The short answer: Neither platform configures SPF, DKIM, or DMARC automatically for your custom domain — both require the same manual DNS steps to reach a secure baseline. For anti-phishing controls, Microsoft 365 Business Premium (with Defender for Office 365) offers more granular threat protection than Google's equivalent tiers. For admin visibility and reporting, Microsoft's Defender portal is more comprehensive. For easier authentication setup and direct Gmail inbox insight via Postmaster Tools, Google Workspace has a slight edge. For most SMBs, the email security difference between the two platforms is not the deciding factor.
Choosing between Google Workspace and Microsoft 365 often comes down to productivity tools and cost. Email security is less commonly the deciding factor — but it should at least be a consideration, because the two platforms have meaningfully different defaults and different approaches to authentication setup.
This guide compares both platforms on SPF, DKIM, and DMARC defaults, anti-phishing controls, admin visibility, and where each one requires manual configuration to reach a secure baseline.
The Short Version
Neither platform is "more secure" by default. Both require manual steps to reach a properly authenticated, enforced configuration. The differences are in how difficult those steps are and what's included at which pricing tier.
For most SMBs, the email security differences won't be the deciding factor. But if you're mid-migration or evaluating both, understanding what each requires is useful.
SPF: What Gets Set Up Automatically
Google Workspace
When you add a domain to Google Workspace and verify it, Google does not automatically publish an SPF record on your behalf. You need to add it yourself:
v=spf1 include:_spf.google.com ~all
This is a manual DNS step. Google's documentation covers it, but many new users miss it — and their email starts landing in spam or failing authentication without them knowing why.
Microsoft 365
Microsoft 365 is similar — it does not automatically add an SPF record to your domain's DNS. The required include string is:
v=spf1 include:spf.protection.outlook.com ~all
Again, a manual DNS step is required. Both platforms leave SPF setup to the admin.
Winner: Tie — both require manual SPF setup.
DKIM: Default Signing Behaviour
Google Workspace
DKIM signing is not enabled by default in Google Workspace. You have to:
- Go to Admin Console → Apps → Google Workspace → Gmail → Authenticate Email
- Generate the DKIM key for your domain
- Add the provided TXT record to your DNS
- Enable DKIM signing in the Admin Console
Until you complete this, outgoing email from Google Workspace is unsigned. Many businesses run Google Workspace for months or years without DKIM enabled, unknowingly.
Microsoft 365
Microsoft 365 enables DKIM signing automatically for *.onmicrosoft.com addresses (the default Microsoft domain), but not for custom domains. For your actual business domain, you need to:
- Go to Microsoft Defender → Email & Collaboration → Policies & Rules → Threat Policies → DKIM
- Enable DKIM for your custom domain
- Add the CNAME records Microsoft provides to your DNS
The setup flow is slightly more involved than Google's, but the outcome is the same — manual action required.
Winner: Tie — both require manual DKIM setup for custom domains.
DMARC: What Each Platform Does by Default
Neither Google Workspace nor Microsoft 365 publishes a DMARC record for your domain. DMARC is entirely your responsibility in both cases.
This is a significant gap. Without DMARC, your domain can be spoofed — attackers can send email that appears to come from your domain with no policy in place to block it.
The setup process is identical for both platforms — DMARC is a DNS record you publish, not a setting inside the email platform. See the DMARC setup guide for Google Workspace or the Microsoft 365 authentication guide for step-by-step instructions.
Winner: Tie — DMARC requires identical manual effort on both platforms.
Anti-Phishing and Advanced Threat Protection
This is where the platforms diverge meaningfully.
Google Workspace
Included at all tiers:
- Spam filtering and phishing detection (Gmail's ML-based filters)
- Safe Browsing link scanning
- Attachment sandboxing for some file types
Available at Business Starter and above (with enhanced protections at higher tiers):
- Advanced phishing and malware protection settings in Admin Console
- Controls for unauthenticated email (warn users about emails from domains without DMARC/DKIM)
- Display name spoofing protection
- Protection against inbound emails that spoof your own domain
Microsoft 365
Included at Microsoft 365 Business Basic:
- Exchange Online Protection (EOP) — Microsoft's baseline spam and malware filtering
Microsoft 365 Business Premium or Defender for Office 365 (add-on):
- Safe Links — rewrites URLs to check them at click time
- Safe Attachments — sandboxes attachments in a secure environment before delivery
- Anti-phishing policies with spoof intelligence
- Impersonation protection for specific users and domains
- Attack simulation training
Winner: Microsoft 365 — particularly at the Business Premium tier or with Defender for Office 365, the anti-phishing controls are more granular and more configurable than Google's equivalent.
However, Microsoft's advanced features come at a higher price point (Business Premium is significantly more expensive than Business Basic). Google's protections are more uniformly distributed across tiers.
Admin Visibility and Reporting
Google Workspace
- Google Postmaster Tools (free, separate service) — shows domain reputation, spam rate, and DMARC compliance specifically for Gmail traffic
- Admin Console reports — email log search, delivery status, basic spam statistics
- Alert Center — notifications for suspicious activity
The main gap: Google's admin reporting is less detailed than Microsoft's on email flow and security incidents. Postmaster Tools is valuable but only shows Gmail-specific data.
Microsoft 365
- Microsoft Defender portal — detailed threat reports, email security status, attack simulation results
- Message Trace — comprehensive email delivery logs with full header information
- Threat protection status report — shows malware, phishing, and spam detections over time
- Spoof intelligence report — shows who's spoofing your domain
Winner: Microsoft 365 — the reporting and admin visibility tools are more comprehensive, particularly useful for organisations with dedicated IT or security teams.
MTA-STS: Encrypting Email in Transit
Google Workspace
Google Workspace supports MTA-STS — the standard that enforces TLS encryption for email in transit. However, Google does not automatically publish an MTA-STS policy for your domain. You need to set it up yourself (a policy file + DNS record). See the MTA-STS Generator for the records.
Microsoft 365
Microsoft 365 supports MTA-STS for inbound mail and respects MTA-STS policies on receiving domains. As with Google, publishing your own MTA-STS policy requires manual DNS configuration.
Winner: Tie.
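As an added example (not from the original guide or either vendor), the code below validates the two pieces a domain publishes for MTA-STS under RFC 8461, the `_mta-sts` TXT record and the policy file, and matches MX hostnames against the policy's `mx` patterns. The record, policy text and hostnames are constructed.

```python
import re

def parse_sts_policy(text):
    """Parse the key: value lines of an mta-sts.txt policy file (RFC 8461)."""
    policy = {"mx": []}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower())   # mx may repeat, one host per line
        else:
            policy[key] = value
    return policy

def validate_sts(txt_record, policy_text):
    """Return findings for an _mta-sts TXT record and its policy file."""
    findings = []
    # This checker accepts only the v and id fields (no extension fields).
    if not re.fullmatch(r"v=STSv1;\s*id=[A-Za-z0-9]{1,32};?\s*", txt_record):
        findings.append("TXT record is not 'v=STSv1; id=<1-32 alphanumerics>'")
    p = parse_sts_policy(policy_text)
    if p.get("version") != "STSv1":
        findings.append("policy version must be STSv1")
    if p.get("mode") not in ("enforce", "testing", "none"):
        findings.append("mode must be enforce, testing or none")
    elif p["mode"] != "enforce":
        findings.append(f"mode={p['mode']}: policy is not enforced")
    if not p.get("max_age", "").isdigit() or int(p["max_age"]) > 31557600:
        findings.append("max_age must be an integer of at most 31557600 seconds")
    if p.get("mode") != "none" and not p["mx"]:
        findings.append("no mx patterns listed")
    return findings

def mx_allowed(mx_host, patterns):
    """True if an MX hostname matches a policy pattern; '*.' covers one label."""
    host = mx_host.lower().rstrip(".")
    for pat in patterns:
        if pat == host:
            return True
        if pat.startswith("*.") and "." in host and host.split(".", 1)[1] == pat[2:]:
            return True
    return False

# Constructed sample input.
TXT = "v=STSv1; id=20240101T000000"
POLICY = ("version: STSv1\nmode: testing\nmx: mx1.example.com\n"
          "mx: *.mail.example.net\nmax_age: 86400\n")
```

A policy left in `testing` mode passes every structural check but is still reported, because sending servers deliver even when TLS validation fails.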
Authentication Setup Complexity: A Practical Comparison
| Step | Google Workspace | Microsoft 365 |
|---|---|---|
| SPF | Add 1 TXT record to DNS | Add 1 TXT record to DNS |
| DKIM | Enable in Admin Console + add 1 TXT record | Enable in Defender portal + add 2 CNAME records |
| DMARC | Add TXT record to DNS (platform-agnostic) | Add TXT record to DNS (platform-agnostic) |
| MTA-STS | Manual (policy file + DNS record) | Manual (policy file + DNS record) |
| Difficulty | Moderate | Moderate–High |
Microsoft's DKIM setup requires CNAME records rather than TXT records, which can be slightly less intuitive. But the overall complexity is comparable.
Which Platform Is Easier to Secure Properly?
Google Workspace is slightly more straightforward for authentication setup — the DKIM flow in Admin Console is cleaner, and Postmaster Tools gives direct feedback on how Gmail is evaluating your domain.
Microsoft 365 offers more advanced threat protection capabilities at higher tiers, and better admin reporting for organisations that have IT staff to use those tools.
For most SMBs, the deciding factor shouldn't be email security — the baseline security posture is similar once authentication is properly configured on both. The difference is in how easy it is to get there and what's available at which price point.
What You Need to Configure Yourself (On Both Platforms)
Regardless of which platform you choose, the following are always manual:
- SPF record — add to DNS, include the platform's authorised sending range
- DKIM signing — enable in platform admin settings, add DNS record
- DMARC record — publish at _dmarc.yourdomain.com, start with p=none, progress to p=reject
- Third-party senders — any tool sending email from your domain (CRM, marketing platform, support tool) needs to be added to your SPF record and have DKIM configured
The free Security Score tool checks all of these across your domain in one pass, regardless of which email platform you use.
Migrating Between Platforms
If you're migrating from Google Workspace to Microsoft 365 (or vice versa), email authentication records need to be updated. The specific SPF include string, DKIM selector, and sometimes DMARC reporting address will change.
For a full migration checklist covering authentication setup, see the Google Workspace email migration checklist.
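The manual checklist above and the migration case can both be checked mechanically. The following is an added example, not part of the original guide or either vendor's tooling: it audits SPF and DMARC TXT strings passed in as arguments. The sample records, example.com and the third-party include `spf.crm-vendor.example` are constructed.

```python
# Added example: audits TXT record strings passed in, so it runs offline.
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def audit_spf(apex_txt, required_includes):
    """Findings for the SPF record among a domain's apex TXT records."""
    spf = [r for r in apex_txt if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        return ["no SPF record" if not spf else "multiple SPF records (permerror)"]
    terms = [t.lower() for t in spf[0].split()[1:]]
    findings = []
    includes = {t.split(":", 1)[1] for t in terms
                if t.lstrip("+-~?").startswith("include:")}
    for inc in required_includes:
        if inc.lower() not in includes:
            findings.append(f"missing include:{inc}")
    # Each of these mechanisms costs a DNS query; RFC 7208 allows 10 in total.
    # Only top-level terms are counted here; nested includes add more.
    lookups = sum(
        t.lstrip("+-~?").split(":")[0].split("/")[0].split("=")[0] in LOOKUP_MECHS
        for t in terms)
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the limit of 10")
    has_redirect = any(t.startswith("redirect=") for t in terms)
    if not has_redirect and terms[-1:] not in (["~all"], ["-all"]):
        findings.append("record does not end in ~all or -all")
    return findings

def audit_dmarc(dmarc_txt):
    """Findings for the TXT records at _dmarc.<domain>."""
    recs = [r for r in dmarc_txt if r.lower().startswith("v=dmarc1")]
    if len(recs) != 1:
        return ["no DMARC record" if not recs else "multiple DMARC records"]
    tags = {k.strip().lower(): v.strip() for k, v in
            (part.split("=", 1) for part in recs[0].split(";") if "=" in part)}
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return [f"invalid or missing p= tag: {policy!r}"]
    findings = []
    if policy != "reject":
        findings.append(f"p={policy}: not yet at p=reject")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports to review")
    return findings

# Constructed records: a domain moved to Microsoft 365 whose SPF record still
# authorises Google; "spf.crm-vendor.example" is a hypothetical third-party sender.
APEX = ["google-site-verification=constructed", "v=spf1 include:_spf.google.com ~all"]
DMARC = ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"]
NEEDED = ["spf.protection.outlook.com", "spf.crm-vendor.example"]
```

Calling `audit_spf(APEX, NEEDED) + audit_dmarc(DMARC)` lists the stale include left over from the migration, the unlisted third-party sender, and the DMARC policy still at the monitoring stage.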