Gmail Delegation + Forwarding + 2FA — Setting Up Mildred's Access
Codified from Gmail draft
19dc13e84bd4eb1e· Apr 24 2026
Personal reference. Delete the draft after this is executed.
Honest answer first
The RIGHT mechanism = Gmail Delegate Access. Not shared password. Not credential handoff.
- She logs in as herself → opens your mailbox in a separate view
- She can read, reply (as you), send, archive
- 2FA stays intact on YOUR account (delegation doesn't bypass it)
- You can revoke in 1 click
- Fully auditable — her actions show in your mailbox
Scoping = Gmail Labels + Filters. Sensitive threads get labeled SAM-ONLY; filter hides them from delegate view.
Time: 30–45 min initial setup. Mildred's side is 5 min.
Step 1 — Confirm account type (2 min)
Check: is sam@hookstreetcapital.com a Google Workspace (paid) account or a free Gmail?
- Workspace (paid): Full delegation features available. Go to Step 2.
- Free Gmail: Delegation is limited (no send-as). Consider upgrading to Workspace Business Starter (~$7/user/mo) before setup — worth it for any serious ops work.
Verify: log into sam@hookstreetcapital.com → look for admin.google.com access → if yes, Workspace.
Step 2 — Set up labels for scoping (10 min)
Before granting Mildred access, build the scoping structure.
Create these labels in your Gmail:
SAM-ONLY(red, top-level)SAM-ONLY/Legal— Asher, HOA, any lawsuitSAM-ONLY/EG-Internal— EG-CONTEXT-PACK, Eli/Huvie strategySAM-ONLY/Personal— Chanie, family, medicalSAM-ONLY/Finance— cards, mortgages, anything not STR-reimbursementSAM-ONLY/Drafts-System— where HOW-TO, DECISIONS-PENDING, OPEN-LOOPS liveMILDRED(green, top-level) — for her focus zonesMILDRED/Property— 9312, 9332, vendorsMILDRED/Admin— subscriptions, utilities, 20four7VAMILDRED/Calendar— scheduling, routingMILDRED/Clients-Admin— consulting invoicing, NOT strategy
Apply labels retroactively:
- Gmail search:
from:asher@gulkoschwed.com→ applySAM-ONLY/Legalto all - Search:
eden gardens OR huvie OR eli→ review, applySAM-ONLY/EG-Internalto strategic ones [HOW-TO]drafts → auto-labeledSAM-ONLY/Drafts-Systemif you apply a filter
Step 3 — Create filter rules (10 min)
Auto-label future emails so you don't have to remember.
Filter 1 — Legal auto-label
- From: asher@gulkoschwed.com OR orlando-law.com OR anything with "di masi burton"
- Apply label: SAM-ONLY/Legal
Filter 2 — EG Internal
- From: eli@steinhardtbuilders.com OR sharona@steinhardtbuilders.com
- Apply label: SAM-ONLY/EG-Internal
- (NOT for huvie@, jessica@, abe@ — those are admin/ops Mildred can see)
Filter 3 — Personal
- From: chanietreitel@gmail.com
- Apply label: SAM-ONLY/Personal
Filter 4 — Subject-based
- Subject contains: [HOW-TO] OR [DECISIONS-PENDING] OR [OPEN-LOOPS] OR [EG-CONTEXT-PACK] OR [CLAUDE CODE]
- Apply label: SAM-ONLY/Drafts-System
- Also: Skip Inbox (keep these in drafts only)
Step 4 — Grant Mildred delegate access (5 min)
- Gmail → Settings (gear) → See all settings
- Accounts and Import tab → "Grant access to your account" section
- Click "Add another account"
- Enter:
mildred@hookstreetcapital.com - Choose: "Mark conversation as read when opened by others" (YES — you'll see what she touched)
- Send invitation
- Mildred gets email with link → she accepts → done
Her access shows up as account switcher in HER Gmail. She opens your mailbox in her browser.
Step 5 — Scope Mildred's view (5 min, her side)
Two options here — pick one:
OPTION A — Honor system (simpler, works if trust is solid)
- Mildred sees everything by default
- You tell her: "Anything labeled SAM-ONLY → skip it. It's not in your purview."
- Write the "Mildred Purview Memo" so it's explicit
OPTION B — Technical scoping (more complex, air-gap)
- Set up a forwarding rule: only certain labels forward to a shared mailbox Mildred sees
- Mildred doesn't see the main inbox at all, only the forwarded labels
- More work, breaks if you add a new label and forget
- Most consultants/execs use Option A
Recommendation: Option A + written memo. Trust + clarity > technical lockdown.
Step 6 — Confirm 2FA remains intact (2 min)
- Your account 2FA: unchanged. Delegation does NOT bypass.
- Mildred cannot change your password, cannot change 2FA, cannot download data.
- She can ONLY: read, send as, archive, label (within her own view).
- Audit log:
admin.google.com→ Reports → Audit → Email Log → shows all delegate actions.
If you're on a free Gmail (not Workspace): 2FA still works, but you don't get the full audit log.
Step 7 — Set up "send as" properly (5 min)
When Mildred replies from your delegated view:
- Default: shows "from
sam@hookstreetcapital.com, sent bymildred@hookstreetcapital.com" - Most recipients don't notice
- If you want cleaner presentation: configure your account to send as
sam@with no "sent by" attribution (Workspace admin setting)
Step 8 — Forwarding (if relevant)
Only do this if you want certain threads to COPY to Mildred's own inbox (not just show in delegated view):
Settings → Forwarding and POP/IMAP → Add forwarding address: mildred@hookstreetcapital.com
Then create filter → "Forward to mildred@hookstreetcapital.com" for specific labels.
Most people don't need this. Delegate access is cleaner.
Step 9 — Mildred's onboarding (10 min with her, live)
Walk-through (on Tuesday sync or a one-time call):
- Show her how to switch to your account view
- Walk the labels —
MILDRED/*= her zone;SAM-ONLY/*= skip - Explain "send as" — what recipients see
- Give her the Purview Memo (separate doc)
- Set her expectation: when ambiguous, ASK before acting
Done state
- Mildred has delegate access, logs in as herself
- All historical sensitive threads labeled
SAM-ONLY - Filters auto-label future sensitive threads
- Purview memo sent (separate doc)
- 2FA intact, audit log on
- Mildred knows her zone, knows when to ask