations discover this only after an incident. They assume Gmail handles everything and never open the Admin console. A phishing email gets through. A BEC transfer request succeeds. An alert that would have flagged suspicious login activity was never configured. This guide covers every step needed to make Google Workspace email security work at full capacity.
Is Google Workspace Email Secure by Default?
Google scans every Gmail message using machine learning models trained across over 3 billion accounts globally. The Google Transparency Report confirms the platform blocks over 99.9% of spam, phishing, and malware before delivery. Compared to Microsoft 365 Exchange Online Protection alone, Google’s baseline protection is genuinely stronger from day one.
Several critical settings are off by default on every new tenant, however, and most administrators never receive any notification to enable them. What is not active at setup includes:
- DKIM signing: must be generated in Admin Console and published to DNS manually
- DMARC: absent on almost every new tenant, requiring a separate DNS TXT record
- Enhanced pre-delivery scanning: disabled by default in Gmail spam and phishing settings
- Security sandbox: available on Business Plus and Enterprise tiers only, requires manual enablement even on those plans
- Admin alert policies: unconfigured by default, leaving IT teams blind to suspicious login activity and bulk email sending from compromised accounts
Understanding exactly which protections are active at setup and which require deliberate action is the difference between a fully protected Google Workspace environment and one that only appears secure. The Google Workspace Admin Console contains the controls to close every one of these gaps.
What Email Security Features Does Google Workspace Include?
Google Workspace includes a broad range of built-in email security features across all plan tiers.
Standard features on all plans include ML-based Gmail spam and phishing filters updated continuously in real time, Google Safe Browsing for URL scanning and malicious link detection, automatic attachment scanning for malware before delivery, suspicious link warnings that alert users before clicking, and external email banners that visually flag messages arriving from outside the organization.
Higher-tier features include security sandbox on Business Plus and Enterprise plans for behavioral malware detection, S/MIME encryption for end-to-end message protection, Gmail Confidential Mode to restrict forwarding and copying of sensitive messages, and full Google Workspace audit logs tracking all admin and user email activity.
The Google Advanced Protection Programme provides the strongest available account security for high-risk users such as executives and finance staff, requiring physical security keys and applying the most restrictive authentication policies available on the platform.
How Do You Configure SPF, DKIM and DMARC for Google Workspace?
Email authentication for Google Workspace requires DNS changes and one Admin Console action. Follow these five steps in order.
Step 1: Configure SPF for Google Workspace
Add include:_spf.google.com to your DNS TXT record. Include all other authorized sending services (CRMs, marketing platforms, billing tools) in the same record before the enforcement qualifier.
Step 2: Generate DKIM in Google Admin Console
Go to Apps, Google Workspace, Gmail, Authenticate Email. Select your domain and generate a DKIM key.
Step 3: Add the DKIM TXT record to DNS and enable signing
Copy the generated record into your DNS management console. Return to Admin Console and click Start Authentication. Allow 24 hours for DNS propagation.
Step 4: Create a DMARC TXT record starting at p=none
Create: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
Step 5: Review DMARC reports and progress to enforcement
After two to four weeks of reviewing aggregate reports, move to p=quarantine once all legitimate senders pass. Progress to p=reject after confirming no false rejections.
For the full technical explanation, see our guide on SPF, DKIM and DMARC Explained.
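As an added example (not Google's code or this guide's own), the following script checks the SPF and DMARC records produced by the steps above before you publish them: it confirms the Google include is present, that the enforcement qualifier is the last term, that the record stays under the ten-lookup limit, and that the DMARC record has a valid policy and a mailto: reporting address. It parses record text you paste in and never queries DNS, so it runs offline; the sample records are constructed, and the CRM include is a placeholder.

```python
"""Sanity-check SPF and DMARC TXT records before and after the five steps above.

Added example; not Google's code or the article's own. It parses record text you
paste in (for example, the output of `dig TXT yourdomain.com +short`) and never
queries DNS, so it runs offline. The sample records below are constructed.
"""
import re

GOOGLE_SPF_INCLUDE = "include:_spf.google.com"
SPF_LOOKUP_LIMIT = 10  # RFC 7208 s4.6.4: more than 10 DNS-querying terms is a permerror


def _needs_dns_lookup(term: str) -> bool:
    """True for SPF terms that cost a DNS lookup: include, a, mx, ptr, exists, redirect."""
    t = term.lower().lstrip("+-~?")
    if t.startswith(("include:", "exists:", "redirect=")):
        return True
    return re.split(r"[:/]", t, maxsplit=1)[0] in ("a", "mx", "ptr")


def check_spf(record: str) -> list[str]:
    """Return the problems found in an SPF record; an empty list means it matches the setup steps."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record must start with v=spf1"]
    problems = []
    if GOOGLE_SPF_INCLUDE not in terms:
        problems.append(f"missing {GOOGLE_SPF_INCLUDE}, so Gmail-sent mail will fail SPF")
    # The enforcement qualifier must be the last term: anything after 'all' is never evaluated.
    if terms[-1].lower() not in ("-all", "~all"):
        problems.append("record must end with -all (fail) or ~all (softfail)")
    if any(t.lower().lstrip("+-~?") == "all" for t in terms[1:-1]):
        problems.append("'all' appears before the end; later mechanisms are never evaluated")
    lookups = sum(1 for t in terms[1:] if _needs_dns_lookup(t))
    if lookups > SPF_LOOKUP_LIMIT:
        problems.append(f"{lookups} DNS lookups exceeds the limit of {SPF_LOOKUP_LIMIT} (permerror)")
    return problems


def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            tag, value = part.split("=", 1)
            tags[tag.strip().lower()] = value.strip()
    return tags


def check_dmarc(record: str) -> list[str]:
    """Return the problems found in a DMARC record, following the p=none -> quarantine -> reject path."""
    if not record.strip().lower().startswith("v=dmarc1"):
        return ["record must start with v=DMARC1"]
    tags = parse_dmarc(record)
    problems = []
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        problems.append("p= must be none, quarantine or reject")
    elif policy == "none":
        problems.append("p=none only monitors; move to quarantine once reports show all senders passing")
    if not tags.get("rua", "").startswith("mailto:"):
        problems.append("rua= must name a mailto: address or no aggregate reports will arrive")
    pct = tags.get("pct", "100")
    if not (pct.isdigit() and 0 <= int(pct) <= 100):
        problems.append("pct= must be an integer between 0 and 100")
    return problems


# Constructed sample records; the CRM include is a placeholder, not a real provider.
SPF_OK = "v=spf1 include:_spf.google.com include:spf.example-crm.invalid -all"
SPF_NO_GOOGLE = "v=spf1 include:spf.example-crm.invalid ~all"
DMARC_STEP4 = "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com"   # the step 4 record above
DMARC_STEP5 = "v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com; pct=100"

if __name__ == "__main__":
    for name, rec, fn in [("SPF_OK", SPF_OK, check_spf), ("SPF_NO_GOOGLE", SPF_NO_GOOGLE, check_spf),
                          ("DMARC_STEP4", DMARC_STEP4, check_dmarc), ("DMARC_STEP5", DMARC_STEP5, check_dmarc)]:
        print(name, "->", fn(rec) or "OK")
```

Run it against your live records after each step; the p=none warning is expected in step 4 and should disappear once you reach step 5.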
How Does Google Workspace Protect Against Phishing and Malware?
Google Workspace applies multiple protection layers between the public internet and the inbox.
Enhanced pre-delivery message scanning runs additional checks above the standard spam filter pass before a message is accepted for delivery. Suspicious email warning banners appear on messages that exhibit phishing indicators. Authentication warnings flag messages failing SPF or DKIM checks so users see the verification status before opening.
External email banners identify messages arriving from outside the organization, reducing the effectiveness of impersonation attacks that rely on users not noticing the sender is external.
Security sandbox, available on Business Plus and Enterprise plans, detonates suspicious attachments in an isolated environment and monitors behavior before releasing them to the inbox. The User Report Phishing option lets users flag suspicious messages directly from Gmail, feeding detection signals back into Google’s models in real time.
How Does AI Improve Email Security in Google Workspace?
Google’s AI email security works differently from rule-based filtering tools, and this difference is what most competitor content on this topic fails to explain.
Traditional rule-based secure email gateways compare incoming messages against databases of known threat signatures, flagged URLs, and malicious file hashes. When a new phishing campaign launches, it takes hours or days before the database updates and the threat becomes detectable.
Google’s TensorFlow-based machine learning models train continuously on real-time signals from over 3 billion Gmail accounts simultaneously. When a phishing campaign reaches one Gmail user, the behavioral signal feeds back into the detection model in real time and updates across all accounts simultaneously. Novel phishing campaigns get detected and blocked hours before signature-based tools identify them.
Natural language processing adds a second layer specifically targeting business email compromise. BEC emails typically carry no malicious links or attachments. NLP analyzes the linguistic content of the message: unusual urgency, fund transfer requests, impersonation of authority figures, and deviations from a sender’s normal communication style. These content signals allow Google to flag BEC candidates that contain nothing technically malicious.
The critical limitation no competitor covers honestly: Google’s AI is exceptional against mass phishing campaigns but faces the same fundamental challenge as all technical controls against sophisticated targeted BEC. A carefully crafted email from a convincing domain, referencing real internal context, written to mimic the target’s actual communication patterns, reduces the NLP signals that would otherwise trigger detection. AI is a strong layer. It is not a complete barrier against patient, well-researched social engineering.
What Are the Google Workspace Email Security Best Practices?
The most important Google Workspace email security best practices require specific actions, not general awareness.
Enforce 2-Step Verification for all users through Admin Console as a mandatory policy. Enrol executives, finance staff, and IT administrators in the Google Advanced Protection Programme for the strongest available authentication requirements. Configure DMARC at p=quarantine minimum, enable enhanced pre-delivery scanning, and activate security sandbox on eligible plans.
The practice almost no competitor guide covers is restricting OAuth app permissions. This is a direct email security vulnerability that most Google Workspace organizations leave entirely open.
Malicious or compromised OAuth apps can request permission to read, send, and manage Gmail on behalf of any user who grants them access. Once authorized, they operate with full mailbox access completely outside the email filtering layer. A spam filter cannot stop an authorized OAuth app from reading every message in an inbox or sending phishing from a legitimate business account to external contacts.
In Google Admin Console under Security, API Controls, App Access Control: set the policy to restrict third-party app access, require admin approval for any new app requesting Gmail permissions, and review all existing app authorizations. Revoke permissions for any app that is unused, unidentifiable, or unnecessary. This configuration step closes an attack surface that conventional email filtering cannot protect against and that most Google Workspace environments leave completely open.
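The review of existing app authorizations described above is easier to repeat on a schedule when it is scripted. The following is an added example, not Google's code or this guide's own: it groups OAuth grants by app, ranks each app by the Gmail scopes it holds (full mailbox access, then read/send/modify and forwarding-settings scopes, then other Gmail scopes), and recommends revocation for anything not on an allow list or with no identifiable name. The grant records are constructed sample data shaped like Token records from the Admin SDK Directory API (userKey, clientId, displayText, scopes); APPROVED_CLIENT_IDS is a hypothetical allow list.

```python
"""Triage third-party OAuth grants that reach into Gmail.

Added example; not Google's code or the article's own. GRANTS is constructed
sample data shaped like Token records from the Admin SDK Directory API
(fields userKey, clientId, displayText, scopes); APPROVED_CLIENT_IDS is a
hypothetical allow list maintained alongside the App Access Control policy.
"""
from collections import defaultdict
from typing import Optional

FULL_MAILBOX_SCOPE = "https://mail.google.com/"
# Scopes that let an app read, send or alter mail, or change forwarding and
# delegation; an app holding any of these acts entirely outside the spam filter.
HIGH_RISK_SCOPES = {
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/gmail.send",
    "https://www.googleapis.com/auth/gmail.compose",
    "https://www.googleapis.com/auth/gmail.insert",
    "https://www.googleapis.com/auth/gmail.settings.sharing",
}
SEVERITY_ORDER = {"critical": 0, "high": 1, "low": 2}


def scope_severity(scopes) -> Optional[str]:
    """Rank a grant's scopes: full mailbox > read/send/modify > other Gmail scopes > no Gmail access."""
    scopes = set(scopes)
    if FULL_MAILBOX_SCOPE in scopes:
        return "critical"
    if scopes & HIGH_RISK_SCOPES:
        return "high"
    if any(s.startswith("https://www.googleapis.com/auth/gmail.") for s in scopes):
        return "low"
    return None


def review_grants(grants, approved_client_ids) -> list:
    """Group grants by app and return one finding per app with Gmail access, worst severity first."""
    by_app = defaultdict(lambda: {"users": set(), "scopes": set(), "name": ""})
    for g in grants:
        app = by_app[g["clientId"]]
        app["users"].add(g["userKey"])
        app["scopes"].update(g["scopes"])
        app["name"] = app["name"] or g.get("displayText", "")
    findings = []
    for client_id, app in by_app.items():
        severity = scope_severity(app["scopes"])
        if severity is None:
            continue  # no Gmail access: outside this review's scope
        if client_id in approved_client_ids:
            action = "keep (approved)"
        elif not app["name"]:
            action = "revoke (unidentifiable app)"
        else:
            action = "revoke unless a business owner claims it"
        findings.append({"clientId": client_id, "name": app["name"] or "<no display name>",
                         "severity": severity, "users": len(app["users"]), "action": action})
    # Worst severity first; among equals, the app with the widest user footprint first.
    findings.sort(key=lambda f: (SEVERITY_ORDER[f["severity"]], -f["users"]))
    return findings


# Constructed sample grants; client IDs and app names are placeholders.
GRANTS = [
    {"userKey": "alice@example.com", "clientId": "111-crm.apps.example", "displayText": "Acme CRM",
     "scopes": ["https://www.googleapis.com/auth/gmail.send", "https://www.googleapis.com/auth/contacts.readonly"]},
    {"userKey": "bob@example.com", "clientId": "111-crm.apps.example", "displayText": "Acme CRM",
     "scopes": ["https://www.googleapis.com/auth/gmail.send"]},
    {"userKey": "carol@example.com", "clientId": "222-unknown.apps.example", "displayText": "",
     "scopes": [FULL_MAILBOX_SCOPE]},
    {"userKey": "dave@example.com", "clientId": "333-merge.apps.example", "displayText": "Mail Merge Helper",
     "scopes": ["https://www.googleapis.com/auth/gmail.modify", "https://www.googleapis.com/auth/gmail.settings.sharing"]},
    {"userKey": "erin@example.com", "clientId": "333-merge.apps.example", "displayText": "Mail Merge Helper",
     "scopes": ["https://www.googleapis.com/auth/gmail.modify"]},
    {"userKey": "frank@example.com", "clientId": "333-merge.apps.example", "displayText": "Mail Merge Helper",
     "scopes": ["https://www.googleapis.com/auth/gmail.modify"]},
    {"userKey": "alice@example.com", "clientId": "444-cal.apps.example", "displayText": "Calendar Sync",
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
]
APPROVED_CLIENT_IDS = {"111-crm.apps.example"}

if __name__ == "__main__":
    for f in review_grants(GRANTS, APPROVED_CLIENT_IDS):
        print(f"{f['severity']:8} {f['users']:>3} users  {f['name']:20} {f['action']}")
```

The gmail.settings.sharing scope is ranked high-risk deliberately: it controls forwarding addresses and delegates, which is how a compromised app silently copies a mailbox elsewhere without ever reading a message through the API.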
Enable Context-Aware Access to restrict Gmail access from unmanaged or non-compliant devices. Configure admin alerts in the Google Workspace Alert Centre for suspicious login locations and bulk email sending activity.
How Do You Set Up Advanced Email Security Settings in Google Workspace?
Beyond standard filtering, the Google Workspace Admin Console contains advanced controls that significantly strengthen email security posture when configured.
The most impactful are: inbound gateway configuration to restrict which IP ranges can deliver email to your domain, requiring TLS for communication with specific partner domains, email routing rules for compliance quarantine workflows, and DLP content rules that inspect outbound messages for sensitive data before delivery.
| Setting | Admin Console Location | Default State | Recommended State |
|---|---|---|---|
| DKIM Signing | Apps > Workspace > Gmail > Authenticate Email | Disabled | Enabled |
| Enhanced Pre-Delivery Scanning | Apps > Workspace > Gmail > Spam, Phishing | Disabled | Enabled |
| Security Sandbox | Apps > Workspace > Gmail > Spam, Phishing | Disabled (Business Plus+) | Enabled |
| DMARC (DNS TXT) | DNS registrar | Not configured | p=quarantine minimum |
| 2-Step Verification | Account > Security | Optional | Enforced for all users |
| User Report Phishing | Apps > Workspace > Gmail > User Settings | Disabled | Enabled |
| Admin Alerts | Account > Alert Centre | Default only | Custom suspicious activity alerts |
| DLP Rules | Apps > Workspace > Gmail > Compliance | None | Rules for sensitive data types |
| OAuth App Access | Security > API Controls | Unrestricted | Trusted apps list with admin approval |
| Context-Aware Access | Security > Access and Data Control | Disabled | Enabled for Gmail access |
When Should You Add Third-Party Email Security to Google Workspace?
Google Workspace handles commodity threats effectively without additional tools. Three scenarios justify adding third-party tools.
Advanced BEC detection through API-based email security tools that connect via the Google Workspace API and access historical mailbox data to detect behavioral anomalies beyond what NLP filtering provides. For deployment options, see API-Based Email Security vs SEG: Which Is Better? and What Is a Secure Email Gateway (SEG)?
Regulated-industry compliance where healthcare, finance, and legal organizations need email archiving and eDiscovery capabilities beyond what Google Vault provides. Third-party archiving tools meet the more granular retention and chain-of-custody requirements of these sectors.
Phishing simulation training, since Google provides no native simulation platform. Third-party tools complement technical controls by reducing the human-element risk that all filtering layers leave exposed.
| Feature | Google Workspace | Microsoft 365 |
|---|---|---|
| AI Threat Detection | Real-time ML across 3B+ accounts, strong baseline | Defender Plan 1/2 required, ML with rule-based elements |
| SPF/DKIM/DMARC defaults | SPF basic only; DKIM and DMARC require manual setup | SPF basic only; DKIM and DMARC require manual setup |
| Attachment Sandboxing | Business Plus+ required, manual enable | Defender Plan 1 Safe Attachments (paid add-on) |
| DLP for Email | Available from Business Starter, requires configuration | Defender Plan 1+ configuration required |
| Email Archiving | Google Vault (included, limited for regulated sectors) | Microsoft Purview (stronger for regulated industries) |
| Phishing Simulation | Not native, third-party required | Attack Simulator in Defender Plan 2 and Business Premium |
| Pricing for Full Protection | Business Plus minimum for sandbox | Business Premium minimum for Defender Plan 1 |
How Do You Monitor Email Security in Google Workspace?
Use the Google Admin Console Security Dashboard as your primary monitoring interface for an overview of tenant-level security metrics. Email Log Search lets you trace the delivery path, spam classification, and phishing detection status of any message for any user or domain.
Gmail Security Reports show trends in spam, phishing, and malware detections over time, giving you visibility into whether detection rates are changing in ways that signal a new attack pattern targeting your organization.
Configure real-time alerting in the Google Workspace Alert Centre for suspicious login from new locations, bulk email sending, and admin privilege changes. For detailed incident investigation, Google Workspace Audit and Investigation provides event-level data.
For SIEM-level analysis, Google Chronicle ingests Workspace security events and correlates them with data from other sources. Cyber Security Solutions Ltd recommends starting with Alert Centre configuration and the Gmail Security Reports before building a Chronicle integration. For a broader email security framework, see Email Security Best Practices: The Definitive 2026 Checklist.
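To make the three alert types above concrete, here is an added example (not Google's code or this guide's own) of the detection logic those rules implement, run over constructed sample events: a login from a country never seen for that user, a burst of outbound mail that exceeds a recipient threshold inside a sliding ten-minute window, and any admin privilege change. EVENTS is constructed and is not real Workspace log output; in practice the login, send and admin events come from the Admin console audit logs or an Alert Centre or Chronicle export, and KNOWN_COUNTRIES would be built from each user's historical logins.

```python
"""Alert rules of the kind configured in the Alert Centre, run over constructed sample events.

Added example; not Google's code or the article's own. EVENTS is constructed and
is not real Workspace log output; KNOWN_COUNTRIES stands in for a per-user
baseline built from historical login records.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

BULK_WINDOW = timedelta(minutes=10)
BULK_RECIPIENT_THRESHOLD = 100   # recipients per user per window; tune to your tenant's normal volume


def detect(events, known_countries):
    """Return alerts for new-location logins, bulk sending bursts and admin privilege changes."""
    alerts = []
    recent_sends = defaultdict(deque)   # user -> (time, recipient count) pairs inside the window
    window_total = defaultdict(int)     # user -> recipients summed over recent_sends
    for e in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(e["time"])
        user = e["user"]
        if e["type"] == "login":
            if e["country"] not in known_countries.get(user, set()):
                alerts.append({"rule": "new_location_login", "user": user, "time": e["time"],
                               "detail": f"login from {e['country']}"})
        elif e["type"] == "send":
            q = recent_sends[user]
            q.append((t, e["recipients"]))
            window_total[user] += e["recipients"]
            while q and t - q[0][0] > BULK_WINDOW:      # drop sends that fell out of the window
                window_total[user] -= q.popleft()[1]
            if window_total[user] > BULK_RECIPIENT_THRESHOLD:
                alerts.append({"rule": "bulk_send", "user": user, "time": e["time"],
                               "detail": f"{window_total[user]} recipients in {BULK_WINDOW}"})
                q.clear()                                 # one alert per burst, not one per message
                window_total[user] = 0
        elif e["type"] == "admin_privilege_change":
            alerts.append({"rule": "admin_privilege_change", "user": user, "time": e["time"],
                           "detail": f"{e['actor']} changed role to {e['role']}"})
    return alerts


# Constructed sample events (not real log lines).
EVENTS = [
    {"time": "2026-03-02T08:00:00", "user": "alice@example.com", "type": "login", "country": "GB"},
    {"time": "2026-03-02T08:03:00", "user": "alice@example.com", "type": "send", "recipients": 2},
    {"time": "2026-03-02T08:05:00", "user": "bob@example.com", "type": "login", "country": "GB"},
    {"time": "2026-03-02T08:10:00", "user": "bob@example.com", "type": "send", "recipients": 3},
    # alice's account then logs in from a country never seen for her...
    {"time": "2026-03-02T08:30:00", "user": "alice@example.com", "type": "login", "country": "BR"},
    {"time": "2026-03-02T08:40:00", "user": "bob@example.com", "type": "admin_privilege_change",
     "actor": "admin@example.com", "role": "Super Admin"},
]
# ...and sends 25 messages of 8 recipients each inside five minutes (200 recipients in total).
EVENTS += [{"time": f"2026-03-02T08:{31 + i // 6:02d}:{(i % 6) * 10:02d}", "user": "alice@example.com",
            "type": "send", "recipients": 8} for i in range(25)]
KNOWN_COUNTRIES = {"alice@example.com": {"GB"}, "bob@example.com": {"GB"}}

if __name__ == "__main__":
    for a in detect(EVENTS, KNOWN_COUNTRIES):
        print(a["time"], a["rule"], a["user"], a["detail"])
```

The bulk-send rule fires once, on the thirteenth message of the burst (104 recipients), and then resets so a single compromised account does not generate dozens of duplicate alerts; the new-location login that precedes it is the signal worth correlating with.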
Conclusion
Google Workspace email security is genuinely strong at baseline but only fully effective when critical Admin Console settings are configured, DMARC is enforced, and the OAuth access layer is locked down. Most organizations run Google Workspace for years with preventable gaps still open. To find out which gaps your current setup has, visit cybersecuritysolutionsltd.com for a free email security configuration review.
FAQs
Google Workspace provides stronger AI-powered baseline protection than Microsoft 365 EOP, filtering over 99.9% of threats out of the box. Microsoft 365 with Defender Plan 2 provides stronger enterprise investigation tools, phishing simulation, and automated response capabilities. Neither is categorically superior. The right choice depends on your organization’s size, industry, compliance needs, and technology stack.
No. DMARC is not configured on new Google Workspace tenants. You must create a DMARC TXT record in your DNS manually, starting at p=none to monitor sending sources before enforcing any policy. Google provides no automatic DMARC setup or prompt during tenant creation. Most new tenants operate without any DMARC policy until an administrator configures one.
Security sandbox is available on Business Plus and Enterprise plans only. To enable it, navigate to Apps, Google Workspace, Gmail, Spam Phishing and Malware in the Google Admin Console. Enable the security sandbox option and apply it to all users or specific organizational units. The option does not appear in Admin Console on plans below Business Plus.
Google’s NLP-based detection identifies BEC signals including unusual urgency, fund transfer requests, and impersonation patterns in email content. It is effective against common BEC templates. Highly targeted BEC using researched internal context and natural language that mimics the target’s communication style can still bypass NLP detection. Google’s AI is strong against mass BEC campaigns but not a complete defence against sophisticated targeted attacks.
Gmail Confidential Mode prevents recipients from forwarding, copying, printing, or downloading email content. Senders can set expiry dates and require SMS verification to open the message. It provides meaningful control over sensitive outbound communications but does not encrypt message content during transit. It is a useful data governance tool rather than a primary security control.
Google Workspace handles commodity threats effectively without additional tools. Third-party tools add genuine value for advanced BEC detection through API-based security, regulated-sector email archiving and eDiscovery beyond Google Vault, and phishing simulation training since Google provides no native simulation platform. Whether you need additional tools depends on your industry, risk profile, and compliance requirements.
