Gmail Baseline Report

| Customer Name | Customer Domain | Customer ID | Report Date | Baseline Version | Tool Version |
|---|---|---|---|---|---|
| Cool Example Org | example.org | ABCDEFG | 06/26/2025 16:02:22 Pacific Daylight Time | 0.5 | v0.5.0 |

GMAIL-1 Mail Delegation

| Control ID | Requirement | Result | Criticality | Details |
|---|---|---|---|---|
| GWS.GMAIL.1.1v0.5 | Mail Delegation SHOULD be disabled. | Warning | Should | The following OUs are non-compliant: |

GMAIL-2 DomainKeys Identified Mail

| Control ID | Requirement | Result | Criticality | Details |
|---|---|---|---|---|
| GWS.GMAIL.2.1v0.5 | DKIM SHOULD be enabled for all domains. | Warning | Should | 1 of 2 agency domain(s) found in violation: carroll.com. |

GMAIL-3 Sender Policy Framework

| Control ID | Requirement | Result | Criticality | Details |
|---|---|---|---|---|
| GWS.GMAIL.3.1v0.5 | An SPF policy SHALL be published for each domain that fails all non-approved senders. | Fail | Shall | 2 of 2 agency domain(s) found in violation: example.org, carroll.com. |

GMAIL-4 Domain-based Message Authentication, Reporting, and Conformance

| Control ID | Requirement | Result | Criticality | Details |
|---|---|---|---|---|
| GWS.GMAIL.4.1v0.5 | A DMARC policy SHALL be published for every second-level domain. | Fail | Shall | 1 of 2 agency domain(s) found in violation: example.org. |
| GWS.GMAIL.4.2v0.5 | The DMARC message rejection option SHALL be p=reject. | Fail | Shall | 1 of 2 agency domain(s) found in violation: example.org. |
| GWS.GMAIL.4.3v0.5 | The DMARC point of contact for aggregate reports SHALL include `reports@dmarc.cyber.dhs.gov`. | Fail | Shall | 1 of 2 agency domain(s) found in violation: example.org. |
| GWS.GMAIL.4.4v0.5 | An agency point of contact SHOULD be included for aggregate and failure reports. | Warning | Should | 1 of 2 agency domain(s) found in violation: example.org. |

GMAIL-5 Attachment Protections

| Control ID | Requirement | Result | Criticality | Details |
|---|---|---|---|---|
| GWS.GMAIL.5.1v0.5 | Protect against encrypted attachments from untrusted senders SHALL be enabled. | Pass | Shall | Requirement met in all OUs and groups. |
| GWS.GMAIL.5.2v0.5 | Protect against attachments with scripts from untrusted senders SHALL be enabled. | Pass | Shall | Requirement met in all OUs and groups. |
| GWS.GMAIL.5.3v0.5 | Protect against anomalous attachment types in emails SHALL be enabled. | Pass | Shall | Requirement met in all OUs and groups. |
| GWS.GMAIL.5.4v0.5 | Google SHOULD be allowed to automatically apply future recommended settings for attachments. | Pass | Should | Requirement met in all OUs and groups. |
| GWS.GMAIL.5.5v0.5 | Emails flagged by the above attachment protection controls SHALL NOT be kept in inbox. | Pass | Shall | Requirement met in all OUs and groups. |
| GWS.GMAIL.5.6v0.5 | Any third-party or outside application selected for attachment protection SHOULD offer services comparable to those offered by Google Workspace. | N/A | Should/Not-Implemented | Currently not able to be tested automatically; please check manually. |

GMAIL-6 Links and External Images Protection

| Control ID | Requirement | Result | Criticality | Details |
|---|---|---|---|---|
| GWS.GMAIL.6.1v0.5 | Identify links behind shortened URLs SHALL be enabled. | Pass | Shall | Requirement met in all OUs and groups. |
| GWS.GMAIL.6.2v0.5 | Scan linked images SHALL be enabled. | Pass | Shall | Requirement met in all OUs and groups. |
| GWS.GMAIL.6.3v0.5 | Show warning prompt for any click on links to untrusted domains SHALL be enabled. | Pass | Shall | Requirement met in all OUs and groups. |
| GWS.GMAIL.6.4v0.5 | Google SHALL be allowed to automatically apply future recommended settings for links and external images. | Pass | Should | Requirement met in all OUs and groups. |
| GWS.GMAIL.6.5v0.5 | Any third-party or outside application selected for links and external images protection SHOULD offer services comparable to those offered by Google Workspace. | N/A | Should/Not-Implemented | Currently not able to be tested automatically; please manually check. |

GMAIL-7 Spoofing and Authentication Protection

| Control ID | Requirement | Result | Criticality | Details |
|---|---|---|---|---|
| GWS.GMAIL.7.1v0.5 | Protect against domain spoofing based on similar domain names SHALL be enabled. | Pass | Shall | Requirement met in all OUs and groups. |
| GWS.GMAIL.7.2v0.5 | Protect against spoofing of employee names SHALL be enabled. | Pass | Shall | Requirement met in all OUs and groups. |
| GWS.GMAIL.7.3v0.5 | Protect against inbound emails spoofing your domain SHALL be enabled. | Pass | Shall | Requirement met in all OUs and groups. |
| GWS.GMAIL.7.4v0.5 | Protect against any unauthenticated emails SHALL be enabled. | Pass | Shall | Requirement met in all OUs and groups. |
| GWS.GMAIL.7.5v0.5 | Protect your Groups from inbound emails spoofing your domain SHALL be enabled. | Pass | Shall | Requirement met in all OUs and groups. |
| GWS.GMAIL.7.6v0.5 | Emails flagged by the above spoofing and authentication controls SHALL NOT be kept in inbox. | Fail | Shall | The following OUs are non-compliant: |
| GWS.GMAIL.7.7v0.5 | Google SHALL be allowed to automatically apply future recommended settings for spoofing and authentication. | Warning | Should | The following OUs are non-compliant: |
| GWS.GMAIL.7.8v0.5 | Any third-party or outside application selected for spoofing and authentication protection SHOULD offer services comparable to those offered by Google Workspace. | N/A | Should/Not-Implemented | Currently not able to be tested automatically; please manually check. |

GMAIL-8 User Email Uploads

| Control ID | Requirement | Result | Criticality | Details |
|---|---|---|---|---|
| GWS.GMAIL.8.1v0.5 | User email uploads SHALL be disabled to protect against unauthorized files being introduced into the secured environment. | Pass | Shall | Requirement met in all OUs and groups. |

GMAIL-9 POP and IMAP Access for Users

| Control ID | Requirement | Result | Criticality | Details |
|---|---|---|---|---|
| GWS.GMAIL.9.1v0.5 | POP and IMAP access SHALL be disabled to protect sensitive agency or organization emails from being accessed through legacy applications or other third-party mail clients. | Fail | Shall | The following OUs are non-compliant: |

GMAIL-10 Google Workspace Sync

| Control ID | Requirement | Result | Criticality | Details |
|---|---|---|---|---|
| GWS.GMAIL.10.1v0.5 | Google Workspace Sync SHOULD be disabled. | Pass | Shall | Requirement met in all OUs and groups. |

GMAIL-11 Automatic Forwarding

| Control ID | Requirement | Result | Criticality | Details |
|---|---|---|---|---|
| GWS.GMAIL.11.1v0.5 | Automatic forwarding SHOULD be disabled, especially to external domains. | Pass | Shall | Requirement met in all OUs and groups. |

GMAIL-12 Per-user Outbound Gateways

| Control ID | Requirement | Result | Criticality | Details |
|---|---|---|---|---|
| GWS.GMAIL.12.1v0.5 | Using a per-user outbound gateway that is a mail server other than the Google Workspace mail servers SHALL be disabled. | Pass | Shall | Requirement met in all OUs and groups. |

GMAIL-13 Unintended External Reply Warning

| Control ID | Requirement | Result | Criticality | Details |
|---|---|---|---|---|
| GWS.GMAIL.13.1v0.5 | Unintended external reply warnings SHALL be enabled. | Fail | Shall | The following OUs are non-compliant: |

GMAIL-14 Email Allowlist

| Control ID | Requirement | Result | Criticality | Details |
|---|---|---|---|---|
| GWS.GMAIL.14.1v0.5 | An email allowlist SHOULD not be implemented. | Pass | Should | Email allowlists are disabled in Cool Example Org. |

GMAIL-15 Enhanced Pre-Delivery Message Scanning

| Control ID | Requirement | Result | Criticality | Details |
|---|---|---|---|---|
| GWS.GMAIL.15.1v0.5 | Enhanced pre-delivery message scanning SHALL be enabled to prevent phishing. | Fail | Shall | The following OUs are non-compliant: |
| GWS.GMAIL.15.2v0.5 | Any third-party or outside application selected for enhanced pre-delivery message scanning SHOULD offer services comparable to those offered by Google Workspace. | N/A | Should/Not-Implemented | Currently not able to be tested automatically; please manually check. |

GMAIL-16 Security Sandbox

| Control ID | Requirement | Result | Criticality | Details |
|---|---|---|---|---|
| GWS.GMAIL.16.1v0.5 | Security sandbox SHOULD be enabled to provide additional protections for their email messages. | No events found | Should | No relevant event in the current logs for the top-level OU, Cool Example Org. While we are unable to determine the state from the logs, the default setting is non-compliant; manual check recommended. Log-based check. See limitations. |
| GWS.GMAIL.16.2v0.5 | Any third-party or outside application selected for security sandbox SHOULD offer services comparable to those offered by Google Workspace. | N/A | Should/Not-Implemented | Currently not able to be tested automatically; please manually check. |

GMAIL-17 Comprehensive Mail Storage

| Control ID | Requirement | Result | Criticality | Details |
|---|---|---|---|---|
| GWS.GMAIL.17.1v0.5 | Comprehensive mail storage SHOULD be enabled to allow tracking of information across applications. | N/A | Should/Not-Implemented | Currently not able to be tested automatically; please manually check. |

GMAIL-18 Spam Filtering

| Control ID | Requirement | Result | Criticality | Details |
|---|---|---|---|---|
| GWS.GMAIL.18.1v0.5 | Domains SHALL NOT be added to lists that bypass spam filters. | N/A | Shall/Not-Implemented | Currently not able to be tested automatically; please manually check. |
| GWS.GMAIL.18.2v0.5 | Domains SHALL NOT be added to lists that bypass spam filters and hide warnings. | N/A | Shall/Not-Implemented | Currently not able to be tested automatically; please manually check. |
| GWS.GMAIL.18.3v0.5 | Bypass spam filters and hide warnings for all messages from internal and external senders SHALL NOT be enabled. | N/A | Shall/Not-Implemented | Currently not able to be tested automatically; please manually check. |