Return to the report summary

Gmail Baseline Report

Customer DomainReport DateBaseline VersionTool Version
example.org02/10/2025 09:39:56 Pacific Daylight Timev0.4v0.4.0

GMAIL-1 Mail Delegation

Control ID Requirement Result Criticality Details
GWS.GMAIL.1.1v0.4 Mail Delegation SHOULD be disabled. Warning Should The following OUs are non-compliant:
  • Org Name: Mail delegation is enabled

GMAIL-2 DomainKeys Identified Mail

Control ID Requirement Result Criticality Details
GWS.GMAIL.2.1v0.4 DKIM SHOULD be enabled for all domains. Warning Should 1 of 2 agency domain(s) found in violation: Matthew Wilson.

GMAIL-3 Sender Policy Framework

Control ID Requirement Result Criticality Details
GWS.GMAIL.3.1v0.4 An SPF policy SHALL be published for each domain that fails all non-approved senders. Fail Shall 2 of 2 agency domain(s) found in violation: example.org, Matthew Wilson.

GMAIL-4 Domain-based Message Authentication, Reporting, and Conformance

Control ID Requirement Result Criticality Details
GWS.GMAIL.4.1v0.4 A DMARC policy SHALL be published for every second-level domain. Fail Shall 1 of 2 agency domain(s) found in violation: example.org.
GWS.GMAIL.4.2v0.4 The DMARC message rejection option SHALL be p=reject. Fail Shall 1 of 2 agency domain(s) found in violation: example.org.
GWS.GMAIL.4.3v0.4 The DMARC point of contact for aggregate reports SHALL include `reports@dmarc.cyber.dhs.gov`. Fail Shall 1 of 2 agency domain(s) found in violation: example.org.
GWS.GMAIL.4.4v0.4 An agency point of contact SHOULD be included for aggregate and failure reports. Warning Should 1 of 2 agency domain(s) found in violation: example.org.

GMAIL-5 Attachment Protections

Control ID Requirement Result Criticality Details
GWS.GMAIL.5.1v0.4 Protect against encrypted attachments from untrusted senders SHALL be enabled. Pass Shall Requirement met in all OUs and groups.
GWS.GMAIL.5.2v0.4 Protect against attachments with scripts from untrusted senders SHALL be enabled. Pass Shall Requirement met in all OUs and groups.
GWS.GMAIL.5.3v0.4 Protect against anomalous attachment types in emails SHALL be enabled. Pass Shall Requirement met in all OUs and groups.
GWS.GMAIL.5.4v0.4 Google SHOULD be allowed to automatically apply future recommended settings for attachments. Pass Should Requirement met in all OUs and groups.
GWS.GMAIL.5.5v0.4 Emails flagged by the above attachment protection controls SHALL NOT be kept in inbox. Pass Shall Requirement met in all OUs and groups.
GWS.GMAIL.5.6v0.4 Any third-party or outside application selected for attachment protection SHOULD offer services comparable to those offered by Google Workspace. N/A Should/Not-Implemented Currently not able to be tested automatically; please check manually.

GMAIL-6 Links and External Images Protection

Control ID Requirement Result Criticality Details
GWS.GMAIL.6.1v0.4 Identify links behind shortened URLs SHALL be enabled. Pass Shall Requirement met in all OUs and groups.
GWS.GMAIL.6.2v0.4 Scan linked images SHALL be enabled. Pass Shall Requirement met in all OUs and groups.
GWS.GMAIL.6.3v0.4 Show warning prompt for any click on links to untrusted domains SHALL be enabled. Pass Shall Requirement met in all OUs and groups.
GWS.GMAIL.6.4v0.4 Google SHALL be allowed to automatically apply future recommended settings for links and external images. Pass Should Requirement met in all OUs and groups.
GWS.GMAIL.6.5v0.4 Any third-party or outside application selected for links and external images protection SHOULD offer services comparable to those offered by Google Workspace. N/A Should/Not-Implemented Currently not able to be tested automatically; please manually check.

GMAIL-7 Spoofing and Authentication Protection

Control ID Requirement Result Criticality Details
GWS.GMAIL.7.1v0.4 Protect against domain spoofing based on similar domain names SHALL be enabled. Pass Shall Requirement met in all OUs and groups.
GWS.GMAIL.7.2v0.4 Protect against spoofing of employee names SHALL be enabled. Pass Shall Requirement met in all OUs and groups.
GWS.GMAIL.7.3v0.4 Protect against inbound emails spoofing your domain SHALL be enabled. Pass Shall Requirement met in all OUs and groups.
GWS.GMAIL.7.4v0.4 Protect against any unauthenticated emails SHALL be enabled. Pass Shall Requirement met in all OUs and groups.
GWS.GMAIL.7.5v0.4 Protect your Groups from inbound emails spoofing your domain SHALL be enabled. Pass Shall Requirement met in all OUs and groups.
GWS.GMAIL.7.6v0.4 Emails flagged by the above spoofing and authentication controls SHALL NOT be kept in inbox. Pass Shall Requirement met in all OUs and groups.
GWS.GMAIL.7.7v0.4 Google SHALL be allowed to automatically apply future recommended settings for spoofing and authentication. Pass Should Requirement met in all OUs and groups.
GWS.GMAIL.7.8v0.4 Any third-party or outside application selected for spoofing and authentication protection SHOULD offer services comparable to those offered by Google Workspace. N/A Should/Not-Implemented Currently not able to be tested automatically; please manually check.

GMAIL-8 User Email Uploads

Control ID Requirement Result Criticality Details
GWS.GMAIL.8.1v0.4 User email uploads SHALL be disabled to protect against unauthorized files being introduced into the secured environment. Fail Shall The following OUs are non-compliant:
  • Org Name: User email uploads is enabled

GMAIL-9 POP and IMAP Access for Users

Control ID Requirement Result Criticality Details
GWS.GMAIL.9.1v0.4 POP and IMAP access SHALL be disabled to protect sensitive agency or organization emails from being accessed through legacy applications or other third-party mail clients. Fail Shall The following OUs are non-compliant:
  • Marilyn Cuevas: IMAP and POP access are enabled
  • Org Name: POP access is enabled

GMAIL-10 Google Workspace Sync

Control ID Requirement Result Criticality Details
GWS.GMAIL.10.1v0.4 Google Workspace Sync SHOULD be disabled. Fail Shall The following OUs are non-compliant:
  • Org Name: Google Workspace Sync is enabled
GWS.GMAIL.10.2v0.4 Google Workspace Sync MAY be enabled on a per-user basis as needed. N/A May/Not-Implemented Currently not able to be tested automatically; please manually check.

GMAIL-11 Automatic Forwarding

Control ID Requirement Result Criticality Details
GWS.GMAIL.11.1v0.4 Automatic forwarding SHOULD be disabled, especially to external domains. Pass Shall Requirement met in all OUs and groups.

GMAIL-12 Per-user Outbound Gateways

Control ID Requirement Result Criticality Details
GWS.GMAIL.12.1v0.4 Using a per-user outbound gateway that is a mail server other than the Google Workspace mail servers SHALL be disabled. Fail Shall The following OUs are non-compliant:
  • Org Name: Per-user Outbound Gateways are enabled

GMAIL-13 Unintended External Reply Warning

Control ID Requirement Result Criticality Details
GWS.GMAIL.13.1v0.4 Unintended external reply warnings SHALL be enabled. Pass Shall Requirement met in all OUs and groups.

GMAIL-14 Email Allowlist

Control ID Requirement Result Criticality Details
GWS.GMAIL.14.1v0.4 An email allowlist SHOULD not be implemented. Warning Should Email allowlists are enabled in Org Name.

GMAIL-15 Enhanced Pre-Delivery Message Scanning

Control ID Requirement Result Criticality Details
GWS.GMAIL.15.1v0.4 Enhanced pre-delivery message scanning SHALL be enabled to prevent phishing. Pass Shall Requirement met in all OUs and groups.
GWS.GMAIL.15.2v0.4 Any third-party or outside application selected for enhanced pre-delivery message scanning SHOULD offer services comparable to those offered by Google Workspace. N/A Should/Not-Implemented Currently not able to be tested automatically; please manually check.

GMAIL-16 Security Sandbox

Control ID Requirement Result Criticality Details
GWS.GMAIL.16.1v0.4 Security sandbox SHOULD be enabled to provide additional protections for their email messages. Pass Should Requirement met in all OUs and groups.
GWS.GMAIL.16.2v0.4 Any third-party or outside application selected for security sandbox SHOULD offer services comparable to those offered by Google Workspace. N/A Should/Not-Implemented Currently not able to be tested automatically; please manually check.

GMAIL-17 Comprehensive Mail Storage

Control ID Requirement Result Criticality Details
GWS.GMAIL.17.1v0.4 Comprehensive mail storage SHOULD be enabled to allow tracking of information across applications. N/A Should/Not-Implemented Currently not able to be tested automatically; please manually check.

GMAIL-18 Content Compliance Filtering

Control ID Requirement Result Criticality Details
GWS.GMAIL.18.1v0.4 Content filtering SHOULD be enabled within Gmail messages. N/A Should/Not-Implemented Currently not able to be tested automatically; please manually check.
GWS.GMAIL.18.2v0.4 Any third-party or outside application selected for advanced email content filtering SHOULD offer services comparable to those offered by Google Workspace. N/A Should/Not-Implemented Currently not able to be tested automatically; please manually check.
GWS.GMAIL.18.3v0.4 Gmail or third-party applications SHALL be configured to protect PII and sensitive information as defined by the agency. At a minimum, credit card numbers, taxpayer Identification Numbers (TIN), and Social Security Numbers (SSN) SHALL be blocked. N/A Shall/Not-Implemented Currently not able to be tested automatically; please manually check.

GMAIL-19 Spam Filtering

Control ID Requirement Result Criticality Details
GWS.GMAIL.19.1v0.4 Domains SHALL NOT be added to lists that bypass spam filters. N/A Shall/Not-Implemented Currently not able to be tested automatically; please manually check.
GWS.GMAIL.19.2v0.4 Domains SHALL NOT be added to lists that bypass spam filters and hide warnings. N/A Shall/Not-Implemented Currently not able to be tested automatically; please manually check.
GWS.GMAIL.19.3v0.4 Bypass spam filters and hide warnings for all messages from internal and external senders SHALL NOT be enabled. N/A Shall/Not-Implemented Currently not able to be tested automatically; please manually check.