Gmail Baseline Report

Customer Name Customer Domain Customer ID Report Date Baseline Version Tool Version
Cool Example Org example.org ABCDEFG 10/10/2025 13:08:59 Pacific Daylight Time 0.6 v0.6.0

GMAIL-1 Mail Delegation

Control ID Requirement Result Criticality Details
GWS.GMAIL.1.1v0.6 Mail Delegation SHOULD be disabled. Warning Should The following OUs are non-compliant:
  • Terry Hahn's OU: Mail delegation is enabled

GMAIL-2 DomainKeys Identified Mail

Control ID Requirement Result Criticality Details
GWS.GMAIL.2.1v0.6 DKIM SHOULD be enabled for all domains. Warning Should 1 of 2 agency domain(s) found in violation: benson-young.biz. View DNS logs for more details.

GMAIL-3 Sender Policy Framework

Control ID Requirement Result Criticality Details
GWS.GMAIL.3.1v0.6 An SPF policy SHALL be published for each domain that fails all non-approved senders. Fail Shall 2 of 2 agency domain(s) found in violation: example.org, benson-young.biz. View DNS logs for more details.

GMAIL-4 Domain-based Message Authentication, Reporting, and Conformance

Control ID Requirement Result Criticality Details
GWS.GMAIL.4.1v0.6 A DMARC policy SHALL be published at the full domain or the second-level domain for all Google Workspace domains, including user alias domains. Fail Shall 1 of 2 agency domain(s) found in violation: example.org. View DNS logs for more details.
GWS.GMAIL.4.2v0.6 The DMARC message rejection option SHALL be p=reject. Fail Shall 1 of 2 agency domain(s) found in violation: example.org. View DNS logs for more details.
GWS.GMAIL.4.3v0.6 The DMARC point of contact for aggregate reports SHALL include `reports@dmarc.cyber.dhs.gov`. Fail Shall 1 of 2 agency domain(s) found in violation: example.org. View DNS logs for more details.
GWS.GMAIL.4.4v0.6 An agency point of contact SHOULD be included for aggregate and failure reports. Warning Should 1 of 2 agency domain(s) found in violation: example.org. View DNS logs for more details.

GMAIL-5 Attachment Protections

Control ID Requirement Result Criticality Details
GWS.GMAIL.5.1v0.6 Protect against encrypted attachments from untrusted senders SHALL be enabled. Pass Shall Requirement met in all OUs and groups.
GWS.GMAIL.5.2v0.6 Protect against attachments with scripts from untrusted senders SHALL be enabled. Pass Shall Requirement met in all OUs and groups.
GWS.GMAIL.5.3v0.6 Protect against anomalous attachment types in emails SHALL be enabled. Pass Shall Requirement met in all OUs and groups.
GWS.GMAIL.5.4v0.6 Google SHOULD be allowed to automatically apply future recommended settings for attachments. Pass Should Requirement met in all OUs and groups.
GWS.GMAIL.5.5v0.6 Emails flagged by the above attachment protection controls SHALL NOT be kept in inbox. Pass Shall Requirement met in all OUs and groups.
GWS.GMAIL.5.6v0.6 Any third-party or outside application selected for attachment protection SHOULD offer services comparable to those offered by Google Workspace. N/A Should/Not-Implemented Currently not able to be tested automatically; please check manually.

GMAIL-6 Links and External Images Protection

Control ID Requirement Result Criticality Details
GWS.GMAIL.6.1v0.6 Identify links behind shortened URLs SHALL be enabled. Pass Shall Requirement met in all OUs and groups.
GWS.GMAIL.6.2v0.6 Scan linked images SHALL be enabled. Pass Shall Requirement met in all OUs and groups.
GWS.GMAIL.6.3v0.6 Show warning prompt for any click on links to untrusted domains SHALL be enabled. Pass Shall Requirement met in all OUs and groups.
GWS.GMAIL.6.4v0.6 Google SHALL be allowed to automatically apply future recommended settings for links and external images. Pass Should Requirement met in all OUs and groups.
GWS.GMAIL.6.5v0.6 Any third-party or outside application selected for links and external images protection SHOULD offer services comparable to those offered by Google Workspace. N/A Should/Not-Implemented Currently not able to be tested automatically; please manually check.

GMAIL-7 Spoofing and Authentication Protection

Control ID Requirement Result Criticality Details
GWS.GMAIL.7.1v0.6 Protect against domain spoofing based on similar domain names SHALL be enabled. Pass Shall Requirement met in all OUs and groups.
GWS.GMAIL.7.2v0.6 Protect against spoofing of employee names SHALL be enabled. Pass Shall Requirement met in all OUs and groups.
GWS.GMAIL.7.3v0.6 Protect against inbound emails spoofing your domain SHALL be enabled. Pass Shall Requirement met in all OUs and groups.
GWS.GMAIL.7.4v0.6 Protect against any unauthenticated emails SHALL be enabled. Pass Shall Requirement met in all OUs and groups.
GWS.GMAIL.7.5v0.6 Protect your Groups from inbound emails spoofing your domain SHALL be enabled. Pass Shall Requirement met in all OUs and groups.
GWS.GMAIL.7.6v0.6 Emails flagged by the above spoofing and authentication controls SHALL NOT be kept in inbox. Pass Shall Requirement met in all OUs and groups.
GWS.GMAIL.7.7v0.6 Google SHALL be allowed to automatically apply future recommended settings for spoofing and authentication. Pass Should Requirement met in all OUs and groups.
GWS.GMAIL.7.8v0.6 Any third-party or outside application selected for spoofing and authentication protection SHOULD offer services comparable to those offered by Google Workspace. N/A Should/Not-Implemented Currently not able to be tested automatically; please manually check.

GMAIL-8 User Email Uploads

Control ID Requirement Result Criticality Details
GWS.GMAIL.8.1v0.6 User email uploads SHALL be disabled to protect against unauthorized files being introduced into the secured environment. Pass Shall Requirement met in all OUs and groups.

GMAIL-9 POP and IMAP Access for Users

Control ID Requirement Result Criticality Details
GWS.GMAIL.9.1v0.6 POP and IMAP access SHALL be disabled to protect sensitive agency or organization emails from being accessed through legacy applications or other third-party mail clients. Fail Shall The following OUs are non-compliant:
  • Cool Example Org (group "Thomas Parker's group"): IMAP access is enabled

GMAIL-10 Google Workspace Sync

Control ID Requirement Result Criticality Details
GWS.GMAIL.10.1v0.6 Google Workspace Sync SHOULD be disabled. Pass Shall Requirement met in all OUs and groups.

GMAIL-11 Automatic Forwarding

Control ID Requirement Result Criticality Details
GWS.GMAIL.11.1v0.6 Automatic forwarding SHOULD be disabled, especially to external domains. Pass Shall Requirement met in all OUs and groups.

GMAIL-12 Per-user Outbound Gateways

Control ID Requirement Result Criticality Details
GWS.GMAIL.12.1v0.6 Using a per-user outbound gateway that is a mail server other than the Google Workspace mail servers SHALL be disabled. Pass Shall Requirement met in all OUs and groups.

GMAIL-13 Unintended External Reply Warning

Control ID Requirement Result Criticality Details
GWS.GMAIL.13.1v0.6 Unintended external reply warnings SHALL be enabled. Pass Shall Requirement met in all OUs and groups.

 Log-based check. See limitations.

GMAIL-14 Email Allowlist

Control ID Requirement Result Criticality Details
GWS.GMAIL.14.1v0.6 An email allowlist SHOULD not be implemented. Warning Should Email allowlists are enabled in Cool Example Org.

GMAIL-15 Enhanced Pre-Delivery Message Scanning

Control ID Requirement Result Criticality Details
GWS.GMAIL.15.1v0.6 Enhanced pre-delivery message scanning SHALL be enabled to prevent phishing. Pass Shall Requirement met in all OUs and groups.
GWS.GMAIL.15.2v0.6 Any third-party or outside application selected for enhanced pre-delivery message scanning SHOULD offer services comparable to those offered by Google Workspace. N/A Should/Not-Implemented Currently not able to be tested automatically; please manually check.

GMAIL-16 Security Sandbox

Control ID Requirement Result Criticality Details
GWS.GMAIL.16.1v0.6 Security sandbox SHOULD be enabled to provide additional protections for their email messages. No events found Should No relevant event in the current logs for the top-level OU, Cool Example Org. While we are unable to determine the state from the logs, the default setting is non-compliant; manual check recommended.

 Log-based check. See limitations.
GWS.GMAIL.16.2v0.6 Any third-party or outside application selected for security sandbox SHOULD offer services comparable to those offered by Google Workspace. N/A Should/Not-Implemented Currently not able to be tested automatically; please manually check.

GMAIL-17 Comprehensive Mail Storage

Control ID Requirement Result Criticality Details
GWS.GMAIL.17.1v0.6 Comprehensive mail storage SHOULD be enabled to allow tracking of information across applications. N/A Should/Not-Implemented Currently not able to be tested automatically; please manually check.

GMAIL-18 Spam Filtering

Control ID Requirement Result Criticality Details
GWS.GMAIL.18.1v0.6 Domains SHALL NOT be added to lists that bypass spam filters. N/A Shall/Not-Implemented Currently not able to be tested automatically; please manually check.
GWS.GMAIL.18.2v0.6 Domains SHALL NOT be added to lists that bypass spam filters and hide warnings. N/A Shall/Not-Implemented Currently not able to be tested automatically; please manually check.
GWS.GMAIL.18.3v0.6 Bypass spam filters and hide warnings for all messages from internal and external senders SHALL NOT be enabled. N/A Shall/Not-Implemented Currently not able to be tested automatically; please manually check.

DNS Logs

DNS queries ScubaGear made while identifying SPF, DKIM, and DMARC records. Note: if DNS queries unexpectedly return 0 txt records, it may be a sign that the system-default resolver is unable to resolve the domain names (e.g., due to a split-horizon setup).

SPF

Query Name Query Method Summary Answers
example.com traditional Query returned 0 txt records
example.com DoH Query returned 0 txt records
example.gov traditional Query returned 1 txt records v=spf1 include:_spf.google.com ~all

DKIM

Query Name Query Method Summary Answers
google._domainkey.example.com traditional Query returned 0 txt records
google._domainkey.example.com DoH Query returned 0 txt records
selector1._domainkey.example.com traditional Query returned 0 txt records
selector1._domainkey.example.com DoH Query returned 0 txt records
selector2._domainkey.example.com traditional Query returned 0 txt records
selector2._domainkey.example.com DoH Query returned 0 txt records
google._domainkey.example.gov traditional Query returned 1 txt records v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAlaknWsKvtbTLAxtWSF5sDt+zvQhTXhT7V2QTnhPGlVXotXxL4VscG5cSnWus8rS4itN9ItxtzompUVRZ14b6hO1C+pxYAcl8Zaj6wsjE2vmEAmLHeXjj9EHMzrhfay2A02MJHReszok" "yLKBm+OZ7F4SNWP4SCazXkouOeATNrcIPUZxBV769ewx6ClumvOeHAqC77VxJieBg+7LaORrm23DMtWqdkMUWB/wmfCHO333/u6bY21eCMgiP/f+jSiylKDdY5kERpRU0NiIxlTGUhqROJESnxNUTqbK69CTAOYR6qhwJeT4OCsuE1zu6gxANmZMClIMiM2SuntXwNswb" "4QIDAQAB

DMARC

Query Name Query Method Summary Answers
_dmarc.example.com traditional Query returned 0 txt records
_dmarc.example.com DoH Query returned 0 txt records
_dmarc.example.org traditional Query returned 1 txt records v=DMARC1; p=reject; pct=100; rua=mailto:DMARC@example.org,  mailto:reports@dmarc.cyber.dhs.gov; ruf=mailto:dmarc-forensics@example.org
_dmarc.example.gov traditional Query returned NXDOMAIN
_dmarc.example.gov DoH Query returned NXDomain
_dmarc.example.gov traditional Query returned NXDOMAIN
_dmarc.example.gov DoH Query returned NXDomain