If it has a google-site-verification record it's probable that it's (or it was) using Workspace:
dig txt hacktricks.xyz
[...]
hacktricks.xyz. 3600 IN TXT "google-site-verification=2mWyPXMPXEEy6QqWbCfWkxFTcQhyYdwHrOxee1Yeo-0"
hacktricks.xyz. 3600 IN TXT "google-site-verification=C19PtLcZ1EGyzUYYJTX1Tp6bOGessxzN9gqE-SVKhRA"
hacktricks.xyz. 300 IN TXT "v=spf1 include:usb._netblocks.mimecast.com include:_spf.google.com include:_spf.psm.knowbe4.com include:_spf.salesforce.com include:spf.mandrillapp.com ~all"
If something like include:_spf.google.com also appears it confirms it (note that if it doesn't appear it doesn't denies it as a domain can be in Workspace without using gmail as mail provider).
Try to setup a Workspace with that domain
Another option is to try to setup a Workspace using the domain, if it complains that the domain is already used (like in the image), you know it's already used!
Try to recover the password of an email using that domain
If you know any valid email address being use din that domain (like: admin@email.com or info@email.com) you can try to recover the account in https://accounts.google.com/signin/v2/recoveryidentifier, and if try doesn't shows an error indicating that Google has no idea about that account, then it's using Workspace.
Enumerate emails and service accounts
It's possible to enumerate valid emails of a Workspace domain and SA emails by trying to assign them permissions and checking the error messages. For this you just need to have permissions to assign permission to a project (which can be just owned by you).
Note that to check them but even if they exist not grant them a permission you can use the type serviceAccount when it's an user and user when it's a SA:
# Try to assign permissions to user 'unvalid-email-34r434f@hacktricks.xyz'# but indicating it's a service accountgcloudprojectsadd-iam-policy-binding<project-controlled-by-you> \--member='serviceAccount:unvalid-email-34r434f@hacktricks.xyz' \--role='roles/viewer'## Response:ERROR: (gcloud.projects.add-iam-policy-binding) INVALID_ARGUMENT: User unvalid-email-34r434f@hacktricks.xyz does not exist.
# Now try with a valid emailgcloudprojectsadd-iam-policy-binding<project-controlled-by-you> \--member='serviceAccount:support@hacktricks.xyz' \--role='roles/viewer'# Response:ERROR: (gcloud.projects.add-iam-policy-binding) INVALID_ARGUMENT: Principal support@hacktricks.xyz is of type "user". The principal should appear as "user:support@hacktricks.xyz". See https://cloud.google.com/iam/help/members/types for additional documentation.
Note how when the user email was valid the error message indicated that they type isn't, so we managed to discover that the email support@hacktricks.xyz exists without granting it any privileges.
You can so the same with Service Accounts using the type user: instead of serviceAccount::
# Non existentgcloudprojectsadd-iam-policy-binding<project-controlled-by-you> \--member='serviceAccount:<invalid-sa-name>@<proj-uniq-name>.iam.gserviceaccount.com' \--role='roles/viewer'# ResponseERROR: (gcloud.projects.add-iam-policy-binding) INVALID_ARGUMENT: User <invalid-sa-name>@<proj-uniq-name>.iam.gserviceaccount.com does not exist.
# Existentgcloudprojectsadd-iam-policy-binding<project-controlled-by-you> \--member='serviceAccount:<sa-name>@<proj-uniq-name>.iam.gserviceaccount.com' \--role='roles/viewer'# ResponseERROR: (gcloud.projects.add-iam-policy-binding) INVALID_ARGUMENT: Principal testing@digital-bonfire-410512.iam.gserviceaccount.com is of type "serviceAccount". The principal should appear as "serviceAccount:testing@digital-bonfire-410512.iam.gserviceaccount.com". See https://cloud.google.com/iam/help/members/types for additional documentation.
