Gmail Potential Spoofed Email Delivered

Panther Rules

Summary
This detection rule identifies potentially spoofed emails that successfully arrive in a user's Gmail inbox despite failing one or more email authentication checks, specifically DMARC, SPF, or DKIM. The rule matters for combating phishing and business email compromise (BEC) because it targets a common method attackers use to impersonate legitimate domains. The detection works by monitoring GSuite activity events and triggering an alert when a message that failed authentication is nonetheless delivered. Passing DMARC, SPF, and DKIM checks is crucial for trustworthy email, and a failure in any of them indicates that the sender may not be who the message claims. The operational response includes reviewing the authentication failures, blocking malicious domains, notifying affected users, and potentially tightening the DMARC policy. Testing the rule involves scenarios with varied combinations of authentication successes and failures, ensuring the alerting thresholds are set correctly.
Categories
  • Cloud
  • Web
  • Identity Management
Data Sources
  • User Account
  • Group
  • Application Log
  • Logon Session
ATT&CK Techniques
  • T1566.001
  • T1566.002
Created: 2025-11-18