Now 2FA is working for my 2 users, I can create our first Shared email address. For Google Workspace this is a “Collaborative Inbox” (see the setup instructions here). We’ve not had this in the past. We used to have a shared email address, showroom@rkbb.co.uk that was a regular user email address and then had delegated access to all of us that monitored it and replied to emails from customers. Whilst that would work still, it will also cost the same as another user account each month (near £55 per year on the cheapest account) whereas a collaborative inbox is free and apparently has built in tools to handle being used my multiple people and stop duplication of replies or not actioning an email because you think someone else is doing it.

First, we create a new Group (9 dot link)

then the 3 lines link

then create group

I chose hello@roots.uk for the group name. We set up showroom@rkbb.co.uk as an address back in 1999 and in todays world hello@ sounds nicer and easier to say then showroom@.

Privacy settings next, and that’s easy for our small business as every user can see everything and everyone can join.

and finally I can add members now. Me and my brother as owners and as I add the other user accounts I can add them later.

I’ve left it as subscription to each email but I’m not entirely sure that’s right yet.

Now I can go to the group

Reading the setup instructions, next I have to go to group settings and turn on “collaborative inbox”

There are some permissions to be assigned but I’m going with the defaults for now and will see how they work. The other interesting setting is “Default Sender” and I’m going to start by changing this to “Group address” by default. I think this will mean that if I reply to an email and there’s a response it still goes to the collaborative inbox so that others can see and action it.

There’s an email option setting and that includes the ability to turn off the standard groups footer (I’m turning it off) and add a custom footer (which I’ll turn on and add our standard email footer text).

Now to send a test email from an address outside of roots.uk to see how it works…

and it failed, but I think I see why

the group only allows posting by people within roots.uk and so my email from my old address was rejected.

Back to the group settings, I’ve turned on “Shared Labels” whilst passing – I expect that will mean if I label an email “supplier invoice” everyone will see that label. I saw no option to allow posting from outside our domain.

Next step is to return to admin.google.com, type the group name into the search box then click on the group.

Opening the settings box to edit it, I can see a column for “External” and “publish posts” field so I’ll activate that and save. I did not allow external members to the group, as I don’t want anyone joining it and seeing our emails.

and it looks like it worked, I have an email delivered to my inbox;

I can reply to that as a normal email and that arrives fine.

I see the same email in the shared group, but I don’t see my reply. That makes sense as the email was delivered to two places. I think I need to turn of emails to group members.

and if I reply from the group I get… confused

ahh, I see, I can choose to reply from my personal email or the group address

and replying from my address means the reply is sent to:hello@roots.uk and CC: the original sender,

that’s no good for me. Back to the group settings and set the default sender to be the group address.

and another option “Post replies to” was set as Sender Chooses so I’ll change that to default to the author only

I think that means if there are multiple people in the conversation we’ll have remember to select them.

In My membership settings I can change from each email to No Email.

Time for a new test!

Looking good…

and it’s still not perfect

The email was CC’d to the originator again and I want them to be in the to: location, like a normal email.

Now it’s late, so I’ll return in the next day or so when I have time to figure out the solution.

Now to set up and enforce 2FA (Two Factor Authentication) for all users in my new domain. First I want to make sure it is active and working for me!

In Gmail, clicking the “S” at the top right, which comes from my name Steve, opens a box with an option to “Manage your Google Account”

In the next page I select Security and then the right arrow allong from “2 Step verification”

The default is to get an SMS message or phone call but I don’t want that. I want to use “Google Prompt” which is an app built into my Android phone and I think it also works on iPhones too. SMS can be compromised so Security Keys or prompts are the way to go. I think my android phone can also act as a security key too, but the prompt has always worked well for me.

I need to select “show more options”

My device isn’t shown, so the link “Don’t see your device”.

and this tells me I need to login to my new Workspace account from my phone for it to be seen, so I’ll go to my phone and do that.

On android I do this by going Settings > Accounts > Add Account > Google

(you can have more than one google account linked to your phone)

My new email address and password are entered and it takes 30 seconds or so to login and set itself up. Once that’s done, I click the “Try Again” link and my phone appears. Yes it’s an old phone (2 and a half years!) and yes I’m looking to update it but only because the charging port is slightly loose. Can you imagine how long it takes me to pick a new phone? !!

click Continue

It wants a backup option, and is asking for a phone number again. I’m going with this though deep down I think the current security wisdom is not to allow SMS resets.

Enter the confirmation code that came by text message

and “Turn on”

So that should be working and the confirmation screen gives me more options.

First, I generate the backup codes. These can be printed and put somewhere safe for the event you lose your phone and can’t use the Prompt or SMS methods. Perhaps keep them in your wallet. If you’re worried about losing your wallet and someone logging into your account using these backup codes then you can encrypt them with your own secret algorithm. Add 1 to the first and last digit.

Second, I set up an authenticator app. I used to use Google Authenticator but I had a problem once where a factory reset of my phone meant I lost access to the Generator. Now I use 1password which includes a generator. As long as I can get into 1password I can always get to the Authenticator codes.

Finally, I tried the security key but that doesn’t work for me as a I don’t have one 🙂 I thought my phone might act as one but I was prompted for Windows to look for one connected by USB. Maybe one day I’ll add that approach too. I think a hardware security key that can be on my keyring and work separate to my phone and wallet may be a useful backup method

Now to log out, log in and see if I’m prompted for a code:

and yes I was. All is good and secure.

Not to enforce 2FA as a requirement across all users.

The 9 dots top right > Admin > Security > 2-Step Verification

Maybe I’m bit too worried about security, but these are the settings I’ve chosen for my users.

• 2FA is turned on from now
• There is no grace period for new ysers
• They can trust the device once they’re logged in. I think google still prompts every 30 days.
• They can’t get verification codes by SMS message of phone calls. SMS is not secure and we are all vulnerable to SIM Swapping (that’s a link to youtube video that explains it well. She also covers a lot of security related topics with great advice for geeks and non geeks alike).

So, that should be enforcing 2FA for all our users, which is so far just me and my brother. Except he probably didn’t set up 2FA when I told him he could log in earlier so he’s probably being locked out right now. To fix that, Admin > directory > Users and click on his name and I can see that he does not have 2FA enabled and also he has no recovery options.

When I go to edit this (the down arrow on the top right opens the panel up) I see that only the user can enable 2FA.

I suspect that the next time he logs in he will be forced to do that so I’ll leave this for now and see what happens. It might be I need to add a recovery email address and/or phone number as he hadn’t set those yet either.

Once he is set up with 2FA I will also make him a super admin. This is important as if something happens to me I want him to be have full access to everything in the business. Also if I lose my phone he can also reset my password. I’m always trying to avoid a single point of failure in our business.

In Part 1 I registered a new Google Workspace account and told it our domain name. Now we have to prove to google it’s actually our domain to use.

There are a couple of ways to do this and all of them involve adding entries to the DNS records of your domain, which you do through the website of whoever you bought your domain from. For many years I’ve bought all my domains through Gandi and I highly recommend them (not a referral link and I’ve no promo codes to pass on). Google & Gandi work for the “Automatic Activation” method which makes things very easy from this point.

Once signed in, the verification process begins!

The automatic process is doing what you can do by hand. Firstly, it adds a DNS TXT record with a unique string that is publicly available. Because you can set this google know this is really your domain.

Here things get a little complicated, as I already had this domain set up with our old Google Workspace legacy account and I left the email settings in place. These are DNS MX records that tell the world where to deliver your email.

If you’re using email on another provider I assume Google Workspace would give you the option as to whether to change these settings from your current provider to the google servers. As we weren’t using the domain for email (at least, not in a way I minded breaking for few days) I can’t tell if that’s the case or if they’d be added automatically if there are no existing MX records. Seeing as this is step 3 in the setup and we haven’t yet done step 2, I’m assuming assuming you get to choose when to switch over the email servers.

It can take some time (several hours) for the DNS records to show publicly for google to check but you can carry on with other steps whilst you’re waiting.

Step 2 is to create your users.

Obviously my user is already there so I use the “Add another user” link to add more.

After that, it’s time to accept the terms and log into our new accounts!

Naturally the dashboard has a lot of options but in my excitement the first thing I want to do is send an email. In google workspace a grid of 9 dots at the top right opens the menu for all the workspace apps. Gmail is the one I want and…. it doesn’t work!

I’m signed into the admin panel and every other app I click on redirects me back to the Admin panel. What’s going wrong? I think it’s due to the domain still be verified. Sure enough the next morning I could log in fine. I think there is the option of accessing Gmail by logging in using the test domain whilst verification is happening but it worked before I got to try that.

Now my email is working, next on my list:

2FA – two factor authentication or MFA – multi factor authentication, which is to say I want to enforce better security on our email accounts requiring anyone that logs in not only knows their password but gets an extra security code from a device they own.

Set up a shared email address – which is all new to me as our legacy workspace account didn’t allow for this