Google Workspace Mail Management

Preamble:
This space will be utilized to synthesize my notes and help improve my learning process while I study for the Google Workspace Professional Administrator certification. I will be doing a similar process for other certifications I work on in the future. Please follow along for Google Workspace notes and feel free to ask any questions or, if I get something wrong, offer suggestions to correct any mistakes.

Google Workspace and DNS

When setting up and using Google Workspace you will need to configure your DNS settings for your domain with your DNS provider. Below I will go through some basic DNS settings you should be aware of when configuring Google Workspace.

What is DNS?

DNS, or Domain Name System, is like using a phonebook for the internet. It is used to convert IP addresses into a human readable format. For example, if you wanted to access the Google homepage to perform some web searches, instead of typing out the IP Address you can simply type in www.google.com. DNS then would translate that web address into its IP address and fetch the website which will then appear in your web browser.

DNS has quite a few important records that you will need to add and configure in your DNS host. Some of these DNS records are:

MX: Mail Exchange. This record direct a domains email to the proper mail servers hosting the domain’s users accounts. You will need to configure an MX record and direct mail to Googles email servers.

TXT: Text Record. TXT records provide text information to sources outside of your domain and can be used for multiple reasons. Working with Google Workspace, a TXT record will be needed in order to verify domain ownership, as well as setting up email security records like SPF, DKIM and DMARC.

CNAME: Canonical Name. These records link and alias to another domain name. A great example of this would be to link www.domain.com to domain.com. With regards to Google Workspace, you can add CNAME records so you can have custom addresses that will lead your users to Gmail or other Google Services. An example of this will be to use mail.domain.com for your users to access their Google Workspace Gmail account.

A: Address or Host record. These records link a domain to a physical IP address of a computer hosting the domains services.

NS: Name Server record. These records determine which servers will communicate DNS information for your domain. You can have primary and secondary NS records for your domain. This is important incase your primary NS server goes unresponsive for any reason. You may also consider changing your NS Server host to help provide you with better resolution times of your domain name.

TTL: Time to Live. This isn’t a DNS record, but is still important. TTL determines the number of seconds before changes to your record can go into effect. Every record that you create will have its own TTL.

All of the records above will be hosted on your Domain Host and not by Google. Google no longer has a Domain Host business as it was sold off to Squarespace several years ago. Popular hosting platforms include:

1. GoDaddy
2. Wix
3. Squarespace
4. Namecheap

NOTE Proper research into your domain host provider is important. I would suggest not to pick one simply because its popular. Each domain host will provide different options for hosting your DNS as well as other services like Website hosting.

NOTE: When switching from one mail host to another, always create accounts in Google Workspace before switch MX records. This will ensure that no mail gets lost when migration occurs. Google also recommends when changing your MX record from your old mail provider to Google is to keep your old MX record active, but to lower its priority in your DNS settings. This must be maintained until all users have completed migrating from your legacy mail server.

Once you think you have successfully completed all of your DNS settings for Google Workspace, a great place to check your status is the Google Admin Toolbox and its Check MX analysis. Simply type in your domain name and run the check.

Email Security: SPF, DKIM and DMARC Records

Sender Policy Framework (SPF) is a form of email security that prevents spammers from sending unauthorized emails from your domain. This is not setup initially with your Google Workspace tenant and will need to be configured on your DNS provider by adding a TXT record. This record will tell receiving mail servers which domains/servers are allowed to send messages on behalf of your domain. Messages that are sent from servers that are not in your SPF record may be marked as spam. In some cases, mail servers may REQUIRE SPF to be enabled in order for mail to flow. Without your SPF record your mail may end up being marked as spam or may bounce from the receiving mail server.

To enable SPF for your domain with Google Workspace follow the steps below:

1. Sign into your DNS registrar
2. Locate your DNS records
3. Add the following record:
   1. Name: Blank or @
   2. Record Type: TXT
   3. Value: v=spf1 include:_spf.google.com ~all

NOTE Having multiple SPF records for a domain can cause problems. Each domain should only have 1 SPF record. You can add additional items to your SPF record, just do not have multiple TXT records marked as SPF.

Authenticate with DomainKeys Identified Mail (DKIM)

DKIM is and email security method which helps prevent email spoofing for outgoing messages. DKIM adds an encrypted signature to the email header of all outgoing messages. Emails servers that receive messages use DKIM to decrypt the message header to verify the message was not altered after it was sent.

Just like SPF, some mail servers require DKIM to be enabled in order to receive any messages. Otherwise, your mail may be marked as spam or rejected. You can find your DKIM status and setup another DKIM key by following these steps:

1. Go to admin.google.com
2. Go to Apps> Google Workspace> Gmail> Authenticate Email
3. Click Generate new record if a new DKIM record is required.

Authenticate with DomainKeys Identified Mail (DKIM)

Manage Spam with Domain-based Message Authentication, Reporting and Conformance (DMARC)

Google Workspace supports DMARC for Gmail as a way to protect you from people spoofing your email domain and forging the From Address in an email. Forging the From Address will make it appear that mail originated from somewhere else. DMARC tells other mail servers how to handle message that seem to be sent from your domain but are actually spam.

Before you can utilize DMARC you must finish configuring SPF and DKIM as DMARC uses these previous 2 security settings in order to verify that messages are authentic. Messages that do not pass SPF or DKIM can trigger your DMARC policy. When DMARC is triggered, 1 of three things can happen depending on how you configure it:

1. Take no action on the message and log it in a daily report
2. Mark the message as spam
3. Have the message be rejected by the receiving mail server.

When first configuring DMARC, it is recommended to start with option one until you are confident that you have your SPF, DKIM and DMARC policies properly configured.

To configure DMARC for your domain you will have to add another TXT record to your DNS registrar. You DMARC TXT record will look something like the follow:

1. Name: _dmarc:yourdomain
2. Record Type: TXT
3. Value: v=DMARC1; p=none; rua=mailto:admin-email-address@yourdomain

The example record above will tell receiving servers what to do if DMARC is triggered. Specifically, the p=none portion of the record tells the receiving server to pass the message along if SPF and DKIM fail.

Configure email safety

Gmail by default will always display warnings and move untrustworthy messages to spam. As a Super Admin, you can change these settings if needed. To access these settings go to:

Apps> Google Workspace> Gmail> Safety

This will bring you to the Safety page for Gmail. Here you can configure:

1. Attachments: Policies to help protect again malware
2. You will then need to add the DKIM record to your Domain host. Once the TXT record is added you can then click on the Authenticate button in the Admin Console. The TXT record will look something like this: i. Name: google._domainkey ii. Record Type: TXT iii. Value: v=DKIM1; k=rsa p=DKIM KEY CREATED IN PREVIOUS STEP
3. IMAP view time protections: Malicious link protection for IMAP users
4. Links and external images: This will help prevent phishing attacks
5. Spoofing and authentication: Reduce phishing due to spoofing and unauthenticated email

You can alter these settings as are required for your organization.

Configure end user access

Google Workspace allows you to control what kind of access your users have for their Gmail account. This includes configuring whether or not your users can use:

1. POP3/IMAP: This setting allows users to use their favorite desktop client if turned on.
   NOTE POP3 client will contact the mail server, download the mail and then delete it from the server. With IMAP messages are not downloaded until you click a message.

2. Google Workspace Sync for Microsoft Outlook (GWSMO): A plugin for Outlook that provides email, calendar and contacts sync with Google Workspace. GWSMO uses APIs to sync data. This can be installed by an individual user or enterprise deployed.

3. Automatic Forwarding: By default users can setup a rule to automatically forward incoming message to another email address. If you disable this feature, any existing email forwarding rules will no longer work and users will not see this option in their Gmail settings.

4. Image URL proxy allowlist: By default Gmail uses Google’s secure proxy servers to serve images to users in their messages. This protects your users against image-based security attacks. However, sometimes this service can cause images to break as they need access to some kind of internal IP. To fix this issue you can add servers/IPs to an allowlist to bypass the Google proxy servers. This is not recommended as this can leave your users vulnerable to attacks.
   NOTE This setting can only be turned on or off for your entire organization and not per OU or group like the other settings.

To access these settings go to:

Apps> Google Workspace> Gmail> End User Access

NOTE These settings can be applied either for the entire organization by applying it to the top OU, or more granular by applying to sub-OUs or Groups.

Create an email allowlist and a blocked sender list

If you notice legitimate email from specific contacts are being marked as spam you can add the contacts IP address to an email allowlist. Messages that originate from an allowlist will no longer be marked as spam. You can also setup a blocked sender list of email addresses you want to block from sending mail to your domain. As a Super Admin you can block either specific addresses or entire domains.

To find these settings in the Admin Console go to:

Apps> Google Workspace> Gmail> Spam, Phishing and Malware

Below is a screenshot of the Email Allowlist section:

Below is a screenshot of the Blocked Senders configuration screen:

NOTE You will have to configure this settings by creating a new list. The setting will then block messages from any user you add to the user list.

Create an approved sender list

You can also create an approved sender list in Google Workspace. The difference between an Approved Sender list and an allowlist is an Approved Sender list can utilize email addresses and domains instead of just IP addresses.

To access the Approved Sender list go to:

Apps> Google Workspace> Gmail> Spam, Phishing and Malware

Scroll down to the Spam section and click configure. Enter a description like “Approved Senders” and then enable any spam settings. These settings are:

1. Be More Aggressive when filtering spam: Disabled by default. If enabled it’s likely that more messages will be marked as spam.
2. Bypass spam filters for messages received from internal senders: Internal mail will not be checked for spam.
3. Bypass spam filters for messages from senders or domains in selected lists: Messages from selected mail lists will not be checked for spam. Be careful with this setting because if your selected outside domain becomes compromised spam filtering will not be applied and sent directly to your users inbox.
4. Put spam in administrative quarantine: Spam messages will be directed to users spam folders.

For creating an Approved senders list, select the Bypass spam filters for messages from senders or domains in selected lists option, create a list and input the domains you wish to bypass the spam filter.

Create a content compliance rule

As a Google Workspace Administrator you can setup rules to handle messages that have content that matches an expression. This type of advanced email filtering is called Content Compliance. Some examples of content compliance include:

1. Rejecting outgoing messages that might contain sensitive company or personal data.
2. Re-route messages that contain content that matches specific text strings

To locate these setting go to:

Apps> Google Workspace> Gmail> Compliance> Content Compliance> Configure

From here you will need to enter a short description and then configure your rule. You can affect the following type of mail:

1. Inbound
2. Outbound
3. Internal - Sending
4. Internal - Receiving

If you are wanting to reroute mail that contains a specific word like a codeword for your project click:

1. ADD button in the Expressions box
2. change the expression type to Simple Content Match to Advanced Content Match
3. Set Location to Body
4. Set Match type to Contains Text
5. Enter “secret project "codeword” in the content field and click save
6. Go back and add another expression type, this will be Advanced again.
7. Set location to Subject
8. Set match type to Contains Text
9. Enter “secret project "codeword” in the content field and click save

Next you will want to change what happens if the expression matches. Set the action to modify message. This will allow you to change what will happen to the message itself. In this example we can select to change the Envelope Recipient. This will alter where the message is being sent to.

You can also add exception rules within this content compliance rule by scrolling further down and selecting:

More Options> Use Address List to bypass or control application of this setting

You can then make a new list and input users who would be exempt from this rule such as executives discussing the secret codeword project.

NOTE After completing your compliance rule it is always a good practice to test it to make sure it is functioning as intended. This can be done by trying to send a message that would activate the compliance rule with a test account.

Create an objectionable content rule

As a Super Admin for your Google Workspace tenant you can create rules that tell Gmail how to handle messages with certain words that you specify. These rules can apply to both incoming, outgoing to both type of mail. These rules can tell Gmail to reject or quarantine messages or modify the messages before delivering to a users inbox. To access these settings go to:

Apps> Google Workspace> Gmail> Compliance> Objectionable Content> Configure

These settings are very similar to creating a content compliance rule like we looked at earlier. The same settings can be used for the “If the above expressions match, do the following” section and options. The only difference is you can make a custom objectionable words list.

Configure split delivery

Split delivery is when you configure inbound mail to be delivered to multiple places. This can be important especially when working on migrating users from your legacy email system to Google Workspace. There are 2 forms of split delivery that can be used:

1. Dual Delivery: This will deliver messages to both your Google Workspace domain as well as your legacy domain. This is useful if you are currently trialing Google Workspace.
2. Split Delivery: Routes incoming messages to Google Workspace for users who have migrated over to Gmail while the remaining users will still have mail delivered to their legacy inbox. This is often used during a migration period to Google Workspace.

In order to setup Split Delivery or Dual Delivery you will need to add your legacy email server to Google Workspace. This can be done by going to:

Apps> Google Workspace> Gmail> Hosts> Add Route

You must then enter the name of your legacy email service and specify its public hostname or IP.

Now that the host information has been configured we can now setup a routing rule by going to:

Apps> Google Workspace> Gmail> Routing> Configure

Now complete the following steps:

1. Enter a short description. In this example I am using Split Delivery as my description
2. Select Inbound and Outbound messages to affect
3. Select the Change Route option under Route and select the email route. I used “Legacy Email System” in my example.
4. Scroll down to Show Options and under “Account types to affect” uncheck Users and check Unrecognized/Catch-all box. Click Save.

Split delivery is now configured for your Google Workspace tenant. This will allow your Workspace users and your legacy users to continue to receive email.

And with that this concludes Google Workspace Mail Management portion of the Workspace Professional Administrator exam. Thanks for coming on the journey with me. As mentioned above, if you have any questions for me or if I made a mistake, please leave me a comment and I would love to correct it or answer your question.