# 19 Residual mail & service hygiene

> v0.1.3 · role: Assure · [policy: #27 · #18](https://docs.google.com/spreadsheets/d/1nOztaPd1Y7eNeRSR_hdovYy-ncpx-bAx/edit?usp=sharing&ouid=115159875779023172526&rtpof=true&sd=true)

The remaining mail and service defaults, all of them free on every edition. Gmail's Safety protections — attachments, links and external images, spoofing and unauthenticated senders — are turned on and set to quarantine rather than a warning banner; the spam-bypass holes (an over-broad approved-senders list, 'bypass spam filters for internal senders') are closed; comprehensive mail storage is turned on so Vault actually sees everything; and unused services such as Google Sites are turned off, because an unused publishing surface inside the tenant is a free phishing host carrying your domain's reputation. The Gmail Security Sandbox ([23 Gmail Security Sandbox + safety-toggle verification](gmail-sandbox-safety.md)) adds attachment detonation on top of these toggles, but it is edition-gated and these are not.

## Caveats

- The Safety toggles default to 'keep in inbox and show warning' — a banner users click through is not a control; quarantine is the setting that takes the decision away from them.
- 'Bypass spam filters for internal senders' is the toggle a mail-migration vendor quietly re-enables — watch it with the config-drift sentinel (№59).
- Turning off a service such as Sites does not delete what is already published — enumerate and remove the existing sites.
- Comprehensive mail storage is a Vault prerequisite — without it, mail that never touched a user's mailbox is not retained and will not be discoverable.

## Setup steps

1. Turn on every Safety protection and, critically, set each one to quarantine rather than 'keep in inbox with warning' where the policy allows; quarantine acts on incoming messages only. — `Apps › Google Workspace › Gmail › Safety`

   - **Attachments (encrypted, scripts, anomalous)** = On + Quarantine
   - **Links and external images** = all On
   - **Spoofing and authentication** = all On (incl. 'Protect against domain spoofing based on similar domain names' and 'Protect against any unauthenticated emails')

   docs: [Advanced phishing and malware protection](https://knowledge.workspace.google.com/admin/gmail/advanced/advanced-phishing-and-malware-protection)

2. Verify no spam-bypass hole exists: an over-broad approved-senders list or 'bypass spam filters for internal senders' undoes the whole safety stack. — `Apps › Google Workspace › Gmail › Spam, phishing and malware`

   - **Bypass spam filters for internal senders** = Off
   - **approved-sender lists** = empty or narrowly justified
   - **Enhanced pre-delivery message scanning** = On

   docs: [Add custom spam filters to Gmail](https://knowledge.workspace.google.com/admin/gmail/advanced/add-custom-spam-filters-to-gmail) · [Help prevent phishing with pre-delivery message scanning](https://knowledge.workspace.google.com/admin/security/help-prevent-phishing-with-pre-delivery-message-scanning)

3. Turn off Google Sites — an unused publishing surface inside the tenant is a free phishing/exfil host carrying your domain's reputation. — `Apps › Google Workspace › Sites › Service status`

   - **Sites service status** = Off for everyone

   docs: [Turn Sites on or off for users](https://knowledge.workspace.google.com/admin/users/access/turn-sites-on-or-off-for-users)

4. Sweep the Additional Google services list and turn off every service nobody uses. — `Apps › Additional Google services`

   - **Unused additional services** = Off

   docs: [Turn on or off additional Google services](https://knowledge.workspace.google.com/admin/users/advanced/turn-on-or-off-additional-google-services)

5. Turn on comprehensive mail storage, so a copy of every sent and received message — including mail that never lands in a user's mailbox — is stored and Vault ([№30](vault-retention.md)) actually sees everything. — `Apps › Google Workspace › Gmail › Compliance`

   - **Comprehensive mail storage** = On

   docs: [Set up comprehensive mail storage](https://knowledge.workspace.google.com/admin/gmail/advanced/set-up-comprehensive-mail-storage)

## How to verify

1. Walk the four hygiene screens and confirm each setting matches the control; there is no user-visible surface to probe.

## Settings screens

- Apps > Google Workspace > Gmail > Safety (attachment, link, external-sender warnings)
  - console: https://admin.google.com/ac/apps/gmail/safety
  - screenshot: ../screenshots/admin.google.com/ac/apps/gmail/safety.png
- Apps > Google Workspace > Gmail > Spam, phishing and malware
  - console: https://admin.google.com/ac/apps/gmail/spam
  - screenshot: ../screenshots/admin.google.com/ac/apps/gmail/spam.png
- Apps > Google Workspace > Sites (service status)
  - console: https://admin.google.com/ac/managedsettings/142495531730
  - screenshot: ../screenshots/admin.google.com/ac/managedsettings/142495531730.png
- Apps > Additional Google services (turn off unused services)
  - console: https://admin.google.com/ac/appslist/additional
  - screenshot: ../screenshots/admin.google.com/ac/appslist/additional.png
- Apps > Google Workspace > Gmail > Compliance (comprehensive mail storage)
  - console: https://admin.google.com/ac/apps/gmail/compliance
  - screenshot: ../screenshots/admin.google.com/ac/apps/gmail/compliance.png
