Service

Google Mail

Secure Cloud Business Applications (SCuBA)

Description

Secure Cloud Business Applications Minimum Viable Secure Configuration Baselines


CISA GOOGLE WORKSPACE SECURITY CONFIGURATION BASELINE FOR GMAIL

Gmail is the Google Workspace offering for sending and receiving email. Users can upload attachments to emails and send them to a given email address. Additional Gmail features include integrating with other Google applications, such as Meet and Chat. This Secure Configuration Baseline (SCB) provides specific policies to strengthen Gmail security.

The Secure Cloud Business Applications (SCuBA) project provides guidance and capabilities to secure agencies' cloud business application environments and protect federal information that is created, accessed, shared, and stored in those environments. The SCuBA Secure Configuration Baselines (SCB) for Google Workspace (GWS) will help secure federal civilian executive branch (FCEB) information assets stored within GWS cloud environments through consistent, effective, modern, and manageable security configurations.

The CISA SCuBA SCBs for GWS help secure federal information assets stored within GWS cloud business application environments through consistent, effective, and manageable security configurations. CISA created baselines tailored to the federal government's threats and risk tolerance with the knowledge that every organization has different threat models and risk tolerance. Non-governmental organizations may also find value in applying these baselines to reduce risks.

The information in this document is being provided "as is" for INFORMATIONAL PURPOSES ONLY. CISA does not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial entities or commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoritism by CISA.

This baseline is based on Google documentation available at the Gmail Google Workspace Admin Help Center and addresses the following:

  • Mail Delegation
  • Domain Keys Identified Mail
  • Sender Policy Framework
  • Domain Based Message Authentication, Reporting, and Conformance
  • Attachment Protections
  • Links and External Images Protections
  • Spoofing and Authentication Protection
  • User Email Uploads
  • POP and IMAP Access
  • Workspace Sync
  • Automatic Forwarding
  • Per User Outbound Gateways
  • Unintended External Reply Warning
  • Email Allowlist
  • Enhanced Pre-Delivery Message Scanning
  • Security Sandbox
  • Comprehensive Mail Storage
  • Content Compliance Filtering
  • Spam Filtering

Within Google Workspace, settings can be assigned to users through organizational units, configuration groups, or individually. Before changing a setting, the user can select the organizational unit, configuration group, or individual users to which they want to apply changes.

ASSUMPTIONS

This document assumes the organization is using GWS Enterprise Plus.

This document does not address, ensure compliance with, or supersede any law, regulation, or other authority. Entities are responsible for complying with any recordkeeping, privacy, and other laws that may apply to the use of technology. This document is not intended to, and does not, create any right or benefit for anyone against the United States, its departments, agencies, or entities, its officers, employees, or agents, or any other person.

KEY TERMINOLOGY

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119.

 

BASELINE POLICIES


1. Mail Delegation

This section determines whether users can delegate access to their mailbox to others within the same domain. This delegation includes access to read, send, and delete messages on the account owner's behalf. This delegation can be done via a command line tool (GAM) if enabled in the admin console. 

POLICIES

GWS.GMAIL.1.1v0.2

Mail Delegation SHOULD be disabled.

  • Rationale: Granting mail delegation can inadvertently lead to disclosure of sensitive information, impersonation of delegated accounts, or malicious alteration or deletion of emails. By controlling mail delegation, these risks can be significantly reduced, improving the security and integrity of email communications.
  • Last modified: October 4, 2023
  • Note: Exceptions should be limited to individuals authorized by existing Agency policy, such as SES or Politically Appointed staff. Other considerations include ensuring that delegated accounts require Phishing-Resistant Multi-Factor Authentication (MFA), limiting delegated account permissions (ex. allowing view/reply but not delete), monitoring delegated accounts regularly, and disabling them if no longer required.
  • MITRE ATT&CK TTP Mapping

RESOURCES

PREREQUISITES

  • None

IMPLEMENTATION

GWS.GMAIL.1.1v0.2 Instructions

To configure the settings for Mail Delegation:

  1. Sign in to the Google Admin Console.
  2. Select Apps -> Google Workspace -> Gmail.
  3. Select User Settings -> Mail delegation.
  4. Ensure that the Let users delegate access to their mailbox to other users in the domain checkbox is unchecked.
  5. Select Save.

 

2. DomainKeys Identified Mail

This section enables DomainKeys Identified Mail (DKIM) to help prevent spoofing on outgoing messages sent from a specific domain. DKIM allows digital signatures to be added to email messages in the message header, providing a layer of both authenticity and integrity to emails. Without DKIM, messages that are sent from a specific domain are more likely to be marked as spam by receiving mail servers. DKIM relies on Domain Name System (DNS) records, thus, its deployment depends on how an agency manages its DNS.

POLICIES

GWS.GMAIL.2.1v0.2

DKIM SHOULD be enabled for agencies’ mail enabled domain.

RESOURCES

PREREQUISITES

  • None

IMPLEMENTATION

GWS.GMAIL.2.1v0.2 Instructions

To configure the settings for DKIM:

  1. Sign in to the Google Admin Console.
  2. Select Apps -> Google Workspace -> Gmail.
  3. Select Authenticate email -> DKIM authentication.
  4. Select a domain listed in the Selected domain drop-down menu.
  5. Select START AUTHENTICATION.
  6. Select Save.
  7. Add the DNS TXT record listed in Admin Console to the domain, via the domain provider's DNS settings page. Note that it can take up to 48 hours for DNS changes to fully propagate.

Note that step 7 requires action taken outside of the Google Admin Console, dependent on the agency's domain provider. Thus, the exact final step needed to set up DKIM varies from agency to agency. See Turn on DKIM for your domain for more details.

To test your DKIM configuration, consider using a web-based tool, such as the Google Admin Toolbox.

 

3. Sender Policy Framework

The Sender Policy Framework (SPF) is a mechanism that allows administrators to specify which IP addresses are explicitly approved to send email on behalf of the domain, facilitating detection of spoofed emails. SPF isn't configured through the Google Admin Console, but rather via DNS records hosted by the agency's domain. Thus, the exact steps needed to set up SPF varies from agency to agency, but Google's documentation provides some helpful starting points.

POLICIES

GWS.GMAIL.3.1v0.2

An SPF policy SHALL be published for each domain that fails all non-approved senders.

RESOURCES

PREREQUISITES

  • A list of approved IP addresses for sending mail must be maintained. Failing to maintain an accurate list of authorized IP addresses may result in spoofed email messages or failure to deliver legitimate messages when SPF is enabled. Maintaining such a list helps ensure that unauthorized servers sending spoofed messages can be detected, and permits message delivery from legitimate senders.

IMPLEMENTATION

GWS.GMAIL.3.1v0.2 Instructions

First, identify any approved senders specific to your agency (see Identify all email senders for your organization for tips). SPF allows you to indicate approved senders by IP address or CIDR range. However, note that SPF allows you to include the IP addresses indicated by a separate SPF policy, refered to by domain name. See Define your SPF record—Basic setup for inclusions required for Google to send email on behalf of your domain.

SPF is not configured through the Google Workspace admin center, but rather via DNS records hosted by the agency's domain. Thus, the exact steps needed to set up SPF varies from agency to agency. See Add your SPF record at your domain provider for more details.

To test your SPF configuration, consider using a web-based tool, such as the Google Admin Toolbox. Additionally, SPF records can be requested using the command line tool dig. For example:

dig example.com txt

 

If SPF is configured, a response resembling v=spf1 include:_spf.google.com -all will be returned; though by necessity, the contents of the SPF policy may vary by agency. In this example, the SPF policy indicates the IP addresses listed by the policy for "_spf.google.com" are the only approved senders for "example.com." These IPs can be determined via additional SPF lookups, starting with "_spf.google.com."

Ensure the IP addresses listed as approved senders for your domains are correct. Additionally, ensure that each policy either ends in -all or redirects to one that does; this directive indicates that all IPs that don't match the policy should fail. See Define your SPF record—Advanced setup for a more in-depth discussion of SPF record syntax.

 

4. Domain-based Message Authentication, Reporting, and Conformance

Domain-based Message Authentication, Reporting, and Conformance (DMARC) works with SPF and DKIM to authenticate mail senders and ensure that destination email systems can validate messages sent from your domain. DMARC helps receiving mail systems determine what to do with messages sent from your domain that fail SPF or DKIM checks.

GWS.GMAIL.4.1v0.2

A DMARC policy SHALL be published for every second-level domain.

  • Rationale: Without proper authentication and a DMARC policy available for each domain, recipients may improperly handle SPF and DKIM failures, possibly enabling adversaries to send deceptive emails that appear to be from your domain. Publishing a DMARC policy for every second-level domain further reduces the risk posed by authentication failures.
  • Last modified: November 13, 2023
  • MITRE ATT&CK TTP Mapping
    • None

GWS.GMAIL.4.2v0.2

The DMARC message rejection option SHALL be p=reject.


GWS.GMAIL.4.3v0.2

The DMARC point of contact for aggregate reports SHALL include reports@dmarc.cyber.dhs.gov.

  • Rationale: Without a centralized point of contact for DMARC aggregate reports, potential email security issues may go unnoticed, increasing the risk of phishing attacks. As required by BOD 18-01 for federal, executive branch, departments and agencies, set reports@dmarc.cyber.dhs.gov as the DMARC aggregate report recipient, which allows CISA to monitor and address email authentication issues.
  • Last modified: November 13, 2023
  • Note: Only federal, executive branch, departments and agencies should include this email address in their DMARC record.
  • MITRE ATT&CK TTP Mapping
    • None

GWS.GMAIL.4.4v0.2

An agency point of contact SHOULD be included for aggregate and failure reports.

  • Rationale: Without a designated agency point of contact for DMARC aggregate and failure reports, potential email security issues may not be promptly addressed, increasing the risk of phishing attacks. By including an agency point of contact, this risk can be reduced as it facilitates a timely response to email authentication issues, enhancing overall email security.
  • Last modified: November 13, 2023
  • MITRE ATT&CK TTP Mapping
    • None

RESOURCES

PREREQUISITES

  • DKIM or SPF must be enabled

IMPLEMENTATION

GWS.GMAIL.4.1v0.2 Instructions

DMARC is not configured through the Google Admin Console, but rather via DNS records hosted by the agency's domain(s). As such, implementation varies depending on how an agency manages its DNS records. See Add your DMARC record for Google guidance.

Note, a DMARC record published at the second-level domain will protect all subdomains. In other words, a DMARC record published for example.com will protect both a.example.com and b.example.com, but a separate record would need to be published for c.example.gov.

To test your DMARC configuration, consider using one of many publicly available web-based tools, such as the Google Admin Toolbox. Additionally, DMARC records can be requested using the command line tool dig. For example:

dig _dmarc.example.com txt

 

If DMARC is configured, a response resembling v=DMARC1; p=reject; pct=100; rua=mailto:reports@dmarc.cyber.dhs.gov, mailto:reports@example.com; ruf=mailto:reports@example.com will be returned, though by necessity, the contents of the record will vary by agency. In this example, the policy indicates all emails failing the SPF/DKIM checks are to be rejected and aggregate reports sent to reports@dmarc.cyber.dhs.gov and reports@example.com. Failure reports will be sent to reports@example.com.


GWS.GMAIL.4.2v0.2 Instructions

See GWS.GMAIL.4.1v0.2 instructions for an overview of how to publish and check a DMARC record. Ensure the record published includes p=reject.


GWS.GMAIL.4.3v0.2 Instructions

See GWS.GMAIL.4.1v0.2 instructions for an overview of how to publish and check a DMARC record. Ensure the record published includes reports@dmarc.cyber.dhs.gov as one of the emails for the rua field.


GWS.GMAIL.4.4v0.2 Instructions

See GWS.GMAIL.4.1v0.2 instructions for an overview of how to publish and check a DMARC record. Ensure the record published includes a point of contact specific to your agency, in addition to reports@dmarc.cyber.dhs.gov, as one of the emails for the rua field and one or more agency-defined points of contact for the ruf field.

 

5. ATTACHMENT PROTECTIONS

This section enables protections against suspicious attachments and scripts from untrusted senders, to include encrypted attachments, documents with malicious scripts, and attachment file types that are uncommon and/or archaic. Through these attachments malware can be spread. These messages can be kept in the inbox with a warning label (default), moved to spam, or quarantined.

A Google Workspace solution is not strictly required to satisfy this baseline control, but the solution selected by an agency should offer services comparable to those offered by Google.

POLICIES

GWS.GMAIL.5.1v0.2

Protect against encrypted attachments from untrusted senders SHALL be enabled.


GWS.GMAIL.5.2v0.2

Protect against attachments with scripts from untrusted senders SHALL be enabled.


GWS.GMAIL.5.3v0.2

Protect against anomalous attachment types in emails SHALL be enabled.


GWS.GMAIL.5.4v0.2

Google SHOULD be allowed to automatically apply future recommended settings for attachments.

  • Rationale: By enabling this feature, the system can automatically stay updated with the latest security measures recommended by Google, reducing the risk of security breaches.
  • Last modified: July 10, 2023
  • MITRE ATT&CK TTP Mapping
    • None

GWS.GMAIL.5.5v0.2

Emails flagged by the above attachment protection controls SHALL NOT be kept in inbox.


GWS.GMAIL.5.6v0.2

Any third-party or outside application selected for attachment protection SHOULD offer services comparable to those offered by Google Workspace.

  • Rationale: Using third-party or outside applications for attachment protection that do not offer services comparable to those offered by Google Workspace could potentially expose users to security risks. Using applications that offer comparable services reduces this risk, enhancing the safety and integrity of user data and systems.
  • Last modified: July 10, 2023
  • MITRE ATT&CK TTP Mapping
    • None

RESOURCES

PREREQUISITES

  • None

IMPLEMENTATION

To configure the settings for Attachment Protections:

Policies Group 5 common Instructions

  1. Sign in to the Google Admin Console.
  2. Select Apps -> Google Workspace -> Gmail.
  3. Select Safety -> Attachments.
  4. Follow implementation for each individual policy
  5. Select Save.
GWS.GMAIL.5.1v0.2 Instructions
  1. Check the Protect against encrypted attachments from untrusted senders checkbox.

GWS.GMAIL.5.2v0.2 Instructions
  1. Check the Protect against attachments with scripts from untrusted senders checkbox.

GWS.GMAIL.5.3v0.2 Instructions

1Ok. Check the Protect against anomalous attachment types in emails checkbox


GWS.GMAIL.5.4v0.2 Instructions
  1. Check the Apply future recommended settings automatically checkbox.

GWS.GMAIL.5.5v0.2 Instructions
  1. Under the setting for Policy 5.1 through Policy 5.3, ensure either "Move email to spam" or "Quarantine" is selected.

GWS.GMAIL.5.6v0.2 Instructions
  1. No implementation steps for this policy

 

6. LINKS AND EXTERNAL IMAGES PROTECTION

This section enables extra protections to prevent email phishing due to links and external images. Specific settings for this control include identifying hidden malicious links behind shortened URLs, scanning linked images to find hidden malicious content, showing a warning prompt when clicking links to untrusted domains, and applying future recommended settings automatically.

A Google Workspace solution is not strictly required to satisfy this baseline control, but the solution selected by an agency should offer services comparable to those offered by Google.

POLICIES

GWS.GMAIL.6.1v0.2

Identify links behind shortened URLs SHALL be enabled.


GWS.GMAIL.6.2v0.2

Scan linked images SHALL be enabled.


GWS.GMAIL.6.3v0.2

Show warning prompt for any click on links to untrusted domains SHALL be enabled.


GWS.GMAIL.6.4v0.2

Google SHALL be allowed to automatically apply future recommended settings for links and external images.

  • Rationale: By enabling this feature, the system can automatically stay updated with the latest recommended security measures from Google, reducing the risk of security breaches and enhancing the safety and integrity of user data and systems.
  • Last modified: July 10, 2023
  • MITRE ATT&CK TTP Mapping
    • None

GWS.GMAIL.6.5v0.2
 

Any third-party or outside application selected for links and external images protection SHOULD offer services comparable to those offered by Google Workspace.

  • Rationale: Using third-party or outside applications for links and external images protection that do not offer services comparable to those offered by Google Workspace could potentially expose users to security risks. Using applications that offer comparable services enhances the safety and integrity of user data and systems.
  • Last modified: July 10, 2023
  • MITRE ATT&CK TTP Mapping
    • None

RESOURCES

PREREQUISITES

  • None

IMPLEMENTATION

To configure the settings for Links and External Images Protection:

Policies Group 6 common Instructions

  1. Sign in to the Google Admin Console.
  2. Select Apps -> Google Workspace -> Gmail.
  3. Select Safety -> Links and external images.
  4. Follow implementation for each individual policy.
  5. Select Save
GWS.GMAIL.6.1v0.2 Instructions
  1. Check the Identify links behind shortened URLs checkbox.

GWS.GMAIL.6.2v0.2 Instructions
  1. Check the Scan linked images checkbox.

GWS.GMAIL.6.3v0.2 Instructions
  1. Check the Show warning prompt for any click on links to untrusted domains checkbox.

GWS.GMAIL.6.4v0.2 Instructions
  1. Check the Apply future recommended settings automatically checkbox.

GWS.GMAIL.6.5v0.2 Instructions
  1. No implementation steps for this policy

 

7. SPOOFING AND AUTHENTICATION PROTECTION

This control enables extra protections to prevent spoofing of a domain name, employee names, email pretending to be from a specific domain, and unauthenticated email from any domain. These messages can be kept in the inbox with a warning label (default), moved to spam, or quarantined.

A Google Workspace solution is not strictly required to satisfy this baseline control, but the solution selected by an agency should offer services comparable to those offered by Google.

POLICIES

GWS.GMAIL.7.1v0.2

Protect against domain spoofing based on similar domain names SHALL be enabled.


GWS.GMAIL.7.2v0.2

Protect against spoofing of employee names SHALL be enabled.


GWS.GMAIL.7.3v0.2

Protect against inbound emails spoofing your domain SHALL be enabled.


GWS.GMAIL.7.4v0.2

Protect against any unauthenticated emails SHALL be enabled.


GWS.GMAIL.7.5v0.2

Protect your Groups from inbound emails spoofing your domain SHALL be enabled.


GWS.GMAIL.7.6v0.2

Emails flagged by the above spoofing and authentication controls SHALL NOT be kept in inbox.


GWS.GMAIL.7.7v0.2

Google SHALL be allowed to automatically apply future recommended settings for spoofing and authentication.


GWS.GMAIL.7.8v0.2

Any third-party or outside application selected for spoofing and authentication protection SHOULD offer services comparable to those offered by Google Workspace.

RESOURCES

PREREQUISITES

  • None

IMPLEMENTATION

To configure the settings for Spoofing and Authentication Protection:

Policies Group 7 common Instructions
  1. Sign in to the Google Admin Console.
  2. Select Apps -> Google Workspace -> Gmail.
  3. Select Safety -> Spoofing and authentication.
  4. Follow steps for individual policies below.
  5. Select Save
GWS.GMAIL.7.1v0.2 Instructions
  1. Check the Protect against domain spoofing based on similar domain names checkbox.

GWS.GMAIL.7.2v0.2 Instructions
  1. Check the Protect against spoofing of employee names checkbox.

GWS.GMAIL.7.3v0.2 Instructions
  1. Check the Protect against inbound emails spoofing your domain checkbox.

GWS.GMAIL.7.4v0.2 Instructions
  1. Check the Protect against any unauthenticated emails checkbox.

GWS.GMAIL.7.5v0.2 Instructions
  1. Check the Protect your groups from inbound emails spoofing your domain checkbox.

GWS.GMAIL.7.6v0.2 Instructions
  1. Under each setting from Policy 7.1 through Policy 7.5, make sure either "Move email to spam" or "Quarantine" is selected.

GWS.GMAIL.7.7v0.2 Instructions
  1. Check the Apply future recommended settings automatically checkbox.

GWS.GMAIL.7.8v0.2 Instructions
  1. There is no implementation for this policy.

 

8. USER EMAIL UPLOADS

This section addresses a feature that enables users to import their email and contacts from non-Google webmail accounts such as Yahoo!, Hotmail, or AOL.

POLICIES

GWS.GMAIL.8.1v0.2

User email uploads SHALL be disabled to protect against unauthorized files being introduced into the secured environment.

RESOURCES

PREREQUISITES

  • None

IMPLEMENTATION

To configure the settings for User Email Uploads:

GWS.GMAIL.8.1v0.2 Instructions
  1. Sign in to the Google Admin Console.
  2. Select Apps -> Google Workspace -> Gmail.
  3. Select Setup -> User email uploads.
  4. Uncheck the Show users the option to import mail and contacts from Yahoo!, Hotmail, AOL, or other webmail or POP3 accounts from the Gmail settings page checkbox.
  5. Select Save.

 

9. POP AND IMAP ACCESS FOR USERS

This section determines whether users have POP3 and IMAP access. Doing so allows the user to access Gmail emails from outside the context of protected/hardened environments and from older versions of Gmail applications or other third-party mail applications.

POLICIES

GWS.GMAIL.9.1v0.2

POP and IMAP access SHALL be disabled to protect sensitive agency or organization emails from being accessed through legacy applications or other third-party mail clients.

RESOURCES

PREREQUISITES

  • None

IMPLEMENTATION

To configure the settings for POP and IMAP access:

GWS.GMAIL.9.1v0.2 Instructions
  1. Sign in to the Google Admin Console.
  2. Select Apps -> Google Workspace -> Gmail.
  3. Select End User Access -> POP and IMAP access.
  4. Uncheck the Enable IMAP access for all users checkbox.
  5. Uncheck the Enable POP access for all users checkbox.
  6. Select Save.

 

10. GOOGLE WORKSPACE SYNC

This section determines whether Google Workspace Sync allows data synchronization between Google Workspace and Microsoft Outlook. The data includes email, calendar, and contacts. Data synchronizes each time users start Outlook. This is an additional plugin that must be downloaded.

POLICIES

GWS.GMAIL.10.1v0.2

Google Workspace Sync SHOULD be disabled.


GWS.GMAIL.10.2v0.2

Google Workspace Sync MAY be enabled on a per-user basis as needed.

RESOURCES

PREREQUISITES

  • None

IMPLEMENTATION

To configure the settings for Google Workspace Sync:

Policy Group 10 Common Instructions
  1. Sign in to the Google Admin Console.
  2. Select Apps -> Google Workspace -> Gmail.
  3. Select End User Access -> Google Workspace Sync.
GWS.GMAIL.10.1v0.2 Instructions
  1. Uncheck the Enable Google Workspace Sync for Microsoft Outlook for my users checkbox.
  2. Select Save.

GWS.GMAIL.10.2v0.2 Instructions
  1. There is no implementation steps for this policy.
  2. Select Save.

 

11. AUTOMATIC FORWARDING

This section determines whether emails can be automatically forwarded from a user's inbox to another of their choosing, possibly to external domains.

POLICIES

GWS.GMAIL.11.1v0.2

Automatic forwarding SHOULD be disabled, especially to external domains.

  • Rationale: By enabling automatic forwarding, especially to external domains, adversaries could gain persistent access to a victim's email, potentially exposing sensitive agency or organization emails to unauthorized access or loss. By disabling automatic forwarding, this risk can be reduced, enhancing the safety and integrity of user data and systems.
  • Last modified: July 10, 2023
  • MITRE ATT&CK TTP Mapping

RESOURCES

PREREQUISITES

  • None

IMPLEMENTATION

To configure the settings for Automatic Forwarding:

GWS.GMAIL.11.1v0.2 Instructions
  1. Sign in to the Google Admin Console.
  2. Select Apps -> Google Workspace -> Gmail.
  3. Select End User Access -> Automatic forwarding.
  4. Uncheck the Allow users to automatically forward incoming email to another address checkbox.
  5. Select Save.

 

12. Per-user Outbound Gateways

This section determines whether outgoing mail is delivered only through the Google Workspace mail servers or another specified external SMTP server. With this setting, a user can choose which email address displays in the "From" field.

POLICIES

GWS.GMAIL.12.1v0.2

Using a per-user outbound gateway that is a mail server other than the Google Workspace mail servers SHALL be disabled.

RESOURCES

PREREQUISITES

  • None

IMPLEMENTATION

To configure the settings for Per-user Outbound Gateways:

GWS.GMAIL.12.1v0.2 Instructions
  1. Sign in to the Google Admin Console.
  2. Select Apps -> Google Workspace -> Gmail.
  3. Select End User Access -> Allow per-user outbound gateways.
  4. Uncheck the Allow users to send mail through an external SMTP server when configuring a "from" address hosted outside your email domain checkbox.
  5. Select Save.

 

13. Unintended External Reply Warning

This section determines whether users are prompted with a warning for messages that include external recipients (users with emails addresses that are outside of your organization). However, the warning is not shown if the external recipient is in the organization's Directory, personal Contacts, or other Contacts; or if a secondary domain or domain alias address is used.

POLICIES

GWS.GMAIL.13.1v0.2

Unintended external reply warnings SHALL be enabled.

RESOURCES

PREREQUISITES

  • None

IMPLEMENTATION

To configure the settings to warn users of external recipients:

GWS.GMAIL.13.1v0.2 Instructions
  1. Sign in to the Google Admin Console.
  2. Select Apps -> Google Workspace -> Gmail.
  3. Select End User Access -> Warn for external recipients.
  4. Check the Highlight any external recipients in a conversation. Warn users before they reply to email with external recipients who aren't in their contacts checkbox.
  5. Select Save.

 

14. Email Allowlist

This section determines whether an email allowlist allows for messages from certain IP addresses to not be marked as spam by Gmail. However, if implemented, emails from these senders will bypass important security mechanisms, such as SPF, DKIM, and DMARC.

POLICIES

GWS.GMAIL.14.1v0.2

An email allowlist SHOULD not be implemented.

RESOURCES

PREREQUISITES

  • None

IMPLEMENTATION

To configure the settings for Email Allowlists:

GWS.GMAIL.14.1v0.2 Instructions
  1. Sign in to the Google Admin Console.
  2. Select Apps -> Google Workspace -> Gmail.
  3. Select Spam, phishing, and malware -> Email allowlist.
  4. Under the Enter the IP addresses for your email allowlist field, ensure no IP addresses are listed.
  5. Select Save.

GWS.GMAIL.14.2v0.2 Instructions

There is no implementation steps for this policy

 

15. Enhanced Pre-Delivery Message Scanning

This section determines whether Gmail can screen and identify suspicious content that may be phishing attempts. In doing so, Google can either show a warning or move the email to Spam, but email delivery will experience a short delay due to the additional checks.

A Google Workspace solution is not strictly required to satisfy this baseline control, but the solution selected by an agency should offer services comparable to those offered by Google.

POLICIES

GWS.GMAIL.15.1v0.2

Enhanced pre-delivery message scanning SHALL be enabled to prevent phishing.


GWS.GMAIL.15.2v0.2

Any third-party or outside application selected for enhanced pre-delivery message scanning SHOULD offer services comparable to those offered by Google Workspace.

  • Rationale: Using third-party or outside applications for enhanced pre-delivery message scanning that do not offer services comparable to those offered by Google Workspace could potentially expose users to security risks. Using applications that offer comparable services reduces this risk, enhancing the safety and integrity of user data and systems.
  • Last modified: July 10, 2023
  • MITRE ATT&CK TTP Mapping
    • None

RESOURCES

PREREQUISITES

  • None

IMPLEMENTATION

To configure the settings for Enhanced Pre-Delivery Message Scanning:

GWS.GMAIL.15.1v0.2 Instructions
  1. Sign in to the Google Admin Console.
  2. Select Apps -> Google Workspace -> Gmail.
  3. Select Spam, phishing, and malware -> Enhanced pre-delivery message scanning.
  4. Check the Enables improved detection of suspicious content prior to delivery checkbox.
  5. Select Save.

GWS.GMAIL.15.2v0.2 Instructions

There is no implementation steps for this policy

 

16. Security Sandbox

This section determines whether certain messages and their associated attachments are executed in a sandbox environment for protection against malware, ransomware, and zero-day threats. Malicious software may be missed by traditional antivirus programs. However, this may cause some messages to get delayed before final delivery. Some of the file types scanned include Microsoft executables, Microsoft Office, PDF, and archives (zip, rar).

A Google Workspace solution is not strictly required to satisfy this baseline control, but the solution selected by an agency should offer services comparable to those offered by Google.

POLICIES

GWS.GMAIL.16.1v0.2

Security sandbox SHOULD be enabled to provide additional protections for their email messages.

  • Rationale: Without a security sandbox, emails with malicious content could potentially interact directly with the users' systems, posing a risk. By enabling the security sandbox, additional protections are provided for email messages, reducing this risk and enhancing the safety and integrity of user data and systems.
  • Last modified: July 10, 2023
  • MITRE ATT&CK TTP Mapping

GWS.GMAIL.16.2v0.2

Any third-party or outside application selected for security sandbox SHOULD offer services comparable to those offered by Google Workspace.

  • Rationale: Using third-party or outside applications for security sandbox that do not offer services comparable to those offered by Google Workspace could potentially expose users to security risks. Using applications that offer comparable services reduces this risk, enhancing the safety and integrity of user data and systems.
  • Last modified: July 10, 2023
  • MITRE ATT&CK TTP Mapping
    • None

RESOURCES

PREREQUISITES

  • None

IMPLEMENTATION

To configure the settings for Security sandbox or Security sandbox rules:

GWS.GMAIL.16.1v0.2 Instructions
  1. Sign in to the Google Admin Console.
  2. Select Apps -> Google Workspace -> Gmail.
  3. Select Spam, phishing, and malware -> Security sandbox.
  4. Check the Enable virtual execution of attachments in a sandbox environment for all the users of the Organizational Unit for protection against malware, ransomware, and zero-day threats checkbox.
  5. Either Security sandbox or Security sandbox rules may be enabled but enabling Security sandbox takes precedence.
  6. If Security sandbox rules are enabled, then the configuration needs to be completed and consists of the following fields :
    1. A short description.
    2. Email messages to affect.
    3. Expressions to describe the content to search for in each message.
    4. Action to take if expressions match.
  7. Select Save.

GWS.GMAIL.16.2v0.2 Instructions

There is no implementation steps for this policy.

 

17. Comprehensive Mail Storage

This section allows for email messages sent through other Google Workspace applications, (i.e., Calendar, Drive, Docs, Sheets, Slides, Drawings, Forms, and Keep) to be stored in the associated users' Gmail mailboxes. This includes a copy of all sent or received messages within a specified domain (including messages sent or received by non-Gmail mailboxes).

POLICIES

GWS.GMAIL.17.1v0.2

Comprehensive mail storage SHOULD be enabled to allow tracking of information across applications.

  • Rationale: Without comprehensive mail storage, tracking of information across applications could be compromised, posing a potential security risk. Enabling comprehensive mail storage can reduce this risk, enhancing the safety and integrity of user data and systems.
  • Last modified: November 14, 2023
  • MITRE ATT&CK TTP Mapping
    • None

RESOURCES

PREREQUISITES

  • None

IMPLEMENTATION

To configure the settings for Comprehensive Mail Storage:

GWS.GMAIL.17.1v0.2 Instructions
  1. Sign in to the Google Admin Console.
  2. Select Apps -> Google Workspace -> Gmail.
  3. Select Compliance -> Comprehensive mail storage.
  4. Check the Ensure that a copy of all sent and received mail is stored in associated users' mailboxes checkbox.
  5. Select Save.

 

18. Content Compliance Filtering

This section determines whether Gmail content is filtered based upon specified expressions, such as keyword, strings or patterns, and metadata. The compliance actions based upon the word lists are reject, quarantine, or deliver with modifications.

A Google Workspace solution is not strictly required to satisfy this baseline control, but the solution selected by an agency should offer services comparable to those offered by Google.

POLICIES

GWS.GMAIL.18.1v0.2

Content filtering SHOULD be enabled within Gmail messages.

  • Rationale: Without content filtering, Gmail messages could potentially contain sensitive or private content, posing a security risk. By enabling content filtering, this risk can be reduced, enhancing the safety and integrity of user data and systems.
  • Last modified: July 10, 2023
  • MITRE ATT&CK TTP Mapping

GWS.GMAIL.18.2v0.2

Any third-party or outside application selected for advanced email content filtering SHOULD offer services comparable to those offered by Google Workspace.

  • Rationale: Using third-party or outside applications for advanced email content filtering that do not offer services comparable to those offered by Google Workspace could potentially expose users to security risks. Using applications that offer comparable services can reduce this risk, enhancing the safety and integrity of user data and systems.
  • Last modified: July 10, 2023
  • MITRE ATT&CK TTP Mapping
    • None

GWS.GMAIL.18.3v0.2

Gmail or third-party applications SHALL be configured to protect PII and sensitive information as defined by the agency. At a minimum, credit card numbers, taxpayer Identification Numbers (TIN), and Social Security Numbers (SSN) SHALL be blocked.

RESOURCES

PREREQUISITES

  • None

IMPLEMENTATION

To configure the settings for spam protection:

GWS.GMAIL.18.1v0.2 Instructions
  1. Sign in to the Google Admin Console.
  2. Select Apps -> Google Workspace -> Gmail.
  3. Select Compliance -> Content Compliance.
  4. If Content compliance filtering is enabled, then the configuration needs to be completed and consists of the following fields:
    1. A short description.
    2. Email messages to affect.
    3. Expressions for content to search for in messages.
    4. Compliance action options.
  5. Select Save.

GWS.GMAIL.18.2v0.2 Instructions

There is no implementation steps for this policy.


GWS.GMAIL.18.3v0.2 Instructions

There is no implementation steps for this policy.

 

19. Spam Filtering

This section covers the settings relating to bypassing spam filters.

POLICIES

GWS.GMAIL.19.1v0.2

Domains SHALL NOT be added to lists that bypass spam filters.


GWS.GMAIL.19.2v0.2

Domains SHALL NOT be added to lists that bypass spam filters and hide warnings.


GWS.GMAIL.19.3v0.2

Bypass spam filters and hide warnings for all messages from internal and external senders SHALL NOT be enabled.

RESOURCES

PREREQUISITES

  • None

IMPLEMENTATION

To configure the settings for spam filtering:

Policy Group 19 Common Instructions
  1. Sign in to the Google Admin Console.
  2. Select Apps -> Google Workspace -> Gmail.
  3. Select Spam, Phishing, and Malware.
GWS.GMAIL.19.1v0.2 Instructions

For each rule listed under Spam:

  1. Ensure that either:
    • Bypass spam filters for messages from senders or domains in selected lists is not selected, or
    • None of the lists shown under Bypass spam filters for messages from senders or domains in selected lists contain an entire domain. For example, the entire domain "example.com" is not acceptable, but the specific address, john.doe@example.com, would be.
  2. Modify the rule or lists associated with the rule as needed, then select Save.

GWS.GMAIL.19.2v0.2 Instructions

For each rule listed under Spam:

  1. Ensure that either:
    • Bypass spam filters and hide warnings for messages from senders or domains in selected lists is not selected, or
    • None of the lists shown under Bypass spam filters and hide warnings for messages from senders or domains in selected lists contain an entire domain. For example, the entire domain "example.com" is not acceptable, but the specific address, john.doe@example.com, would be.
  2. Modify the rule or lists associated with the rule as needed, then select Save.

GWS.GMAIL.19.3v0.2 Instructions

For each rule listed under Spam:

  1. Ensure that *Bypass spam filters and hide warnings for all messages from internal and external sender is not selected.
  2. Select Save.