Back in 2018, Gmail had over 1.5 billion monthly active users, and that number has grown considerably since then.
Gmail is the uncontested global leader among email services for good reason. Using it is intuitive, convenient, and affordable. But how well does it perform when it comes to privacy and email security?
Gmail Security Features
Let’s go over what Gmail has to offer when it comes to protecting your organization’s correspondence and data security.
Spam Protection
According to Google’s Security Center, the email service uses AI technology to filter out more than 10 million spam emails per minute.
Spam filtering is automatically turned on and it doesn’t normally require any input from you as the user. If a junk email does get through, you can mark it as spam - this aids the machine learning process.
The “Report as spam” icon is next to the Delete icon. Look for a white exclamation mark over a dark octagon.
Warning Messages
Some spam and phishing messages are filtered out before they ever reach your inbox. Others arrive with a warning banner telling you to be careful and verify the email before you click on anything or download an attachment.
The specific warning message will depend on your account details, the device you’re using, and on what caused Google to identify the message as harmful.
Why would you receive a warning? Possible reasons include:
- Suspicious language in the email. It's not clear exactly which keywords trigger Gmail's spam filters - this is understandably confidential, and it also depends on context (such as who the recipient is and whether we’ve been in touch with them before). However, certain phrases are especially likely to get flagged due to their frequent use in spam and phishing emails.
- High-risk link in the email. Emails with outgoing links always come under Google's scrutiny, and you get notified if the linked website seems suspicious to the algorithm. Of course, the absence of a warning doesn’t guarantee safety - it’s always best to avoid clicking on links in emails until you check the URL.
- The email has an attachment. Some email attacks happen through malware sent as an attachment. Gmail parses image embeds (such as logos) as attachments too, and this can lead to certain emails being misidentified as spam.
- Suspicious sender. As part of its recent anti-spoofing efforts, Gmail may be able to identify emails sent from someone who is pretending to be a part of your organization. If the sender’s name matches the name of someone in your organization, but they’re using a different email address, you may see a warning message.
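The "suspicious sender" case above (a colleague's name on an unfamiliar address) can be sketched as a simple check. This is an added example, not Gmail's actual logic; the directory, domains and sample headers are constructed, and `normalize_name` and `check_sender` are hypothetical helper names.

```python
import unicodedata
from email.utils import parseaddr

# Constructed sample directory (assumption): display name -> that person's real addresses.
DIRECTORY = {
    "Dana Whitfield": {"dana.whitfield@example.com"},
    "Luis Ortega": {"luis.ortega@example.com", "lortega@example.com"},
}
ORG_DOMAINS = {"example.com"}  # assumption: domains the organization owns


def normalize_name(name):
    """Fold case, accents, punctuation and word order ('WHITFIELD, Dana' == 'Dana Whitfield')."""
    text = unicodedata.normalize("NFKD", name)
    text = "".join(c for c in text if not unicodedata.combining(c))
    words = "".join(c if c.isalnum() else " " for c in text.casefold()).split()
    return " ".join(sorted(words))


KNOWN = {normalize_name(n): addrs for n, addrs in DIRECTORY.items()}


def check_sender(from_header):
    """Classify a From header as 'ok', 'warn', 'review' or 'no-match'."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    known_addrs = KNOWN.get(normalize_name(name))
    if known_addrs is None:
        return "no-match"   # display name is not a colleague's name
    if addr in known_addrs:
        return "ok"         # name and address agree with the directory
    if addr.rpartition("@")[2] in ORG_DOMAINS:
        return "review"     # internal domain, but not this person's address
    return "warn"           # colleague's name on an outside address


if __name__ == "__main__":
    # Constructed From headers for illustration.
    for header in (
        '"Dana Whitfield" <dana.whitfield@example.com>',
        '"WHITFIELD, Dana" <office@mail.test>',
        "billing@vendor.test",
    ):
        print(check_sender(header), header)
```
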
Account Security Validation
Google is relentless in its mission to improve account security for both personal accounts and business accounts. You can use the Security Checkup page to make sure your account’s security is up-to-date.
Google Workspace admins have an impressive number of ways to protect their team’s accounts. For example, they can ensure that every team member has to use the 2-step verification process (as well as security keys) before signing in. They can restrict email communication altogether, and there’s also a way to restrict access based on which device is being used.
According to the 2020 Google Cloud Whitepaper, account protection extends to sign-ins on third-party platforms, since “Google Workspace supports OAuth 2.0 and OpenID Connect, an open protocol for authentication and authorization that allows customers to configure one single sign-on service (SSO) for multiple cloud solutions. Users can log on to third-party applications through Google Workspace—and vice versa—without re-entering their credentials or sharing sensitive password information.”
Gmail Security FAQ
What if an email mistakenly gets marked as spam?
Some emails you receive seem suspicious to Google but aren’t actually spam. If you think something got filtered out when it shouldn’t have been, check your Spam folder (near the bottom of the left-hand-side column). Note that spam emails are automatically deleted from this folder after 30 days.
To unmark a message as spam, click on Not Spam at the top of the screen.
This won’t necessarily stop the filtering process the next time you get a message from the same address. To make it clear that you want to receive messages from this sender, you can add them to your Contacts.
Can you change spam settings?
Yes, but only if you’re a Google Workspace administrator. If you’re using the free version of Gmail (or the legacy free G Suite), this option isn’t available.
To change spam settings, you should:
- Sign in with your admin account.
- From the admin console home page, select Apps.
- Select Google Workspace.
- Select Gmail.
- Go to Spam, Phishing and Malware. If you can’t see this option, select Advanced Settings first.
Settings you can select:
- Be more aggressive when filtering spam - in this case, Google uses stricter criteria when determining whether a message is spam or not. Turning this on increases security but also makes it likelier that incoming messages will get incorrectly flagged as spam.
- Bypass spam filters for messages received from internal senders - generally speaking, spam emails are sent from outside of the organization. You can turn this option on to make sure every email gets through if it’s sent within the organization (including all subdomains). However, that means you won’t be protected from more sophisticated attacks from hacked email addresses.
- Put spam in administrative quarantine - this option lets you review each suspicious email before it reaches the intended recipient.
- Bypass spam filters for messages received from addresses or domains within these approved senders lists - as an admin, you can create a list of trusted organizations, and Gmail’s security measures will be less strict for messages sent from the listed domains.
You can apply these settings to all users within an organizational unit (along with any child organizations). There is no option yet to apply filtering to groups.
Does Google offer security checks for outgoing emails?
On the whole, Gmail does a good job of protecting your inbox from various types of cyberattacks. But can you rely on Google to monitor the messages sent from your organization?
Up to a point, yes. Employees may receive an external reply warning when attempting to message someone outside of your organization. However, Gmail doesn’t generally monitor confidential information in outgoing messages (such as bank account details). Consider using third-party applications to scan your drafts, and also look into comprehensive training options for employees.
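As an added example (not part of Gmail or of any product named on this page), the sketch below shows what a draft scan for bank account details might look like: it flags a draft only when a recipient is outside the organization and the body contains an IBAN that passes the standard mod-97 checksum. The domain, addresses and function names are assumptions, and the sample IBAN is the widely published documentation example.

```python
import re
from email.utils import getaddresses

ORG_DOMAINS = {"example.com"}  # assumption: domains the organization owns

# Two letters, two check digits, then groups of four with optional single spaces.
IBAN_CANDIDATE = re.compile(
    r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7}(?: ?[A-Z0-9]{1,3})?\b"
)


def iban_is_valid(candidate):
    """Checksum test: move the first four characters to the end, map A-Z to 10-35, mod 97 == 1."""
    iban = candidate.replace(" ", "").upper()
    if not 15 <= len(iban) <= 34:
        return False
    rearranged = iban[4:] + iban[:4]
    digits = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(digits) % 97 == 1


def scan_draft(recipients_header, body):
    """Return masked IBANs found in a draft addressed to any external recipient."""
    external = [
        addr for _, addr in getaddresses([recipients_header])
        if addr.rpartition("@")[2].lower() not in ORG_DOMAINS
    ]
    if not external:
        return []  # internal-only mail is out of scope for this check
    findings = []
    for match in IBAN_CANDIDATE.finditer(body):
        if iban_is_valid(match.group()):
            compact = match.group().replace(" ", "")
            # Mask the middle so the finding itself does not leak the account number.
            findings.append(compact[:4] + "*" * (len(compact) - 8) + compact[-4:])
    return findings


if __name__ == "__main__":
    # Constructed draft for illustration.
    draft = "Please pay the invoice to GB82 WEST 1234 5698 7654 32 by Friday."
    print(scan_draft("pat@example.com, ap@supplier.test", draft))
```

The checksum step keeps order numbers and other IBAN-shaped strings from raising alerts, which matters if users are expected to take the warning seriously.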
Spam and phishing protection is a significant part of any organization’s security posture. Gmail blocks or flags most of these messages. However, it’s important to make sure the security settings fit your organization’s needs, or you may miss out on important messages that get mistakenly marked as spam.
Unfortunately, there will always be a few dangerous emails that slip through the cracks - that applies to both incoming and outgoing messages. It is best to complement Gmail’s security features with additional layers of protection, such as Preava Prevent.