# Chapter 4: GWS Mail Management

## Exercise 1

Skipped.

## Introduction to DNS

CNAME records, TXT records, MX records, SPF, DKIM and DMARC, plus NS records, A records and so on.

{{:resources:courses:pasted:20250123-181528.png}}

## Exercise 2

Reference: [[https://support.google.com/a/answer/140034]]

<note>
1. Create the user accounts first (this presumably means the mailboxes), then point the MX records to GWS.
2. The default TTL is 3600, but once Gmail is working normally it can be changed to 86400, so that updates happen once a day.
3. When moving an existing mail system to GWS, you can keep the current MX records but lower their priority (for example, set the priority to 10+). Once all mailboxes go through Google, delete the original MX records. This ensures that no mail is lost.
</note>

## Exercise 3

Check MX. The tool URL is [[https://toolbox.googleapps.com/apps/checkmx/]]

{{:resources:courses:pasted:20250123-215110.png}}

Clicking a warning shows how to resolve it.

## Quiz 1

<q>You need to make a change to your MX records and you want the change to be implemented as soon as possible. What approach can you take?</q>

- Change your MX records in the admin console and reduce the Time to Live (TTL) value to one hour. Once the change has been implemented revert the TTL value to 24 hours
- **Make the change in your DNS console and reduce the Time to Live (TTL) value to 1 hour. Once the change has been implemented revert the TTL value to 24 hours**
- Change your MX records in the admin console and reduce the Time to Live (TTL) value to one hour
- Make the change in your DNS console and reduce the Time to Live (TTL) value to 1 hour

<q>Which type of DNS record determines where mail destined for your domain is routed?</q>

- **MX Record**
- TXT Record
- NS Record
- CNAME Record

<q>In general, from where would you manage your domain's DNS records?</q>

- All of the options here
- In your local DNS files
- **In your domain registrar console**
- In the Google Workspace admin console

<q>What are common uses for a DNS TXT record when using Google Workspace? (Choose 2)</q>

- Customise a Google service address
- Control inbound mail to your domain
- **Domain verification**
- **Email security records**

## Mail security

Three measures: SPF, DKIM and DMARC.

- SPF: verify the domain you own
- DKIM: prevent email spoofing on outbound messages by adding an encrypted header
- DMARC: tell email servers how to handle messages that fail SPF/DKIM checks

## Exercise 1

SPF is set up by adding a TXT record to DNS. Xserver already has a record, so append <code>include:_spf.google.com ~all</code> to the end of it. The record takes about 24 hours to take effect.

Reference: [[https://support.google.com/a/answer/33786#zippy=%2Cspf-%E8%AE%B0%E5%BD%95%E7%A4%BA%E4%BE%8B]]

## Exercise 2

{{:resources:courses:pasted:20250123-221340.png}}

{{:resources:courses:pasted:20250123-221407.png}}

Once generated, it looks like this:

{{:resources:courses:pasted:20250123-221505.png}}

The generated record already exists among the DKIM records in Xserver's DNS, and it is identical.

Reference: [[https://support.google.com/a/answer/174124]]

## Exercise 3

{{:resources:courses:pasted:20250123-222013.png}}

This TXT record tells the receiving mail server what to do when a message is judged Fail; here, it notifies the administrator.

## Quiz 2

<q>What is the main purpose of a Sender Policy Framework (SPF) record?</q>

- **It specifies which servers/domains can send messages on your behalf**
- It can be used to verify that message content is authentic and has not changed
- It defines the action to take on suspicious incoming messages

<q>You have been asked to implement DomainKeys Identified Mail (DKIM) for your organization. How would you do this?</q>

- Enable DKIM from Apps > Google Workspace > Gmail > Authenticate email
- Enable DKIM directly in your DNS records
- Generate a key from your DNS records and add it to the Google Workspace admin console. Then Enable DKIM from Apps > Google Workspace > Gmail > Authenticate email
- **Generate a DKIM record from Apps > Google Workspace > Gmail > Authenticate email. Add the record to your DNS records and then start authentication from the admin console**

<q>What policy defines what to do if an incoming message is not authenticated?</q>

- SPF
- DKIM
- All of the options here
- **DMARC**

<q>DKIM adds an encrypted signature to the header of all outgoing messages. What happens if you don't turn on email signing with your own domain DKIM key?</q>

- Gmail signs all outgoing messages with a temporary key generated for your domain
- **Gmail signs all outgoing messages with this default DKIM domain key d=\*.gappssmtp.com**
- Gmail signs all outgoing messages with a key generated using the From address in the message
- Messages are sent as normal with no additional headers

## Mail safety settings

Encrypted attachments from untrusted senders are quarantined.

{{:resources:courses:pasted:20250123-222958.png}}

<note>Even if you have added a domain as safe, the settings here still apply. The two are independent of each other.</note>

## Exercise 2

For contractors, disable automatic forwarding of mail to personal mailboxes and disable POP and IMAP, except for those who have GWS Sync enabled.

{{:resources:courses:pasted:20250123-223432.png}}

Rules now stop working as well.

## Quiz 3

<q>The attachment section in the Gmail Safety settings page allows you to protect against malicious attachments. What actions can you perform on a suspicious attachment? (Choose 2)</q>

- Keep email in inbox without warning
- **Move email to spam**
- Send to a designated user
- **Keep email in inbox and show warning**

<q>You have enabled protection against anomalous attachment types in emails from the Gmail > Safety page but you are finding some emails with valid attachment types are not being delivered. How can you resolve this?</q>

- Ask each user to create an allowlist of allowable file types
- **Add an allowlist of allowable file types to the entry in the Attachments section on the Safety page**
- Have all messages that trigger this setting delivered to a quarantine and then release the messages manually
- You cannot control what file types are considered anomalous so you must disable this protection to allow messages to be delivered

<q>What are valid reasons for allowing per-user outbound gateways in your organization? (Choose 2)</q>

- **An outbound gateway ensures that the same mail server delivers all messages from otherdomain and that server has a record that the mail has been sent**
- Mail delivery times are improved because messages bypass the Gmail servers
- **An outbound gateway can prevent the appearance of "on behalf of" addresses in the From field**
- Allows your users to send mail from their business and personal Gmail account from one inbox

<q>Google recommends against the use of the Image URL proxy allowlist?</q>

- **True**
- False

## Exercise 1

Add a trusted IP address. Although it is trusted, suspicious mail sent from it is still placed in the spam folder.

{{:resources:courses:pasted:20250123-224534.png}}

Send a message from your own mailbox to the GWS administrator mailbox. Then add a blocklist in the console.

{{:resources:courses:pasted:20250123-224944.png}}

{{:resources:courses:pasted:20250123-225101.png}}

Reference: [[https://support.google.com/a/answer/2364632?hl=zh-Hans&sjid=16549908282098203174-AP]]

## Exercise 2

Create an allowlist: Gmail > Spam, Phishing and Malware > Spam

{{:resources:courses:pasted:20250123-225549.png}}

{{:resources:courses:pasted:20250123-225642.png}}

<note>Even with an allowlist in place, verification is still required, that is, the Sender authentication protection, so do not turn it off.</note>

<note>Besides adding a spam filter, another measure is to use pre-scanning.</note>

Reference: [[https://support.google.com/a/answer/7380368]]

## Quiz 4

<q>Which of the following are reasons to use an inbound gateway? (Choose 2)</q>

- Can be used for batch delivery of email to Gmail
- Improves mail delivery performance
- **Spam filtering**
- **Message archiving**

<q>Your organization has been receiving unwanted emails from another organization, and attempts by you to get the organization to stop sending the emails have failed. What approach is best to stop messages from this organization from reaching your users?</q>

- Configure a blocked senders list and add the domain's IP address to the list
- Ask each of your users to block the domain
- **Configure a blocked senders list and add the domain name to the list**
- Contact Google Support and ask them to block the organization for you

<q>Messages from a single person that you trust are being marked as spam by Gmail. What approach is best to ensure that these messages reach the intended recipients inboxes?</q>

- Setup a security sandbox rule for the user to have all mail verified by the sandbox prior to delivery
- **Add a spam setting which bypasses spam filters for messages received from addresses within an approved senders list. Add the user's email address to the list**
- Ask each of your users to add the contact to their personal contacts
- Add the user's email address to your email allowlist

## Mail compliance checks

- Attachment compliance
- Content compliance
- Objectionable content compliance

Actions after a rule is triggered:

- rejected before it reaches the recipient
- sent to the admin
- modified before delivery

DLP measures

## Exercise 1

{{:resources:courses:pasted:20250123-230719.png}}

## Exercise 2

{{:resources:courses:pasted:20250123-231456.png}}

Then send a message containing Jupiter (in the subject or the body) to your personal mailbox; it is not received.

## Exercise 3

{{:resources:courses:pasted:20250123-232142.png}}

Send a non-compliant message, then view the quarantined mail (using the administrator account).

{{:resources:courses:pasted:20250123-232301.png}}

You can also visit the following URL: [[https://email-quarantine.google.com/adminreview]]

<note>Administrators need to process quarantined mail regularly; messages not handled within 30 days are deleted automatically.</note>

## Other compliance measures

- email and chat auto-deletion: deletes messages older than a given age
- OCR for email attachments (not supported by all GWS editions)
- restrict delivery (generally used for education accounts)
- Security sandbox (Microsoft's EDR has this feature too)

## Quiz 5

<q>You want to prevent your users from receiving mail from baddomain.com. What is the best way to achieve this?</q>

- **Add baddomain.com to a blocked senders list**
- Add baddomain.com's IP address to the blocked senders list
- Create a security sandbox rule to filter and delete messages to/from baddomain.com
- Configure the 'Restrict delivery' setting to prevent message exchange between your users and baddomain.com

<q>What actions can an administrator perform on a quarantined message? (Choose 2)</q>

- **Deny**
- **Allow**
- Return to sender
- Deliver to another recipient

<q>In which type of compliance control can you apply a Data Loss Prevention (DLP) rule for Gmail?</q>

- Objectionable content
- **Content compliance**
- Optical Character Recognition (OCR)
- Attachment compliance

<q>Which statements are true for an objectionable content rule? (Choose 2)</q>

- **An objectionable content setting works on inbound and outbound messages**
- In an objectionable content setting you use a predefined list of objectionable words for filtering for objectionable content
- An objectionable content setting works on inbound messages only
- **In an objectionable content setting you create word lists for filtering for objectionable content**

## Mail routing

There are three modes: the default Direct, plus Dual and Split Delivery.

Dual is used for small-scale mail testing, where both the old and the new mailbox need to receive the message (or during a mail migration, for example a batch of non-GWS mailboxes taken over from an acquired company).

Split is used to distribute incoming mail to different mailboxes. Like Dual, it is a temporary arrangement rather than a long-term one.

## Exercise 1

Set up Split Delivery.

{{:resources:courses:pasted:20250123-234001.png}}

The port must not be empty.

{{:resources:courses:pasted:20250123-234109.png}}

{{:resources:courses:pasted:20250123-234321.png}}

This way, all mail from unrecognized users is forwarded to the legacy mail server, which suits people who have not yet migrated to Gmail.

Reference: [[https://support.google.com/a/answer/2614757]]

## Other routing options

- outbound mail gateway server: used to back up or filter mail
- virtual user table: builds a mapping; up to 5000 entries can be added, each holding 12 addresses; used to retain mail
- Inbound e-mail journal acceptance to Vault: saves mail to another mail platform
- 3rd party email archiving

## Quiz 6

<q>Which mail delivery scheme allows messages to be delivered to multiple mailboxes?</q>

- Indirect delivery
- Split delivery
- **Dual delivery**
- Direct delivery

<q>What advantages does a routing setting have over an outbound gateway when you need to route mail through an external mail server?</q>

- A routing setting can be applied at an OU level
- Address lists can be used to control or bypass a routing setting
- **All of the options here**
- A routing setting can be applied to specific senders and recipients

<q>What must you define before you can change the route in a routing setting?</q>

- An outbound gateway
- Alternate secure route
- **A mail host**
- An SMTP relay

<q>Which features in Google Workspace can be used to leverage Google's spam protection for users who are on a non-Gmail mail platform? (Choose 2)</q>

- Alternate secure route
- **SMTP Relay service**
- **Non-Gmail mailbox**
- Outbound gateway

<note>The next 2 chapters no longer need the test GWS account, so the subscription can be cancelled!</note>

{{:resources:courses:pasted:20250125-094448.png}}

{{:resources:courses:pasted:20250125-094613.png}}

At this point, core GWS services such as Gmail, Drive and Calendar are no longer available, so just delete the account.

{{:resources:courses:pasted:20250125-095037.png}}

It checks whether there are any Marketplace apps; if there are, the apps must be deleted before the account can be deleted.
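
An added example, not part of the original notes, for the SPF exercise in the mail security section above: appending `include:_spf.google.com ~all` to a record that already exists means editing that one TXT value, not publishing a second `v=spf1` record. The sample TXT values and the helper names (`merge_spf`, `update_txt`, `lookup_count`) are constructed for illustration, and the example goes slightly beyond the exercise by also checking the 10-lookup limit from RFC 7208.

```python
# Added example, not from the original notes. Helper names are hypothetical.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10  # RFC 7208 cap on DNS-querying terms per SPF check


def bare(term):
    """Strip the qualifier (+ - ~ ?) and lower-case the term."""
    return term.lstrip("+-~?").lower()


def lookup_count(terms):
    """Count the terms that make a receiver issue a further DNS query."""
    names = (bare(t).replace("=", ":").replace("/", ":").split(":")[0]
             for t in terms)
    return sum(name in LOOKUP_TERMS for name in names)


def merge_spf(existing, include="_spf.google.com", final="~all"):
    """Add include:<include> to an SPF record, ending in a single `all`."""
    terms = existing.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % existing)
    # Drop the old `all` (its qualifier is replaced by `final`): anything
    # written after an `all` term is never evaluated.
    body = [t for t in terms[1:] if bare(t) != "all"]
    wanted = "include:" + include.lower()
    if wanted not in (bare(t) for t in body):
        body.append(wanted)
    if lookup_count(body) > MAX_LOOKUPS:
        raise ValueError("more than %d DNS-lookup terms" % MAX_LOOKUPS)
    return " ".join(["v=spf1"] + body + [final])


def update_txt(txt_values):
    """Rewrite the one SPF value among a name's TXT values, keep the rest."""
    spf = [v for v in txt_values if v.lower().split()[:1] == ["v=spf1"]]
    if len(spf) > 1:
        raise ValueError("several v=spf1 records: SPF result is permerror")
    if not spf:
        return list(txt_values) + [merge_spf("v=spf1")]
    return [merge_spf(v) if v == spf[0] else v for v in txt_values]


# Constructed sample: TXT values as they might already exist at the DNS host.
SAMPLE = ["google-site-verification=EXAMPLE-TOKEN",
          "v=spf1 +a:mail.example.net +mx ~all"]

if __name__ == "__main__":
    for value in update_txt(SAMPLE):
        print(value)
```

Running `merge_spf` on its own output returns the same string, so the edit can be re-applied safely while waiting for the record to propagate.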
resources/courses/gws_c4.txt · Last modified: 2025/01/25 10:27 by jackiez