
Gmail Baseline Report
Customer Domain | Report Date | Baseline Version | Tool Version |
---|---|---|---|
example.org | 02/10/2025 09:39:56 Pacific Daylight Time | v0.4 | v0.4.0 |
GMAIL-1 Mail Delegation
Control ID | Requirement | Result | Criticality | Details |
---|---|---|---|---|
GWS.GMAIL.1.1v0.4 | Mail Delegation SHOULD be disabled. | Warning | Should | The following OUs are non-compliant: |
GMAIL-2 DomainKeys Identified Mail
Control ID | Requirement | Result | Criticality | Details |
---|---|---|---|---|
GWS.GMAIL.2.1v0.4 | DKIM SHOULD be enabled for all domains. | Warning | Should | 1 of 2 agency domain(s) found in violation: Matthew Wilson. |
GMAIL-3 Sender Policy Framework
Control ID | Requirement | Result | Criticality | Details |
---|---|---|---|---|
GWS.GMAIL.3.1v0.4 | An SPF policy SHALL be published for each domain that fails all non-approved senders. | Fail | Shall | 2 of 2 agency domain(s) found in violation: example.org, Matthew Wilson. |
GMAIL-4 Domain-based Message Authentication, Reporting, and Conformance
Control ID | Requirement | Result | Criticality | Details |
---|---|---|---|---|
GWS.GMAIL.4.1v0.4 | A DMARC policy SHALL be published for every second-level domain. | Fail | Shall | 1 of 2 agency domain(s) found in violation: example.org. |
GWS.GMAIL.4.2v0.4 | The DMARC message rejection option SHALL be p=reject. | Fail | Shall | 1 of 2 agency domain(s) found in violation: example.org. |
GWS.GMAIL.4.3v0.4 | The DMARC point of contact for aggregate reports SHALL include `reports@dmarc.cyber.dhs.gov`. | Fail | Shall | 1 of 2 agency domain(s) found in violation: example.org. |
GWS.GMAIL.4.4v0.4 | An agency point of contact SHOULD be included for aggregate and failure reports. | Warning | Should | 1 of 2 agency domain(s) found in violation: example.org. |
GMAIL-5 Attachment Protections
Control ID | Requirement | Result | Criticality | Details |
---|---|---|---|---|
GWS.GMAIL.5.1v0.4 | Protect against encrypted attachments from untrusted senders SHALL be enabled. | Pass | Shall | Requirement met in all OUs and groups. |
GWS.GMAIL.5.2v0.4 | Protect against attachments with scripts from untrusted senders SHALL be enabled. | Pass | Shall | Requirement met in all OUs and groups. |
GWS.GMAIL.5.3v0.4 | Protect against anomalous attachment types in emails SHALL be enabled. | Pass | Shall | Requirement met in all OUs and groups. |
GWS.GMAIL.5.4v0.4 | Google SHOULD be allowed to automatically apply future recommended settings for attachments. | Pass | Should | Requirement met in all OUs and groups. |
GWS.GMAIL.5.5v0.4 | Emails flagged by the above attachment protection controls SHALL NOT be kept in inbox. | Pass | Shall | Requirement met in all OUs and groups. |
GWS.GMAIL.5.6v0.4 | Any third-party or outside application selected for attachment protection SHOULD offer services comparable to those offered by Google Workspace. | N/A | Should/Not-Implemented | Currently not able to be tested automatically; please check manually. |
GMAIL-6 Links and External Images Protection
Control ID | Requirement | Result | Criticality | Details |
---|---|---|---|---|
GWS.GMAIL.6.1v0.4 | Identify links behind shortened URLs SHALL be enabled. | Pass | Shall | Requirement met in all OUs and groups. |
GWS.GMAIL.6.2v0.4 | Scan linked images SHALL be enabled. | Pass | Shall | Requirement met in all OUs and groups. |
GWS.GMAIL.6.3v0.4 | Show warning prompt for any click on links to untrusted domains SHALL be enabled. | Pass | Shall | Requirement met in all OUs and groups. |
GWS.GMAIL.6.4v0.4 | Google SHALL be allowed to automatically apply future recommended settings for links and external images. | Pass | Should | Requirement met in all OUs and groups. |
GWS.GMAIL.6.5v0.4 | Any third-party or outside application selected for links and external images protection SHOULD offer services comparable to those offered by Google Workspace. | N/A | Should/Not-Implemented | Currently not able to be tested automatically; please manually check. |
GMAIL-7 Spoofing and Authentication Protection
Control ID | Requirement | Result | Criticality | Details |
---|---|---|---|---|
GWS.GMAIL.7.1v0.4 | Protect against domain spoofing based on similar domain names SHALL be enabled. | Pass | Shall | Requirement met in all OUs and groups. |
GWS.GMAIL.7.2v0.4 | Protect against spoofing of employee names SHALL be enabled. | Pass | Shall | Requirement met in all OUs and groups. |
GWS.GMAIL.7.3v0.4 | Protect against inbound emails spoofing your domain SHALL be enabled. | Pass | Shall | Requirement met in all OUs and groups. |
GWS.GMAIL.7.4v0.4 | Protect against any unauthenticated emails SHALL be enabled. | Pass | Shall | Requirement met in all OUs and groups. |
GWS.GMAIL.7.5v0.4 | Protect your Groups from inbound emails spoofing your domain SHALL be enabled. | Pass | Shall | Requirement met in all OUs and groups. |
GWS.GMAIL.7.6v0.4 | Emails flagged by the above spoofing and authentication controls SHALL NOT be kept in inbox. | Pass | Shall | Requirement met in all OUs and groups. |
GWS.GMAIL.7.7v0.4 | Google SHALL be allowed to automatically apply future recommended settings for spoofing and authentication. | Pass | Should | Requirement met in all OUs and groups. |
GWS.GMAIL.7.8v0.4 | Any third-party or outside application selected for spoofing and authentication protection SHOULD offer services comparable to those offered by Google Workspace. | N/A | Should/Not-Implemented | Currently not able to be tested automatically; please manually check. |
GMAIL-8 User Email Uploads
Control ID | Requirement | Result | Criticality | Details |
---|---|---|---|---|
GWS.GMAIL.8.1v0.4 | User email uploads SHALL be disabled to protect against unauthorized files being introduced into the secured environment. | Fail | Shall | The following OUs are non-compliant: |
GMAIL-9 POP and IMAP Access for Users
Control ID | Requirement | Result | Criticality | Details |
---|---|---|---|---|
GWS.GMAIL.9.1v0.4 | POP and IMAP access SHALL be disabled to protect sensitive agency or organization emails from being accessed through legacy applications or other third-party mail clients. | Fail | Shall | The following OUs are non-compliant: |
GMAIL-10 Google Workspace Sync
Control ID | Requirement | Result | Criticality | Details |
---|---|---|---|---|
GWS.GMAIL.10.1v0.4 | Google Workspace Sync SHOULD be disabled. | Fail | Shall | The following OUs are non-compliant: |
GWS.GMAIL.10.2v0.4 | Google Workspace Sync MAY be enabled on a per-user basis as needed. | N/A | May/Not-Implemented | Currently not able to be tested automatically; please manually check. |
GMAIL-11 Automatic Forwarding
Control ID | Requirement | Result | Criticality | Details |
---|---|---|---|---|
GWS.GMAIL.11.1v0.4 | Automatic forwarding SHOULD be disabled, especially to external domains. | Pass | Shall | Requirement met in all OUs and groups. |
GMAIL-12 Per-user Outbound Gateways
Control ID | Requirement | Result | Criticality | Details |
---|---|---|---|---|
GWS.GMAIL.12.1v0.4 | Using a per-user outbound gateway that is a mail server other than the Google Workspace mail servers SHALL be disabled. | Fail | Shall | The following OUs are non-compliant: |
GMAIL-13 Unintended External Reply Warning
Control ID | Requirement | Result | Criticality | Details |
---|---|---|---|---|
GWS.GMAIL.13.1v0.4 | Unintended external reply warnings SHALL be enabled. | Pass | Shall | Requirement met in all OUs and groups. |
GMAIL-14 Email Allowlist
Control ID | Requirement | Result | Criticality | Details |
---|---|---|---|---|
GWS.GMAIL.14.1v0.4 | An email allowlist SHOULD NOT be implemented. | Warning | Should | Email allowlists are enabled in Org Name. |
GMAIL-15 Enhanced Pre-Delivery Message Scanning
Control ID | Requirement | Result | Criticality | Details |
---|---|---|---|---|
GWS.GMAIL.15.1v0.4 | Enhanced pre-delivery message scanning SHALL be enabled to prevent phishing. | Pass | Shall | Requirement met in all OUs and groups. |
GWS.GMAIL.15.2v0.4 | Any third-party or outside application selected for enhanced pre-delivery message scanning SHOULD offer services comparable to those offered by Google Workspace. | N/A | Should/Not-Implemented | Currently not able to be tested automatically; please manually check. |
GMAIL-16 Security Sandbox
Control ID | Requirement | Result | Criticality | Details |
---|---|---|---|---|
GWS.GMAIL.16.1v0.4 | Security sandbox SHOULD be enabled to provide additional protections for their email messages. | Pass | Should | Requirement met in all OUs and groups. |
GWS.GMAIL.16.2v0.4 | Any third-party or outside application selected for security sandbox SHOULD offer services comparable to those offered by Google Workspace. | N/A | Should/Not-Implemented | Currently not able to be tested automatically; please manually check. |
GMAIL-17 Comprehensive Mail Storage
Control ID | Requirement | Result | Criticality | Details |
---|---|---|---|---|
GWS.GMAIL.17.1v0.4 | Comprehensive mail storage SHOULD be enabled to allow tracking of information across applications. | N/A | Should/Not-Implemented | Currently not able to be tested automatically; please manually check. |
GMAIL-18 Content Compliance Filtering
Control ID | Requirement | Result | Criticality | Details |
---|---|---|---|---|
GWS.GMAIL.18.1v0.4 | Content filtering SHOULD be enabled within Gmail messages. | N/A | Should/Not-Implemented | Currently not able to be tested automatically; please manually check. |
GWS.GMAIL.18.2v0.4 | Any third-party or outside application selected for advanced email content filtering SHOULD offer services comparable to those offered by Google Workspace. | N/A | Should/Not-Implemented | Currently not able to be tested automatically; please manually check. |
GWS.GMAIL.18.3v0.4 | Gmail or third-party applications SHALL be configured to protect PII and sensitive information as defined by the agency. At a minimum, credit card numbers, Taxpayer Identification Numbers (TIN), and Social Security Numbers (SSN) SHALL be blocked. | N/A | Shall/Not-Implemented | Currently not able to be tested automatically; please manually check. |
GMAIL-19 Spam Filtering
Control ID | Requirement | Result | Criticality | Details |
---|---|---|---|---|
GWS.GMAIL.19.1v0.4 | Domains SHALL NOT be added to lists that bypass spam filters. | N/A | Shall/Not-Implemented | Currently not able to be tested automatically; please manually check. |
GWS.GMAIL.19.2v0.4 | Domains SHALL NOT be added to lists that bypass spam filters and hide warnings. | N/A | Shall/Not-Implemented | Currently not able to be tested automatically; please manually check. |
GWS.GMAIL.19.3v0.4 | Bypass spam filters and hide warnings for all messages from internal and external senders SHALL NOT be enabled. | N/A | Shall/Not-Implemented | Currently not able to be tested automatically; please manually check. |