fix(googleworkspace): treat secure Google defaults as PASS for Gmail checks

prowler/CHANGELOG.md

@@ -10,6 +10,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
 - `entra_conditional_access_policy_all_apps_all_users` check for M365 provider [(#10619)](https://github.com/prowler-cloud/prowler/pull/10619)
 - `bedrock_full_access_policy_attached` check for AWS provider [(#10577)](https://github.com/prowler-cloud/prowler/pull/10577)
 - `iam_role_access_not_stale_to_bedrock` and `iam_user_access_not_stale_to_bedrock` checks for AWS provider [(#10536)](https://github.com/prowler-cloud/prowler/pull/10536)
+- 9 Gmail checks for Google Workspace provider (`gmail_mail_delegation_disabled`, `gmail_shortener_scanning_enabled`, `gmail_external_image_scanning_enabled`, `gmail_untrusted_link_warnings_enabled`, `gmail_pop_imap_access_disabled`, `gmail_auto_forwarding_disabled`, `gmail_per_user_outbound_gateway_disabled`, `gmail_enhanced_pre_delivery_scanning_enabled`, `gmail_comprehensive_mail_storage_enabled`) using the Cloud Identity Policy API [(#10683)](https://github.com/prowler-cloud/prowler/pull/10683)
 - `iam_policy_no_wildcard_marketplace_subscribe` and `iam_inline_policy_no_wildcard_marketplace_subscribe` checks for AWS provider [(#10525)](https://github.com/prowler-cloud/prowler/pull/10525)
 - `bedrock_vpc_endpoints_configured` check for AWS provider [(#10591)](https://github.com/prowler-cloud/prowler/pull/10591)
 - `exchange_organization_delicensing_resiliency_enabled` check for m365 provider [(#10608)](https://github.com/prowler-cloud/prowler/pull/10608)

prowler/compliance/googleworkspace/cis_1.3_googleworkspace.json

@@ -525,7 +525,9 @@
     {
       "Id": "3.1.3.1.1",
       "Description": "Ensure users cannot delegate access to their mailbox",
-      "Checks": [],
+      "Checks": [
+        "gmail_mail_delegation_disabled"
+      ],
       "Attributes": [
         {
           "Section": "3 Apps",
@@ -714,7 +716,9 @@
     {
       "Id": "3.1.3.4.2.1",
       "Description": "Ensure link identification behind shortened URLs is enabled",
-      "Checks": [],
+      "Checks": [
+        "gmail_shortener_scanning_enabled"
+      ],
       "Attributes": [
         {
           "Section": "3 Apps",
@@ -735,7 +739,9 @@
     {
       "Id": "3.1.3.4.2.2",
       "Description": "Ensure scan linked images for malicious content is enabled",
-      "Checks": [],
+      "Checks": [
+        "gmail_external_image_scanning_enabled"
+      ],
       "Attributes": [
         {
           "Section": "3 Apps",
@@ -756,7 +762,9 @@
     {
       "Id": "3.1.3.4.2.3",
       "Description": "Ensure warning prompt is shown for any click on links to untrusted domains",
-      "Checks": [],
+      "Checks": [
+        "gmail_untrusted_link_warnings_enabled"
+      ],
       "Attributes": [
         {
           "Section": "3 Apps",
@@ -882,7 +890,9 @@
     {
       "Id": "3.1.3.5.1",
       "Description": "Ensure POP and IMAP access is disabled for all users",
-      "Checks": [],
+      "Checks": [
+        "gmail_pop_imap_access_disabled"
+      ],
       "Attributes": [
         {
           "Section": "3 Apps",
@@ -903,7 +913,9 @@
     {
       "Id": "3.1.3.5.2",
       "Description": "Ensure automatic forwarding options are disabled",
-      "Checks": [],
+      "Checks": [
+        "gmail_auto_forwarding_disabled"
+      ],
       "Attributes": [
         {
           "Section": "3 Apps",
@@ -924,7 +936,9 @@
     {
       "Id": "3.1.3.5.3",
       "Description": "Ensure per-user outbound gateways is disabled",
-      "Checks": [],
+      "Checks": [
+        "gmail_per_user_outbound_gateway_disabled"
+      ],
       "Attributes": [
         {
           "Section": "3 Apps",
@@ -966,7 +980,9 @@
     {
       "Id": "3.1.3.6.1",
       "Description": "Ensure enhanced pre-delivery message scanning is enabled",
-      "Checks": [],
+      "Checks": [
+        "gmail_enhanced_pre_delivery_scanning_enabled"
+      ],
       "Attributes": [
         {
           "Section": "3 Apps",
@@ -1008,7 +1024,9 @@
     {
       "Id": "3.1.3.7.1",
       "Description": "Ensure comprehensive mail storage is enabled",
-      "Checks": [],
+      "Checks": [
+        "gmail_comprehensive_mail_storage_enabled"
+      ],
       "Attributes": [
         {
           "Section": "3 Apps",

prowler/compliance/googleworkspace/cisa_scuba_0.6_googleworkspace.json

@@ -556,7 +556,9 @@
     {
       "Id": "GWS.GMAIL.1.1",
       "Description": "Mail Delegation SHOULD be disabled",
-      "Checks": [],
+      "Checks": [
+        "gmail_mail_delegation_disabled"
+      ],
       "Attributes": [
         {
           "Section": "Gmail",
@@ -725,7 +727,9 @@
     {
       "Id": "GWS.GMAIL.6.1",
       "Description": "Identify links behind shortened URLs SHALL be enabled",
-      "Checks": [],
+      "Checks": [
+        "gmail_shortener_scanning_enabled"
+      ],
       "Attributes": [
         {
           "Section": "Gmail",
@@ -738,7 +742,9 @@
     {
       "Id": "GWS.GMAIL.6.2",
       "Description": "Scan linked images SHALL be enabled",
-      "Checks": [],
+      "Checks": [
+        "gmail_external_image_scanning_enabled"
+      ],
       "Attributes": [
         {
           "Section": "Gmail",
@@ -751,7 +757,9 @@
     {
       "Id": "GWS.GMAIL.6.3",
       "Description": "Show warning prompt for any click on links to untrusted domains SHALL be enabled",
-      "Checks": [],
+      "Checks": [
+        "gmail_untrusted_link_warnings_enabled"
+      ],
       "Attributes": [
         {
           "Section": "Gmail",
@@ -907,7 +915,9 @@
     {
       "Id": "GWS.GMAIL.9.1",
       "Description": "POP and IMAP access SHALL be disabled to protect sensitive agency or organization emails from being accessed through legacy applications or other third-party mail clients",
-      "Checks": [],
+      "Checks": [
+        "gmail_pop_imap_access_disabled"
+      ],
       "Attributes": [
         {
           "Section": "Gmail",
@@ -933,7 +943,9 @@
     {
       "Id": "GWS.GMAIL.11.1",
       "Description": "Automatic forwarding SHOULD be disabled, especially to external domains",
-      "Checks": [],
+      "Checks": [
+        "gmail_auto_forwarding_disabled"
+      ],
       "Attributes": [
         {
           "Section": "Gmail",
@@ -946,7 +958,9 @@
     {
       "Id": "GWS.GMAIL.12.1",
       "Description": "Using a per-user outbound gateway that is a mail server other than the Google Workspace (GWS) mail servers SHALL be disabled",
-      "Checks": [],
+      "Checks": [
+        "gmail_per_user_outbound_gateway_disabled"
+      ],
       "Attributes": [
         {
           "Section": "Gmail",
@@ -985,7 +999,9 @@
     {
       "Id": "GWS.GMAIL.15.1",
       "Description": "Enhanced pre-delivery message scanning SHALL be enabled to prevent phishing",
-      "Checks": [],
+      "Checks": [
+        "gmail_enhanced_pre_delivery_scanning_enabled"
+      ],
       "Attributes": [
         {
           "Section": "Gmail",
@@ -1037,7 +1053,9 @@
     {
       "Id": "GWS.GMAIL.17.1",
       "Description": "Comprehensive mail storage SHOULD be enabled to allow information traceability across applications",
-      "Checks": [],
+      "Checks": [
+        "gmail_comprehensive_mail_storage_enabled"
+      ],
       "Attributes": [
         {
           "Section": "Gmail",

prowler/providers/googleworkspace/services/gmail/gmail_auto_forwarding_disabled/gmail_auto_forwarding_disabled.metadata.json

@@ -0,0 +1,40 @@
+{
+  "Provider": "googleworkspace",
+  "CheckID": "gmail_auto_forwarding_disabled",
+  "CheckTitle": "Automatic forwarding options are disabled",
+  "CheckType": [],
+  "ServiceName": "gmail",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "",
+  "Severity": "medium",
+  "ResourceType": "NotDefined",
+  "ResourceGroup": "collaboration",
+  "Description": "Automatic email forwarding allows users to automatically forward all incoming email to an external address. Disabling this feature prevents unauthorized data exfiltration through email forwarding rules.",
+  "Risk": "With auto-forwarding enabled, an attacker who gains control of a user account can create **forwarding rules to exfiltrate** all incoming email to an external address. This can persist undetected and provide the attacker with continuous access to sensitive communications even after the account is recovered.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://support.google.com/a/answer/2491924",
+    "https://cloud.google.com/identity/docs/concepts/supported-policy-api-settings"
+  ],
+  "Remediation": {
+    "Code": {
+      "CLI": "",
+      "NativeIaC": "",
+      "Other": "1. Sign in to the Google **Admin console** at https://admin.google.com\n2. Navigate to **Apps** > **Google Workspace** > **Gmail**\n3. Click **End User Access** > **Automatic forwarding**\n4. Uncheck **Allow users to automatically forward incoming email to another address**\n5. Click **Save**",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "Disable automatic email forwarding to prevent users and attackers from setting up rules that exfiltrate email data to external addresses.",
+      "Url": "https://hub.prowler.com/check/gmail_auto_forwarding_disabled"
+    }
+  },
+  "Categories": [
+    "email-security"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [
+    "gmail_pop_imap_access_disabled",
+    "gmail_per_user_outbound_gateway_disabled"
+  ],
+  "Notes": ""
+}

prowler/providers/googleworkspace/services/gmail/gmail_auto_forwarding_disabled/gmail_auto_forwarding_disabled.py

@@ -0,0 +1,53 @@
+from typing import List
+
+from prowler.lib.check.models import Check, CheckReportGoogleWorkspace
+from prowler.providers.googleworkspace.services.gmail.gmail_client import gmail_client
+
+
+class gmail_auto_forwarding_disabled(Check):
+    """Check that automatic forwarding options are disabled.
+
+    This check verifies that the domain-level Gmail policy prevents users
+    from automatically forwarding incoming email to external addresses,
+    reducing the risk of data exfiltration.
+    """
+
+    def execute(self) -> List[CheckReportGoogleWorkspace]:
+        findings = []
+
+        if gmail_client.policies_fetched:
+            report = CheckReportGoogleWorkspace(
+                metadata=self.metadata(),
+                resource=gmail_client.provider.identity,
+                resource_name=gmail_client.provider.identity.domain,
+                resource_id=gmail_client.provider.identity.customer_id,
+                customer_id=gmail_client.provider.identity.customer_id,
+                location="global",
+            )
+
+            forwarding_enabled = gmail_client.policies.enable_auto_forwarding
+
+            if forwarding_enabled is False:
+                report.status = "PASS"
+                report.status_extended = (
+                    f"Automatic email forwarding is disabled "
+                    f"in domain {gmail_client.provider.identity.domain}."
+                )
+            else:
+                report.status = "FAIL"
+                if forwarding_enabled is None:
+                    report.status_extended = (
+                        f"Automatic email forwarding is not explicitly configured "
+                        f"in domain {gmail_client.provider.identity.domain}. "
+                        f"Auto-forwarding should be disabled to prevent data exfiltration."
+                    )
+                else:
+                    report.status_extended = (
+                        f"Automatic email forwarding is enabled "
+                        f"in domain {gmail_client.provider.identity.domain}. "
+                        f"Auto-forwarding should be disabled to prevent data exfiltration."
+                    )
+
+            findings.append(report)
+
+        return findings

prowler/providers/googleworkspace/services/gmail/gmail_client.py

@@ -0,0 +1,4 @@
+from prowler.providers.common.provider import Provider
+from prowler.providers.googleworkspace.services.gmail.gmail_service import Gmail
+
+gmail_client = Gmail(Provider.get_global_provider())

prowler/providers/googleworkspace/services/gmail/gmail_comprehensive_mail_storage_enabled/gmail_comprehensive_mail_storage_enabled.metadata.json

@@ -0,0 +1,37 @@
+{
+  "Provider": "googleworkspace",
+  "CheckID": "gmail_comprehensive_mail_storage_enabled",
+  "CheckTitle": "Comprehensive mail storage is enabled",
+  "CheckType": [],
+  "ServiceName": "gmail",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "",
+  "Severity": "medium",
+  "ResourceType": "NotDefined",
+  "ResourceGroup": "collaboration",
+  "Description": "Comprehensive mail storage ensures that a copy of all sent and received messages in the domain, including messages sent or received by non-Gmail mailboxes, is stored in users' Gmail mailboxes. This makes all messages accessible to Google Vault for retention, eDiscovery, and compliance purposes.",
+  "Risk": "Without comprehensive mail storage, messages sent through other Google services (Calendar, Drive, etc.) may not be stored in Gmail and therefore **not subject to Vault retention policies**. This creates gaps in **compliance coverage**, **eDiscovery**, and **audit trails** that could violate regulatory requirements.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://support.google.com/a/answer/3547347",
+    "https://cloud.google.com/identity/docs/concepts/supported-policy-api-settings"
+  ],
+  "Remediation": {
+    "Code": {
+      "CLI": "",
+      "NativeIaC": "",
+      "Other": "1. Sign in to the Google **Admin console** at https://admin.google.com\n2. Navigate to **Apps** > **Google Workspace** > **Gmail**\n3. Click **Compliance** > **Comprehensive mail storage**\n4. Check **Ensure that a copy of all sent and received mail is stored in associated users' mailboxes**\n5. Click **Save**",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "Enable comprehensive mail storage to ensure all email is stored in Gmail mailboxes for Vault retention and eDiscovery compliance.",
+      "Url": "https://hub.prowler.com/check/gmail_comprehensive_mail_storage_enabled"
+    }
+  },
+  "Categories": [
+    "forensics-ready"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
+}

prowler/providers/googleworkspace/services/gmail/gmail_comprehensive_mail_storage_enabled/gmail_comprehensive_mail_storage_enabled.py

@@ -0,0 +1,53 @@
+from typing import List
+
+from prowler.lib.check.models import Check, CheckReportGoogleWorkspace
+from prowler.providers.googleworkspace.services.gmail.gmail_client import gmail_client
+
+
+class gmail_comprehensive_mail_storage_enabled(Check):
+    """Check that comprehensive mail storage is enabled.
+
+    This check verifies that the domain-level Gmail policy ensures a copy
+    of all sent and received mail is stored in users' Gmail mailboxes,
+    making all messages accessible to Vault for compliance and eDiscovery.
+    """
+
+    def execute(self) -> List[CheckReportGoogleWorkspace]:
+        findings = []
+
+        if gmail_client.policies_fetched:
+            report = CheckReportGoogleWorkspace(
+                metadata=self.metadata(),
+                resource=gmail_client.provider.identity,
+                resource_name=gmail_client.provider.identity.domain,
+                resource_id=gmail_client.provider.identity.customer_id,
+                customer_id=gmail_client.provider.identity.customer_id,
+                location="global",
+            )
+
+            storage_enabled = gmail_client.policies.comprehensive_mail_storage_enabled
+
+            if storage_enabled is True:
+                report.status = "PASS"
+                report.status_extended = (
+                    f"Comprehensive mail storage is enabled "
+                    f"in domain {gmail_client.provider.identity.domain}."
+                )
+            else:
+                report.status = "FAIL"
+                if storage_enabled is None:
+                    report.status_extended = (
+                        f"Comprehensive mail storage is not explicitly configured "
+                        f"in domain {gmail_client.provider.identity.domain}. "
+                        f"Comprehensive mail storage should be enabled for compliance."
+                    )
+                else:
+                    report.status_extended = (
+                        f"Comprehensive mail storage is disabled "
+                        f"in domain {gmail_client.provider.identity.domain}. "
+                        f"Comprehensive mail storage should be enabled for compliance."
+                    )
+
+            findings.append(report)
+
+        return findings

prowler/providers/googleworkspace/services/gmail/gmail_enhanced_pre_delivery_scanning_enabled/gmail_enhanced_pre_delivery_scanning_enabled.metadata.json

@@ -0,0 +1,37 @@
+{
+  "Provider": "googleworkspace",
+  "CheckID": "gmail_enhanced_pre_delivery_scanning_enabled",
+  "CheckTitle": "Enhanced pre-delivery message scanning is enabled",
+  "CheckType": [],
+  "ServiceName": "gmail",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "",
+  "Severity": "medium",
+  "ResourceType": "NotDefined",
+  "ResourceGroup": "collaboration",
+  "Description": "Enhanced pre-delivery message scanning adds additional security checks for messages identified as potentially suspicious. When enabled, Gmail may slightly delay delivery to perform deeper analysis, improving detection of phishing and malware that might otherwise evade standard filters.",
+  "Risk": "Without enhanced pre-delivery scanning, some **sophisticated phishing and malware** messages may pass through standard filters and be delivered to users. The additional scanning layer catches threats that the first-pass filters miss, reducing the organization's exposure to **zero-day phishing campaigns** and **targeted attacks**.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://support.google.com/a/answer/7380368",
+    "https://cloud.google.com/identity/docs/concepts/supported-policy-api-settings"
+  ],
+  "Remediation": {
+    "Code": {
+      "CLI": "",
+      "NativeIaC": "",
+      "Other": "1. Sign in to the Google **Admin console** at https://admin.google.com\n2. Navigate to **Apps** > **Google Workspace** > **Gmail**\n3. Click **Spam, phishing, and malware**\n4. Check **Enhanced pre-delivery message scanning** - Enables improved detection of suspicious content prior to delivery\n5. Click **Save**",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "Enable enhanced pre-delivery message scanning to improve Gmail's ability to detect and block sophisticated phishing and malware before delivery to users.",
+      "Url": "https://hub.prowler.com/check/gmail_enhanced_pre_delivery_scanning_enabled"
+    }
+  },
+  "Categories": [
+    "email-security"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
+}

prowler/providers/googleworkspace/services/gmail/gmail_enhanced_pre_delivery_scanning_enabled/gmail_enhanced_pre_delivery_scanning_enabled.py

@@ -0,0 +1,55 @@
+from typing import List
+
+from prowler.lib.check.models import Check, CheckReportGoogleWorkspace
+from prowler.providers.googleworkspace.services.gmail.gmail_client import gmail_client
+
+
+class gmail_enhanced_pre_delivery_scanning_enabled(Check):
+    """Check that enhanced pre-delivery message scanning is enabled.
+
+    This check verifies that Gmail is configured to perform additional
+    security checks on suspicious messages before delivering them,
+    improving detection of phishing and malware.
+    """
+
+    def execute(self) -> List[CheckReportGoogleWorkspace]:
+        findings = []
+
+        if gmail_client.policies_fetched:
+            report = CheckReportGoogleWorkspace(
+                metadata=self.metadata(),
+                resource=gmail_client.provider.identity,
+                resource_name=gmail_client.provider.identity.domain,
+                resource_id=gmail_client.provider.identity.customer_id,
+                customer_id=gmail_client.provider.identity.customer_id,
+                location="global",
+            )
+
+            scanning_enabled = (
+                gmail_client.policies.enable_enhanced_pre_delivery_scanning
+            )
+
+            if scanning_enabled is True:
+                report.status = "PASS"
+                report.status_extended = (
+                    f"Enhanced pre-delivery message scanning is enabled "
+                    f"in domain {gmail_client.provider.identity.domain}."
+                )
+            elif scanning_enabled is None:
+                report.status = "PASS"
+                report.status_extended = (
+                    f"Enhanced pre-delivery message scanning uses Google's "
+                    f"secure default configuration (enabled) "
+                    f"in domain {gmail_client.provider.identity.domain}."
+                )
+            else:
+                report.status = "FAIL"
+                report.status_extended = (
+                    f"Enhanced pre-delivery message scanning is disabled "
+                    f"in domain {gmail_client.provider.identity.domain}. "
+                    f"Pre-delivery scanning should be enabled for improved threat detection."
+                )
+
+            findings.append(report)
+
+        return findings

prowler/providers/googleworkspace/services/gmail/gmail_external_image_scanning_enabled/gmail_external_image_scanning_enabled.metadata.json

@@ -0,0 +1,40 @@
+{
+  "Provider": "googleworkspace",
+  "CheckID": "gmail_external_image_scanning_enabled",
+  "CheckTitle": "Scanning of linked images for malicious content is enabled",
+  "CheckType": [],
+  "ServiceName": "gmail",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "",
+  "Severity": "medium",
+  "ResourceType": "NotDefined",
+  "ResourceGroup": "collaboration",
+  "Description": "Gmail can scan images linked in email messages to detect malicious content. External images can be used to deliver tracking pixels, exploit browser vulnerabilities, or serve as part of phishing campaigns.",
+  "Risk": "Without external image scanning, attackers can use **linked images to track email opens**, deliver **exploit payloads via image rendering vulnerabilities**, or use images as part of sophisticated **phishing schemes** that mimic legitimate communications.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://support.google.com/a/answer/7676854",
+    "https://cloud.google.com/identity/docs/concepts/supported-policy-api-settings"
+  ],
+  "Remediation": {
+    "Code": {
+      "CLI": "",
+      "NativeIaC": "",
+      "Other": "1. Sign in to the Google **Admin console** at https://admin.google.com\n2. Navigate to **Apps** > **Google Workspace** > **Gmail**\n3. Click **Safety** > **Links and external images**\n4. Check **Scan linked images**\n5. Click **Save**",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "Enable scanning of linked images so that Gmail proactively checks external image resources for malicious content before displaying them to users.",
+      "Url": "https://hub.prowler.com/check/gmail_external_image_scanning_enabled"
+    }
+  },
+  "Categories": [
+    "email-security"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [
+    "gmail_shortener_scanning_enabled",
+    "gmail_untrusted_link_warnings_enabled"
+  ],
+  "Notes": ""
+}

prowler/providers/googleworkspace/services/gmail/gmail_external_image_scanning_enabled/gmail_external_image_scanning_enabled.py

@@ -0,0 +1,53 @@
+from typing import List
+
+from prowler.lib.check.models import Check, CheckReportGoogleWorkspace
+from prowler.providers.googleworkspace.services.gmail.gmail_client import gmail_client
+
+
+class gmail_external_image_scanning_enabled(Check):
+    """Check that scanning of linked images for malicious content is enabled.
+
+    This check verifies that Gmail is configured to scan images linked
+    in emails to detect and block malicious content hidden within
+    external image resources.
+    """
+
+    def execute(self) -> List[CheckReportGoogleWorkspace]:
+        findings = []
+
+        if gmail_client.policies_fetched:
+            report = CheckReportGoogleWorkspace(
+                metadata=self.metadata(),
+                resource=gmail_client.provider.identity,
+                resource_name=gmail_client.provider.identity.domain,
+                resource_id=gmail_client.provider.identity.customer_id,
+                customer_id=gmail_client.provider.identity.customer_id,
+                location="global",
+            )
+
+            scanning_enabled = gmail_client.policies.enable_external_image_scanning
+
+            if scanning_enabled is True:
+                report.status = "PASS"
+                report.status_extended = (
+                    f"Scanning of linked images for malicious content is enabled "
+                    f"in domain {gmail_client.provider.identity.domain}."
+                )
+            elif scanning_enabled is None:
+                report.status = "PASS"
+                report.status_extended = (
+                    f"Scanning of linked images for malicious content uses Google's "
+                    f"secure default configuration (enabled) "
+                    f"in domain {gmail_client.provider.identity.domain}."
+                )
+            else:
+                report.status = "FAIL"
+                report.status_extended = (
+                    f"Scanning of linked images for malicious content is disabled "
+                    f"in domain {gmail_client.provider.identity.domain}. "
+                    f"External image scanning should be enabled to detect hidden threats."
+                )
+
+            findings.append(report)
+
+        return findings

prowler/providers/googleworkspace/services/gmail/gmail_mail_delegation_disabled/gmail_mail_delegation_disabled.metadata.json

@@ -0,0 +1,37 @@
+{
+  "Provider": "googleworkspace",
+  "CheckID": "gmail_mail_delegation_disabled",
+  "CheckTitle": "Mail delegation is disabled for users",
+  "CheckType": [],
+  "ServiceName": "gmail",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "",
+  "Severity": "medium",
+  "ResourceType": "NotDefined",
+  "ResourceGroup": "collaboration",
+  "Description": "Mail delegation allows a delegate to read, send, and delete messages on behalf of another user. When enabled at the user level, this creates a risk that unauthorized individuals could gain access to sensitive email content. Only administrators should be able to manage mailbox delegation.",
+  "Risk": "If users can delegate access to their mailbox, an attacker who compromises one account could silently delegate access to maintain persistent email surveillance. This also increases the risk of **insider threats** and **data exfiltration** through shared mailbox access.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://support.google.com/a/answer/7223765",
+    "https://cloud.google.com/identity/docs/concepts/supported-policy-api-settings"
+  ],
+  "Remediation": {
+    "Code": {
+      "CLI": "",
+      "NativeIaC": "",
+      "Other": "1. Sign in to the Google **Admin console** at https://admin.google.com\n2. Navigate to **Apps** > **Google Workspace** > **Gmail**\n3. Click **User Settings** > **Mail delegation**\n4. Uncheck **Let users delegate access to their mailbox to other users in the domain**\n5. Click **Save**",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "Disable mail delegation so that only administrators can manage mailbox access. This prevents users from granting unauthorized access to their email.",
+      "Url": "https://hub.prowler.com/check/gmail_mail_delegation_disabled"
+    }
+  },
+  "Categories": [
+    "email-security"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
+}

prowler/providers/googleworkspace/services/gmail/gmail_mail_delegation_disabled/gmail_mail_delegation_disabled.py

@@ -0,0 +1,52 @@
+from typing import List
+
+from prowler.lib.check.models import Check, CheckReportGoogleWorkspace
+from prowler.providers.googleworkspace.services.gmail.gmail_client import gmail_client
+
+
+class gmail_mail_delegation_disabled(Check):
+    """Check that users cannot delegate access to their mailbox.
+
+    This check verifies that the domain-level Gmail policy prevents users
+    from delegating mailbox access to other users, ensuring only
+    administrators can manage mailbox delegation.
+    """
+
+    def execute(self) -> List[CheckReportGoogleWorkspace]:
+        findings = []
+
+        if gmail_client.policies_fetched:
+            report = CheckReportGoogleWorkspace(
+                metadata=self.metadata(),
+                resource=gmail_client.provider.identity,
+                resource_name=gmail_client.provider.identity.domain,
+                resource_id=gmail_client.provider.identity.customer_id,
+                customer_id=gmail_client.provider.identity.customer_id,
+                location="global",
+            )
+
+            delegation_enabled = gmail_client.policies.enable_mail_delegation
+
+            if delegation_enabled is False:
+                report.status = "PASS"
+                report.status_extended = (
+                    f"Mail delegation is disabled "
+                    f"in domain {gmail_client.provider.identity.domain}."
+                )
+            elif delegation_enabled is None:
+                report.status = "PASS"
+                report.status_extended = (
+                    f"Mail delegation uses Google's secure default configuration "
+                    f"(disabled) in domain {gmail_client.provider.identity.domain}."
+                )
+            else:
+                report.status = "FAIL"
+                report.status_extended = (
+                    f"Mail delegation is enabled "
+                    f"in domain {gmail_client.provider.identity.domain}. "
+                    f"Users should not be able to delegate access to their mailbox."
+                )
+
+            findings.append(report)
+
+        return findings

prowler/providers/googleworkspace/services/gmail/gmail_per_user_outbound_gateway_disabled/gmail_per_user_outbound_gateway_disabled.metadata.json

@@ -0,0 +1,40 @@
+{
+  "Provider": "googleworkspace",
+  "CheckID": "gmail_per_user_outbound_gateway_disabled",
+  "CheckTitle": "Per-user outbound gateways are disabled",
+  "CheckType": [],
+  "ServiceName": "gmail",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "",
+  "Severity": "medium",
+  "ResourceType": "NotDefined",
+  "ResourceGroup": "collaboration",
+  "Description": "A per-user outbound gateway allows users to send mail through an external SMTP server instead of Google's mail servers. Disabling this setting ensures all outbound email is routed through the organization's configured mail infrastructure.",
+  "Risk": "With per-user outbound gateways enabled, users can route outbound email through **external SMTP servers**, bypassing organizational **email security controls**, **DLP policies**, and **audit logging**. This creates an unmonitored channel for data exfiltration and policy circumvention.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://support.google.com/a/answer/176652",
+    "https://cloud.google.com/identity/docs/concepts/supported-policy-api-settings"
+  ],
+  "Remediation": {
+    "Code": {
+      "CLI": "",
+      "NativeIaC": "",
+      "Other": "1. Sign in to the Google **Admin console** at https://admin.google.com\n2. Navigate to **Apps** > **Google Workspace** > **Gmail**\n3. Click **End User Access** > **Allow per-user outbound gateways**\n4. Uncheck **Allow users to send mail through an external SMTP server when configuring a \"from\" address hosted outside your email domain**\n5. Click **Save**",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "Disable per-user outbound gateways to ensure all outbound email passes through the organization's mail infrastructure where security controls and monitoring are applied.",
+      "Url": "https://hub.prowler.com/check/gmail_per_user_outbound_gateway_disabled"
+    }
+  },
+  "Categories": [
+    "email-security"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [
+    "gmail_pop_imap_access_disabled",
+    "gmail_auto_forwarding_disabled"
+  ],
+  "Notes": ""
+}

prowler/providers/googleworkspace/services/gmail/gmail_per_user_outbound_gateway_disabled/gmail_per_user_outbound_gateway_disabled.py

@@ -0,0 +1,53 @@
+from typing import List
+
+from prowler.lib.check.models import Check, CheckReportGoogleWorkspace
+from prowler.providers.googleworkspace.services.gmail.gmail_client import gmail_client
+
+
+class gmail_per_user_outbound_gateway_disabled(Check):
+    """Check that per-user outbound gateways are disabled.
+
+    This check verifies that the domain-level Gmail policy prevents users
+    from sending mail through external SMTP servers, ensuring all outbound
+    email passes through the organization's mail infrastructure.
+    """
+
+    def execute(self) -> List[CheckReportGoogleWorkspace]:
+        findings = []
+
+        if gmail_client.policies_fetched:
+            report = CheckReportGoogleWorkspace(
+                metadata=self.metadata(),
+                resource=gmail_client.provider.identity,
+                resource_name=gmail_client.provider.identity.domain,
+                resource_id=gmail_client.provider.identity.customer_id,
+                customer_id=gmail_client.provider.identity.customer_id,
+                location="global",
+            )
+
+            gateway_allowed = gmail_client.policies.allow_per_user_outbound_gateway
+
+            if gateway_allowed is False:
+                report.status = "PASS"
+                report.status_extended = (
+                    f"Per-user outbound gateways are disabled "
+                    f"in domain {gmail_client.provider.identity.domain}."
+                )
+            elif gateway_allowed is None:
+                report.status = "PASS"
+                report.status_extended = (
+                    f"Per-user outbound gateways use Google's secure default "
+                    f"configuration (disabled) "
+                    f"in domain {gmail_client.provider.identity.domain}."
+                )
+            else:
+                report.status = "FAIL"
+                report.status_extended = (
+                    f"Per-user outbound gateways are enabled "
+                    f"in domain {gmail_client.provider.identity.domain}. "
+                    f"External SMTP server usage should be disabled."
+                )
+
+            findings.append(report)
+
+        return findings

prowler/providers/googleworkspace/services/gmail/gmail_pop_imap_access_disabled/gmail_pop_imap_access_disabled.metadata.json

@@ -0,0 +1,40 @@
+{
+  "Provider": "googleworkspace",
+  "CheckID": "gmail_pop_imap_access_disabled",
+  "CheckTitle": "POP and IMAP access is disabled for all users",
+  "CheckType": [],
+  "ServiceName": "gmail",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "",
+  "Severity": "medium",
+  "ResourceType": "NotDefined",
+  "ResourceGroup": "collaboration",
+  "Description": "POP and IMAP allow users to access Gmail through legacy or third-party email clients that may not support modern authentication mechanisms such as multifactor authentication. Disabling these protocols forces users to access email through approved clients only.",
+  "Risk": "With POP and IMAP enabled, users can access email through **legacy clients** that rely on simple password authentication, bypassing **multifactor authentication** and other modern security controls. This significantly increases the risk of **credential-based account compromise**.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://support.google.com/a/answer/105694",
+    "https://cloud.google.com/identity/docs/concepts/supported-policy-api-settings"
+  ],
+  "Remediation": {
+    "Code": {
+      "CLI": "",
+      "NativeIaC": "",
+      "Other": "1. Sign in to the Google **Admin console** at https://admin.google.com\n2. Navigate to **Apps** > **Google Workspace** > **Gmail**\n3. Click **End User Access** > **POP and IMAP Access**\n4. Uncheck **Enable IMAP access for all users**\n5. Uncheck **Enable POP access for all users**\n6. Click **Save**",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "Disable both POP and IMAP access to prevent users from using legacy email clients that bypass modern authentication controls.",
+      "Url": "https://hub.prowler.com/check/gmail_pop_imap_access_disabled"
+    }
+  },
+  "Categories": [
+    "email-security"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [
+    "gmail_auto_forwarding_disabled",
+    "gmail_per_user_outbound_gateway_disabled"
+  ],
+  "Notes": ""
+}

prowler/providers/googleworkspace/services/gmail/gmail_pop_imap_access_disabled/gmail_pop_imap_access_disabled.py

@@ -0,0 +1,71 @@
+from typing import List
+
+from prowler.lib.check.models import Check, CheckReportGoogleWorkspace
+from prowler.providers.googleworkspace.services.gmail.gmail_client import gmail_client
+
+
+class gmail_pop_imap_access_disabled(Check):
+    """Check that POP and IMAP access is disabled for all users.
+
+    This check verifies that the domain-level Gmail policy disables both
+    POP and IMAP access, preventing users from accessing email through
+    legacy clients that may not support modern authentication.
+    """
+
+    def execute(self) -> List[CheckReportGoogleWorkspace]:
+        findings = []
+
+        if gmail_client.policies_fetched:
+            report = CheckReportGoogleWorkspace(
+                metadata=self.metadata(),
+                resource=gmail_client.provider.identity,
+                resource_name=gmail_client.provider.identity.domain,
+                resource_id=gmail_client.provider.identity.customer_id,
+                customer_id=gmail_client.provider.identity.customer_id,
+                location="global",
+            )
+
+            pop_enabled = gmail_client.policies.enable_pop_access
+            imap_enabled = gmail_client.policies.enable_imap_access
+
+            if pop_enabled is False and imap_enabled is False:
+                report.status = "PASS"
+                report.status_extended = (
+                    f"POP and IMAP access are both disabled "
+                    f"in domain {gmail_client.provider.identity.domain}."
+                )
+            else:
+                report.status = "FAIL"
+                enabled_protocols = []
+                not_configured = []
+
+                if pop_enabled is True:
+                    enabled_protocols.append("POP")
+                elif pop_enabled is None:
+                    not_configured.append("POP")
+
+                if imap_enabled is True:
+                    enabled_protocols.append("IMAP")
+                elif imap_enabled is None:
+                    not_configured.append("IMAP")
+
+                details = []
+                if enabled_protocols:
+                    details.append(
+                        f"{' and '.join(enabled_protocols)} access is enabled"
+                    )
+                if not_configured:
+                    details.append(
+                        f"{' and '.join(not_configured)} access is not explicitly configured"
+                    )
+
+                report.status_extended = (
+                    f"{'; '.join(details)} "
+                    f"in domain {gmail_client.provider.identity.domain}. "
+                    f"Both POP and IMAP access should be disabled to prevent use of "
+                    f"legacy email clients."
+                )
+
+            findings.append(report)
+
+        return findings

prowler/providers/googleworkspace/services/gmail/gmail_service.py

@@ -0,0 +1,208 @@
+from typing import Optional
+
+from pydantic import BaseModel
+
+from prowler.lib.logger import logger
+from prowler.providers.googleworkspace.lib.service.service import GoogleWorkspaceService
+
+
+class Gmail(GoogleWorkspaceService):
+    """Google Workspace Gmail service for auditing domain-level Gmail policies.
+
+    Uses the Cloud Identity Policy API v1 to read Gmail safety, access,
+    delegation, and compliance settings configured in the Admin Console.
+    """
+
+    def __init__(self, provider):
+        super().__init__(provider)
+        self.policies = GmailPolicies()
+        self.policies_fetched = False
+        self._fetch_gmail_policies()
+
+    def _fetch_gmail_policies(self):
+        """Fetch Gmail policies from the Cloud Identity Policy API v1."""
+        logger.info("Gmail - Fetching Gmail policies...")
+
+        try:
+            service = self._build_service("cloudidentity", "v1")
+
+            if not service:
+                logger.error("Failed to build Cloud Identity service")
+                return
+
+            request = service.policies().list(pageSize=100)
+            fetch_succeeded = True
+
+            while request is not None:
+                try:
+                    response = request.execute()
+
+                    for policy in response.get("policies", []):
+                        if not self._is_customer_level_policy(policy):
+                            continue
+
+                        setting = policy.get("setting", {})
+                        setting_type = setting.get("type", "").removeprefix("settings/")
+                        value = setting.get("value", {})
+
+                        if setting_type == "gmail.mail_delegation":
+                            self.policies.enable_mail_delegation = value.get(
+                                "enableMailDelegation"
+                            )
+                            logger.debug("Gmail mail delegation setting fetched.")
+
+                        elif setting_type == "gmail.email_attachment_safety":
+                            self.policies.encrypted_attachment_protection_consequence = value.get(
+                                "encryptedAttachmentProtectionConsequence"
+                            )
+                            self.policies.script_attachment_protection_consequence = (
+                                value.get("scriptAttachmentProtectionConsequence")
+                            )
+                            self.policies.anomalous_attachment_protection_consequence = value.get(
+                                "anomalousAttachmentProtectionConsequence"
+                            )
+                            logger.debug("Gmail attachment safety settings fetched.")
+
+                        elif setting_type == "gmail.links_and_external_images":
+                            self.policies.enable_shortener_scanning = value.get(
+                                "enableShortenerScanning"
+                            )
+                            self.policies.enable_external_image_scanning = value.get(
+                                "enableExternalImageScanning"
+                            )
+                            self.policies.enable_aggressive_warnings_on_untrusted_links = value.get(
+                                "enableAggressiveWarningsOnUntrustedLinks"
+                            )
+                            logger.debug(
+                                "Gmail links and external images settings fetched."
+                            )
+
+                        elif setting_type == "gmail.spoofing_and_authentication":
+                            self.policies.domain_spoofing_consequence = value.get(
+                                "domainSpoofingConsequence"
+                            )
+                            self.policies.employee_name_spoofing_consequence = (
+                                value.get("employeeNameSpoofingConsequence")
+                            )
+                            self.policies.inbound_domain_spoofing_consequence = (
+                                value.get("inboundDomainSpoofingConsequence")
+                            )
+                            self.policies.unauthenticated_email_consequence = value.get(
+                                "unauthenticatedEmailConsequence"
+                            )
+                            self.policies.groups_spoofing_consequence = value.get(
+                                "groupsSpoofingConsequence"
+                            )
+                            logger.debug(
+                                "Gmail spoofing and authentication settings fetched."
+                            )
+
+                        elif setting_type == "gmail.pop_access":
+                            self.policies.enable_pop_access = value.get(
+                                "enablePopAccess"
+                            )
+                            logger.debug("Gmail POP access setting fetched.")
+
+                        elif setting_type == "gmail.imap_access":
+                            self.policies.enable_imap_access = value.get(
+                                "enableImapAccess"
+                            )
+                            logger.debug("Gmail IMAP access setting fetched.")
+
+                        elif setting_type == "gmail.auto_forwarding":
+                            self.policies.enable_auto_forwarding = value.get(
+                                "enableAutoForwarding"
+                            )
+                            logger.debug("Gmail auto-forwarding setting fetched.")
+
+                        elif setting_type == "gmail.per_user_outbound_gateway":
+                            self.policies.allow_per_user_outbound_gateway = value.get(
+                                "allowUsersToUseExternalSmtpServers"
+                            )
+                            logger.debug(
+                                "Gmail per-user outbound gateway setting fetched."
+                            )
+
+                        elif (
+                            setting_type
+                            == "gmail.enhanced_pre_delivery_message_scanning"
+                        ):
+                            self.policies.enable_enhanced_pre_delivery_scanning = (
+                                value.get("enableImprovedSuspiciousContentDetection")
+                            )
+                            logger.debug(
+                                "Gmail enhanced pre-delivery scanning setting fetched."
+                            )
+
+                        elif setting_type == "gmail.comprehensive_mail_storage":
+                            self.policies.comprehensive_mail_storage_enabled = (
+                                value.get("ruleId") is not None
+                            )
+                            logger.debug(
+                                "Gmail comprehensive mail storage setting fetched."
+                            )
+
+                    request = service.policies().list_next(request, response)
+
+                except Exception as error:
+                    self._handle_api_error(
+                        error,
+                        "fetching Gmail policies",
+                        self.provider.identity.customer_id,
+                    )
+                    fetch_succeeded = False
+                    break
+
+            self.policies_fetched = fetch_succeeded
+
+            logger.info("Gmail policies fetched successfully.")
+
+        except Exception as error:
+            self._handle_api_error(
+                error,
+                "fetching Gmail policies",
+                self.provider.identity.customer_id,
+            )
+            self.policies_fetched = False
+
+
+class GmailPolicies(BaseModel):
+    """Model for domain-level Gmail policy settings."""
+
+    # gmail.mail_delegation
+    enable_mail_delegation: Optional[bool] = None
+
+    # gmail.email_attachment_safety
+    encrypted_attachment_protection_consequence: Optional[str] = None
+    script_attachment_protection_consequence: Optional[str] = None
+    anomalous_attachment_protection_consequence: Optional[str] = None
+
+    # gmail.links_and_external_images
+    enable_shortener_scanning: Optional[bool] = None
+    enable_external_image_scanning: Optional[bool] = None
+    enable_aggressive_warnings_on_untrusted_links: Optional[bool] = None
+
+    # gmail.spoofing_and_authentication
+    domain_spoofing_consequence: Optional[str] = None
+    employee_name_spoofing_consequence: Optional[str] = None
+    inbound_domain_spoofing_consequence: Optional[str] = None
+    unauthenticated_email_consequence: Optional[str] = None
+    groups_spoofing_consequence: Optional[str] = None
+
+    # gmail.pop_access
+    enable_pop_access: Optional[bool] = None
+
+    # gmail.imap_access
+    enable_imap_access: Optional[bool] = None
+
+    # gmail.auto_forwarding
+    enable_auto_forwarding: Optional[bool] = None
+
+    # gmail.per_user_outbound_gateway
+    allow_per_user_outbound_gateway: Optional[bool] = None
+
+    # gmail.enhanced_pre_delivery_message_scanning
+    enable_enhanced_pre_delivery_scanning: Optional[bool] = None
+
+    # gmail.comprehensive_mail_storage
+    comprehensive_mail_storage_enabled: Optional[bool] = None

prowler/providers/googleworkspace/services/gmail/gmail_shortener_scanning_enabled/gmail_shortener_scanning_enabled.metadata.json

@@ -0,0 +1,40 @@
+{
+  "Provider": "googleworkspace",
+  "CheckID": "gmail_shortener_scanning_enabled",
+  "CheckTitle": "Identification of links behind shortened URLs is enabled",
+  "CheckType": [],
+  "ServiceName": "gmail",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "",
+  "Severity": "medium",
+  "ResourceType": "NotDefined",
+  "ResourceGroup": "collaboration",
+  "Description": "Gmail can identify and expand links behind shortened URLs (e.g., bit.ly, goo.gl) to check if the destination is malicious. URL shorteners are commonly used in phishing campaigns to obscure the true destination of a link.",
+  "Risk": "Without shortened URL scanning, attackers can use **URL shortening services** to hide malicious destinations in phishing emails. Users cannot visually verify where the link leads, increasing the success rate of **phishing and credential harvesting** attacks.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://support.google.com/a/answer/7676854",
+    "https://cloud.google.com/identity/docs/concepts/supported-policy-api-settings"
+  ],
+  "Remediation": {
+    "Code": {
+      "CLI": "",
+      "NativeIaC": "",
+      "Other": "1. Sign in to the Google **Admin console** at https://admin.google.com\n2. Navigate to **Apps** > **Google Workspace** > **Gmail**\n3. Click **Safety** > **Links and external images**\n4. Check **Identify links behind shortened URLs**\n5. Click **Save**",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "Enable identification of links behind shortened URLs so that Gmail can expand and scan shortened links for malicious content before users interact with them.",
+      "Url": "https://hub.prowler.com/check/gmail_shortener_scanning_enabled"
+    }
+  },
+  "Categories": [
+    "email-security"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [
+    "gmail_external_image_scanning_enabled",
+    "gmail_untrusted_link_warnings_enabled"
+  ],
+  "Notes": ""
+}

prowler/providers/googleworkspace/services/gmail/gmail_shortener_scanning_enabled/gmail_shortener_scanning_enabled.py

@@ -0,0 +1,53 @@
+from typing import List
+
+from prowler.lib.check.models import Check, CheckReportGoogleWorkspace
+from prowler.providers.googleworkspace.services.gmail.gmail_client import gmail_client
+
+
+class gmail_shortener_scanning_enabled(Check):
+    """Check that identification of links behind shortened URLs is enabled.
+
+    This check verifies that Gmail is configured to expand and scan
+    shortened URLs to identify potentially malicious destinations
+    hidden behind URL shortening services.
+    """
+
+    def execute(self) -> List[CheckReportGoogleWorkspace]:
+        findings = []
+
+        if gmail_client.policies_fetched:
+            report = CheckReportGoogleWorkspace(
+                metadata=self.metadata(),
+                resource=gmail_client.provider.identity,
+                resource_name=gmail_client.provider.identity.domain,
+                resource_id=gmail_client.provider.identity.customer_id,
+                customer_id=gmail_client.provider.identity.customer_id,
+                location="global",
+            )
+
+            scanning_enabled = gmail_client.policies.enable_shortener_scanning
+
+            if scanning_enabled is True:
+                report.status = "PASS"
+                report.status_extended = (
+                    f"Identification of links behind shortened URLs is enabled "
+                    f"in domain {gmail_client.provider.identity.domain}."
+                )
+            elif scanning_enabled is None:
+                report.status = "PASS"
+                report.status_extended = (
+                    f"Identification of links behind shortened URLs uses Google's "
+                    f"secure default configuration (enabled) "
+                    f"in domain {gmail_client.provider.identity.domain}."
+                )
+            else:
+                report.status = "FAIL"
+                report.status_extended = (
+                    f"Identification of links behind shortened URLs is disabled "
+                    f"in domain {gmail_client.provider.identity.domain}. "
+                    f"Shortened URL scanning should be enabled to detect hidden malicious links."
+                )
+
+            findings.append(report)
+
+        return findings

prowler/providers/googleworkspace/services/gmail/gmail_untrusted_link_warnings_enabled/gmail_untrusted_link_warnings_enabled.metadata.json

@@ -0,0 +1,40 @@
+{
+  "Provider": "googleworkspace",
+  "CheckID": "gmail_untrusted_link_warnings_enabled",
+  "CheckTitle": "Warning prompt for clicks on untrusted domain links is enabled",
+  "CheckType": [],
+  "ServiceName": "gmail",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "",
+  "Severity": "medium",
+  "ResourceType": "NotDefined",
+  "ResourceGroup": "collaboration",
+  "Description": "Gmail can display a warning prompt when users click on links to domains that are not trusted. This gives users an opportunity to reconsider before navigating to a potentially malicious website.",
+  "Risk": "Without untrusted link warnings, users may click on **phishing links** or links to **malware distribution sites** without any warning. This significantly increases the success rate of **social engineering attacks** targeting the organization.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://support.google.com/a/answer/7676854",
+    "https://cloud.google.com/identity/docs/concepts/supported-policy-api-settings"
+  ],
+  "Remediation": {
+    "Code": {
+      "CLI": "",
+      "NativeIaC": "",
+      "Other": "1. Sign in to the Google **Admin console** at https://admin.google.com\n2. Navigate to **Apps** > **Google Workspace** > **Gmail**\n3. Click **Safety** > **Links and external images**\n4. Check **Show warning prompt for any click on links to untrusted domains**\n5. Click **Save**",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "Enable warning prompts for clicks on untrusted domain links so users are alerted before navigating to potentially malicious websites from email links.",
+      "Url": "https://hub.prowler.com/check/gmail_untrusted_link_warnings_enabled"
+    }
+  },
+  "Categories": [
+    "email-security"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [
+    "gmail_shortener_scanning_enabled",
+    "gmail_external_image_scanning_enabled"
+  ],
+  "Notes": ""
+}

prowler/providers/googleworkspace/services/gmail/gmail_untrusted_link_warnings_enabled/gmail_untrusted_link_warnings_enabled.py

@@ -0,0 +1,55 @@
+from typing import List
+
+from prowler.lib.check.models import Check, CheckReportGoogleWorkspace
+from prowler.providers.googleworkspace.services.gmail.gmail_client import gmail_client
+
+
+class gmail_untrusted_link_warnings_enabled(Check):
+    """Check that warning prompts for clicks on untrusted domain links are enabled.
+
+    This check verifies that Gmail is configured to show warning prompts
+    when users click on links to domains that are not trusted, helping
+    prevent users from navigating to malicious sites.
+    """
+
+    def execute(self) -> List[CheckReportGoogleWorkspace]:
+        findings = []
+
+        if gmail_client.policies_fetched:
+            report = CheckReportGoogleWorkspace(
+                metadata=self.metadata(),
+                resource=gmail_client.provider.identity,
+                resource_name=gmail_client.provider.identity.domain,
+                resource_id=gmail_client.provider.identity.customer_id,
+                customer_id=gmail_client.provider.identity.customer_id,
+                location="global",
+            )
+
+            warnings_enabled = (
+                gmail_client.policies.enable_aggressive_warnings_on_untrusted_links
+            )
+
+            if warnings_enabled is True:
+                report.status = "PASS"
+                report.status_extended = (
+                    f"Warning prompts for clicks on untrusted domain links are enabled "
+                    f"in domain {gmail_client.provider.identity.domain}."
+                )
+            elif warnings_enabled is None:
+                report.status = "PASS"
+                report.status_extended = (
+                    f"Warning prompts for clicks on untrusted domain links uses Google's "
+                    f"secure default configuration (enabled) "
+                    f"in domain {gmail_client.provider.identity.domain}."
+                )
+            else:
+                report.status = "FAIL"
+                report.status_extended = (
+                    f"Warning prompts for clicks on untrusted domain links are disabled "
+                    f"in domain {gmail_client.provider.identity.domain}. "
+                    f"Untrusted link warnings should be enabled to protect users."
+                )
+
+            findings.append(report)
+
+        return findings

tests/providers/googleworkspace/services/gmail/gmail_auto_forwarding_disabled/gmail_auto_forwarding_disabled_test.py

@@ -0,0 +1,118 @@
+from unittest.mock import patch
+
+from prowler.providers.googleworkspace.services.gmail.gmail_service import GmailPolicies
+from tests.providers.googleworkspace.googleworkspace_fixtures import (
+    CUSTOMER_ID,
+    DOMAIN,
+    set_mocked_googleworkspace_provider,
+)
+
+
+class TestGmailAutoForwardingDisabled:
+    def test_pass(self):
+        mock_provider = set_mocked_googleworkspace_provider()
+
+        with (
+            patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=mock_provider,
+            ),
+            patch(
+                "prowler.providers.googleworkspace.services.gmail.gmail_auto_forwarding_disabled.gmail_auto_forwarding_disabled.gmail_client"
+            ) as mock_client,
+        ):
+            from prowler.providers.googleworkspace.services.gmail.gmail_auto_forwarding_disabled.gmail_auto_forwarding_disabled import (
+                gmail_auto_forwarding_disabled,
+            )
+
+            mock_client.provider = mock_provider
+            mock_client.policies_fetched = True
+            mock_client.policies = GmailPolicies(enable_auto_forwarding=False)
+
+            check = gmail_auto_forwarding_disabled()
+            findings = check.execute()
+
+            assert len(findings) == 1
+            assert findings[0].status == "PASS"
+            assert "disabled" in findings[0].status_extended
+            assert findings[0].resource_name == DOMAIN
+            assert findings[0].customer_id == CUSTOMER_ID
+
+    def test_fail_disabled(self):
+        mock_provider = set_mocked_googleworkspace_provider()
+
+        with (
+            patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=mock_provider,
+            ),
+            patch(
+                "prowler.providers.googleworkspace.services.gmail.gmail_auto_forwarding_disabled.gmail_auto_forwarding_disabled.gmail_client"
+            ) as mock_client,
+        ):
+            from prowler.providers.googleworkspace.services.gmail.gmail_auto_forwarding_disabled.gmail_auto_forwarding_disabled import (
+                gmail_auto_forwarding_disabled,
+            )
+
+            mock_client.provider = mock_provider
+            mock_client.policies_fetched = True
+            mock_client.policies = GmailPolicies(enable_auto_forwarding=True)
+
+            check = gmail_auto_forwarding_disabled()
+            findings = check.execute()
+
+            assert len(findings) == 1
+            assert findings[0].status == "FAIL"
+            assert "enabled" in findings[0].status_extended
+
+    def test_fail_no_policy_set(self):
+        mock_provider = set_mocked_googleworkspace_provider()
+
+        with (
+            patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=mock_provider,
+            ),
+            patch(
+                "prowler.providers.googleworkspace.services.gmail.gmail_auto_forwarding_disabled.gmail_auto_forwarding_disabled.gmail_client"
+            ) as mock_client,
+        ):
+            from prowler.providers.googleworkspace.services.gmail.gmail_auto_forwarding_disabled.gmail_auto_forwarding_disabled import (
+                gmail_auto_forwarding_disabled,
+            )
+
+            mock_client.provider = mock_provider
+            mock_client.policies_fetched = True
+            mock_client.policies = GmailPolicies(enable_auto_forwarding=None)
+
+            check = gmail_auto_forwarding_disabled()
+            findings = check.execute()
+
+            assert len(findings) == 1
+            assert findings[0].status == "FAIL"
+            assert "not explicitly configured" in findings[0].status_extended
+
+    def test_no_findings_when_fetch_failed(self):
+        mock_provider = set_mocked_googleworkspace_provider()
+
+        with (
+            patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=mock_provider,
+            ),
+            patch(
+                "prowler.providers.googleworkspace.services.gmail.gmail_auto_forwarding_disabled.gmail_auto_forwarding_disabled.gmail_client"
+            ) as mock_client,
+        ):
+            from prowler.providers.googleworkspace.services.gmail.gmail_auto_forwarding_disabled.gmail_auto_forwarding_disabled import (
+                gmail_auto_forwarding_disabled,
+            )
+
+            mock_client.provider = mock_provider
+            mock_client.policies_fetched = False
+            mock_client.policies = GmailPolicies()
+
+            check = gmail_auto_forwarding_disabled()
+            findings = check.execute()
+
+            assert len(findings) == 0

tests/providers/googleworkspace/services/gmail/gmail_comprehensive_mail_storage_enabled/gmail_comprehensive_mail_storage_enabled_test.py

@@ -0,0 +1,124 @@
+from unittest.mock import patch
+
+from prowler.providers.googleworkspace.services.gmail.gmail_service import GmailPolicies
+from tests.providers.googleworkspace.googleworkspace_fixtures import (
+    CUSTOMER_ID,
+    DOMAIN,
+    set_mocked_googleworkspace_provider,
+)
+
+
+class TestGmailComprehensiveMailStorageEnabled:
+    def test_pass(self):
+        mock_provider = set_mocked_googleworkspace_provider()
+
+        with (
+            patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=mock_provider,
+            ),
+            patch(
+                "prowler.providers.googleworkspace.services.gmail.gmail_comprehensive_mail_storage_enabled.gmail_comprehensive_mail_storage_enabled.gmail_client"
+            ) as mock_client,
+        ):
+            from prowler.providers.googleworkspace.services.gmail.gmail_comprehensive_mail_storage_enabled.gmail_comprehensive_mail_storage_enabled import (
+                gmail_comprehensive_mail_storage_enabled,
+            )
+
+            mock_client.provider = mock_provider
+            mock_client.policies_fetched = True
+            mock_client.policies = GmailPolicies(
+                comprehensive_mail_storage_enabled=True
+            )
+
+            check = gmail_comprehensive_mail_storage_enabled()
+            findings = check.execute()
+
+            assert len(findings) == 1
+            assert findings[0].status == "PASS"
+            assert "enabled" in findings[0].status_extended
+            assert findings[0].resource_name == DOMAIN
+            assert findings[0].customer_id == CUSTOMER_ID
+
+    def test_fail_disabled(self):
+        mock_provider = set_mocked_googleworkspace_provider()
+
+        with (
+            patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=mock_provider,
+            ),
+            patch(
+                "prowler.providers.googleworkspace.services.gmail.gmail_comprehensive_mail_storage_enabled.gmail_comprehensive_mail_storage_enabled.gmail_client"
+            ) as mock_client,
+        ):
+            from prowler.providers.googleworkspace.services.gmail.gmail_comprehensive_mail_storage_enabled.gmail_comprehensive_mail_storage_enabled import (
+                gmail_comprehensive_mail_storage_enabled,
+            )
+
+            mock_client.provider = mock_provider
+            mock_client.policies_fetched = True
+            mock_client.policies = GmailPolicies(
+                comprehensive_mail_storage_enabled=False
+            )
+
+            check = gmail_comprehensive_mail_storage_enabled()
+            findings = check.execute()
+
+            assert len(findings) == 1
+            assert findings[0].status == "FAIL"
+            assert "disabled" in findings[0].status_extended
+
+    def test_fail_no_policy_set(self):
+        mock_provider = set_mocked_googleworkspace_provider()
+
+        with (
+            patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=mock_provider,
+            ),
+            patch(
+                "prowler.providers.googleworkspace.services.gmail.gmail_comprehensive_mail_storage_enabled.gmail_comprehensive_mail_storage_enabled.gmail_client"
+            ) as mock_client,
+        ):
+            from prowler.providers.googleworkspace.services.gmail.gmail_comprehensive_mail_storage_enabled.gmail_comprehensive_mail_storage_enabled import (
+                gmail_comprehensive_mail_storage_enabled,
+            )
+
+            mock_client.provider = mock_provider
+            mock_client.policies_fetched = True
+            mock_client.policies = GmailPolicies(
+                comprehensive_mail_storage_enabled=None
+            )
+
+            check = gmail_comprehensive_mail_storage_enabled()
+            findings = check.execute()
+
+            assert len(findings) == 1
+            assert findings[0].status == "FAIL"
+            assert "not explicitly configured" in findings[0].status_extended
+
+    def test_no_findings_when_fetch_failed(self):
+        mock_provider = set_mocked_googleworkspace_provider()
+
+        with (
+            patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=mock_provider,
+            ),
+            patch(
+                "prowler.providers.googleworkspace.services.gmail.gmail_comprehensive_mail_storage_enabled.gmail_comprehensive_mail_storage_enabled.gmail_client"
+            ) as mock_client,
+        ):
+            from prowler.providers.googleworkspace.services.gmail.gmail_comprehensive_mail_storage_enabled.gmail_comprehensive_mail_storage_enabled import (
+                gmail_comprehensive_mail_storage_enabled,
+            )
+
+            mock_client.provider = mock_provider
+            mock_client.policies_fetched = False
+            mock_client.policies = GmailPolicies()
+
+            check = gmail_comprehensive_mail_storage_enabled()
+            findings = check.execute()
+
+            assert len(findings) == 0

tests/providers/googleworkspace/services/gmail/gmail_enhanced_pre_delivery_scanning_enabled/gmail_enhanced_pre_delivery_scanning_enabled_test.py

@@ -0,0 +1,124 @@
+from unittest.mock import patch
+
+from prowler.providers.googleworkspace.services.gmail.gmail_service import GmailPolicies
+from tests.providers.googleworkspace.googleworkspace_fixtures import (
+    CUSTOMER_ID,
+    DOMAIN,
+    set_mocked_googleworkspace_provider,
+)
+
+
+class TestGmailEnhancedPreDeliveryScanningEnabled:
+    def test_pass(self):
+        mock_provider = set_mocked_googleworkspace_provider()
+
+        with (
+            patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=mock_provider,
+            ),
+            patch(
+                "prowler.providers.googleworkspace.services.gmail.gmail_enhanced_pre_delivery_scanning_enabled.gmail_enhanced_pre_delivery_scanning_enabled.gmail_client"
+            ) as mock_client,
+        ):
+            from prowler.providers.googleworkspace.services.gmail.gmail_enhanced_pre_delivery_scanning_enabled.gmail_enhanced_pre_delivery_scanning_enabled import (
+                gmail_enhanced_pre_delivery_scanning_enabled,
+            )
+
+            mock_client.provider = mock_provider
+            mock_client.policies_fetched = True
+            mock_client.policies = GmailPolicies(
+                enable_enhanced_pre_delivery_scanning=True
+            )
+
+            check = gmail_enhanced_pre_delivery_scanning_enabled()
+            findings = check.execute()
+
+            assert len(findings) == 1
+            assert findings[0].status == "PASS"
+            assert "enabled" in findings[0].status_extended
+            assert findings[0].resource_name == DOMAIN
+            assert findings[0].customer_id == CUSTOMER_ID
+
+    def test_fail_disabled(self):
+        mock_provider = set_mocked_googleworkspace_provider()
+
+        with (
+            patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=mock_provider,
+            ),
+            patch(
+                "prowler.providers.googleworkspace.services.gmail.gmail_enhanced_pre_delivery_scanning_enabled.gmail_enhanced_pre_delivery_scanning_enabled.gmail_client"
+            ) as mock_client,
+        ):
+            from prowler.providers.googleworkspace.services.gmail.gmail_enhanced_pre_delivery_scanning_enabled.gmail_enhanced_pre_delivery_scanning_enabled import (
+                gmail_enhanced_pre_delivery_scanning_enabled,
+            )
+
+            mock_client.provider = mock_provider
+            mock_client.policies_fetched = True
+            mock_client.policies = GmailPolicies(
+                enable_enhanced_pre_delivery_scanning=False
+            )
+
+            check = gmail_enhanced_pre_delivery_scanning_enabled()
+            findings = check.execute()
+
+            assert len(findings) == 1
+            assert findings[0].status == "FAIL"
+            assert "disabled" in findings[0].status_extended
+
+    def test_pass_using_default(self):
+        mock_provider = set_mocked_googleworkspace_provider()
+
+        with (
+            patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=mock_provider,
+            ),
+            patch(
+                "prowler.providers.googleworkspace.services.gmail.gmail_enhanced_pre_delivery_scanning_enabled.gmail_enhanced_pre_delivery_scanning_enabled.gmail_client"
+            ) as mock_client,
+        ):
+            from prowler.providers.googleworkspace.services.gmail.gmail_enhanced_pre_delivery_scanning_enabled.gmail_enhanced_pre_delivery_scanning_enabled import (
+                gmail_enhanced_pre_delivery_scanning_enabled,
+            )
+
+            mock_client.provider = mock_provider
+            mock_client.policies_fetched = True
+            mock_client.policies = GmailPolicies(
+                enable_enhanced_pre_delivery_scanning=None
+            )
+
+            check = gmail_enhanced_pre_delivery_scanning_enabled()
+            findings = check.execute()
+
+            assert len(findings) == 1
+            assert findings[0].status == "PASS"
+            assert "secure default" in findings[0].status_extended
+
+    def test_no_findings_when_fetch_failed(self):
+        mock_provider = set_mocked_googleworkspace_provider()
+
+        with (
+            patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=mock_provider,
+            ),
+            patch(
+                "prowler.providers.googleworkspace.services.gmail.gmail_enhanced_pre_delivery_scanning_enabled.gmail_enhanced_pre_delivery_scanning_enabled.gmail_client"
+            ) as mock_client,
+        ):
+            from prowler.providers.googleworkspace.services.gmail.gmail_enhanced_pre_delivery_scanning_enabled.gmail_enhanced_pre_delivery_scanning_enabled import (
+                gmail_enhanced_pre_delivery_scanning_enabled,
+            )
+
+            mock_client.provider = mock_provider
+            mock_client.policies_fetched = False
+            mock_client.policies = GmailPolicies()
+
+            check = gmail_enhanced_pre_delivery_scanning_enabled()
+            findings = check.execute()
+
+            assert len(findings) == 0

tests/providers/googleworkspace/services/gmail/gmail_external_image_scanning_enabled/gmail_external_image_scanning_enabled_test.py

@@ -0,0 +1,118 @@
+from unittest.mock import patch
+
+from prowler.providers.googleworkspace.services.gmail.gmail_service import GmailPolicies
+from tests.providers.googleworkspace.googleworkspace_fixtures import (
+    CUSTOMER_ID,
+    DOMAIN,
+    set_mocked_googleworkspace_provider,
+)
+
+
+class TestGmailExternalImageScanningEnabled:
+    def test_pass(self):
+        mock_provider = set_mocked_googleworkspace_provider()
+
+        with (
+            patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=mock_provider,
+            ),
+            patch(
+                "prowler.providers.googleworkspace.services.gmail.gmail_external_image_scanning_enabled.gmail_external_image_scanning_enabled.gmail_client"
+            ) as mock_client,
+        ):
+            from prowler.providers.googleworkspace.services.gmail.gmail_external_image_scanning_enabled.gmail_external_image_scanning_enabled import (
+                gmail_external_image_scanning_enabled,
+            )
+
+            mock_client.provider = mock_provider
+            mock_client.policies_fetched = True
+            mock_client.policies = GmailPolicies(enable_external_image_scanning=True)
+
+            check = gmail_external_image_scanning_enabled()
+            findings = check.execute()
+
+            assert len(findings) == 1
+            assert findings[0].status == "PASS"
+            assert "enabled" in findings[0].status_extended
+            assert findings[0].resource_name == DOMAIN
+            assert findings[0].customer_id == CUSTOMER_ID
+
+    def test_fail_disabled(self):
+        mock_provider = set_mocked_googleworkspace_provider()
+
+        with (
+            patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=mock_provider,
+            ),
+            patch(
+                "prowler.providers.googleworkspace.services.gmail.gmail_external_image_scanning_enabled.gmail_external_image_scanning_enabled.gmail_client"
+            ) as mock_client,
+        ):
+            from prowler.providers.googleworkspace.services.gmail.gmail_external_image_scanning_enabled.gmail_external_image_scanning_enabled import (
+                gmail_external_image_scanning_enabled,
+            )
+
+            mock_client.provider = mock_provider
+            mock_client.policies_fetched = True
+            mock_client.policies = GmailPolicies(enable_external_image_scanning=False)
+
+            check = gmail_external_image_scanning_enabled()
+            findings = check.execute()
+
+            assert len(findings) == 1
+            assert findings[0].status == "FAIL"
+            assert "disabled" in findings[0].status_extended
+
+    def test_pass_using_default(self):
+        mock_provider = set_mocked_googleworkspace_provider()
+
+        with (
+            patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=mock_provider,
+            ),
+            patch(
+                "prowler.providers.googleworkspace.services.gmail.gmail_external_image_scanning_enabled.gmail_external_image_scanning_enabled.gmail_client"
+            ) as mock_client,
+        ):
+            from prowler.providers.googleworkspace.services.gmail.gmail_external_image_scanning_enabled.gmail_external_image_scanning_enabled import (
+                gmail_external_image_scanning_enabled,
+            )
+
+            mock_client.provider = mock_provider
+            mock_client.policies_fetched = True
+            mock_client.policies = GmailPolicies(enable_external_image_scanning=None)
+
+            check = gmail_external_image_scanning_enabled()
+            findings = check.execute()
+
+            assert len(findings) == 1
+            assert findings[0].status == "PASS"
+            assert "secure default" in findings[0].status_extended
+
+    def test_no_findings_when_fetch_failed(self):
+        mock_provider = set_mocked_googleworkspace_provider()
+
+        with (
+            patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=mock_provider,
+            ),
+            patch(
+                "prowler.providers.googleworkspace.services.gmail.gmail_external_image_scanning_enabled.gmail_external_image_scanning_enabled.gmail_client"
+            ) as mock_client,
+        ):
+            from prowler.providers.googleworkspace.services.gmail.gmail_external_image_scanning_enabled.gmail_external_image_scanning_enabled import (
+                gmail_external_image_scanning_enabled,
+            )
+
+            mock_client.provider = mock_provider
+            mock_client.policies_fetched = False
+            mock_client.policies = GmailPolicies()
+
+            check = gmail_external_image_scanning_enabled()
+            findings = check.execute()
+
+            assert len(findings) == 0

tests/providers/googleworkspace/services/gmail/gmail_mail_delegation_disabled/gmail_mail_delegation_disabled_test.py

@@ -0,0 +1,118 @@
+from unittest.mock import patch
+
+from prowler.providers.googleworkspace.services.gmail.gmail_service import GmailPolicies
+from tests.providers.googleworkspace.googleworkspace_fixtures import (
+    CUSTOMER_ID,
+    DOMAIN,
+    set_mocked_googleworkspace_provider,
+)
+
+
+class TestGmailMailDelegationDisabled:
+    def test_pass_delegation_disabled(self):
+        mock_provider = set_mocked_googleworkspace_provider()
+
+        with (
+            patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=mock_provider,
+            ),
+            patch(
+                "prowler.providers.googleworkspace.services.gmail.gmail_mail_delegation_disabled.gmail_mail_delegation_disabled.gmail_client"
+            ) as mock_client,
+        ):
+            from prowler.providers.googleworkspace.services.gmail.gmail_mail_delegation_disabled.gmail_mail_delegation_disabled import (
+                gmail_mail_delegation_disabled,
+            )
+
+            mock_client.provider = mock_provider
+            mock_client.policies_fetched = True
+            mock_client.policies = GmailPolicies(enable_mail_delegation=False)
+
+            check = gmail_mail_delegation_disabled()
+            findings = check.execute()
+
+            assert len(findings) == 1
+            assert findings[0].status == "PASS"
+            assert "disabled" in findings[0].status_extended
+            assert findings[0].resource_name == DOMAIN
+            assert findings[0].customer_id == CUSTOMER_ID
+
+    def test_fail_delegation_enabled(self):
+        mock_provider = set_mocked_googleworkspace_provider()
+
+        with (
+            patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=mock_provider,
+            ),
+            patch(
+                "prowler.providers.googleworkspace.services.gmail.gmail_mail_delegation_disabled.gmail_mail_delegation_disabled.gmail_client"
+            ) as mock_client,
+        ):
+            from prowler.providers.googleworkspace.services.gmail.gmail_mail_delegation_disabled.gmail_mail_delegation_disabled import (
+                gmail_mail_delegation_disabled,
+            )
+
+            mock_client.provider = mock_provider
+            mock_client.policies_fetched = True
+            mock_client.policies = GmailPolicies(enable_mail_delegation=True)
+
+            check = gmail_mail_delegation_disabled()
+            findings = check.execute()
+
+            assert len(findings) == 1
+            assert findings[0].status == "FAIL"
+            assert "enabled" in findings[0].status_extended
+
+    def test_pass_using_default(self):
+        mock_provider = set_mocked_googleworkspace_provider()
+
+        with (
+            patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=mock_provider,
+            ),
+            patch(
+                "prowler.providers.googleworkspace.services.gmail.gmail_mail_delegation_disabled.gmail_mail_delegation_disabled.gmail_client"
+            ) as mock_client,
+        ):
+            from prowler.providers.googleworkspace.services.gmail.gmail_mail_delegation_disabled.gmail_mail_delegation_disabled import (
+                gmail_mail_delegation_disabled,
+            )
+
+            mock_client.provider = mock_provider
+            mock_client.policies_fetched = True
+            mock_client.policies = GmailPolicies(enable_mail_delegation=None)
+
+            check = gmail_mail_delegation_disabled()
+            findings = check.execute()
+
+            assert len(findings) == 1
+            assert findings[0].status == "PASS"
+            assert "secure default" in findings[0].status_extended
+
+    def test_no_findings_when_fetch_failed(self):
+        mock_provider = set_mocked_googleworkspace_provider()
+
+        with (
+            patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=mock_provider,
+            ),
+            patch(
+                "prowler.providers.googleworkspace.services.gmail.gmail_mail_delegation_disabled.gmail_mail_delegation_disabled.gmail_client"
+            ) as mock_client,
+        ):
+            from prowler.providers.googleworkspace.services.gmail.gmail_mail_delegation_disabled.gmail_mail_delegation_disabled import (
+                gmail_mail_delegation_disabled,
+            )
+
+            mock_client.provider = mock_provider
+            mock_client.policies_fetched = False
+            mock_client.policies = GmailPolicies()
+
+            check = gmail_mail_delegation_disabled()
+            findings = check.execute()
+
+            assert len(findings) == 0

tests/providers/googleworkspace/services/gmail/gmail_per_user_outbound_gateway_disabled/gmail_per_user_outbound_gateway_disabled_test.py

@@ -0,0 +1,118 @@
+from unittest.mock import patch
+
+from prowler.providers.googleworkspace.services.gmail.gmail_service import GmailPolicies
+from tests.providers.googleworkspace.googleworkspace_fixtures import (
+    CUSTOMER_ID,
+    DOMAIN,
+    set_mocked_googleworkspace_provider,
+)
+
+
+class TestGmailPerUserOutboundGatewayDisabled:
+    def test_pass(self):
+        mock_provider = set_mocked_googleworkspace_provider()
+
+        with (
+            patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=mock_provider,
+            ),
+            patch(
+                "prowler.providers.googleworkspace.services.gmail.gmail_per_user_outbound_gateway_disabled.gmail_per_user_outbound_gateway_disabled.gmail_client"
+            ) as mock_client,
+        ):
+            from prowler.providers.googleworkspace.services.gmail.gmail_per_user_outbound_gateway_disabled.gmail_per_user_outbound_gateway_disabled import (
+                gmail_per_user_outbound_gateway_disabled,
+            )
+
+            mock_client.provider = mock_provider
+            mock_client.policies_fetched = True
+            mock_client.policies = GmailPolicies(allow_per_user_outbound_gateway=False)
+
+            check = gmail_per_user_outbound_gateway_disabled()
+            findings = check.execute()
+
+            assert len(findings) == 1
+            assert findings[0].status == "PASS"
+            assert "disabled" in findings[0].status_extended
+            assert findings[0].resource_name == DOMAIN
+            assert findings[0].customer_id == CUSTOMER_ID
+
+    def test_fail_disabled(self):
+        mock_provider = set_mocked_googleworkspace_provider()
+
+        with (
+            patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=mock_provider,
+            ),
+            patch(
+                "prowler.providers.googleworkspace.services.gmail.gmail_per_user_outbound_gateway_disabled.gmail_per_user_outbound_gateway_disabled.gmail_client"
+            ) as mock_client,
+        ):
+            from prowler.providers.googleworkspace.services.gmail.gmail_per_user_outbound_gateway_disabled.gmail_per_user_outbound_gateway_disabled import (
+                gmail_per_user_outbound_gateway_disabled,
+            )
+
+            mock_client.provider = mock_provider
+            mock_client.policies_fetched = True
+            mock_client.policies = GmailPolicies(allow_per_user_outbound_gateway=True)
+
+            check = gmail_per_user_outbound_gateway_disabled()
+            findings = check.execute()
+
+            assert len(findings) == 1
+            assert findings[0].status == "FAIL"
+            assert "enabled" in findings[0].status_extended
+
+    def test_pass_using_default(self):
+        mock_provider = set_mocked_googleworkspace_provider()
+
+        with (
+            patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=mock_provider,
+            ),
+            patch(
+                "prowler.providers.googleworkspace.services.gmail.gmail_per_user_outbound_gateway_disabled.gmail_per_user_outbound_gateway_disabled.gmail_client"
+            ) as mock_client,
+        ):
+            from prowler.providers.googleworkspace.services.gmail.gmail_per_user_outbound_gateway_disabled.gmail_per_user_outbound_gateway_disabled import (
+                gmail_per_user_outbound_gateway_disabled,
+            )
+
+            mock_client.provider = mock_provider
+            mock_client.policies_fetched = True
+            mock_client.policies = GmailPolicies(allow_per_user_outbound_gateway=None)
+
+            check = gmail_per_user_outbound_gateway_disabled()
+            findings = check.execute()
+
+            assert len(findings) == 1
+            assert findings[0].status == "PASS"
+            assert "secure default" in findings[0].status_extended
+
+    def test_no_findings_when_fetch_failed(self):
+        mock_provider = set_mocked_googleworkspace_provider()
+
+        with (
+            patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=mock_provider,
+            ),
+            patch(
+                "prowler.providers.googleworkspace.services.gmail.gmail_per_user_outbound_gateway_disabled.gmail_per_user_outbound_gateway_disabled.gmail_client"
+            ) as mock_client,
+        ):
+            from prowler.providers.googleworkspace.services.gmail.gmail_per_user_outbound_gateway_disabled.gmail_per_user_outbound_gateway_disabled import (
+                gmail_per_user_outbound_gateway_disabled,
+            )
+
+            mock_client.provider = mock_provider
+            mock_client.policies_fetched = False
+            mock_client.policies = GmailPolicies()
+
+            check = gmail_per_user_outbound_gateway_disabled()
+            findings = check.execute()
+
+            assert len(findings) == 0

tests/providers/googleworkspace/services/gmail/gmail_pop_imap_access_disabled/gmail_pop_imap_access_disabled_test.py

@@ -0,0 +1,183 @@
+from unittest.mock import patch
+
+from prowler.providers.googleworkspace.services.gmail.gmail_service import GmailPolicies
+from tests.providers.googleworkspace.googleworkspace_fixtures import (
+    CUSTOMER_ID,
+    DOMAIN,
+    set_mocked_googleworkspace_provider,
+)
+
+
+class TestGmailPopImapAccessDisabled:
+    def test_pass_both_disabled(self):
+        mock_provider = set_mocked_googleworkspace_provider()
+
+        with (
+            patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=mock_provider,
+            ),
+            patch(
+                "prowler.providers.googleworkspace.services.gmail.gmail_pop_imap_access_disabled.gmail_pop_imap_access_disabled.gmail_client"
+            ) as mock_client,
+        ):
+            from prowler.providers.googleworkspace.services.gmail.gmail_pop_imap_access_disabled.gmail_pop_imap_access_disabled import (
+                gmail_pop_imap_access_disabled,
+            )
+
+            mock_client.provider = mock_provider
+            mock_client.policies_fetched = True
+            mock_client.policies = GmailPolicies(
+                enable_pop_access=False, enable_imap_access=False
+            )
+
+            check = gmail_pop_imap_access_disabled()
+            findings = check.execute()
+
+            assert len(findings) == 1
+            assert findings[0].status == "PASS"
+            assert "disabled" in findings[0].status_extended
+            assert findings[0].resource_name == DOMAIN
+            assert findings[0].customer_id == CUSTOMER_ID
+
+    def test_fail_both_enabled(self):
+        mock_provider = set_mocked_googleworkspace_provider()
+
+        with (
+            patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=mock_provider,
+            ),
+            patch(
+                "prowler.providers.googleworkspace.services.gmail.gmail_pop_imap_access_disabled.gmail_pop_imap_access_disabled.gmail_client"
+            ) as mock_client,
+        ):
+            from prowler.providers.googleworkspace.services.gmail.gmail_pop_imap_access_disabled.gmail_pop_imap_access_disabled import (
+                gmail_pop_imap_access_disabled,
+            )
+
+            mock_client.provider = mock_provider
+            mock_client.policies_fetched = True
+            mock_client.policies = GmailPolicies(
+                enable_pop_access=True, enable_imap_access=True
+            )
+
+            check = gmail_pop_imap_access_disabled()
+            findings = check.execute()
+
+            assert len(findings) == 1
+            assert findings[0].status == "FAIL"
+            assert "POP" in findings[0].status_extended
+            assert "IMAP" in findings[0].status_extended
+
+    def test_fail_pop_enabled_only(self):
+        mock_provider = set_mocked_googleworkspace_provider()
+
+        with (
+            patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=mock_provider,
+            ),
+            patch(
+                "prowler.providers.googleworkspace.services.gmail.gmail_pop_imap_access_disabled.gmail_pop_imap_access_disabled.gmail_client"
+            ) as mock_client,
+        ):
+            from prowler.providers.googleworkspace.services.gmail.gmail_pop_imap_access_disabled.gmail_pop_imap_access_disabled import (
+                gmail_pop_imap_access_disabled,
+            )
+
+            mock_client.provider = mock_provider
+            mock_client.policies_fetched = True
+            mock_client.policies = GmailPolicies(
+                enable_pop_access=True, enable_imap_access=False
+            )
+
+            check = gmail_pop_imap_access_disabled()
+            findings = check.execute()
+
+            assert len(findings) == 1
+            assert findings[0].status == "FAIL"
+            assert "POP" in findings[0].status_extended
+
+    def test_fail_imap_enabled_only(self):
+        mock_provider = set_mocked_googleworkspace_provider()
+
+        with (
+            patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=mock_provider,
+            ),
+            patch(
+                "prowler.providers.googleworkspace.services.gmail.gmail_pop_imap_access_disabled.gmail_pop_imap_access_disabled.gmail_client"
+            ) as mock_client,
+        ):
+            from prowler.providers.googleworkspace.services.gmail.gmail_pop_imap_access_disabled.gmail_pop_imap_access_disabled import (
+                gmail_pop_imap_access_disabled,
+            )
+
+            mock_client.provider = mock_provider
+            mock_client.policies_fetched = True
+            mock_client.policies = GmailPolicies(
+                enable_pop_access=False, enable_imap_access=True
+            )
+
+            check = gmail_pop_imap_access_disabled()
+            findings = check.execute()
+
+            assert len(findings) == 1
+            assert findings[0].status == "FAIL"
+            assert "IMAP" in findings[0].status_extended
+
+    def test_fail_no_policy_set(self):
+        mock_provider = set_mocked_googleworkspace_provider()
+
+        with (
+            patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=mock_provider,
+            ),
+            patch(
+                "prowler.providers.googleworkspace.services.gmail.gmail_pop_imap_access_disabled.gmail_pop_imap_access_disabled.gmail_client"
+            ) as mock_client,
+        ):
+            from prowler.providers.googleworkspace.services.gmail.gmail_pop_imap_access_disabled.gmail_pop_imap_access_disabled import (
+                gmail_pop_imap_access_disabled,
+            )
+
+            mock_client.provider = mock_provider
+            mock_client.policies_fetched = True
+            mock_client.policies = GmailPolicies(
+                enable_pop_access=None, enable_imap_access=None
+            )
+
+            check = gmail_pop_imap_access_disabled()
+            findings = check.execute()
+
+            assert len(findings) == 1
+            assert findings[0].status == "FAIL"
+            assert "not explicitly configured" in findings[0].status_extended
+
+    def test_no_findings_when_fetch_failed(self):
+        mock_provider = set_mocked_googleworkspace_provider()
+
+        with (
+            patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=mock_provider,
+            ),
+            patch(
+                "prowler.providers.googleworkspace.services.gmail.gmail_pop_imap_access_disabled.gmail_pop_imap_access_disabled.gmail_client"
+            ) as mock_client,
+        ):
+            from prowler.providers.googleworkspace.services.gmail.gmail_pop_imap_access_disabled.gmail_pop_imap_access_disabled import (
+                gmail_pop_imap_access_disabled,
+            )
+
+            mock_client.provider = mock_provider
+            mock_client.policies_fetched = False
+            mock_client.policies = GmailPolicies()
+
+            check = gmail_pop_imap_access_disabled()
+            findings = check.execute()
+
+            assert len(findings) == 0

tests/providers/googleworkspace/services/gmail/gmail_service_test.py

@@ -0,0 +1,376 @@
+from unittest.mock import MagicMock, patch
+
+from tests.providers.googleworkspace.googleworkspace_fixtures import (
+    set_mocked_googleworkspace_provider,
+)
+
+
+class TestGmailService:
+    def test_gmail_fetch_policies_all_settings(self):
+        """Test fetching all 10 Gmail policy settings from Cloud Identity API"""
+        mock_provider = set_mocked_googleworkspace_provider()
+        mock_provider.audit_config = {}
+        mock_provider.fixer_config = {}
+        mock_credentials = MagicMock()
+        mock_session = MagicMock()
+        mock_session.credentials = mock_credentials
+        mock_provider.session = mock_session
+
+        mock_service = MagicMock()
+        mock_policies_list = MagicMock()
+        mock_policies_list.execute.return_value = {
+            "policies": [
+                {
+                    "setting": {
+                        "type": "settings/gmail.mail_delegation",
+                        "value": {"enableMailDelegation": False},
+                    }
+                },
+                {
+                    "setting": {
+                        "type": "settings/gmail.email_attachment_safety",
+                        "value": {
+                            "encryptedAttachmentProtectionConsequence": "SPAM_FOLDER",
+                            "scriptAttachmentProtectionConsequence": "QUARANTINE",
+                            "anomalousAttachmentProtectionConsequence": "WARNING",
+                        },
+                    }
+                },
+                {
+                    "setting": {
+                        "type": "settings/gmail.links_and_external_images",
+                        "value": {
+                            "enableShortenerScanning": True,
+                            "enableExternalImageScanning": True,
+                            "enableAggressiveWarningsOnUntrustedLinks": True,
+                        },
+                    }
+                },
+                {
+                    "setting": {
+                        "type": "settings/gmail.spoofing_and_authentication",
+                        "value": {
+                            "domainSpoofingConsequence": "SPAM_FOLDER",
+                            "employeeNameSpoofingConsequence": "SPAM_FOLDER",
+                            "inboundDomainSpoofingConsequence": "QUARANTINE",
+                            "unauthenticatedEmailConsequence": "WARNING",
+                            "groupsSpoofingConsequence": "SPAM_FOLDER",
+                        },
+                    }
+                },
+                {
+                    "setting": {
+                        "type": "settings/gmail.pop_access",
+                        "value": {"enablePopAccess": False},
+                    }
+                },
+                {
+                    "setting": {
+                        "type": "settings/gmail.imap_access",
+                        "value": {"enableImapAccess": False},
+                    }
+                },
+                {
+                    "setting": {
+                        "type": "settings/gmail.auto_forwarding",
+                        "value": {"enableAutoForwarding": False},
+                    }
+                },
+                {
+                    "setting": {
+                        "type": "settings/gmail.per_user_outbound_gateway",
+                        "value": {"allowUsersToUseExternalSmtpServers": False},
+                    }
+                },
+                {
+                    "setting": {
+                        "type": "settings/gmail.enhanced_pre_delivery_message_scanning",
+                        "value": {"enableImprovedSuspiciousContentDetection": True},
+                    }
+                },
+                {
+                    "setting": {
+                        "type": "settings/gmail.comprehensive_mail_storage",
+                        "value": {"ruleId": "rule-abc-123"},
+                    }
+                },
+            ]
+        }
+        mock_service.policies().list.return_value = mock_policies_list
+        mock_service.policies().list_next.return_value = None
+
+        with (
+            patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=mock_provider,
+            ),
+            patch(
+                "prowler.providers.googleworkspace.services.gmail.gmail_service.GoogleWorkspaceService._build_service",
+                return_value=mock_service,
+            ),
+        ):
+            from prowler.providers.googleworkspace.services.gmail.gmail_service import (
+                Gmail,
+            )
+
+            gmail = Gmail(mock_provider)
+
+            assert gmail.policies_fetched is True
+            assert gmail.policies.enable_mail_delegation is False
+            assert (
+                gmail.policies.encrypted_attachment_protection_consequence
+                == "SPAM_FOLDER"
+            )
+            assert (
+                gmail.policies.script_attachment_protection_consequence == "QUARANTINE"
+            )
+            assert (
+                gmail.policies.anomalous_attachment_protection_consequence == "WARNING"
+            )
+            assert gmail.policies.enable_shortener_scanning is True
+            assert gmail.policies.enable_external_image_scanning is True
+            assert gmail.policies.enable_aggressive_warnings_on_untrusted_links is True
+            assert gmail.policies.domain_spoofing_consequence == "SPAM_FOLDER"
+            assert gmail.policies.employee_name_spoofing_consequence == "SPAM_FOLDER"
+            assert gmail.policies.inbound_domain_spoofing_consequence == "QUARANTINE"
+            assert gmail.policies.unauthenticated_email_consequence == "WARNING"
+            assert gmail.policies.groups_spoofing_consequence == "SPAM_FOLDER"
+            assert gmail.policies.enable_pop_access is False
+            assert gmail.policies.enable_imap_access is False
+            assert gmail.policies.enable_auto_forwarding is False
+            assert gmail.policies.allow_per_user_outbound_gateway is False
+            assert gmail.policies.enable_enhanced_pre_delivery_scanning is True
+            assert gmail.policies.comprehensive_mail_storage_enabled is True
+
+    def test_gmail_fetch_policies_empty_response(self):
+        """Test handling empty policies response"""
+        mock_provider = set_mocked_googleworkspace_provider()
+        mock_provider.audit_config = {}
+        mock_provider.fixer_config = {}
+        mock_session = MagicMock()
+        mock_session.credentials = MagicMock()
+        mock_provider.session = mock_session
+
+        mock_service = MagicMock()
+        mock_policies_list = MagicMock()
+        mock_policies_list.execute.return_value = {"policies": []}
+        mock_service.policies().list.return_value = mock_policies_list
+        mock_service.policies().list_next.return_value = None
+
+        with (
+            patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=mock_provider,
+            ),
+            patch(
+                "prowler.providers.googleworkspace.services.gmail.gmail_service.GoogleWorkspaceService._build_service",
+                return_value=mock_service,
+            ),
+        ):
+            from prowler.providers.googleworkspace.services.gmail.gmail_service import (
+                Gmail,
+            )
+
+            gmail = Gmail(mock_provider)
+
+            assert gmail.policies_fetched is True
+            assert gmail.policies.enable_mail_delegation is None
+            assert gmail.policies.encrypted_attachment_protection_consequence is None
+            assert gmail.policies.enable_pop_access is None
+            assert gmail.policies.comprehensive_mail_storage_enabled is None
+
+    def test_gmail_fetch_policies_api_error(self):
+        """Test handling of API errors during policy fetch"""
+        mock_provider = set_mocked_googleworkspace_provider()
+        mock_provider.audit_config = {}
+        mock_provider.fixer_config = {}
+        mock_session = MagicMock()
+        mock_session.credentials = MagicMock()
+        mock_provider.session = mock_session
+
+        mock_service = MagicMock()
+        mock_service.policies().list.side_effect = Exception("API Error")
+
+        with (
+            patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=mock_provider,
+            ),
+            patch(
+                "prowler.providers.googleworkspace.services.gmail.gmail_service.GoogleWorkspaceService._build_service",
+                return_value=mock_service,
+            ),
+        ):
+            from prowler.providers.googleworkspace.services.gmail.gmail_service import (
+                Gmail,
+            )
+
+            gmail = Gmail(mock_provider)
+
+            assert gmail.policies_fetched is False
+            assert gmail.policies.enable_mail_delegation is None
+
+    def test_gmail_fetch_policies_build_service_returns_none(self):
+        """Test early return when _build_service fails to construct the client"""
+        mock_provider = set_mocked_googleworkspace_provider()
+        mock_provider.audit_config = {}
+        mock_provider.fixer_config = {}
+        mock_session = MagicMock()
+        mock_session.credentials = MagicMock()
+        mock_provider.session = mock_session
+
+        with (
+            patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=mock_provider,
+            ),
+            patch(
+                "prowler.providers.googleworkspace.services.gmail.gmail_service.GoogleWorkspaceService._build_service",
+                return_value=None,
+            ),
+        ):
+            from prowler.providers.googleworkspace.services.gmail.gmail_service import (
+                Gmail,
+            )
+
+            gmail = Gmail(mock_provider)
+
+            assert gmail.policies_fetched is False
+            assert gmail.policies.enable_mail_delegation is None
+
+    def test_gmail_fetch_policies_execute_raises(self):
+        """Test inner except handler when request.execute() raises during pagination"""
+        mock_provider = set_mocked_googleworkspace_provider()
+        mock_provider.audit_config = {}
+        mock_provider.fixer_config = {}
+        mock_session = MagicMock()
+        mock_session.credentials = MagicMock()
+        mock_provider.session = mock_session
+
+        mock_service = MagicMock()
+        mock_request = MagicMock()
+        mock_request.execute.side_effect = Exception("Execute failed")
+        mock_service.policies().list.return_value = mock_request
+
+        with (
+            patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=mock_provider,
+            ),
+            patch(
+                "prowler.providers.googleworkspace.services.gmail.gmail_service.GoogleWorkspaceService._build_service",
+                return_value=mock_service,
+            ),
+        ):
+            from prowler.providers.googleworkspace.services.gmail.gmail_service import (
+                Gmail,
+            )
+
+            gmail = Gmail(mock_provider)
+
+            assert gmail.policies_fetched is False
+            assert gmail.policies.enable_mail_delegation is None
+
+    def test_gmail_fetch_policies_ignores_ou_and_group_level(self):
+        """Test that OU-level and group-level policies are skipped, only customer-level used"""
+        mock_provider = set_mocked_googleworkspace_provider()
+        mock_provider.audit_config = {}
+        mock_provider.fixer_config = {}
+        mock_session = MagicMock()
+        mock_session.credentials = MagicMock()
+        mock_provider.session = mock_session
+
+        mock_service = MagicMock()
+        mock_policies_list = MagicMock()
+        mock_policies_list.execute.return_value = {
+            "policies": [
+                {
+                    # Customer-level: no policyQuery → should be used
+                    "setting": {
+                        "type": "settings/gmail.mail_delegation",
+                        "value": {"enableMailDelegation": False},
+                    }
+                },
+                {
+                    # OU-level: has policyQuery.orgUnit → should be skipped
+                    "policyQuery": {"orgUnit": "orgUnits/sales_team"},
+                    "setting": {
+                        "type": "settings/gmail.mail_delegation",
+                        "value": {"enableMailDelegation": True},
+                    },
+                },
+                {
+                    # Group-level: has policyQuery.group → should be skipped
+                    "policyQuery": {"group": "groups/contractors"},
+                    "setting": {
+                        "type": "settings/gmail.auto_forwarding",
+                        "value": {"enableAutoForwarding": True},
+                    },
+                },
+                {
+                    # Customer-level: no policyQuery → should be used
+                    "setting": {
+                        "type": "settings/gmail.auto_forwarding",
+                        "value": {"enableAutoForwarding": False},
+                    }
+                },
+            ]
+        }
+        mock_service.policies().list.return_value = mock_policies_list
+        mock_service.policies().list_next.return_value = None
+
+        with (
+            patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=mock_provider,
+            ),
+            patch(
+                "prowler.providers.googleworkspace.services.gmail.gmail_service.GoogleWorkspaceService._build_service",
+                return_value=mock_service,
+            ),
+        ):
+            from prowler.providers.googleworkspace.services.gmail.gmail_service import (
+                Gmail,
+            )
+
+            gmail = Gmail(mock_provider)
+
+            assert gmail.policies_fetched is True
+            assert gmail.policies.enable_mail_delegation is False
+            assert gmail.policies.enable_auto_forwarding is False
+
+    def test_gmail_policies_model(self):
+        """Test GmailPolicies Pydantic model"""
+        from prowler.providers.googleworkspace.services.gmail.gmail_service import (
+            GmailPolicies,
+        )
+
+        policies = GmailPolicies(
+            enable_mail_delegation=False,
+            encrypted_attachment_protection_consequence="SPAM_FOLDER",
+            script_attachment_protection_consequence="QUARANTINE",
+            anomalous_attachment_protection_consequence="WARNING",
+            enable_shortener_scanning=True,
+            enable_external_image_scanning=True,
+            enable_aggressive_warnings_on_untrusted_links=True,
+            domain_spoofing_consequence="SPAM_FOLDER",
+            employee_name_spoofing_consequence="SPAM_FOLDER",
+            inbound_domain_spoofing_consequence="QUARANTINE",
+            unauthenticated_email_consequence="WARNING",
+            groups_spoofing_consequence="SPAM_FOLDER",
+            enable_pop_access=False,
+            enable_imap_access=False,
+            enable_auto_forwarding=False,
+            allow_per_user_outbound_gateway=False,
+            enable_enhanced_pre_delivery_scanning=True,
+            comprehensive_mail_storage_enabled=True,
+        )
+
+        assert policies.enable_mail_delegation is False
+        assert policies.encrypted_attachment_protection_consequence == "SPAM_FOLDER"
+        assert policies.enable_shortener_scanning is True
+        assert policies.domain_spoofing_consequence == "SPAM_FOLDER"
+        assert policies.enable_pop_access is False
+        assert policies.enable_auto_forwarding is False
+        assert policies.enable_enhanced_pre_delivery_scanning is True
+        assert policies.comprehensive_mail_storage_enabled is True

tests/providers/googleworkspace/services/gmail/gmail_shortener_scanning_enabled/gmail_shortener_scanning_enabled_test.py

@@ -0,0 +1,118 @@
+from unittest.mock import patch
+
+from prowler.providers.googleworkspace.services.gmail.gmail_service import GmailPolicies
+from tests.providers.googleworkspace.googleworkspace_fixtures import (
+    CUSTOMER_ID,
+    DOMAIN,
+    set_mocked_googleworkspace_provider,
+)
+
+
+class TestGmailShortenerScanningEnabled:
+    def test_pass(self):
+        mock_provider = set_mocked_googleworkspace_provider()
+
+        with (
+            patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=mock_provider,
+            ),
+            patch(
+                "prowler.providers.googleworkspace.services.gmail.gmail_shortener_scanning_enabled.gmail_shortener_scanning_enabled.gmail_client"
+            ) as mock_client,
+        ):
+            from prowler.providers.googleworkspace.services.gmail.gmail_shortener_scanning_enabled.gmail_shortener_scanning_enabled import (
+                gmail_shortener_scanning_enabled,
+            )
+
+            mock_client.provider = mock_provider
+            mock_client.policies_fetched = True
+            mock_client.policies = GmailPolicies(enable_shortener_scanning=True)
+
+            check = gmail_shortener_scanning_enabled()
+            findings = check.execute()
+
+            assert len(findings) == 1
+            assert findings[0].status == "PASS"
+            assert "enabled" in findings[0].status_extended
+            assert findings[0].resource_name == DOMAIN
+            assert findings[0].customer_id == CUSTOMER_ID
+
+    def test_fail_disabled(self):
+        mock_provider = set_mocked_googleworkspace_provider()
+
+        with (
+            patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=mock_provider,
+            ),
+            patch(
+                "prowler.providers.googleworkspace.services.gmail.gmail_shortener_scanning_enabled.gmail_shortener_scanning_enabled.gmail_client"
+            ) as mock_client,
+        ):
+            from prowler.providers.googleworkspace.services.gmail.gmail_shortener_scanning_enabled.gmail_shortener_scanning_enabled import (
+                gmail_shortener_scanning_enabled,
+            )
+
+            mock_client.provider = mock_provider
+            mock_client.policies_fetched = True
+            mock_client.policies = GmailPolicies(enable_shortener_scanning=False)
+
+            check = gmail_shortener_scanning_enabled()
+            findings = check.execute()
+
+            assert len(findings) == 1
+            assert findings[0].status == "FAIL"
+            assert "disabled" in findings[0].status_extended
+
+    def test_pass_using_default(self):
+        mock_provider = set_mocked_googleworkspace_provider()
+
+        with (
+            patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=mock_provider,
+            ),
+            patch(
+                "prowler.providers.googleworkspace.services.gmail.gmail_shortener_scanning_enabled.gmail_shortener_scanning_enabled.gmail_client"
+            ) as mock_client,
+        ):
+            from prowler.providers.googleworkspace.services.gmail.gmail_shortener_scanning_enabled.gmail_shortener_scanning_enabled import (
+                gmail_shortener_scanning_enabled,
+            )
+
+            mock_client.provider = mock_provider
+            mock_client.policies_fetched = True
+            mock_client.policies = GmailPolicies(enable_shortener_scanning=None)
+
+            check = gmail_shortener_scanning_enabled()
+            findings = check.execute()
+
+            assert len(findings) == 1
+            assert findings[0].status == "PASS"
+            assert "secure default" in findings[0].status_extended
+
+    def test_no_findings_when_fetch_failed(self):
+        mock_provider = set_mocked_googleworkspace_provider()
+
+        with (
+            patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=mock_provider,
+            ),
+            patch(
+                "prowler.providers.googleworkspace.services.gmail.gmail_shortener_scanning_enabled.gmail_shortener_scanning_enabled.gmail_client"
+            ) as mock_client,
+        ):
+            from prowler.providers.googleworkspace.services.gmail.gmail_shortener_scanning_enabled.gmail_shortener_scanning_enabled import (
+                gmail_shortener_scanning_enabled,
+            )
+
+            mock_client.provider = mock_provider
+            mock_client.policies_fetched = False
+            mock_client.policies = GmailPolicies()
+
+            check = gmail_shortener_scanning_enabled()
+            findings = check.execute()
+
+            assert len(findings) == 0

tests/providers/googleworkspace/services/gmail/gmail_untrusted_link_warnings_enabled/gmail_untrusted_link_warnings_enabled_test.py

@@ -0,0 +1,124 @@
+from unittest.mock import patch
+
+from prowler.providers.googleworkspace.services.gmail.gmail_service import GmailPolicies
+from tests.providers.googleworkspace.googleworkspace_fixtures import (
+    CUSTOMER_ID,
+    DOMAIN,
+    set_mocked_googleworkspace_provider,
+)
+
+
+class TestGmailUntrustedLinkWarningsEnabled:
+    def test_pass(self):
+        mock_provider = set_mocked_googleworkspace_provider()
+
+        with (
+            patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=mock_provider,
+            ),
+            patch(
+                "prowler.providers.googleworkspace.services.gmail.gmail_untrusted_link_warnings_enabled.gmail_untrusted_link_warnings_enabled.gmail_client"
+            ) as mock_client,
+        ):
+            from prowler.providers.googleworkspace.services.gmail.gmail_untrusted_link_warnings_enabled.gmail_untrusted_link_warnings_enabled import (
+                gmail_untrusted_link_warnings_enabled,
+            )
+
+            mock_client.provider = mock_provider
+            mock_client.policies_fetched = True
+            mock_client.policies = GmailPolicies(
+                enable_aggressive_warnings_on_untrusted_links=True
+            )
+
+            check = gmail_untrusted_link_warnings_enabled()
+            findings = check.execute()
+
+            assert len(findings) == 1
+            assert findings[0].status == "PASS"
+            assert "enabled" in findings[0].status_extended
+            assert findings[0].resource_name == DOMAIN
+            assert findings[0].customer_id == CUSTOMER_ID
+
+    def test_fail_disabled(self):
+        mock_provider = set_mocked_googleworkspace_provider()
+
+        with (
+            patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=mock_provider,
+            ),
+            patch(
+                "prowler.providers.googleworkspace.services.gmail.gmail_untrusted_link_warnings_enabled.gmail_untrusted_link_warnings_enabled.gmail_client"
+            ) as mock_client,
+        ):
+            from prowler.providers.googleworkspace.services.gmail.gmail_untrusted_link_warnings_enabled.gmail_untrusted_link_warnings_enabled import (
+                gmail_untrusted_link_warnings_enabled,
+            )
+
+            mock_client.provider = mock_provider
+            mock_client.policies_fetched = True
+            mock_client.policies = GmailPolicies(
+                enable_aggressive_warnings_on_untrusted_links=False
+            )
+
+            check = gmail_untrusted_link_warnings_enabled()
+            findings = check.execute()
+
+            assert len(findings) == 1
+            assert findings[0].status == "FAIL"
+            assert "disabled" in findings[0].status_extended
+
+    def test_pass_using_default(self):
+        mock_provider = set_mocked_googleworkspace_provider()
+
+        with (
+            patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=mock_provider,
+            ),
+            patch(
+                "prowler.providers.googleworkspace.services.gmail.gmail_untrusted_link_warnings_enabled.gmail_untrusted_link_warnings_enabled.gmail_client"
+            ) as mock_client,
+        ):
+            from prowler.providers.googleworkspace.services.gmail.gmail_untrusted_link_warnings_enabled.gmail_untrusted_link_warnings_enabled import (
+                gmail_untrusted_link_warnings_enabled,
+            )
+
+            mock_client.provider = mock_provider
+            mock_client.policies_fetched = True
+            mock_client.policies = GmailPolicies(
+                enable_aggressive_warnings_on_untrusted_links=None
+            )
+
+            check = gmail_untrusted_link_warnings_enabled()
+            findings = check.execute()
+
+            assert len(findings) == 1
+            assert findings[0].status == "PASS"
+            assert "secure default" in findings[0].status_extended
+
+    def test_no_findings_when_fetch_failed(self):
+        mock_provider = set_mocked_googleworkspace_provider()
+
+        with (
+            patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=mock_provider,
+            ),
+            patch(
+                "prowler.providers.googleworkspace.services.gmail.gmail_untrusted_link_warnings_enabled.gmail_untrusted_link_warnings_enabled.gmail_client"
+            ) as mock_client,
+        ):
+            from prowler.providers.googleworkspace.services.gmail.gmail_untrusted_link_warnings_enabled.gmail_untrusted_link_warnings_enabled import (
+                gmail_untrusted_link_warnings_enabled,
+            )
+
+            mock_client.provider = mock_provider
+            mock_client.policies_fetched = False
+            mock_client.policies = GmailPolicies()
+
+            check = gmail_untrusted_link_warnings_enabled()
+            findings = check.execute()
+
+            assert len(findings) == 0