Intermediate · 6 min

Shared Inboxes and Aliases Done Right

Shared inboxes are a business necessity. They're also a security and compliance risk if misconfigured.

Last updated: March 20, 2026

Every business needs them: support@yourcompany.com, sales@, info@, billing@. Shared inboxes let multiple people handle customer inquiries without forwarding personal email addresses.

But shared inboxes create security risks if they're not configured properly. Here's what to watch out for and how to set them up right.

The Risks

Too Many People Have Access

You add someone to the shared inbox "temporarily." Three years later, they still have access—even though they changed roles or left the company. Every person with access is a potential point of compromise.

Emails Forwarded Externally

Someone sets up a rule to forward all support@ emails to their personal Gmail. Customer inquiries go to their phone. They can see every customer interaction, including after they leave.

No Accountability

Multiple people access the same inbox. Who sent which response? Who deleted that email? Without logging, you have no audit trail.

Phishing Landing in the Shared Inbox

A phishing email hits support@. Multiple people see it. Someone clicks. Their account is compromised. Now the attacker has access to the shared inbox—and every other account that person has.

Customer Data Exposure

The shared inbox contains ongoing customer conversations with sensitive information. Everyone with access can see it. Former employees included.

How to Set Up Shared Inboxes (Microsoft 365)

Create the Shared Mailbox

  1. Go to Exchange Admin Center (admin.exchange.microsoft.com)
  2. Navigate to Recipients > Shared mailboxes
  3. Click Add a shared mailbox
  4. Enter a name and email address (e.g., support@yourcompany.com)
  5. Add members who need access

Configure Permissions

  1. Grant Full Access only to people who need it (not everyone)
  2. Set Send As permission for members who need to send from the shared address
  3. Do NOT give Full Access to people who just need to send—only to those who need to read emails
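The same three permission steps in Exchange Online PowerShell, added here as an example rather than taken from the article. It assumes the ExchangeOnlineManagement module is installed, the account running it holds an Exchange administrator role, and every address (support@yourcompany.com, alice@, bob@, carol@) is a placeholder.

```powershell
# Added example, not from the article. Assumes the ExchangeOnlineManagement module
# and an Exchange administrator account; all addresses below are placeholders.
Connect-ExchangeOnline

$shared     = 'support@yourcompany.com'
$members    = 'alice@yourcompany.com', 'bob@yourcompany.com'   # read the mailbox and reply from it
$sendOnly   = 'carol@yourcompany.com'                          # only ever sends as support@

# Members get Full Access (to read) plus Send As (to reply from support@).
# AutoMapping $false stops Outlook from silently attaching the mailbox to every
# member's profile, so a later removal takes effect instead of lingering in cached profiles.
foreach ($user in $members) {
    Add-MailboxPermission   -Identity $shared -User $user    -AccessRights FullAccess -AutoMapping $false
    Add-RecipientPermission -Identity $shared -Trustee $user -AccessRights SendAs -Confirm:$false
}

# Send-only users get Send As and nothing else. They cannot open the mailbox, so a
# compromise of their account does not expose the customer conversations stored in it.
foreach ($user in $sendOnly) {
    Add-RecipientPermission -Identity $shared -Trustee $user -AccessRights SendAs -Confirm:$false
}

# Read back the effective grants, hiding the built-in NT AUTHORITY\SELF entries, so
# the result can go straight into the access inventory the article asks for.
Get-MailboxPermission -Identity $shared |
    Where-Object { -not $_.IsInherited -and $_.User -notlike 'NT AUTHORITY\*' } |
    Select-Object @{n = 'Trustee'; e = { $_.User } }, @{n = 'Right'; e = { $_.AccessRights -join ',' } }

Get-RecipientPermission -Identity $shared |
    Where-Object { $_.Trustee -notlike 'NT AUTHORITY\*' } |
    Select-Object Trustee, @{n = 'Right'; e = { 'SendAs' } }
```

Two caveats worth knowing. Send As makes the message look as if support@ itself wrote it; if you want recipients to see "carol on behalf of support@", grant Send on Behalf instead (Set-Mailbox -GrantSendOnBehalfTo), which some teams prefer for accountability. And the shared mailbox has an account object of its own in Entra ID: keep it sign-in blocked (AccountEnabled false), otherwise someone can set a password on the mailbox account and bypass the members' MFA entirely.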

Set Up MFA for Members

Every person with shared mailbox access needs MFA on their personal account. If their account is compromised, the shared mailbox is compromised.

Disable External Forwarding

  1. Exchange Admin Center > Mail flow rules
  2. Create a rule: Block automatic forwarding from shared mailboxes to external domains
  3. Or: Set up a rule that requires approval for any email sent from shared mailbox to external recipients
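Mail can leave the tenant automatically through three separate mechanisms (inbox rules, the tenant's outbound spam policy allowing auto-forward, and admin-set forwarding on the mailbox object), and the mail flow rule in step 2 covers only the traffic it sees. The following Exchange Online PowerShell, added as an example and not part of the article, closes all three. It assumes the ExchangeOnlineManagement module and an Exchange administrator account; the rule name and reject text are placeholders.

```powershell
# Added example, not from the article. Assumes ExchangeOnlineManagement and an
# Exchange administrator account. Rule name and reject text are placeholders.
Connect-ExchangeOnline

# 1. Tenant-wide switch: turn automatic forwarding off in the default outbound spam
#    filter policy. This blocks inbox-rule and mailbox-level auto-forwarding to
#    external addresses for every mailbox, shared or personal.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

# 2. The mail flow rule the article describes: reject auto-forwarded messages that
#    leave the organization, returning an NDR so the attempt is visible rather than
#    silently dropped. Created only if it does not already exist.
if (-not (Get-TransportRule -Identity 'Block external auto-forwarding' -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name 'Block external auto-forwarding' `
        -FromScope InOrganization `
        -SentToScope NotInOrganization `
        -MessageTypeMatches AutoForward `
        -RejectMessageReasonText 'Automatic forwarding to external addresses is not permitted.' `
        -RejectMessageEnhancedStatusCode '5.7.1'
}

# 3. Forwarding configured on the mailbox object itself (set by an admin, or by anyone
#    who once had admin rights). List it on every shared mailbox and clear it; any hit
#    here deserves a follow-up on who set it and when.
Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    ForEach-Object {
        Write-Warning "$($_.PrimarySmtpAddress) forwards to $($_.ForwardingSmtpAddress)$($_.ForwardingAddress)"
        Set-Mailbox -Identity $_.Identity -ForwardingSmtpAddress $null -ForwardingAddress $null `
            -DeliverToMailboxAndForward $false
    }
```

The transport rule as written applies to the whole tenant. You could narrow it to the shared addresses with the -From parameter, but the tenant-wide form is the better default: the "forward support@ to my personal Gmail" scenario from the risks section usually runs through a member's personal mailbox, not the shared one. Note also that ForwardingAddress points at an internal recipient object, which can itself be a mail contact for an external address, so it is checked alongside ForwardingSmtpAddress.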

Enable Auditing

  1. Microsoft Purview Compliance Center > Audit
  2. Enable mailbox auditing for all shared mailboxes
  3. Log accesses, sends, deletes
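What "log accesses, sends, deletes" looks like in practice, as an added Exchange Online PowerShell example that is not part of the article. It turns on mailbox auditing for every shared mailbox with the delegate actions that matter, then pulls the last 30 days of those actions so each send or delete maps back to the member who performed it. It assumes the ExchangeOnlineManagement module and an account that holds the Audit Logs role in addition to Exchange administration.

```powershell
# Added example, not from the article. Assumes ExchangeOnlineManagement, an Exchange
# administrator account, and the Audit Logs role for the search at the end.
Connect-ExchangeOnline

$sharedBoxes = Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited

# Mailbox auditing is on by default in current tenants, but set it explicitly and make
# sure the delegate actions (what members do inside a shared mailbox) are all captured.
foreach ($mbx in $sharedBoxes) {
    Set-Mailbox -Identity $mbx.Identity -AuditEnabled $true `
        -AuditDelegate @{Add = 'SendAs', 'SendOnBehalf', 'SoftDelete', 'HardDelete', 'MoveToDeletedItems', 'UpdateInboxRules'}
}

# Query the unified audit log for those actions. In each record, UserId is the member
# who acted and MailboxOwnerUPN is the shared mailbox they acted in. That pairing is
# the "who sent which response, who deleted that email" trail the article asks for.
$sharedUpns = $sharedBoxes.UserPrincipalName
$events = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -RecordType ExchangeItem `
    -Operations SendAs, SendOnBehalf, SoftDelete, HardDelete, MoveToDeletedItems `
    -ResultSize 5000

$events |
    ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Where-Object { $_.MailboxOwnerUPN -in $sharedUpns } |
    Select-Object CreationTime, Operation, UserId, MailboxOwnerUPN, ClientIPAddress |
    Sort-Object CreationTime -Descending |
    Format-Table -AutoSize
```

Run the search part monthly, which is the review cadence the article recommends later, and keep the exported results somewhere the shared-mailbox members cannot edit. If Search-UnifiedAuditLog is not available in your tenant (Microsoft has been moving this capability into the Purview portal and Graph API), the same filters apply in the Audit search that step 1 points at.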

How to Set Up Shared Inboxes (Google Workspace)

Create the Shared Mailbox

  1. Admin Console > Apps > Google Workspace > Gmail > Shared mailbox settings
  2. Add the shared mailbox address
  3. Add members who need access

Configure Permissions

  1. Only add people who need access
  2. Set appropriate access levels (Read and manage, Read only, Send mail as)

Restrict External Forwarding

  1. Admin Console > Apps > Google Workspace > Gmail > End user access
  2. Look for forwarding settings
  3. Disable automatic forwarding to external addresses

Enable Audit Logging

  1. Admin Console > Reporting > Gmail logs
  2. Enable mailbox logging

What About Aliases?

Aliases are different from shared inboxes. An alias (e.g., sales@yourcompany.com that delivers to john@yourcompany.com) is just a forwarding address. It doesn't have its own login.

When aliases make sense:

  • Single person handling multiple roles
  • Simplified email addresses for marketing materials

When shared inboxes make sense:

  • Multiple people handling the same function
  • Need accountability and audit trails

What Can Go Wrong

"Former employee still has shared inbox access"

A terminated employee can still read support@ emails. Customer data is exposed. Potential compliance violation.

"Customer data in the shared inbox wasn't handled properly"

HIPAA, PCI DSS, or other regulations may apply if customer data is stored in shared inboxes. Access controls and retention policies matter.

"Phishing hit the shared inbox"

Multiple people clicked. Account compromises spread through the team. The attacker now has access to the shared inbox and multiple personal accounts.

"Emails forwarded to personal accounts"

A departing employee set up forwarding to their personal Gmail. After they leave, they continue receiving customer emails. They have your customer list.

What It Costs

Shared mailbox hosting:

  • Microsoft 365 Business Basic: Included (2GB per mailbox)
  • Microsoft 365 Business Standard: Included (50GB per mailbox)
  • Google Workspace Basic: $6/user/month, shared mailboxes included

Audit and monitoring tools:

  • Microsoft Purview: Built-in, free with most plans
  • Third-party tools: $2-$10/user/month

Consulting for setup: $500-$1,500

  • Initial configuration
  • Policy documentation
  • Training

Minimum Viable Implementation

  1. List every shared mailbox and alias in your organization. Document who has access and why.

  2. Remove anyone who shouldn't have access. Former employees, people who changed roles, vendors with unnecessary access.

  3. Disable external forwarding on all shared mailboxes. Create a mail flow rule in Exchange or set the policy in Google Admin.

  4. Enable MFA for everyone with shared mailbox access. This is non-negotiable.

  5. Document shared mailbox policies. Who can access what. How to handle sensitive data. What to do if suspicious activity is detected.

  6. Set up logging. Track who accesses shared mailboxes and when. Review logs monthly.

  7. Repeat quarterly. Access reviews are ongoing. People come and go. Roles change.
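Steps 1, 2 and 7 are the same job repeated: inventory every shared mailbox, find who has access, and flag what should be removed. The script below, added as an example and not part of the article, produces that quarterly review for Microsoft 365: every Full Access and Send As grant on every shared mailbox, whether the trustee's account is still enabled or has already been deleted (deleted accounts leave orphaned permission entries behind), and any inbox rule that forwards or redirects mail out of the mailbox. It assumes the ExchangeOnlineManagement module and an Exchange administrator account; the CSV path is a placeholder.

```powershell
# Added example, not from the article. Quarterly access review for shared mailboxes.
# Assumes ExchangeOnlineManagement and an Exchange administrator account.
Connect-ExchangeOnline

$report = foreach ($mbx in Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited) {

    # Explicit grants only: skip inherited entries and the built-in NT AUTHORITY\SELF.
    $grants = @(
        Get-MailboxPermission -Identity $mbx.Identity |
            Where-Object { -not $_.IsInherited -and $_.User -notlike 'NT AUTHORITY\*' } |
            ForEach-Object { [pscustomobject]@{ Trustee = $_.User; Right = ($_.AccessRights -join ',') } }
    ) + @(
        Get-RecipientPermission -Identity $mbx.Identity |
            Where-Object { $_.Trustee -notlike 'NT AUTHORITY\*' } |
            ForEach-Object { [pscustomobject]@{ Trustee = $_.Trustee; Right = 'SendAs' } }
    )

    foreach ($g in $grants) {
        # Resolve the trustee. A deleted account leaves an orphaned SID that no longer
        # resolves; a disabled account is typically a former employee never removed.
        $acct   = Get-User -Identity $g.Trustee -ErrorAction SilentlyContinue
        $status = if (-not $acct)                { 'UNRESOLVED (deleted account or group?)' }
                  elseif ($acct.AccountDisabled) { 'DISABLED - remove access' }
                  else                           { 'active' }
        [pscustomobject]@{
            Mailbox = $mbx.PrimarySmtpAddress
            Finding = 'Permission'
            Detail  = "$($g.Trustee) : $($g.Right)"
            Status  = $status
        }
    }

    # Rule-based forwarding out of the mailbox: the "send everything to my Gmail" case.
    Get-InboxRule -Mailbox $mbx.Identity |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        ForEach-Object {
            $targets = @($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo) | Where-Object { $_ }
            [pscustomobject]@{
                Mailbox = $mbx.PrimarySmtpAddress
                Finding = 'ForwardingRule'
                Detail  = "$($_.Name) -> $($targets -join '; ')"
                Status  = 'REVIEW'
            }
        }
}

# Anything not marked "active" is a removal or an investigation. Keep the CSV as the
# record that the review happened, which matters when a regulator asks.
$report | Sort-Object Status, Mailbox | Format-Table -AutoSize
$report | Export-Csv -Path ".\shared-mailbox-review-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

When a trustee shows up as UNRESOLVED and turns out to be a security or distribution group, expand its membership (Get-DistributionGroupMember) and review each member the same way; group grants are where "temporary" access most often outlives the person it was meant for.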

Vendor Questions (Copy/Paste)

  1. "Can we block automatic forwarding from shared mailboxes to external email addresses?"

  2. "Do shared mailboxes inherit MFA policies from individual users, or do we need to configure it separately?"

  3. "Can we set up alerts when someone accesses a shared mailbox from a new device or location?"

  4. "What's the retention policy for shared mailbox emails? Can we automatically delete emails after a certain period?"

  5. "Do you log who sends emails from shared mailboxes?"

  6. "Can we require approval before someone can send from a shared mailbox address?"

When to Hire Help

DIY-friendly if:

  • Under 10 shared mailboxes
  • Simple role assignments
  • Basic Microsoft 365 or Google Workspace setup
  • No regulatory compliance requirements

Get professional help if:

  • Over 25 shared mailboxes
  • Complex role structure
  • Regulatory compliance requirements (HIPAA, PCI DSS, etc.)
  • Previous security incidents involving shared mailboxes
  • Need help setting up proper auditing

Warning signs you need help now:

  • You don't know who has access to which shared mailboxes
  • A former employee might still have shared mailbox access
  • Shared mailboxes don't have MFA requirements
  • No one is monitoring shared mailbox access
  • You found forwarding rules from shared mailboxes to personal accounts
