Most of this lives in one place: admin.google.com → Apps → Google Workspace → Gmail. We'll work mostly within Gmail's Safety and End User Access settings, plus a few DNS records. You can apply settings to your whole organization or scope them to an organizational unit (OU).

1. Require MFA first

No email setting matters as much as a second factor on every account. If you haven't already, do that first—see our companion guide, How to Secure Google Workspace with MFA—then come back here.

2. Authenticate your mail: SPF, DKIM, DMARC

These three DNS records prove your mail really comes from your domain and stop scammers from spoofing it to your own staff and customers.

  1. SPF — add a TXT record at your DNS host: v=spf1 include:_spf.google.com ~all
  2. DKIM — go to Apps → Google Workspace → Gmail → Authenticate email, generate the key (use 2048-bit), add the TXT record Google gives you, then click Start authentication.
  3. DMARC — publish a TXT record at _dmarc.yourdomain.com. Start in monitor mode: v=DMARC1; p=none; rua=mailto:[email protected], then tighten to p=quarantine and eventually p=reject once the reports look clean.

Set up SPF and DKIM before moving DMARC past p=none, or you risk sending your own legitimate mail to spam.
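A small sanity check for the records from this step, added here as an example (not from the original guide): it validates an SPF record against the Google include shown above, parses a DMARC record into its tags, and only recommends tightening the policy when SPF and DKIM are already in place. The records are constructed sample strings, so it runs offline; swap in the output of `dig +short TXT` for your own domain.

```python
"""Check SPF / DKIM / DMARC state before moving DMARC past p=none.
Records are plain strings (e.g. from `dig +short TXT example.com`)."""

GOOGLE_SPF = "include:_spf.google.com"


def check_spf(txt: str) -> list[str]:
    """Return a list of problems with an SPF TXT record (empty list = OK)."""
    problems = []
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (must start with v=spf1)"]
    if GOOGLE_SPF not in terms:
        problems.append(f"missing {GOOGLE_SPF}; Google-sent mail will fail SPF")
    if terms[-1] not in ("~all", "-all"):
        problems.append("record must end in ~all or -all (+all permits any sender)")
    return problems


def parse_dmarc(txt: str) -> dict[str, str]:
    """Split 'v=DMARC1; p=none; rua=...' into a lowercase-tag dictionary."""
    return {k.strip().lower(): v.strip()
            for k, v in (t.split("=", 1) for t in txt.split(";") if "=" in t)}


def dmarc_next_step(dmarc_txt: str, spf_txt: str, dkim_ok: bool) -> str:
    """Recommend the next DMARC policy; never tighten unless SPF and DKIM pass."""
    tags = parse_dmarc(dmarc_txt)
    if tags.get("v") != "DMARC1":
        return "invalid: publish v=DMARC1; p=none; rua=... first"
    if "rua" not in tags:
        return "add rua=mailto:... so you receive aggregate reports"
    if check_spf(spf_txt) or not dkim_ok:
        return "stay at p=none: fix SPF/DKIM first or you will spam your own mail"
    return {"none": "move to p=quarantine",
            "quarantine": "move to p=reject",
            "reject": "done: p=reject in place"}.get(tags.get("p", "none"),
                                                     "unknown policy")


# Constructed sample records (not real DNS answers)
SPF_OK = "v=spf1 include:_spf.google.com ~all"
SPF_BAD = "v=spf1 include:_spf.google.com +all"
DMARC_MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    print(check_spf(SPF_BAD))
    print(dmarc_next_step(DMARC_MONITOR, SPF_OK, dkim_ok=True))
```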

3. Turn on spoofing & authentication protection

These catch the impersonation tricks that fool people—look-alike domains and forged employee names.

Go to Apps → Google Workspace → Gmail → Safety → Spoofing and authentication and turn on every option:

  • Protect against domain spoofing based on similar domain names
  • Protect against spoofing of employee names
  • Protect against inbound emails spoofing your domain
  • Protect against any unauthenticated emails
  • Protect your Groups from inbound emails spoofing your domain

For each, set the action to Quarantine (or at least "Move to spam") rather than just showing a warning.

4. Turn on attachment & link protection

Still under Gmail → Safety, open the Attachments section and the Links and external images section, and enable the protections:

  • Attachments: protect against encrypted attachments and attachments with scripts from untrusted senders, and against anomalous attachment types. Quarantine the riskiest.
  • Links and external images: identify links behind shortened URLs, scan linked images, and show a warning for clicking links to untrusted domains.

On Enterprise editions, Security Sandbox detonates attachments in isolation before delivery—turn it on if you have it.

5. Warn on external senders & replies

Gmail can flag mail from outside your organization and warn before an accidental external reply—exactly the moments when impersonation and data leaks happen.

  • Gmail automatically shows an external sender banner on messages from unknown outside addresses; confirm it's enabled for your domain.
  • Keep the unintended external reply warning on, so staff get a heads-up before replying to someone outside the company.

6. Stop external auto-forwarding

A favorite business-email-compromise move is a quiet rule forwarding a mailbox to an outside address. Shut the door org-wide:

  1. Go to Apps → Google Workspace → Gmail → End User Access.
  2. Under Automatic forwarding, uncheck Allow users to automatically forward incoming email to another address.
  3. Review existing filters and forwarding for anything unexpected.

7. Turn off unused POP & IMAP

If your team uses the Gmail web app and the mobile app—and most small businesses do—you rarely need POP or IMAP, and turning them off removes a common path that sidesteps modern protections.

Go to Apps → Google Workspace → Gmail → End User Access → POP and IMAP access and disable them (for the whole org or just the OUs that don't need them).

8. Watch the quarantine & alerts

  • Decide who reviews the admin quarantine (where the protections above send suspicious mail) so legitimate messages aren't stuck for long: Apps → Google Workspace → Gmail → Manage quarantines.
  • Use the Alert center and security rules to get notified about suspicious activity and phishing: admin.google.com → Security → Alert center.

Your Google Workspace email checklist

  • MFA enforced for every account
  • SPF, DKIM, and DMARC published (DMARC moving past p=none)
  • All spoofing & authentication protections on, set to quarantine
  • Attachment and link protections on (Security Sandbox if available)
  • External-sender banner and external-reply warning on
  • External auto-forwarding disabled
  • Unused POP / IMAP turned off
  • Quarantine reviewer assigned and alerts configured

Google relabels and moves these settings from time to time, so a menu may sit a click from where it's described here—the bold names are stable search terms. Running Microsoft too? See How to Lock Down Microsoft 365 Email.