Security

Why G Suite admins should enable Gmail's advanced anti-phishing and malware settings

Google recently added new G Suite safety settings to give Gmail users an added layer of protection. Learn how to warn users of harmful emails, or simply send them straight to spam with these options.

In March 2018, Google added optional G Suite Gmail safety settings that affect how the system handles potentially problematic attachments, links, and external images, as well as how it processes unauthenticated or spoofed messages. Google always guards against malware in messages, however these settings offer additional protection.

Several of the safety settings offer G Suite administrators a choice between either "keep email in inbox and show a warning" or "move email to spam." The system defaults to the first option, which makes the recipient aware of each problematic email, but they will still receive and see potentially harmful emails. The latter option—move to spam—ensures the email isn't presented. I suggest admins make users aware that they are adjusting these settings, and ask recipients to notify them if they receive a noticeable amount of emails with warnings. If they do, admins can adjust the settings to "move email to spam."

To adjust the settings, sign in to the G Suite Admin console at admin.google.com, then go to Apps > G Suite > Gmail > Safety. Here's a look at each of the optional safety settings, along with a few features to consider.

Attachments and scripts

The first two settings protect people from encrypted attachments, which Gmail can't scan, as well as attachments with scripts from untrusted senders. Unless people in your organization need to receive scripts from untrusted senders or receive encrypted attachments, you may want to choose to send both of these items directly to spam.

For all of the Safety section settings, an administrator can configure different settings for different groups of people by creating organizational units in G Suite. For example, a news organization might choose to warn reporters who receive encrypted attachments of the potential for harm, but send all email with an encrypted attachment straight to spam for everyone else.

Screenshot of Gmail > Safety > attachment settings

A G Suite administrator may choose to warn an email recipient when the person attempts to access an attached items that is encrypted or includes a script. Or, the admin may choose to classify such emails as spam.

Links and external images

The next two options protect people from malicious links in shortened URLs and malicious content from linked images. Most G Suite administrators will want to enable both of these settings. I suspect few would want people to access harmful links or images.

The last setting in this group controls how warnings work in Gmail when a person clicks on a link to an untrusted domain. When selected, a warning will show when such a link is followed. Otherwise, the warning will show only if the sender is suspicious and the link is followed. I see little harm in warning of untrusted links, so most G Suite administrators may want to check this box.

Screenshot of Gmail > Safety > Links and external images settings

The safety settings also guard against malicious links in shortened URLs or hidden malicious image content.

Spoofing and authentication

Google also gives G Suite administrators tools to protect people from spoofing. Enable the first two settings: "Protect against domain spoofing based on similar domain names" and "Protect against spoofing of employee names." For the first option—guarding against a similar domain name spoof — many administrators will want to send the email straight to spam. This would include emails that might closely resemble your domain, but actually include a character that only looks similar. For the second option—employee name spoofing—an administrator will need to go to G Suite > Apps > G Suite > Directory > Sharing settings > then select both "Enable contact sharing" and "Show all email addresses."

Enable "Protect against inbound emails spoofing your domain" to guard against any emails that purport to be sent from your domain, but fail authentication tests. However, before you enable this setting, configure both SPF (sender policy framework) and DKIM (DomainKeys identified mail) email authentication options for your domain. In most cases, a G Suite admin will want to send emails like this straight to spam.

The last option is the most restrictive: It identifies any emails that don't pass either SPF or DKIM tests. Nearly all credible email providers support these options. However, not all administrators configure SPF or DKIM settings. If you leave this setting unchecked entirely, people may receive unauthenticated email. In my case, I've chosen to select the setting, keep email in the inbox, and receive a warning. This will allow me to identify people I receive email from who lack these authentication settings. I can then choose to let people know that they have an email security improvement opportunity.

Screenshot of Gmail > Safety > Spoofing and authentication settings

Gmail safety settings also protect against inbound email from spoofed domains, spoofed employee names, or unauthenticated sources. The system relies on SPF and DKIM checks of inbound email for authentication.

Upgrade for charts

Users may see the impact of changes to safety settings, but G Suite administrators who use G Suite Basic or Business lack a way to monitor the domain-wide impact of the changes. In this way, safety settings are unlike DMARC (Domain-based message authentication, reporting and conformance) configuration. With DMARC, an administrator may choose to receive a notification and see key metadata for each item blocked, which allows a technical person to monitor the impact of DMARC settings. Only administrators who use G Suite Enterprise edition may access charts of emails affected by spoofing settings, unauthenticated emails, and emails with scripts or encrypted attachments. (Note the links in two of the above images with the phrase "Charts access requires G Suite Enterprise edition.")

Your settings and thoughts?

These safety settings may protect people not only from harmful messages, but also from phishing messages used by firms that conduct security audits—for example, the false phishing message sent to all employees, which a security firm can use to identify the percentage of people who opened the message or followed a link. With a few smart safety setting choices, these messages may be sent directly to spam.

If you are a G Suite administrator, what Safety settings have you selected? Why? And what do you think about the opportunity to upgrade to G Suite Enterprise to allow an administrator to access charts? Let me know your thoughts in the comments below or on Twitter (@awolber).

Also see

Illustration: Email, attachment, image on right, arrows pointing to stoplight (words above: "Safety setting"; lights: top-red "Spam", middle-yellow "Warning", bottom-green), with arrows pointing left to Gmail
Illustration: Andy Wolber

About Andy Wolber

Andy Wolber helps people understand and leverage technology for social impact. He resides in Ann Arbor, MI with his wife, Liz, and daughter, Katie.

Editor's Picks

Free Newsletters, In your Inbox