Back to blog
Email Alias Tutorial: Google Workspace & Microsoft 365 Setup
Written by
Brightside Team
Published on
Dec 5, 2025
You've got a problem. Customers email sales@yourcompany.com, support tickets fly into help@yourcompany.com, and job applications land in careers@yourcompany.com. But here's the reality: it's just you or maybe two other people checking all these addresses.
Hiring more people isn't in the budget. Creating separate email accounts for each address? That means more passwords, more logins, and more monthly license fees eating into your cash flow.
Email aliases solve this. They let you receive mail at multiple professional addresses while everything lands in your existing inbox. No new passwords. No extra fees. Just better organization and a more credible presence.
This guide walks you through setting up aliases in Google Workspace and Microsoft 365. You'll need admin access to your email system and about 15 minutes of focused time. By the end, you'll look like a 50-person operation even if your team fits around one lunch table.
What Exactly Is an Email Alias?
Think of your main email address as your home. An alias is like adding extra doors to that same house. Mail delivered to any door ends up in the same living room.
When someone emails support@yourcompany.com, it doesn't create a separate mailbox. The message arrives in john.doe@yourcompany.com's inbox instead. You can reply as support@, keeping your personal address private and maintaining that professional appearance customers expect.
The best part? Most email platforms include aliases at no extra cost. Google Workspace allows up to 30 aliases per user. Microsoft 365 offers similar limits depending on your plan. You're already paying for the service, so you might as well use this feature.
Google Workspace Setup: The Four Critical Steps
Step 1: Access the Admin Console
Log into admin.google.com using your administrator account. Navigate to the Users section from the main menu. Find the person who should receive the alias emails and click their name.
You'll see their account details page. Look for a section called "User information" or "Alternate emails." Different Google Workspace versions label this slightly differently, but it's always in the account overview area.
Step 2: Add Your First Alias
Click "Add Alternate Email" or the equivalent button. A small window appears asking for the email address you want to create.
Type just the part before the @ symbol. If you want jobs@yourcompany.com, type "jobs" into the field. The domain dropdown already shows your company domain. Select it and click Add.
Google saves this immediately. Send a test email from your personal Gmail or another account to verify it works. You should see the message arrive in the user's main inbox within seconds.
Step 3: Configure "Send As" Settings
Receiving emails is only half the equation. When you reply to that test message, your response will show it came from john.doe@yourcompany.com by default. That defeats the whole purpose of having a professional alias.
You need to enable "Send As" functionality. This tells Gmail: "When I'm replying to emails sent to jobs@, let me respond as jobs@ instead of showing my personal address."
Here's how to set it up:
Open Gmail (not the admin console this time)
Click the gear icon in the top right
Select "See all settings"
Navigate to the "Accounts and Import" tab
Find the "Send mail as" section
Click "Add another email address"
A popup window appears. Enter the alias you just created (jobs@yourcompany.com). Make sure to uncheck the box that says "Treat as an alias." This setting confuses people, but unchecking it gives you the cleanest behavior when sending and receiving replies.
Google sends a verification code to that alias address. Since the alias delivers to your inbox, you'll receive the code immediately. Enter it to confirm ownership.
Step 4: Set Your Default Reply Address
Back in that same "Send mail as" section, you'll now see both your main address and your new alias listed. Click "make default" next to the alias if you want all outgoing mail from this inbox to appear from the alias by default.
Alternatively, leave your personal address as the default. When you reply to specific messages sent to the alias, Gmail automatically uses that alias for the response. You can manually switch between addresses using the "From" dropdown when composing.
Microsoft 365 Setup: Navigating Exchange Settings
Microsoft's approach differs slightly but follows the same logic. The interface isn't always intuitive, so pay attention to these specific menu paths.
Step 1: Open the Admin Center
Navigate to admin.microsoft.com and sign in with administrator credentials. Click "Users" in the left sidebar, then select "Active users" from the submenu.
Find the account that needs the alias. Click the person's name to open their settings panel. Look for a link labeled "Manage username and email" or "Email aliases" depending on your Microsoft 365 version.
Step 2: Create the Alias
Click "Add an alias" or the plus icon. A text field appears where you'll type the desired alias name.
Enter the local part only (the text before @). Microsoft automatically appends your verified domain. Click Add or Save.
Microsoft confirms the alias was created. Like with Google, send a test email from an external account to verify delivery works correctly.
Step 3: Enable Reply Capabilities
Microsoft historically made replying from aliases more complicated than Google. Recent updates improved this, but you might need to adjust settings depending on your specific Microsoft 365 plan.
Open Outlook (the desktop app or web version). Go to Settings, then View all Outlook settings. Navigate to Mail > Compose and reply. Look for an option related to "Default From address" or "Choose the account to send from."
Add your alias to the list of available sending addresses. The exact location of this setting varies between Outlook versions, which frustrates many admins. If you can't find it, search Microsoft's documentation for "send from alias Outlook [your version number]."
Some Microsoft 365 plans require additional steps in the Exchange Admin Center. Navigate to Recipients > Mailboxes, select the user, and verify that "Send As" permissions are enabled for the alias. This permission lets the mailbox owner send messages that appear to come from the alias address.
Step 4: Adjust Permissions if Needed
If the "on behalf of" text appears when sending from your alias, the permissions aren't configured correctly. Return to the Exchange Admin Center, find Mailbox Delegation settings, and explicitly grant "Send As" permissions to the user for their own alias.
This step trips up many people. The system assumes you might be delegating to someone else, so granting yourself permission to send as your own alias feels redundant. Microsoft's security model requires it anyway.
Mobile Configuration: Don't Break Your Professional Image
You're at a coffee shop when a hot lead emails sales@yourcompany.com. You tap out a reply on your phone. The message sends from john.doe@yourcompany.com instead of the professional alias.
The client now has your personal address. They'll email you directly next time, bypassing your organized system. Your carefully constructed professional presence just crumbled because of a mobile app setting.
iPhone and Android with Gmail
The Gmail mobile app automatically detects aliases configured on the desktop. Open the app and start composing a message. Tap the "From" field at the top. Your main address and all configured aliases appear in a dropdown menu.
Select the appropriate alias before sending. The app remembers your choice for future replies to that conversation thread. If you want to change the default sending address, adjust it in the mobile app's settings under your account preferences.
Outlook Mobile (iOS and Android)
Outlook's mobile app requires explicit configuration. Open the app and tap your profile picture or the menu icon. Go to Settings, then select your account. Look for "Default account" or a similar option.
You won't see aliases listed the same way Google shows them. Instead, you need to enable "Show From field" in composition settings. This adds a From dropdown to every new message, letting you manually select which address to send from.
The extra tap for every message feels annoying at first. After a few days, it becomes automatic. The alternative is sending messages from the wrong address, which looks unprofessional and confuses your email routing.
Troubleshooting the Most Common Problems
"My test email bounced back"
DNS records take time to propagate across the internet. Wait 15 minutes and try again. If the alias still doesn't work after an hour, check these items:
Verify you typed the alias correctly (no typos or extra spaces)
Confirm your domain's MX records point to the correct email server
Check that you didn't exceed your platform's alias limit per user
"Replies show 'on behalf of' instead of clean From addresses"
This indicates permission settings need adjustment. For Google Workspace, you probably left the "Treat as an alias" box checked. Go back to your Send As settings and reconfigure with that box unchecked.
For Microsoft 365, you need to explicitly grant Send As permissions in the Exchange Admin Center. Navigate to the user's mailbox delegation settings and add the permission there.
"I'm drowning in spam at my new alias"
Public-facing email addresses attract spam. That's the trade-off for having professional, guessable addresses like info@ or sales@. Your email platform's spam filter catches most junk, but some slips through.
More concerning than spam is targeted phishing. Once you publish jobs@yourcompany.com on your website, attackers know this address exists. They'll craft messages that look like job applications but contain malicious attachments or links.
Technical email settings block some threats. Training the humans behind those inboxes is equally important.
Top 5 Security Awareness Services
Setting up accounts@ or ceo@ makes you look professional. It also paints a target on your back. Attackers love role-based aliases because they know exactly what kind of bait to use. They'll send fake invoices to accounts@, wire transfer requests to ceo@, and malicious resumes to hr@.
Technical settings catch spam. Only trained humans catch sophisticated phishing that mimics your bank, your CEO's writing style, or your biggest client's logo. Here are the top tools to protect the people behind the aliases.
KnowBe4
KnowBe4 dominates the security awareness market through sheer content volume. The platform offers over 1,000 training modules covering everything from basic password hygiene to advanced social engineering tactics.
Their phishing simulation tool includes thousands of templates that mimic real-world attacks. Admins can customize everything from sender names to attachment types. The reporting dashboard shows which employees clicked links, opened attachments, or entered credentials.
The strength here is comprehensiveness. Whatever training scenario you need, KnowBe4 probably has it. The weakness is that this comprehensiveness creates complexity. Smaller organizations often feel overwhelmed by the number of options and settings. The reporting interface works well for large enterprises but feels cluttered for teams under 50 people.
Brightside AI
Brightside takes a different approach than traditional training platforms. While others focus only on corporate email security, Brightside protects employees' personal digital footprints that attackers exploit for spear-phishing.
The platform scans data brokers, social media, and leaked credentials. It identifies what information about your employees exists online. Then "Brighty," an interactive chat-based companion, walks each person through securing their exposed data. This includes removing information from data broker sites, adjusting privacy settings, and understanding which online accounts pose risks.
For businesses, Brightside combines this personal protection with corporate awareness training. Admins get vulnerability scores for each employee and can deploy phishing simulations personalized using real OSINT data. The simulations feel authentic because they use actual exposed information attackers would find.
The limitation is that Brightside doesn't offer real-time email scanning or blocking. It focuses on human behavior change and exposure reduction rather than technical filtering. You'll still need traditional email security for spam and malware.
What makes Brightside unique is that it's the only platform addressing both sides of human risk. Your employees become less vulnerable targets while simultaneously learning to spot attacks. When someone tries phishing your team using leaked personal data, Brightside already helped remove that data or trained your people to recognize its misuse.
Proofpoint Security Awareness
Proofpoint leverages threat intelligence from its email security business to create highly realistic training. When new phishing techniques appear in the wild, Proofpoint incorporates them into simulations quickly. Your employees face the same tactics real attackers currently use.
The platform excels at granular reporting that large security teams need. You can drill down into specific departments, job roles, or risk levels. Integration with other Proofpoint security tools creates a unified view of email threats and human vulnerabilities.
The downside is cost and complexity. Proofpoint targets large enterprises and prices accordingly. Implementation and ongoing management require dedicated IT resources. Small and medium businesses often find the platform overkill for their needs.
Hoxhunt
Hoxhunt automates most of the admin work through AI-driven simulations. The system automatically adjusts difficulty based on each user's performance. Employees who spot threats easily get harder simulations. Those struggling receive simpler scenarios with more obvious warning signs.
Gamification drives strong engagement rates. Employees earn points for reporting suspicious emails and lose points for falling for simulations. Leaderboards create friendly competition that makes security training less tedious.
The limitation is reduced admin control. Hoxhunt's automation means you can't manually craft every campaign detail. Reporting dashboards also lack depth for detailed compliance audits that some regulations require. The platform prioritizes engagement over exhaustive documentation.
SoSafe
SoSafe builds training around behavioral science and psychology rather than just technical security concepts. Content explains why humans fall for scams and how attackers manipulate psychological triggers. This approach helps employees understand their own vulnerabilities.
The platform has strong GDPR compliance and focuses heavily on the European market. Privacy protections are built in from the start rather than added later. Admins can't access detailed personal data about employee failures, only aggregated team metrics.
The content library is smaller than US-based competitors like KnowBe4. Some users report that lesson formats become repetitive over time. SoSafe works best for organizations that value the psychological approach and need GDPR compliance more than they need massive content variety.
![](data:image/svg+xml,<svg display="block" role="presentation" viewBox="0 0 5100 5100" xmlns="http://www.w3.org/2000/svg"><path d="M 2549.943 0 C 2604.313 0 2647.667 44.755 2647.667 99.064 L 2647.667 1913.976 L 3181.485 179.581 C 3197.488 127.584 3252.221 98.039 3304.109 114.594 C 3355.807 131.087 3384.01 186.769 3368.058 238.596 L 2835.267 1969.657 L 3854.672 471.155 L 3854.672 471.155 C 3885.315 426.107 3946.369 414.658 3990.92 446.073 C 4035.208 477.305 4046.036 538.842 4015.564 583.639 L 2999.287 2077.545 L 4411.997 948.478 C 4454.589 914.443 4516.219 922.109 4549.498 965.266 C 4582.575 1008.17 4575.334 1070.237 4533.005 1104.066 L 3121.428 2232.225 L 4803.583 1570.563 C 4854.284 1550.622 4910.834 1576.466 4930.145 1627.35 L 4930.58 1628.54 C 4948.992 1678.931 4924.368 1735.57 4874.282 1755.275 L 3196.166 2415.358 L 4994.896 2280.271 C 5049.133 2276.19 5095.643 2317.61 5099.572 2371.807 L 5099.572 2371.807 C 5103.501 2425.953 5063.525 2473.786 5009.339 2477.856 L 3209.108 2613.054 L 4968.868 3015.588 C 5021.792 3027.698 5054.415 3080.884 5042.719 3133.848 C 5031.003 3186.954 4978.918 3221.001 4925.843 3208.861 L 3166.182 2806.347 L 4728.005 3710.031 C 4774.929 3737.179 4791.018 3797.537 4764.607 3844.855 L 4764.607 3844.855 C 4738.064 3892.416 4678.293 3909.394 4631.116 3882.103 L 3065.958 2976.491 L 4293.727 4302.645 C 4330.248 4342.086 4328.774 4403.897 4290.566 4441.5 L 4289.657 4442.378 C 4250.64 4479.829 4189.223 4478.263 4152.095 4439.166 L 4151.217 4438.237 L 2920.6 3109.002 L 3704.738 4740.963 C 3728.028 4789.433 3708.828 4848.164 3661.116 4872.687 L 3659.985 4873.263 C 3611.202 4897.553 3552.612 4876.808 3529.029 4827.732 L 2743.264 3192.378 L 3012.989 4985.837 C 3021.059 5039.498 2984.904 5090.311 2931.236 5098.683 C 2877.464 5107.066 2827.86 5069.454 2819.776 5015.702 L 2549.922 3221.385 L 2280.07 5015.702 C 2271.985 5069.454 2222.381 5107.066 2168.609 5098.683 C 2114.941 5090.311 2078.787 5039.498 2086.857 4985.837 L 2356.583 3192.367 L 1570.805 4827.732 C 1547.224 4876.808 1488.638 4897.553 1439.853 4873.263 C 1391.323 4849.083 1371.628 4789.817 1395.1 4740.963 L 2179.192 3109.103 L 948.662 4438.237 C 911.636 4478.233 849.551 4480.122 810.222 4442.378 C 771.135 4404.867 769.348 4342.399 806.152 4302.645 L 806.152 4302.645 L 2034.005 2976.4 L 468.692 3882.103 C 421.515 3909.394 361.744 3892.416 335.201 3844.855 C 308.79 3797.537 324.889 3737.179 371.803 3710.031 L 1933.577 2806.377 L 174.036 3208.861 C 120.971 3221.001 68.886 3186.954 57.159 3133.848 C 45.474 3080.884 78.097 3027.698 131.02 3015.588 L 1890.778 2613.054 L 90.499 2477.856 C 36.313 2473.786 -3.662 2425.942 0.266 2371.797 C 4.185 2317.61 50.706 2276.19 104.942 2280.261 L 1903.609 2415.348 L 225.495 1755.265 C 175.016 1735.409 150.402 1678.031 169.643 1627.345 C 188.802 1576.857 244.615 1551.021 295.013 1570.099 L 296.195 1570.557 L 296.195 1570.558 L 1978.734 2232.377 L 566.975 1104.066 C 524.646 1070.237 517.404 1008.17 550.482 965.266 C 583.761 922.109 645.401 914.443 687.982 948.478 L 2100.529 2077.413 L 1084.345 583.639 C 1053.873 538.842 1064.701 477.305 1108.989 446.073 C 1153.54 414.658 1214.594 426.108 1245.237 471.156 L 2264.509 1969.465 L 1731.778 238.596 C 1715.828 186.769 1744.03 131.087 1795.728 114.594 C 1847.617 98.039 1902.349 127.584 1918.354 179.581 L 2452.22 1914.137 L 2452.22 99.064 C 2452.22 44.755 2495.573 0 2549.943 0 Z" fill="rgb(165, 140, 255)" height="5099.852970288682px" id="KrZEL4sI2" stroke-dasharray="" stroke-linecap="round" stroke-linejoin="bevel" stroke-width="46.866" stroke="rgb(165, 140, 255)" width="5099.838395299793px"/></svg>)
Start your free risk assessment
Our OSINT engine will reveal what adversaries can discover and leverage for phishing attacks.
Frequently Asked Questions
What's the goal of using an email alias instead of a shared mailbox?
The primary goal is simplicity and cost-efficiency when one person owns responsibility for an address. An alias routes email to an existing inbox without requiring new logins or licenses. If multiple people need to manage the same address together, like a support team handling customer questions, a shared mailbox or group works better. Shared mailboxes show which team member replied to each message and prevent duplicate responses. Aliases work perfectly for single-owner scenarios where you just need professional branding without additional infrastructure.
How often should we review our list of active email aliases?
Audit your aliases at least twice per year or whenever employees leave the company. Old aliases like summer-intern@ or promo-2023@ accumulate silently. They become spam collection points or potential security backdoors if the underlying account gets compromised. During your audit, delete aliases that no longer serve a business purpose. Document which aliases are active, who owns them, and what they're used for. This prevents the "mystery address" problem where IT gets questions about an alias nobody remembers creating years ago.
What happens if an employee replies from their primary address instead of the alias?
The recipient sees the employee's personal name and direct email address instead of the professional alias. This breaks brand consistency and trains customers to email employees directly. When Jane replies to a support question using jane.doe@company.com instead of support@company.com, that customer will email Jane directly next time. They'll bypass your ticketing system, routing rules, and any coverage you had planned when Jane goes on vacation. The professional facade crumbles and your organized email system becomes chaos.
How does setting up aliases improve our overall cybersecurity posture?
Aliases let you segment your digital identity across different vendors and services. Create unique aliases for each SaaS provider or vendor relationship. When bill-software@ starts receiving spam, you instantly know that software vendor leaked or sold your data. You can delete that specific alias without changing your primary email address or affecting other vendor relationships. This containment limits damage from data breaches. Aliases also reduce your attack surface by keeping your primary email address private. Attackers must guess which aliases exist rather than finding your main address plastered across the internet.
What To Do Next
You now understand how to configure aliases in both major business email platforms. The technical setup takes minutes. The strategic thinking about which aliases to create and how to manage them takes longer.
Start by creating three essential aliases today. Most businesses need support@, billing@, and either sales@ or info@. These cover the majority of external communication scenarios. Set up the Send As permissions correctly so replies maintain your professional appearance.
Document your aliases in a simple spreadsheet. Include columns for the alias address, which account it delivers to, and what purpose it serves. Update this document when you add or remove aliases. Future you will appreciate this documentation when questions arise.
Remember that professional email addresses deserve professional protection. The aliases you just created will receive phishing attempts disguised as customer inquiries, partnership proposals, and job applications. Technical spam filters catch obvious threats. Trained humans catch the sophisticated attacks that slip through.
Your email infrastructure is now more professional and organized. Make sure the people checking these inboxes have the skills to spot when something isn't quite right.
