Starting in early 2024, Google tightened three enforcement efforts in the organization’s ongoing fight against spam. First, bulk senders of email must authenticate email with domain-related email settings to ensure each email is actually from the sender specified. Second, large senders of email must offer a one-click unsubscribe option and process the request within two days, so people don’t experience absurdly long delays or complicated opt-out processes when they unsubscribe. Third, Google will enforce a spam rate threshold, so senders whose messages recipients too often report as spam will be much less likely to reach your inbox.

These changes have implications for Google Workspace administrators and every person who uses Gmail. Administrators, at a minimum, must make certain that email authentication is active and properly configured to ensure reliable email delivery and prevent spoofing. Gmail users must take care not to mass-send unwanted emails, or they risk having an account flagged as a spammer. Details and links for both are covered below.

How a Google Workspace administrator can fight spam in Gmail

A Google Workspace administrator may manage several settings that help reduce spam email issues for the entire organization. The most critical one-time task is to activate DKIM for Gmail in the Google Workspace Admin console and configure two domain name system text records with your DNS provider. The other settings offer additional spam protections, but the authentication step is critical.

To prevent spoofing, a Google Workspace administrator must manage three email-related settings: DKIM, SPF and DMARC.

  • DomainKeys Identified Mail can be enabled in the Google Workspace Admin Console by going to Apps | Google Workspace | Gmail | Authenticate Mail, then following the displayed instructions. Once active, this system uses a cryptographic signature to confirm an outbound email is from an authorized sender’s account.
  • Sender Policy Framework is a domain name system record that specifies the mail providers allowed to send email on your behalf. In addition to your organization’s domain, providers also typically include third-party systems, such as mailing list services, customer relationship databases and financial systems (e.g., billing and accounting).
  • Domain-based Message Authentication, Reporting and Conformance, like SPF, is configured as a DNS record. It lets you specify what the system should do when suspected spam is detected. The most severe setting lets you reject suspected spam. Alternatively, you might quarantine it or choose to be notified. Proper configuration of DMARC stops a significant amount of potential phishing.

All three settings work together to ensure that your organization’s outbound email is authenticated and therefore more likely to be delivered to recipients’ inboxes.

A Google Workspace administrator will need to generate a key within the Admin Console (left) and configure SPF (top right), DMARC (middle right) and DKIM (bottom right) text records in DNS. Screenshot: Andy Wolber/TechRepublic

Recommended: Help prevent phishing and spoofing

A Google Workspace administrator can enable enhanced pre-delivery message scanning to prevent fraudulent email from being delivered to inboxes. This setting requires a one-time check of a box in the Admin Console: Apps | Google Workspace | Gmail | Spam, Phishing, And Malware | Select the check box that Enables Improved Detection Of Suspicious Content Prior To Delivery and then select Save. Note that this may introduce a slight delivery delay for some email messages.

Additionally, most administrators will want to enable a whole set of advanced options found in the Admin Console | Google Workspace | Gmail | Safety | Spoofing And Authentication | Select the pencil to edit, then check the box next to every option. Select Save when done.

Most Workspace administrators will also want to enable additional Spoofing And Authentication options. Screenshot: Andy Wolber/TechRepublic

Optional: Manually manage allowed and blocked senders

Another way to deal with recurring spam is to add a sender’s domain to a blocked senders list. This blocks all email from either an email address or domain to any recipient in your organization. In a school setting, for example, an administrator might add a commonly mistyped domain to this list, such as whitehouse.com, which is a gambling site as of 2024. Access this in the Admin Console | Apps | Google Workspace | Gmail | Spam, Phishing, And Malware | Blocked Senders Option, then select Configure.

Similarly, an administrator may add domains to an approved senders list. This signals that email from the specified domain should be delivered to your organization’s accounts. In a school setting, the domains of a parent organization, local government or funding organization are often added to this list. In an enterprise setting, domains of partners, suppliers, vendors or affiliated companies are typically set as always allowed. Access this in the Admin Console | Apps | Google Workspace | Gmail | Spam, Phishing, And Malware | Spam option, then select Configure.

Specify blocked email addresses or domains to prevent delivery or add approved senders to bypass spam screening. Screenshot: Andy Wolber/TechRepublic

How you can fight spam in Gmail

Google’s changes may mean more email is delivered to a user’s Gmail spam folder rather than the inbox. The following actions are available to people who use Gmail and can help reduce unwanted email.

Recommended: Use the Spam and Not Spam buttons

Gmail gives you the option to report email either as spam or not spam. When you discover a spam email in your inbox, select the email, then click or tap the Report Spam icon. This indicates you prefer emails from that sender be sent to spam instead of your inbox.

Correspondingly, when you identify an email in spam that should not be labeled as such, select the email and then click or tap the Not Spam button. This sends a signal to the system that you think the email should not have been placed in spam and moves it into your inbox.

Every person who uses Gmail should report spam when it arrives in the Inbox (left) or select Not spam (right) when a wanted email errantly arrives in spam. Screenshot: Andy Wolber/TechRepublic

Required: Don’t mass send email without an unsubscribe option

Make sure any mass emails you send offer an unsubscribe option. For example, when you send an email using Google’s mail merge feature, the templates include an Unsubscribe link by default. This also applies to any third-party email system you might use, such as Constant Contact, Mailchimp or Salesforce.

Optional: Add a sender as a Google Contact

Email from people you have added to Google Contacts will be more likely to be delivered to your Gmail inbox. A series of searches and cleanout of your Gmail messages may help you identify addresses from senders to add to Contacts. To add addresses, go to Google Contacts on the web, select the + Create Contact button, then add your contact’s details, including their email address(es).

Optional: Enroll in Google’s Advanced Protection Program

The Advanced Protection Program adds layers of security to your Google account, including more rigorous sign-in procedures, stronger limitations on third-party sign-ins and constraints on external application data access. You’ll need security keys — physical pieces of hardware — in order to enroll in the Advanced Protection Program. Once activated, the Advanced Protection Program makes it much more difficult for anyone other than you to access your account.

You may enroll in the Advanced Protection Program with any personal Gmail account; however, organizational users should know that a Workspace admin can choose to enable or disable the Advanced Protection Program for Workspace organizational accounts. If you are unable to enroll either a work or school account, check with your Google Workspace admin for details.

Optional: Opt-out of receiving commercial email

Beyond Google-provided controls, the Data & Marketing Association lets you register your email address with the Email Preference Service. Once added, the ethical email marketers who rely on this list will remove your address from unsolicited emailings. You may enter as many as three email addresses at a time, then confirm your removal request by clicking on a link in an email sent to each address.

Mention or message me on X (@awolber) to let me know how you deal with spam, either as a Google Workspace administrator or Gmail user.
