10 Things to Do After Setting Up Google Workspace
Just set up Google Workspace? Complete these 10 critical steps immediately — from MX records and 2FA to shared drives and backup — to secure your Australian SMB.
You have signed up for Google Workspace, created your admin account, and logged into the Admin console for the first time. Congratulations. But here is the uncomfortable truth: a freshly provisioned Google Workspace environment is not ready for production use. Out of the box, email may not route correctly, security settings are permissive, and there is no structure in place for how your team will use the platform day to day.
The gap between "account created" and "business ready" is where most Australian SMBs lose time, expose data, or create technical debt that costs far more to fix later. Across several years of deploying Google Workspace for businesses across Australia, the same ten post-setup tasks have come up every single time. Skip any of them and you will eventually pay for it -- with a security incident, a compliance gap, or hours of rework.
What you will learn in this post:
- The 10 critical steps to complete in your first 48 hours after setup
- Why each step matters for Australian businesses specifically
- The exact Admin Console paths to action every recommendation
- Common mistakes that catch new admins off guard
1. Verify Your Domain and Configure MX Records
This is the most fundamental step, and it is the one that trips up the most people. Until your MX records are correctly configured, email sent to your domain will not reach Google Workspace. It will either bounce, land in your old provider's inbox, or disappear entirely.
What to do:
- In the Admin console, navigate to Account > Domains > Manage domains and confirm your domain shows as verified. If it does not, follow the verification prompt -- Google typically provides a TXT record you need to add at your DNS provider.
- Update your MX records at your domain registrar or DNS host. If you are using an Australian provider like VentraIP, Crazy Domains, or Synergy Wholesale, log into their DNS management panel and replace your existing MX records with Google's five MX records. The primary record should point to ASPMX.L.GOOGLE.COM with priority 1.
- Delete any old MX records pointing to your previous email provider. Leaving them in place can cause intermittent delivery failures.
- Allow up to 72 hours for DNS propagation, though most Australian DNS providers propagate within a few hours.
Why it matters: Every hour your MX records are misconfigured is an hour where client emails might not reach you. For a business that depends on email for quotes, invoices, or client communication, even a single missed message can cost real money.
2. Set Up SPF, DKIM, and DMARC Records
Once email is flowing, you need to prove to the world that your emails are legitimate. SPF, DKIM, and DMARC are three DNS records that work together to authenticate your outbound email and prevent attackers from spoofing your domain.
What to do:
- SPF: Add a TXT record to your DNS with the value v=spf1 include:_spf.google.com ~all. If you use other services that send email on your behalf (such as Xero, a CRM, or a marketing platform), include their SPF entries as well.
- DKIM: In the Admin console, navigate to Apps > Google Workspace > Gmail > Authenticate email. Generate a DKIM key, then add the provided TXT record to your DNS. This cryptographically signs every outbound email.
- DMARC: Add a TXT record for _dmarc.yourdomain.com.au with a value like v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com.au. Start with p=none if you want to monitor before enforcing.
Why it matters: Without these records, your business emails are far more likely to land in spam folders. Worse, attackers can send emails that appear to come from your domain. For Australian businesses, email authentication is increasingly expected by government agencies, banks, and enterprise clients you might work with.
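The checks from steps 1 and 2 can be run against a copy of your DNS records before you rely on them. The following is an added example, not part of the original guide: the function name, the zone dictionary layout, and the oldprovider.example hosts are assumptions made for illustration, and the sample zone is constructed to show typical leftovers from a migration.

```python
# Added example: offline audit of MX, SPF and DMARC records (steps 1 and 2).
# SAMPLE_ZONE is constructed data; fill it from your DNS host's export for a real check.
DOMAIN = "yourdomain.com.au"
SAMPLE_ZONE = {
    ("MX", DOMAIN): [(1, "ASPMX.L.GOOGLE.COM."), (5, "ALT1.ASPMX.L.GOOGLE.COM."),
                     (10, "mail.oldprovider.example.")],   # stale record left behind
    ("TXT", DOMAIN): ["v=spf1 include:_spf.google.com ~all",
                      "v=spf1 include:spf.oldprovider.example ~all"],
    ("TXT", "_dmarc." + DOMAIN): [
        "v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com.au"],
}

def audit_mail_dns(zone, domain):
    """Return human-readable findings; an empty list means the records pass."""
    findings = []
    mx = [(prio, host.rstrip(".").lower()) for prio, host in zone.get(("MX", domain), [])]
    if (1, "aspmx.l.google.com") not in mx:
        findings.append("MX: no priority-1 record for ASPMX.L.GOOGLE.COM")
    for prio, host in mx:
        if not host.endswith("aspmx.l.google.com"):
            findings.append(f"MX: non-Google record {host} (priority {prio})")

    spf = [t for t in zone.get(("TXT", domain), []) if t.lower().startswith("v=spf1")]
    if len(spf) != 1:  # receivers treat multiple SPF records as a permanent error
        findings.append(f"SPF: expected exactly one v=spf1 record, found {len(spf)}")
    for rec in spf:
        terms = rec.lower().split()
        if "include:_spf.google.com" not in terms:
            findings.append(f"SPF: record lacks include:_spf.google.com: {rec}")
        if terms[-1] not in ("~all", "-all"):
            findings.append(f"SPF: record ends with {terms[-1]}, not ~all or -all")

    dmarc = [t for t in zone.get(("TXT", "_dmarc." + domain), [])
             if t.lower().startswith("v=dmarc1")]
    if not dmarc:
        findings.append(f"DMARC: no v=DMARC1 record at _dmarc.{domain}")
        return findings
    tags = dict(part.strip().split("=", 1) for part in dmarc[0].split(";") if "=" in part)
    policy = tags.get("p", "").strip().lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append(f"DMARC: invalid or missing p= tag ({policy!r})")
    elif policy == "none":
        findings.append("DMARC: p=none is monitor-only; spoofed mail is not quarantined")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so no aggregate reports arrive")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_mail_dns(SAMPLE_ZONE, DOMAIN)))
```

On the sample zone this reports the stale MX host, the duplicate SPF record, the SPF record without Google's include, and the monitor-only DMARC policy.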
3. Enforce Two-Factor Authentication for All Users
This is the single highest-impact security change you can make, and it takes five minutes. A default Google Workspace deployment allows users to log in with just a password. That means a single compromised password -- from a phishing email, a reused credential, or a data breach -- gives an attacker full access to your business email, files, and contacts.
What to do:
- Navigate to Security > Authentication > 2-Step Verification.
- Set Allow users to turn on 2-Step Verification to On.
- Set Enforcement to On for your top-level organisational unit.
- Allow a grace period of 7 to 14 days so users can enrol their devices.
- For admin accounts, require hardware security keys or at minimum an authenticator app. Discourage SMS-based verification.
Why it matters: The Australian Signals Directorate's Essential Eight framework lists multi-factor authentication as one of the most effective controls against cyber threats. If your business handles personal information under the Privacy Act 1988, failing to enforce MFA and then suffering a breach puts you in a very difficult position with the Office of the Australian Information Commissioner.
4. Configure Admin Roles and Least Privilege Access
In many small businesses, every IT-adjacent person ends up as a Super Admin. This is dangerous. A Super Admin can delete users, wipe devices, export all company data, and change every security setting. If one of those accounts is compromised, the attacker has total control.
What to do:
- Create at least two dedicated Super Admin accounts that are not used for daily email or browsing (for example, admin@yourdomain.com.au and admin-breakglass@yourdomain.com.au).
- Navigate to Account > Admin roles and review the built-in roles: User Management Admin, Groups Admin, Help Desk Admin, and Services Admin.
- Assign each person the most limited role that covers their responsibilities. A manager who needs to reset passwords only needs the Help Desk Admin role, not Super Admin.
- Store break-glass Super Admin credentials in a secure, offline location accessible to at least two trusted people.
Why it matters: The principle of least privilege is foundational to every serious security framework. For Australian SMBs, it directly supports compliance with the Australian Privacy Principles. If a data breach occurs because an overprivileged account was compromised, regulators will ask why that access existed.
5. Build Your Organisational Unit Structure
Organisational Units (OUs) are Google Workspace's mechanism for applying different policies to different groups of users. Without them, every setting you configure applies to the entire organisation -- which means your marketing team has the same sharing permissions as your finance team, and your contractors have the same access as your permanent staff.
What to do:
- Navigate to Directory > Organisational units and plan a structure that reflects how your business actually operates. A common starting point for an Australian SMB:
  - /Staff -- Permanent employees
  - /Staff/Management -- Senior leadership with broader access
  - /Staff/Finance -- Finance team with restricted external sharing
  - /Contractors -- External contractors with limited service access
  - /Shared Accounts -- Service accounts, shared mailboxes
- Move users into the appropriate OUs.
- Apply OU-specific policies as you work through the remaining steps (sharing settings, app access, mobile management).
Why it matters: OUs are the foundation for every targeted policy in Google Workspace. Without them, you are forced to choose between "wide open for everyone" or "locked down for everyone." Neither works for a real business.
6. Set Up Shared Drives
Personal Google Drive is useful, but it creates a serious problem: when an employee leaves, their files go with them unless you intervene. Shared Drives solve this by making the organisation -- not the individual -- the owner of the files.
What to do:
- Navigate to Apps > Google Workspace > Drive and Docs > Sharing settings > Shared drive creation.
- Decide who can create Shared Drives. For most SMBs, restricting creation to admins or managers prevents sprawl.
- Create Shared Drives for your core business functions: Finance, Operations, Marketing, Client Projects, HR, and Templates.
- Set appropriate access levels. Members can be Managers, Content Managers, Contributors, Commenters, or Viewers.
- Configure external sharing at the Shared Drive level -- disable it for sensitive drives like Finance and HR, enable it selectively for Client Projects.
Why it matters: Australian businesses subject to the Privacy Act need to demonstrate that personal information is stored and managed appropriately. Files sitting in a departed employee's personal Drive, inaccessible to the business, is not a defensible position. Shared Drives also make onboarding faster -- new team members get access to everything they need on day one.
7. Configure Email Routing and Compliance Settings
If your business uses email for anything beyond casual communication -- invoicing, contracts, client correspondence, regulatory submissions -- you need to think about how email is routed, stored, and protected.
What to do:
- Navigate to Apps > Google Workspace > Gmail > Compliance.
- Set up Content compliance rules to flag or quarantine emails containing sensitive content (tax file numbers, credit card numbers, health information).
- Configure Email routing if you need to split mail flow, for example routing specific addresses to a ticketing system or forwarding a copy of all outbound email to an archive.
- Under Spam, phishing and malware, review your inbound protection settings. Enable enhanced pre-delivery message scanning and external email warning banners.
- Add your business domain and any trusted partner domains to the email allowlist if legitimate emails are being caught by spam filters.
Why it matters: Australian businesses in regulated industries -- financial services (APRA), healthcare, legal -- often have specific email retention and monitoring requirements. Even for non-regulated businesses, having email compliance rules in place before an incident is far better than scrambling to set them up after one.
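A bare digit pattern for tax file numbers or card numbers also matches invoice and phone numbers, so it helps to measure false positives on sample mail before a rule starts quarantining messages. The following is an added example, not part of the original guide and not Gmail's matching engine: it pairs a pattern with the TFN and Luhn check-digit algorithms, and the function names and sample messages are constructed for illustration.

```python
import re

# Added example: pattern plus checksum detection for TFNs and card numbers.
TFN_WEIGHTS = (1, 4, 3, 7, 5, 8, 6, 9, 10)
TFN_RE = re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{3}\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

def tfn_valid(digits):
    """A 9-digit TFN is valid when its weighted digit sum is divisible by 11."""
    return len(digits) == 9 and sum(int(d) * w for d, w in zip(digits, TFN_WEIGHTS)) % 11 == 0

def luhn_valid(digits):
    """Luhn check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            n = n * 2 - 9 if n > 4 else n * 2
        total += n
    return total % 10 == 0

def mask(digits, keep):
    """Keep only the trailing digits so findings never store the full value."""
    return "*" * (len(digits) - keep) + digits[-keep:]

def scan(text):
    """Return (kind, masked_value) for every candidate that passes its checksum."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            hits.append(("card", mask(digits, 4)))
    for m in TFN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if tfn_valid(digits):
            hits.append(("tfn", mask(digits, 3)))
    return hits

# Constructed sample messages: a test TFN, a test card number, and look-alikes.
SAMPLE_MESSAGES = [
    "Hi, my TFN is 123 456 782 for the payroll form.",
    "Please charge 4111 1111 1111 1111, expiry next year.",
    "Invoice 123 456 789 is overdue; call 0400 123 456.",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(scan(msg), "<-", msg)
```

The third message contains a nine-digit invoice number that the pattern alone would flag; the checksum rejects it.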
8. Apply Company Branding
This is the step that is easiest to postpone and the one your users will notice most. Custom branding makes Google Workspace feel like your platform, not a generic Google product.
What to do:
- Navigate to Account > Account settings > Personalisation.
- Upload your company logo. Google recommends a PNG or GIF file, 320 by 132 pixels.
- Set a custom colour scheme that matches your brand.
- Under Apps > Google Workspace > Gmail > User settings, configure a custom email footer (disclaimer) if required. Many Australian businesses include disclaimers about confidentiality, the Privacy Act, or intended recipients.
- Set up a custom Gmail theme or configure default signatures for your organisation.
Why it matters: Professional branding builds trust with clients and reinforces company identity for employees. For Australian businesses, a consistent email disclaimer can also satisfy certain legal and regulatory expectations, particularly in professional services.
9. Enable Mobile Device Management
Your team is accessing company email and files on their phones. That is a reality, not a choice. Without mobile device management (MDM), you have no visibility into which devices are connected, no ability to enforce screen locks, and no way to wipe company data from a lost or stolen phone.
What to do:
- Navigate to Devices > Mobile & endpoints > Settings > Universal settings.
- Enable Basic mobile management at minimum. This requires no agent installation and provides device inventory, screen lock enforcement, and remote account wipe.
- For businesses on Business Plus or Enterprise plans, consider Advanced mobile management, which adds app management, device encryption enforcement, and more granular controls.
- Set a policy requiring a screen lock with a minimum PIN length of six digits.
- Enable the ability to remotely wipe a device or remove the corporate account when an employee leaves or a device is reported lost.
Why it matters: The average Australian reports a lost or stolen phone roughly once every few years. For a business with 20 staff, that means you will likely face a lost-device scenario every year. Without MDM, your only option when a phone goes missing is to change the user's password and hope for the best. With MDM, you can wipe corporate data from the device within minutes.
10. Establish a Backup and Recovery Strategy
Here is the part that surprises most new admins: Google does not back up your data in the way you might expect. Google Workspace provides excellent infrastructure redundancy -- your data is replicated across multiple data centres to protect against hardware failure. But it does not protect against accidental deletion, malicious deletion by a disgruntled employee, or ransomware that encrypts files through a synced desktop client.
What to do:
- Evaluate whether Google Vault (included with Business Plus and Enterprise) meets your retention needs. Vault provides email archiving, Drive file retention, and eDiscovery. Navigate to Apps > Google Workspace > Google Vault to enable and configure retention rules.
- If Vault is insufficient or you are on a Starter or Standard plan, implement a third-party backup solution. Reputable options for Australian businesses include Backupify (by Datto), Spanning Backup, and AFI Backup. Costs typically range from $5 to $10 AUD per user per month.
- Set retention policies that align with your legal obligations. Australian tax records must be kept for five years. Employment records have varying retention requirements depending on the type.
- Test your recovery process. A backup you have never tested is not a backup.
Why it matters: Data loss is not hypothetical. Users permanently delete files from the Trash after 25 days. A compromised account can delete years of shared documents. For Australian businesses with obligations under the Privacy Act, the Tax Act, or industry-specific regulations, losing records can result in penalties, litigation, or audit failures.
Common Mistakes to Avoid
Even after completing all ten steps, new admins frequently fall into these traps:
Skipping email authentication records. You set up MX records and email works, so you assume everything is fine. Three months later you discover half your outbound emails to Outlook recipients are landing in spam because you never configured SPF and DKIM.
Applying settings globally instead of by OU. You restrict external sharing because of a security concern, not realising you have just blocked your sales team from sharing proposals with clients. Always test policy changes on a small OU first.
Leaving the default sharing settings wide open. Google Workspace defaults to allowing external sharing on Drive. If a single user accidentally sets a file to "Anyone with the link," your sensitive business data is one URL away from being public.
Not documenting your configuration. Six months from now, you will not remember why a specific email routing rule exists or which OU has different sharing permissions. Maintain a simple configuration log, even if it is just a Google Doc.
Ignoring audit logs. Navigate to Reporting > Audit and investigation regularly. Audit logs tell you who changed what, when files were shared externally, and when login attempts failed. This is your early warning system.
Wrapping Up
Setting up a Google Workspace account is the easy part. The ten steps in this guide are what turn a blank environment into a secure, structured, and professionally configured platform that your team can rely on every day.
If you are working through this list for the first time, prioritise in this order: get email flowing with correct MX records and authentication (steps 1 and 2), lock down security with 2FA and proper admin roles (steps 3 and 4), build the organisational structure with OUs and Shared Drives (steps 5 and 6), then handle routing, branding, mobile, and backup (steps 7 through 10). You can realistically complete everything in a single afternoon.
The investment of a few hours now will save your business from security incidents, compliance headaches, and the kind of disorganised file sprawl that only gets harder to fix over time. Australian SMBs that get these foundations right from day one spend less on remediation, face fewer audit surprises, and give their teams a far better daily experience with the platform.