Google steps up battle against Gmail spam


Starting in early 2024, Google stepped up three enforcement actions in the organization's ongoing fight against spam. First, bulk email senders must authenticate their email with domain-related email settings, so that each message verifiably comes from the specified sender. Second, large email senders should offer a one-click unsubscribe option and process the request within two days, so that people don't experience absurdly long delays or complicated cancellation processes when they cancel a subscription. Third, Google will impose a spam rate threshold, so mail from senders whose messages recipients frequently mark as spam will be much less likely to reach the inbox.

These changes have implications for Google Workspace administrators and everyone who uses Gmail. Administrators, at a minimum, should confirm that email authentication is active and configured correctly, both for reliable email delivery and to prevent spoofing. Gmail users should be careful not to send mass spam emails, so that their account is not marked as a spammer. Details and links for both are covered below.

How a Google Workspace administrator can combat spam in Gmail

A Google Workspace administrator can manage several settings that help reduce spam issues across the organization. The single most important task is to enable DKIM for Gmail in the Google Workspace Admin Console and configure two Domain Name System (DNS) text records with your DNS provider. The other settings offer additional spam protections, but the authentication step is essential.

To prevent phishing, a Google Workspace administrator must manage three email-related settings: DKIM, SPF, and DMARC.

  • DomainKeys Identified Mail (DKIM) can be enabled in the Google Workspace Admin Console by going to Apps | Google Workspace | Gmail | Authenticate Mail and then following the instructions displayed. Once active, this system uses mathematics to confirm that an outgoing email comes from an authorized sender account.
  • Sender Policy Framework (SPF) is a Domain Name System record that specifies the mail providers authorized to send email on your behalf. In addition to your organization's domain, the authorized providers typically include third-party systems, such as mailing list services, customer relationship databases, and financial systems (for example, billing and accounting).
  • Domain-based Message Authentication, Reporting, and Conformance (DMARC), like SPF, is configured as a DNS record. It allows you to specify what the receiving system should do when suspected spam is detected. The most severe setting allows you to reject suspicious spam. Alternatively, you can quarantine it or choose to receive a notification. Proper DMARC settings stop a significant amount of potential phishing.

All three settings work together to ensure that your organization's outgoing email is authenticated and therefore more likely to be delivered to recipients' inboxes.

A Google Workspace administrator will need to generate a key within the Admin Console (left) and configure SPF (top right), DMARC (center right), and DKIM (bottom right) text records in DNS. Screenshot: Andy Wolber/TechRepublic

Recommended: Help prevent phishing and spoofing

A Google Workspace administrator can enable enhanced pre-delivery message scanning to prevent fraudulent emails from being delivered to inboxes. This configuration requires a one-time check of a box in the Administration Console: Applications | Google Workspace | Gmail | Spam, phishing and malware | Select the check box that allows enhanced detection of suspicious content before delivery, and then select Save. Please note that this may cause a slight delay in the delivery of some emails.

Additionally, most administrators will want to enable a full set of advanced options found in the Administration Console | Google Workspace | Gmail | Security | Phishing and Authentication | Select the pencil to edit, then check the box next to each option. Select Save when you're done.

Most workspace administrators will also want to enable additional impersonation and authentication options. Screenshot: Andy Wolber/TechRepublic

Optional: Manually manage allowed and blocked senders

Another way to deal with recurring spam is to add a sender's domain to a blocked senders list. This blocks all email from an email address or domain to any recipient in your organization. In a school setting, for example, an administrator could add a commonly misspelled domain to this list, such as whitehouse.com, which is a gambling site as of 2024. Access this in the Admin Console | Applications | Google Workspace | Gmail | Spam, phishing and malware | Blocked Senders option and then select Configure.

Similarly, an administrator can add domains to a list of approved senders. This indicates that email from the specified domain should be delivered to your organization's accounts. In a school setting, the domains of a parent organization, local government, or funding organization are often added to this list. In an enterprise environment, domains from partners, suppliers, vendors, or affiliate companies are typically set to always allowed. Access this in the Admin Console | Applications | Google Workspace | Gmail | Spam, phishing and malware | Spam option, then select Configure.

Specify blocked domains or email addresses to prevent delivery or add approved senders to avoid spam detection. Screenshot: Andy Wolber/TechRepublic

How you can combat spam in Gmail

Google's changes may mean more emails are sent to a user's Gmail spam folder than to their inbox. The following actions are available to people who use Gmail and can help reduce spam.

Recommended: Use the Report Spam and Not Spam buttons

Gmail gives you the option to report the email as spam or non-spam. When you discover a spam email in your inbox, select the email and then click or tap the Report Spam icon. This indicates that you prefer emails from that sender to be sent to spam rather than your inbox.

Conversely, when you find an email in the spam folder that should not be labeled as spam, select the email and then click or tap the Not Spam button. This sends a signal to the system that you believe the email should not have been placed in spam and moves it to your inbox.

Every person who uses Gmail should report spam when it arrives in the Inbox (left) or select Not Spam (right) when an intended email mistakenly arrives as spam. Screenshot: Andy Wolber/TechRepublic

Required: Do not send bulk emails without an unsubscribe option

Make sure any mass email you send offers an unsubscribe option. For example, when you send an email using Google's mail merge feature, templates include an unsubscribe link by default. This also applies to any third-party email systems you may use, such as Constant Contact, Mailchimp, or Salesforce.

Optional: Add a sender as a Google Contact

Emails from people you've added to Google Contacts are more likely to arrive in your Gmail inbox. A series of searches and cleaning of your Gmail messages can help you identify sender addresses to add to Contacts. To add addresses, go to Google Contacts on the web, select the + Create Contact button, and then add your contact details, including their email addresses.

Optional: Sign up for Google's advanced protection program

The Advanced Protection Program adds layers of security to your Google Account, including more rigorous sign-in procedures, stricter limitations on third-party sign-ins, and restrictions on data access from external apps. You will need security keys (physical pieces of hardware) to enroll in the Advanced Protection Program. Once activated, the Advanced Protection Program makes it much more difficult for anyone else to access your account.

You can enroll in the Advanced Protection Program with any personal Gmail account; however, users in an organization should be aware that a Workspace administrator can choose to enable or disable the Advanced Protection Program for Workspace organizational accounts. If you can't enroll a work or school account, check with your Google Workspace administrator for more details.

Optional: Opt out of commercial email

Beyond the controls provided by Google, the Data & Marketing Association allows you to register your email address with the Email Preference Service. Once your address is added, ethical email marketers who rely on this list will remove it from their unsolicited mailings. You can enter up to three email addresses at a time and then confirm your deletion request by clicking a link in an email sent to each address.

Mention me or send me a message at X (@awolber) to tell me how you handle spam, whether as a Google Workspace administrator or Gmail user.
