I gave up with the Google Workspace Collaborative Inbox.

It had a number of problems for my use case, including:

• I couldn’t get the custom footer working
• Replies to the originator go as CC: instead of TO: as the group address is always the only TO: address.
• Sending an email from the Groups web view, you always have to click CC: to add an address (we want to send emails from our collaborative inbox as well as process incoming emails).

On the plus side, it did allow email conversations to be assigned to members of the group but I didn’t get as far as testing if marking the conversation as ‘complete’ also allow it to be hidden from view by default.

So what now?

Option 1: Find a suitable helpdesk software platform

like Zendesk, FreshDesk, Gekko, HelpScout, FreeScout, uvDesk or osTIcket (and that’s the shorter list of all the platforms I stumbled upon).

I mentioned before I like to keep overhead to a minimum. These are typically charged between £4 and £40 per month per user and we have 4 users covering the shop email account, so thats £192-£1920 per year of cost. Some have limited free offerings but the limitation often includes a limited number of records being kept which is too limiting for me.

The exceptions here are FreeScout, uvDesk and osTicket which have open source editions. I can run those on my own server and the only cost is time to set them up and maintain them. I can also alter them to suit our needs and processes and I have full control and access to all data. There’s a good argument that an open source solution will cost me more than £192 per year to run but the hosted £192 option doesn’t include all the nice things I could do with open source. The cost of open source is relatively fixed and not dependant on the number of users I have.

I’ve also got the option of writing my own too. Our needs are not too complex so processing email into a database and having a web front end (viewed like an email client) allowing our users to assign and reply and attach things is well within my technical capabilities but currently outside of my available time to implement.

Ticketing solutions also start edging into full CRM (Customer Relationship Management) and whilst I’ve been considering those for a while we’re a long way off yet.

besides, option 2 is far simpler and simple is good.

Option 2: Use a dedicated email address and give everyone delegated access

Which is exactly what we do now as our legacy account never had the Collaborative Inbox option. The downsides are:

• Another user account to pay for (£5/month)
• Having an account with another password (ok, that’s trivial, I’ll be the only one with the password and I’ll delegate access to everyone).
• If you have a lot of users, knowing if someone was already working on a customer enquiry or a supplier request can get confusing – the app solutions in option 1 often had ‘collision prevention’ so two agents wouldn’t work on the same thing at the same time.

As we only have 4 users and a low volume of mail to our shared email, Delegated Access is the solution I’m using. There’s probably a limit to how many delegates you can allow to access your email, in one place I saw 10 as the limit and in another 100 so beware if you’ve lots of users of the shared email account.

Setting up delegated email

First, delete the group 🙂

Admin > Users > Add a user

First name = Hello, Surname = Roots, [drifts off remembering this post about names for users and how not every culture has a Surname]
email = hello@sroot

[Using an incognito window for the new account] Try to login, I can’t because 2FA is enforced, so Admin > User > hello roots (the user name) > 2 Step Verificatoin > get backup verification codes

Login with backup code, accept terms, set new password, enroll in 2 step verification, select phone prompt, then have to add the account to my phone usng another backup code.

Now, check users can allow delegated access (probably not by default). Unfortunately this change didn’t happen instantly for me, so you might have to come back to this point later.

Settings for gmail > User settings > Mail delegation (or search for delegation)

Add a delegate, instructions here but short version: settings > all settings > accounts > Grant Access to your account > enter the email address of the other user. They need to accept the invite.

These are my preferred settings for our shared account.

Once the invite is accepted a user can switch to the delegated email account (in this case hello@roots.uk) by selecting it from the top right panel icon with their initial

Whilst I’m here, I’d rather have my photo on my profile than my initials but by default users can’t edit their profile. Admin > Users > More is where you can change that.

So, I now have users set up and shared email account for us through delegated access. It’s the end of the day so I’m stopping here. Next task from my list will be setting up the server/infrastructure emails like noreply@

Now 2FA is working for my 2 users, I can create our first Shared email address. For Google Workspace this is a “Collaborative Inbox” (see the setup instructions here). We’ve not had this in the past. We used to have a shared email address, showroom@rkbb.co.uk that was a regular user email address and then had delegated access to all of us that monitored it and replied to emails from customers. Whilst that would work still, it will also cost the same as another user account each month (near £55 per year on the cheapest account) whereas a collaborative inbox is free and apparently has built in tools to handle being used my multiple people and stop duplication of replies or not actioning an email because you think someone else is doing it.

First, we create a new Group (9 dot link)

then the 3 lines link

then create group

I chose hello@roots.uk for the group name. We set up showroom@rkbb.co.uk as an address back in 1999 and in todays world hello@ sounds nicer and easier to say then showroom@.

Privacy settings next, and that’s easy for our small business as every user can see everything and everyone can join.

and finally I can add members now. Me and my brother as owners and as I add the other user accounts I can add them later.

I’ve left it as subscription to each email but I’m not entirely sure that’s right yet.

Now I can go to the group

Reading the setup instructions, next I have to go to group settings and turn on “collaborative inbox”

There are some permissions to be assigned but I’m going with the defaults for now and will see how they work. The other interesting setting is “Default Sender” and I’m going to start by changing this to “Group address” by default. I think this will mean that if I reply to an email and there’s a response it still goes to the collaborative inbox so that others can see and action it.

There’s an email option setting and that includes the ability to turn off the standard groups footer (I’m turning it off) and add a custom footer (which I’ll turn on and add our standard email footer text).

Now to send a test email from an address outside of roots.uk to see how it works…

and it failed, but I think I see why

the group only allows posting by people within roots.uk and so my email from my old address was rejected.

Back to the group settings, I’ve turned on “Shared Labels” whilst passing – I expect that will mean if I label an email “supplier invoice” everyone will see that label. I saw no option to allow posting from outside our domain.

Next step is to return to admin.google.com, type the group name into the search box then click on the group.

Opening the settings box to edit it, I can see a column for “External” and “publish posts” field so I’ll activate that and save. I did not allow external members to the group, as I don’t want anyone joining it and seeing our emails.

and it looks like it worked, I have an email delivered to my inbox;

I can reply to that as a normal email and that arrives fine.

I see the same email in the shared group, but I don’t see my reply. That makes sense as the email was delivered to two places. I think I need to turn of emails to group members.

and if I reply from the group I get… confused

ahh, I see, I can choose to reply from my personal email or the group address

and replying from my address means the reply is sent to:hello@roots.uk and CC: the original sender,

that’s no good for me. Back to the group settings and set the default sender to be the group address.

and another option “Post replies to” was set as Sender Chooses so I’ll change that to default to the author only

I think that means if there are multiple people in the conversation we’ll have remember to select them.

In My membership settings I can change from each email to No Email.

Time for a new test!

Looking good…

and it’s still not perfect

The email was CC’d to the originator again and I want them to be in the to: location, like a normal email.

Now it’s late, so I’ll return in the next day or so when I have time to figure out the solution.

Now to set up and enforce 2FA (Two Factor Authentication) for all users in my new domain. First I want to make sure it is active and working for me!

In Gmail, clicking the “S” at the top right, which comes from my name Steve, opens a box with an option to “Manage your Google Account”

In the next page I select Security and then the right arrow allong from “2 Step verification”

The default is to get an SMS message or phone call but I don’t want that. I want to use “Google Prompt” which is an app built into my Android phone and I think it also works on iPhones too. SMS can be compromised so Security Keys or prompts are the way to go. I think my android phone can also act as a security key too, but the prompt has always worked well for me.

I need to select “show more options”

My device isn’t shown, so the link “Don’t see your device”.

and this tells me I need to login to my new Workspace account from my phone for it to be seen, so I’ll go to my phone and do that.

On android I do this by going Settings > Accounts > Add Account > Google

(you can have more than one google account linked to your phone)

My new email address and password are entered and it takes 30 seconds or so to login and set itself up. Once that’s done, I click the “Try Again” link and my phone appears. Yes it’s an old phone (2 and a half years!) and yes I’m looking to update it but only because the charging port is slightly loose. Can you imagine how long it takes me to pick a new phone? !!

click Continue

It wants a backup option, and is asking for a phone number again. I’m going with this though deep down I think the current security wisdom is not to allow SMS resets.

Enter the confirmation code that came by text message

and “Turn on”

So that should be working and the confirmation screen gives me more options.

First, I generate the backup codes. These can be printed and put somewhere safe for the event you lose your phone and can’t use the Prompt or SMS methods. Perhaps keep them in your wallet. If you’re worried about losing your wallet and someone logging into your account using these backup codes then you can encrypt them with your own secret algorithm. Add 1 to the first and last digit.

Second, I set up an authenticator app. I used to use Google Authenticator but I had a problem once where a factory reset of my phone meant I lost access to the Generator. Now I use 1password which includes a generator. As long as I can get into 1password I can always get to the Authenticator codes.

Finally, I tried the security key but that doesn’t work for me as a I don’t have one 🙂 I thought my phone might act as one but I was prompted for Windows to look for one connected by USB. Maybe one day I’ll add that approach too. I think a hardware security key that can be on my keyring and work separate to my phone and wallet may be a useful backup method

Now to log out, log in and see if I’m prompted for a code:

and yes I was. All is good and secure.

Not to enforce 2FA as a requirement across all users.

The 9 dots top right > Admin > Security > 2-Step Verification

Maybe I’m bit too worried about security, but these are the settings I’ve chosen for my users.

• 2FA is turned on from now
• There is no grace period for new ysers
• They can trust the device once they’re logged in. I think google still prompts every 30 days.
• They can’t get verification codes by SMS message of phone calls. SMS is not secure and we are all vulnerable to SIM Swapping (that’s a link to youtube video that explains it well. She also covers a lot of security related topics with great advice for geeks and non geeks alike).

So, that should be enforcing 2FA for all our users, which is so far just me and my brother. Except he probably didn’t set up 2FA when I told him he could log in earlier so he’s probably being locked out right now. To fix that, Admin > directory > Users and click on his name and I can see that he does not have 2FA enabled and also he has no recovery options.

When I go to edit this (the down arrow on the top right opens the panel up) I see that only the user can enable 2FA.

I suspect that the next time he logs in he will be forced to do that so I’ll leave this for now and see what happens. It might be I need to add a recovery email address and/or phone number as he hadn’t set those yet either.

Once he is set up with 2FA I will also make him a super admin. This is important as if something happens to me I want him to be have full access to everything in the business. Also if I lose my phone he can also reset my password. I’m always trying to avoid a single point of failure in our business.